
A $20 million, insider-led extortion attempt at Coinbase has proved a stark reminder of the threat companies can face internally – and the need to minimise the blast radius from a potential compromise of the IT support team.
The top-five crypto exchange admitted on May 15 that the threat began with a “small group of insiders” persuaded by a cash offer to copy data in Coinbase’s customer support tools and share it with threat actors.
The data breach affected 1% of its monthly users, likely 97,000 people based on its recent user data. Personal details, ID images, social security and bank numbers, account data, and some corporate data were stolen in the attack: “No passwords, private keys, or funds were exposed” it insists.
But armed with this information, the attackers launched a wave of successful social engineering attacks, posing as customer-support representatives for Coinbase. The company said in an SEC filing that it has “preliminarily estimated expenses to be within the range of approximately $180 million to $400 million” for remediation costs and reimbursements.
That’s just the latest in a string of social engineering attacks against crypto-wallet holders. An earlier campaign saw attackers breach SendGrid, an email service provider used by cryptocurrency portfolio management platform Cointrackers to send phishing emails at scale.
It also follows a successful attack on Okta's support team and the compromise of its support case management system in 2023.
Coinbase has refused to pay the $20 million ransom, instead offering a reward of the same value for information on the attackers’ identity.
It’s a textbook case for a type of attack that has kept many a CISO and CSO up at night, involving what the same SEC filing described as “multiple contractors or employees working in support roles outside the US.”
It was not immediately clear if it was a third-party support firm that was hit. Coinbase has outsourced customer support since 2017. Regardless, there’s a lesson on maintaining security across outsourced operations.
As Kane Narraway, who runs security for Canva, noted: “The reality is you can do everything right, then someone can just pay insiders for the info…
“[But use] defense in depth to limit their standing access,” he wrote on LinkedIn, suggesting that organisations should, where possible, ensure “different support teams have access to different customer sets. The fewer customers a support agent has standing access to, the better.”
Narraway added that firms should:
“Use explicit customer consent checks wherever possible and prevent access to customer UGC [user-generated content]. This is a great way to cut down the amount of access individuals have, without hefty access approvals.
“Make access log reviews easy, both for the security team and for managers of customer support, as they often have more context about expected access patterns. Ideally, pair both device logs (EDR, Browser, etc) with detailed customer support access logs.
“Ideally, customer support should test customer issues in ephemeral cloud environments, which are separated per customer rather than on their workstations.
“Ensure your BPOs and contractors follow the same controls as your staff, if not even stronger controls.”
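As an added illustration of the controls quoted above (customer-set partitioning, explicit consent checks and access-log review), here is a minimal policy check and review pass over constructed support-tool access logs; this is example code written for this article, not Canva's or Coinbase's tooling, and the team names, action names, log format and bulk threshold are all assumptions.

```python
import re
from collections import defaultdict
# Constructed sample data: customer set each support team may reach, and each
# agent's team. No agent has standing access to every customer.
TEAM_SEGMENTS = {
    "support-emea": {"c1001", "c1002", "c1003"},
    "support-apac": {"c2001", "c2002", "c2003"},
}
AGENT_TEAMS = {"agent-a": "support-emea", "agent-b": "support-apac"}
# Hypothetical action names that read regulated data and need a consent ticket.
CONSENT_REQUIRED = {"view_id_image", "view_ssn", "export_record"}
# Assumed log format: timestamp agent customer action consent-ticket ("-" if none)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
SAMPLE_LOG = """\
2025-05-10T09:00:00Z agent-a c1001 view_profile -
2025-05-10T09:01:00Z agent-a c1002 view_id_image T-481
2025-05-10T09:02:00Z agent-a c1003 view_profile -
2025-05-10T09:03:00Z agent-a c2001 view_profile -
2025-05-10T09:04:00Z agent-b c2001 view_ssn -
2025-05-10T09:05:00Z agent-b c2002 view_profile -
2025-05-10T09:06:00Z agent-b c2001 export_record T-482
"""

def authorize(agent, customer, action, ticket):
    """Policy check for one support-tool request: returns (allowed, reason)."""
    team = AGENT_TEAMS.get(agent)
    if team is None or customer not in TEAM_SEGMENTS[team]:
        return False, "customer outside agent's assigned segment"
    if action in CONSENT_REQUIRED and ticket == "-":
        return False, "sensitive action without customer consent ticket"
    return True, "ok"

def review_log(log_text, bulk_threshold=3):
    """Review pass: policy violations, plus agents touching more distinct customers than bulk_threshold."""
    findings, customers_seen = [], defaultdict(set)
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append(("unparseable", line))
            continue
        ts, agent, customer, action, ticket = m.groups()
        allowed, reason = authorize(agent, customer, action, ticket)
        if not allowed:
            findings.append((reason, agent, customer, action, ts))
        customers_seen[agent].add(customer)  # counted even when denied
    for agent, custs in customers_seen.items():
        if len(custs) > bulk_threshold:
            findings.append(("bulk access: %d distinct customers" % len(custs), agent))
    return findings
```

Running `review_log(SAMPLE_LOG)` flags agent-a's out-of-segment read, agent-b's consent-less sensitive read, and agent-a for touching four distinct customers; in practice the manager review would pair these findings with EDR and browser logs, as the quote suggests.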
(Risk management company Mitratech claimed 61% of companies it spoke to had suffered a third-party data breach or security incident in 2023, and real-world examples have been as serious as North Korean state actors finding their way into US and European countries as IT freelancers.)
For the public, the breach is also a reminder of the threat that traditional social engineering tricks pose even to higher-security technologies such as blockchain.
Nick France, CTO of digital certificates company Sectigo, said compromised crypto accounts had the potential to lead attackers to “an entire financial ecosystem.”
He advised: “Robust authentication methods like MFA and biometrics are useful and Public Key Infrastructure (PKI) can play a vital role by providing secure digital certificates that verify the identities of both users and merchants during transactions.”
Insider threat frameworks: A gap, still?
As MITRE noted in June 2024, "there are currently no data-driven comprehensive threat frameworks for insider threat.
"While there have been some attempts to develop conceptual threat frameworks for insider threat, those efforts are generally based on assumptions, or have limited or no utility due to inadequate data quantity and quality. Most existing frameworks fail to account for both behavioral and cyber aspects of insider threat..."
The organisation has since created an "insider threat TTP [Tactics, Techniques, and Procedure] tools knowledge base" that maps possible mitigations to the ATT&CK TTPs.
As MITRE's Mike Cunningham noted when launching that project: "The most identified mitigations are foundational security practices — user account management, privileged account management, multi-factor authentication, auditing, and disabling or removal of features or programs. These demonstrate that basic cyber hygiene is still essential and effective when designing a security program."
He added: "We’ve also introduced Observable Human Indicators (OHIs), which are discernible and quantifiable attributes of individuals within an organization — such as job title, access level, and tenure. OHIs provide a factual basis for assessing potential insider threat risk that complements the techniques insiders deploy against IT systems."
The extent to which such OHIs can be monitored across third-party firms arguably remains a major controls gap.
We'd welcome our readers' views. Get in touch by email.