I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction. They speak perfect English with an American accent, sound very friendly, and have knowledge of your account balance. Thankfully on the first call I realized it was a scam right away, and Google's call screening feature takes good care of the rest. Wish I could forward them to Kitboga[1].
I guess they didn't have as much luck as they wanted scamming Coinbase's customers, and once they had their fun they decided to try extorting Coinbase themselves.
If you had any significant assets on Coinbase at any time prior to this breach, spear phishing is the least of your worries.
Coinbase not only leaked your full name and address, they also gave up your balances, your transaction history, and images of your government identification.
People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom.
"Significant" in this case can be $10k or less.
Until now, your best defense was secrecy. Never talk about crypto in public in any way that could be traced to your real-world identity.
Thanks to Coinbase that defense is now gone.
The bad guys can see who has ever had a significant balance on Coinbase (even if they don't right now), whether that balance was sold for cash and how much, or if you've ever transferred tokens off the exchange to a self-custody wallet.
Now the bad guys know who's worth kidnapping for ransom and where you live. For most people, a Google search of your name and home address turns up the names of family members who would also be lucrative targets for kidnapping and threats of violence.
Coinbase will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company.
"They Stole a Quarter-Billion in Crypto and Got Caught Within a Month. How luxury cars, $500,000 bar tabs and a mysterious kidnapping attempt helped investigators unravel the heist of a lifetime."
https://www.nytimes.com/2025/04/24/magazine/crybercrime-cryp... (gift article)
The parent post was someone literally hosting a crypto conference, and this one was someone who runs a crypto company. A sibling story describes the father of a 'cryptocurrency influencer.' Is there any evidence of real crime happening which was targeted at Coinbase leak data, or is this just vibes?
If you're kidnapping a generic very rich person, how are you expecting them to pay the ransom, a big burlap sack of cash? There's a lot that can go wrong there. A bank transfer or other conventional financial instrument? Few criminals would be comfortable with that approach. (John Grisham novels, and Archer's beloved bearer bonds, aside, it's virtually impossible to make this untraceable). Magic internet money is presumably far less messy.
Also, a decent proportion of crypto-millionaires came by their riches in... not entirely above-board ways (in particular, securities fraud; all those pump and dump scamcoins are paying off for _someone_), and may be reluctant to involve the authorities. And the crypto industry as a whole is unusually comfortable with extortion; hacked crypto companies paying a kind of bounty to hackers to get the rest of the funds back is a common thing.
> They can use their bank account to buy crypto and then pay the ransom.
This is actually more difficult than it sounds. Most banks and crypto exchanges won't allow a person to make meaningfully large crypto transactions without some account history.
“Hey, cryptocurrency exchange, I, a random rich person, would like to, having never interacted with you before, buy a million dollars of bitcoin and transfer it out. Today, please.”
Eh, a million dollars would not raise a single eyebrow from an exchange side. Your bank, maybe, will have some questions about the transaction, but the things they can do to prevent you spending your money are thankfully fairly limited.
How long do you think it takes to create an account, get your KYC documents verified, get your trading and withdrawal limits raised to a million or more, transfer funds from your brokerage account, buy tokens and then re-verify when you try to transfer the tokens out of the exchange?
You'd be lucky to complete this in less than a week.
My experience with banks in UK / EU is that they will bother you for much smaller amounts than 1M. I had banks bother me for 10k transfers and other banks completely ignore me for 100k transfers.
It happens with cash sometimes but people are limited to the amount they can get out of an ATM, whereas with crypto you can force someone to hand over all their wealth with a few keystrokes.
But hey, at least by being forced to give crypto exchanges all our personal details we're all super protected from the four horsemen: money laundering, drugs, terrorism and pornography.
I think that the right lesson to learn here is not "I should store my money with a company I can't trust not to advertise where I live, but without telling them where I live".
> People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom. "Significant" in this case can be $10k or less.
I wonder why; select a person completely at random and by median you'll get just as much from what they have sitting in their checking account. Select a nicer area for an order of magnitude more. That's not encouragement to go assault people in their homes or kidnap families... just confusion.
Yeah, but banks and the normie monetary system have a lot more safeguards in them when it comes to account transfers. Or at least, they appear to have them.
I tried to use Coinbase a few months ago to pay for something, and I couldn't even make a transaction because it was deemed suspicious, and my account got locked or something.
Someone with a lot of cryptocurrency in Coinbase is also quite likely (at least relative to the average person) to have lots of on-chain cryptocurrency, too, though.
The median person does not have $10k sitting in a checking account that they can easily withdraw. My gut feeling is that the threat of kidnapping is a lot more serious in some countries. The US maybe not so much.
> The median person does not have $10k sitting in a checking account that they can easily withdraw.
That's true, finding someone with 10k is not as easy as picking a person at random, but it is as easy as driving to the right parking lot and picking a person at random.
Pulling $10k out of the global banking system by physical coercion in a way that isn't reversible and won't get you caught is a hard problem; you might as well attempt to rob the bank instead. That's why most of the "successful" criminals in that space use social engineering and scamming where the victim is an unwitting participant rather than kidnapping someone.
With crypto, no bank or other middleman involved, it's like stealing physical cash/gold/diamonds from someone, if you know they have it in their possession, so violence can be a lot more successful at coercing a change of possession.
Good point, perhaps the lower $ examples are about other countries where that may be a lot more than median transactional account holdings and maybe that concern is part of why folks were using crypto holdings.
Bank transactions are reversible, crypto transactions are not.
Also, people do point guns in people’s faces and force them to pay them via Venmo or Cashapp. Google ‘Venmo robbery’ or ‘cashapp robbery’ for plenty of examples. Pointing a gun in someone’s face for $4M in crypto is a lot more lucrative.
Maybe they wouldn't be able to cover other planned expenses with said loss or something, but the median (I intentionally avoid referring to "average" for reasons also mentioned in this article) amount Americans have access to in their transactional bank accounts is $8,000 according to the Federal Reserve: https://www.fool.com/money/research/average-savings-account-...
Someone else made a great mention though: Coinbase didn't just serve the US. For the vast majority of countries these amounts are more than the yearly disposable income of a typical household. From that angle the numbers in the stories make a bit more sense.
Companies should seriously consider implementing GDPR even in the US, it certainly made taking data dumps of customer data a lot harder and certainly private images like Government IDs were encrypted on disk. I’m surprised at the lack of security if I’m honest, at Yahoo! almost nobody had access to prod user data.
Essentially you cannot trust Coinbase IMO, might move the few hundred dollars of BTC out of there :-)
> How does Coinbase protect data in transit and data at rest?
> Coinbase employs a range of technical and organizational measures to defeat efforts to intercept, surveil, or otherwise access without authorization data in transit. For instance, Coinbase encrypts all confidential data transfers to prevent interception or tampering of that data by unauthorized third parties.
Coinbase does business in the EU and thus, already has to comply with the GDPR. Moreover, the US also requires safeguards for sensitive customer information by financial services companies.
Yeah this is really frustrating, especially the way the EU commission keep coming up with workarounds that the court will almost certainly strike down.
I checked my email to see if I received anything and, interestingly, I received an email from Coinbase on April 14 that they're updating the User Agreement. The new terms only apply to disputes initiated by me or Coinbase after May 15, 2025. Timing seems suspect.
The comment said "should be" which you glibly interpret as "should be going to jail based on the law" but could very easily be "the law should be such that this kind of negligence results in jail time".
I assume they mean that someone from the company going to prison for this would be a just outcome, not that a path to such an outcome exists today (it likely does not).
Only because of US law. It didn't have to be this way; the US wanted to destroy Bitcoin as a currency because it threatened their surveillance state, and they effectively have.
Btc whales want to destroy the dollar because it benefits them.
Neither the dollar nor crypto is anything but a social illusion, and neither has an inherent right to exist.
It’s just people manipulating people. Such an intellectually dishonest forum to sit here and discuss meaningless layers of obfuscation.
The most important thing to any individual is having enough other humans around that their own life isn’t so hard. Specific humans, like those on this forum, are not essential.
You all can bleat on as hard as you want about the existence of crypto but it’s not an evenly distributed belief. And your individual value is non existent to the majority on the planet. No reason to prop up your hallucinations
Why do you see this as the fault of Coinbase? Do other companies somehow have employees that are immune to bribes and blackmail?
This is due to US Government KYC laws that forced Coinbase to associate government identification with all accounts. No crypto company required ID until they were forced to.
The US Government didn't provide high-volume, bulk access to this extremely sensitive information to contractors in foreign countries with no controls over their ability to mass-exfiltrate the data.
Coinbase is the entity that set up this dangerous system.
Coinbase did it because it was cheap for them, not because they were being trustworthy custodians of information that put their customers at risk.
Sure, yes, obviously every company's employees and contractors are vulnerable to bribes and blackmail. That's why a trustworthy, competent custodian would establish systems and controls to prevent bribed and blackmailed insiders from mass-exfiltrating information that could get their customers killed.
The fact that other companies manage to be trustworthy, competent custodians while Coinbase doesn't is not the fault of KYC.
Fair enough, and it does sound like they had limits given that not all customer data was exfiltrated but those limits were probably far too high at tens of thousands affected.
There is no valid reason why Coinbase or any other financial services company should ever be excepted from AML/KYC laws. If anything the laws ought to be even tighter to slow down financial flows to criminals and sanctioned entities.
It’s my biggest gripe. They can pretty accurately flag a number as Spam or Telemarketing but in the “Silence Unknown Callers” setting I can only silence every single unknown caller. I can’t silence every single number that’s not in my contacts. When the plumber calls to confirm he’s en route, my phone needs to ring. Stuff like that.
In the realm of Caller ID, a phone number may be "PRIVATE" (or "WITHHELD") or "UNKNOWN". An "UNKNOWN" Caller ID cannot display any name nor any number, because... they are not known to the switch.
Therefore, an unknown number that can be blocked/ignored by your phone or the app is one that doesn't support Caller ID's name or number functions. It doesn't have anything to do with who's in your Contacts app, because of course those consist of known names and known numbers.
There is a defined type “Unknown” which I think you’re describing, but it’s not exactly how the iOS feature works. It lets through those in your contacts or who you’ve had recent conversations with, and Siri suggestions. It’s basically a dumb proxy for letting through people you might actually want to talk with. Except sometimes you don’t know who/where/when those calls are coming from and I haven’t spoken to them before.
it is super fucking easy. it has been a decade since I answered an unknown number. if the plumber calls (and I don't have her/his number stored) it goes to voicemail. I then call the known company number. The communication is always one-way: I call you. I never answer. You follow this one very simple rule and you're good :)
There are plenty of situations where this doesn't work. If you're called from a business central line and you don't know their extension, you just call back and get the normal call tree, which can take you forever to get through. Or if you're on the "cancellation list" for an appointment and they can't get through to you, they don't wait for you to call back; they just go on to the next person to schedule in their open slot.
Taxi cab dispatchers will do this for sure. They do callbacks to “confirm” your ride, especially when busy, because if you don’t answer, they simply drop your request on the sticky office floor.
this is a loss of business for them, not my problem. it is 2025; if they do not have a map where I can track where they are etc., I'm not going to be using that service...
So this app that millions of people use, probably most of the ~1.4 billion iPhone users… instead of making some minor edits to the settings to make it better for a lot of people, the solution is we all just need to use the app the way you do?
Not even going to consider that some people are more phone dependent and not just fielding an occasional call from their lost dasher or uber driver. Overly simplistic view on the world, you need to think beyond your use cases and make software that is beneficial to the entire user base. It’s the whole point of having a settings section of the app, to allow some custom behaviors tailored to your needs and some you won’t use because they are tailored towards someone else’s needs
Glad it works for you, I’m not allergic to the phone like seemingly everyone else so I strive to minimize phone tag BS and would rather answer the calls I get and filter out known spam, it’s not rocket science it’s probably only 2 lines of code in the phone app
If call is spam and ignore spam option enabled, send call to voicemail.
That’s it, a simple line of code. Just make the option selectable and it’s done.
This could have been solved with regulation. Mandate delivery of all available phone call metadata to every digital telephone. Mandate that mobile phone operating systems must expose that data to apps approved by the user.
We'd have hundreds of enshittification-ready VC-backed apps to fix spam calls overnight.
Instead, we got STIR/SHAKEN mandates, which is just a soft way of having the legacy telcos "promise to fix it for you."
I believe there are Phone app alternatives, I just don’t trust them
I feel like Apple's M.O. on software is to build the lowest passable set of features in their apps, never enhance them, and allow third parties to delve into the high functionality/spec software. Mail is horrible, Camera good enough for most people, for me personally even Safari is in this camp; I’d swap any of those for a third party solution without much thought. The Phone app becomes a bit too much of a security risk to use a third party, such that I’d never even consider leaving the default Phone app.
iPhone has been enshittified for several years now; it seems Apple engineers are not using their own phones any more. I can understand it - when you're a millionaire just from your corporate job you won't be a stressed power user of your own iPhones.
It’s not that it got worse, this feature has just never been great. It just feels half-baked, which I agree a lot of Apple software has been trending towards. That said, what has increased is the volume of spam calls. So the importance of this feature has also increased.
It’s sad because this seems like such a low hanging fruit for a big improvement. At some point in the relatively recent past, they added the indicator of the caller being a spammer or telemarketer. Seems like that would have been a good time to also enhance this filter but it seems nobody ever connected the dots on that one. Or if I’m being even more cynical, some engineer actually decided he’d rather everyone see his work on every incoming spam call instead of his work quietly improving everyone’s experience
No sane person would flout Apple secrecy in such a fashion whilst employed there.
> instead of his work quietly improving everyone’s experience
Laughable that you feel that Apple engineers have the capacity for this kind of desire in 2025. If they did, Xcode would be way better to use. They can't even quietly improve their own experience.
Whatever man, I'm not trying to shit on them like you want me to. I think adding this simple feature, which is likely little more than a line or two of code, is a night and day comparison to overhauling something like Xcode to meet your definition of what "better" means.
Oh man. They start at 7AM and end around 4-5ish PM. I was hoping the war between Pakistan and India would make these stop. Jk obv. Nobody likes wars. But other than Tmobile are there similar methods for different providers? It can get so annoying. I did restrict calls from known numbers only.
Yep, I finally broke down and went from Android -> iPhone 16 Pro. I like a lot about Apple's personal security policies for their consumers vs Google, but damn, I miss Google's automatic call spam detection and management. All day long my Apple phone rings, and I just have to ignore the calls.
Verizon (and I assume many other US carriers) offer junk call identification which your iPhone can block if you have "Silence Junk Callers" toggled in Settings > Phone > Call Blocking & Identification.
Unfortunately blocking all unknown calls is the only way to sanity. Otherwise we're talking 6-9 calls coming in ALL DAY, EVERY DAY.
The calls are coming from new numbers, across multiple area codes. A few months ago I would have advised using Begone (https://apps.apple.com/us/app/begone-spam-call-blocker/id159...) to block, but that only worked since these calls were isolated to blocks of area codes that were pretty safe to block like 888-XXX-XXXX; now ZERO of these calls are using a fixed area code that would be relatively safe to block.
They could also just easily enhance the feature right? It’s an extra if statement in the code. I get enough calls that it’s not practical to constantly edit a setting that’s like this. There’s nothing else in the settings app I change regularly, it’s mostly set and forget.
It’s much better to just silence every spam call automatically instead of having to go into voicemail, listen, decide if I need to respond, hope that I’m acting quickly enough that the other person answers when I ring them back, etc. I imagine this works for a lot of people. But if you get enough calls, or get urgent calls for any reason, it’s not ideal.
For those that can’t imagine the use cases: consider you are the primary contact for your elderly parent. If they fall in the middle of the night you might be getting a call from any random number. Do not disturb isn’t an option, and sometimes the EMS guys will call you from their personal cell phone. Even some services like home security will call from random numbers. If I ask a plumber to come over, some random technician will call from their device to talk. If a potential client gets my number somehow, I’d prefer to answer versus them getting my voicemail.
You have to also factor in that a lot of people don’t even like leaving voicemail so they don’t leave one and I’m left guessing if it mattered that
I need calls from unknown numbers (doctors, vendors, etc.) Pixel would flag spam calls and not ring, all the unknown-but-valid callers got through without issue.
Sometimes you need to answer calls from unknown numbers.
Google's call screening feature picks up the phone before it rings and asks the caller why they're calling. If they actually give a good reason, then it shows you the reason as text and you can decide whether to hang up on them or answer. https://support.google.com/phoneapp/answer/9118387
iPhone user here. I put on airplane mode unless I'm making or expecting a call. Otherwise, I make it clear that email is my primary form of communication.
Oh yeah I get the Microsoft account emails, and Instagram ones, randomly (I have an account but never use it). I'm pretty sure SMS 2FA is turned off on my Coinbase account, which is highly recommended.
> I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction.
And how long has this been at an increased level? Because I'm not buying the Coinbase narrative that they didn't think this was a systemic issue until they were contacted by the 'cybercriminals'.
It started around the beginning of April, at the same time as I got an initial email from them about my account information being accessed. Which I'm thinking is probably the same breach as they're talking about here.
Scams have gotten better since AI. Most of the common spelling mistakes are gone.
I was looking through some phishing e-mails the other day out of curiosity and found a weird unicode character mistranslated. Immediately knew it was an artifact of bad translation. So they're not perfect, but they're damn good.
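The stray character described above is a concrete, checkable signal. The Python below is added here as an illustration and is not code from any comment in the thread: it scans an email body for Unicode artifacts that tend to betray encoding damage, machine translation or homoglyph spoofing, namely U+FFFD replacement characters, invisible format and control characters (zero-width joiners, right-to-left override and the like), and single words that mix Latin letters with Cyrillic, Greek or Armenian look-alikes. The sample messages are constructed, and the script-name heuristic is an approximation because the standard library exposes no Unicode script property.

```python
import re
import unicodedata

# Scripts told apart by the prefix of the character's Unicode name. The stdlib
# unicodedata module has no script property, so the name prefix is a stand-in
# that is good enough to catch Latin/Cyrillic/Greek homoglyph mixing.
CONFUSABLE_SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN")

# Control characters that are legitimate in plain-text email bodies.
BENIGN_CONTROLS = "\t\n\r"


def script_of(ch):
    """Coarse script label for a letter, 'OTHER' for other letters, None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for prefix in CONFUSABLE_SCRIPTS:
        if name.startswith(prefix):
            return prefix
    return "OTHER"


def scan_text(text):
    """Return a list of (kind, detail) findings for suspicious Unicode in `text`.

    kinds: replacement_char  - U+FFFD, left behind by lossy decoding/translation
           format_char       - category Cf (zero-width chars, bidi overrides, BOM)
           control_char      - category Cc other than tab/newline/CR
           mixed_script      - one word mixing e.g. Latin and Cyrillic letters
    """
    findings = []
    for i, ch in enumerate(text):
        cat = unicodedata.category(ch)
        if ch == "\ufffd":
            findings.append(("replacement_char", f"U+FFFD at offset {i}"))
        elif cat == "Cf":
            findings.append(("format_char", f"U+{ord(ch):04X} at offset {i}"))
        elif cat == "Cc" and ch not in BENIGN_CONTROLS:
            findings.append(("control_char", f"U+{ord(ch):04X} at offset {i}"))

    # \w+ on a str matches Unicode word characters, so a spoofed word such as
    # "Coinbаse" (Cyrillic а) stays in one token and is caught here.
    for match in re.finditer(r"\w+", text):
        word = match.group()
        scripts = {script_of(c) for c in word}
        scripts.discard(None)
        scripts.discard("OTHER")
        if len(scripts) > 1:
            findings.append(("mixed_script", f"{word!r} mixes {sorted(scripts)}"))
    return findings


def is_suspicious(text):
    """True when any artifact was found; a cheap pre-filter for a phishing triage queue."""
    return bool(scan_text(text))


if __name__ == "__main__":
    # Constructed samples, not real messages.
    clean = "Please confirm your recent transaction with Coinbase support."
    spoofed = "Verify your Coinb\u0430se account \ufffd now \u202e"
    for sample in (clean, spoofed):
        print(repr(sample), "->", scan_text(sample))
```

Treat the output as a triage hint rather than a verdict: a legitimate email from a bilingual sender will trip `mixed_script`, and emoji sequences legitimately contain zero-width joiners, so the findings belong in a scoring pipeline next to sender and link checks, not in an auto-block rule on their own.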
Because people who read the message and think it's professionally written despite the spelling errors have a large overlap with people who will fall for the scam, at least far enough that money is transferred.
Where was the number from? I received an impressive number of phone call attempts but thankfully I never answer unknown numbers. With Google call screen they hung up every time so I assume it's a scam.
[1] https://www.youtube.com/watch?v=HNziOoXDBeg