Coinbase information leak could lead to a loss of 400 million dollars, KYC becoming a gold mine for hackers?

ChainCatcher

Author: Fairy, ChainCatcher

Editor: TB, ChainCatcher

“The estimated loss from this incident is about $180 million to $400 million.”

Even political vetting of staff ultimately cannot stop social engineering attacks…

In early April, we reported that Coinbase users were frequently targeted by precise scams, with annual losses potentially reaching $300 million. Now, the truth is gradually coming to light.

Yesterday, Coinbase disclosed key details: hackers bribed overseas customer service personnel to steal the personal information of less than 1% of active users. The long-concealed internal security risk has finally been brought into the open.

Glory has not faded, but the crisis has arrived

Less than a week after the good news of its inclusion in the S&P 500, Coinbase's security scandal followed, and its stock price immediately turned downward, dropping 7.2% in a single day.

In early April, Mike Dudas, co-founder of The Block, received a notification from Coinbase stating that his account had been improperly accessed by an employee, which at the time raised concerns about Coinbase's internal management of data access permissions. (Related reading: Annual losses of $300 million, Coinbase users frequently targeted by precise scams, is there an "insider" leaking information?)

Coinbase's announcement yesterday revealed the full scope of the incident for the first time: overseas customer service personnel were bribed by criminals and copied the data of less than 1% of monthly active users, which the criminals then used to impersonate Coinbase and defraud users. The hackers attempted to extort Coinbase, demanding $20 million in hush money. Coinbase refused to pay and instead offered a reward of the same amount for information leading to the arrest and conviction of the masterminds behind the attack.

At the same time, questions about whether Coinbase has inflated its user numbers have also come to the forefront. The SEC is investigating the "100 million verified users" figure disclosed in its registration documents, a metric that was quietly discontinued two years ago. Although Chief Legal Officer Paul Grewal responded that this is a legacy investigation from the previous administration and that the relevant information has been fully disclosed, under internal and external pressure Coinbase has once again become the focus of public opinion.

Can Coinbase still be trusted?

Coinbase's credibility is facing an unprecedented test. For a publicly listed cryptocurrency exchange that prides itself on "security and compliance," the leakage of sensitive data, the surge in social engineering fraud risks, and potential regulatory penalties are undoubtedly a multi-faceted "slap in the face."

According to Coinbase's announcement, the information stolen by the hackers covers almost the complete KYC profile of the affected users: names, addresses, phone numbers, emails, ID document images, and even some bank account information. Such information in the hands of criminals not only provides "precise ammunition" for subsequent social engineering attacks, phishing emails, and fund theft, but may also be resold on the dark web, creating long-term risk.

As for Coinbase's response, it has promised to fully compensate users who were scammed into transferring money to the attackers as a result of this incident, and to systematically fix the security weaknesses involved. It will tighten customer service access permissions and open new customer service centers in the U.S. to improve oversight. At the same time, Coinbase will increase internal investment in threat detection, automated response, and attack simulation testing.

Although these measures amount to closing the barn door after the horse has bolted, they also convey Coinbase's attitude of "facing the battle head-on." Whether this series of remedial measures can truly curb the risk and regain the trust of investors and users will take time and actual results to verify.

KYC controversy reignited

The original intention of KYC is to combat money laundering and terrorist financing, but in practice, it has also become the most concentrated repository of user privacy information. This data breach incident at Coinbase has once again brought the controversy surrounding the KYC system to the forefront.

In this storm, several project founders and CEOs have spoken out, reflecting on three questions:

  1. Is "exchanging privacy for security" worth it?

Nansen CEO Alex Svanevik bluntly stated that the KYC system requires users to submit a large amount of sensitive information, such as ID documents, passports, utility bills, etc., but in reality, "almost no real criminals have been caught."

Casa Wallet CEO Nick Neuman stated, "This is why we do not collect KYC." In his view, KYC only provides hackers with more avenues for attack.

  2. System loopholes exacerbate user risks

Platforms that collect sensitive user information without the corresponding protective capabilities instead place users at greater risk. Wintermute CEO Evgeny Gaevoy emphasized that Coinbase did not disclose the information leak in a timely manner, which is the "dark side of the stupid and absurd KYC/AML system we are in." He believes that this system "facilitates geopolitical and law enforcement efforts at the expense of citizen privacy, while placing a heavy burden on businesses, making it easier for criminals to engage in extortion, kidnapping, and fraud."

  3. Information honeypot, should we continue to double down?

Arthur, founder of DeFiance Capital, posted on X stating that Coinbase really needs to solve its problems; if the Coinbase platform ultimately becomes a honeypot of important user information, there is no reason to continue requiring KYC.

For the cryptocurrency industry, when "compliance" becomes the reason for forcibly collecting sensitive user information, are platforms ready to bear the accompanying data security responsibilities? This discussion surrounding KYC is not new, but this real-world case has made the controversy sharper: the tension between regulatory compliance and user privacy is becoming an unavoidable dilemma for the cryptocurrency industry.

Compliance is the ticket to the mainstream, but it is also the touchstone of data security. It not only tests technical strength but also questions the platform's sense of responsibility and its level of governance.

This is a road with no turning back, and a journey that is destined to be long and arduous.

The road ahead is long, and the burden is heavy.
