CyberSecurity news

FlagThis - #insiderthreat

Dissent@DataBreaches.Net //

Coinbase Data Breach Exposes Customer Data - Coinbase confirmed an insider data breach where overseas support staff were bribed, resulting in the compromise of 69,461 customers’ data.
Coinbase confirmed a significant data breach affecting 69,461 customers, revealing that overseas support staff were bribed to hand over sensitive user data to criminals. The breach, which began on December 26, 2024, went undetected until May 11, 2025, leaving customers vulnerable to potential phishing attacks and extortion schemes. Coinbase acknowledged the incident in a filing with the Securities and Exchange Commission (SEC) on May 15, further detailing that the perpetrators attempted to extort the company for $20 million. The company has since confirmed the support staff involved have been fired.

The compromised data included a wide range of personal information, such as names, addresses, phone numbers, email addresses, the last four digits of Social Security numbers, masked bank account numbers, images of government IDs (passports and driver's licenses), and Coinbase account data, including balance snapshots and transaction histories. Coinbase emphasized that passwords, seed phrases, and private keys were not compromised, ensuring direct access to accounts and funds remained secure. The company is offering affected users free one-year credit monitoring and identity protection services to mitigate the potential fallout.

In response to the breach, Coinbase is bolstering its cybersecurity measures and has issued a $20 million bounty for information leading to the arrest of those responsible. The company estimates spending between $180 million and $400 million to cover reimbursements to affected users and enhance security infrastructure. While Coinbase intends to reimburse customers who may have fallen victim to phishing scams stemming from the stolen data, concerns remain regarding the potential for continued targeting of Coinbase customers, prompting some legal professionals to consider class-action lawsuits against the cryptocurrency exchange.

Recommended read:
References :
Dissent@DataBreaches.Net //

Coinbase Data Breach Due to Bribed Support Agents - Coinbase disclosed a data breach from bribed overseas support agents, leading to a $20 million extortion attempt and potential costs between $180 million and $400 million for remediation and customer reimbursement.
Coinbase recently disclosed a significant data breach resulting from a bribery scheme targeting overseas customer support agents. The breach, which came to light after a $20 million ransom demand, involved rogue contractors who abused their access to exfiltrate customer data. Coinbase has confirmed that these contractors, located outside the United States, were successfully bribed by cybercriminals to access internal systems and steal sensitive information. Upon discovering the unauthorized activity, Coinbase terminated the involved personnel and initiated a thorough internal investigation.

The compromised data, affecting less than 1% of Coinbase's monthly transacting users, includes names, addresses, phone numbers, email addresses, and the last four digits of Social Security numbers. Additionally, masked bank account numbers, some banking identifiers, government-issued ID images such as driver's licenses and passports, and account data including balance snapshots and transaction histories were exposed. Importantly, Coinbase has stated that no passwords, private keys, or access to customer funds were compromised, and Coinbase Prime accounts and wallets were unaffected.

In response to the breach, Coinbase refused to pay the $20 million ransom and instead offered a $20 million reward for information leading to the identification and prosecution of those responsible. The company is also reimbursing customers who mistakenly sent funds to the scammers due to phishing attempts. Furthermore, Coinbase is taking several steps to enhance security, including stricter identity verification, scam-awareness prompts, relocating support functions to a U.S.-based hub, and improving fraud monitoring and insider threat detection capabilities. This incident could potentially cost Coinbase between $180 million and $400 million for remediation and customer reimbursement.

Recommended read:
References :
  • DataBreaches.Net: Coinbase says hackers bribed staff to steal customer data and are demanding $20 million ransom
  • fortune.com: Coinbase puts $20 million bounty on crooks who tried to extort firm over stolen customer data
  • BleepingComputer: Coinbase, a cryptocurrency exchange with over 100 million customers, has disclosed that cybercriminals working with rogue support agents stole customer data and demanded a $20 million ransom not to publish the stolen information.
  • techcrunch.com: Coinbase says customers’ personal information stolen in data breach. The crypto exchange giant said the hacker was "paying multiple contractors or employees working in support roles," and contacted Coinbase with a ransom demand this week with stolen data, which Coinbase says is "credible."
  • BleepingComputer: Coinbase data breach exposes customer info and government IDs
  • www.bleepingcomputer.com: Coinbase Discloses Breach, Faces Up to $400 Million in Losses
  • The Register - Security: Coinbase says some of its overseas support staff were paid off to steal information on behalf of cybercriminals, and the company is now being extorted for $20 million.
  • Zack Whittaker: Coinbase CEO says the hacker demanded $20 million in a ransom payment not to publish the stolen data. A Coinbase spokesperson tells me that less than 1% of its monthly customers are affected.
  • techxplore.com: Coinbase, the largest cryptocurrency exchange based in the U.S., said Thursday that criminals had improperly obtained personal data on the exchange's customers for use in crypto-stealing scams and were demanding a $20 million payment not to publicly release the info.
  • Metacurity: Hacking incident could cost Coinbase $400 million, $20 million reward offered
  • securityaffairs.com: Coinbase disclosed a data breach after an extortion attempt
  • thecyberexpress.com: Coinbase details insider data theft that led to a $20 million ransom demand. In a and , Coinbase – the third largest crypto exchange by volume – said it will reimburse any customers tricked into sending funds to the attacker.
  • The Hacker News: The Hacker News reports on Coinbase agents being bribed.
  • Secure Bulletin: Coinbase, one of the world’s largest cryptocurrency exchanges with over 100 million customers, has disclosed a significant data breach orchestrated through insider collusion.
  • cyberinsider.com: Coinbase Hit by Insider Breach and Extortion, User Data Compromised
  • securebulletin.com: Coinbase faces major Data Breach: $400 Million in potential losses
  • www.metacurity.com: Hacking incident could cost Coinbase $400 million, $20 million reward offered
  • Zack Whittaker: Coinbase says it was breached, and customers' personal information stolen. The crypto giant said the hacker was "paying multiple contractors or employees working in support roles," and contacted Coinbase with a ransom demand this week with stolen data, which Coinbase says is "credible."
  • The DefendOps Diaries: Inside the Coinbase Breach: Lessons in Cybersecurity
  • techxplore.com: Coinbase on Thursday said criminals bribed and duped their way to stealing cryptocurrency from its users, then tried to blackmail the exchange to keep the crime quiet.
  • Risky Business Media: Risky Bulletin: Coinbase reveals insider breach, extortion attempt
  • hackread.com: Coinbase Customer Info Stolen by Bribed Overseas Agents
  • techcrunch.com: Coinbase says customers’ personal information stolen in data breach
  • www.techradar.com: Personal information leaked in Coinbase cyberattack, cost could be $400 million
  • Security Latest: Coinbase Will Reimburse Customers Up to $400 Million After Data Breach
  • Matthew Rosenquist: This is how you handle digital extortion! Cybercriminals attempted to extort $20 million from Coinbase, but Coinbase refused and will instead fund a $20 million bounty for those that provide information that leads to the attacker’s arrest!
  • Cybersecurity Blog: Cracking the Coinbase Breach: What Went Wrong and What We Can Learn
  • www.cybersecuritydive.com: The crypto exchange is offering a $20 million reward for information leading to the hackers’ arrest. Coinbase terminated customer support agents who leaked customer data.
  • Threats | CyberScoop: Coinbase flips $20M extortion demand into bounty for info on attackers
  • Bitcoin News: Coinbase says it might cost between $180 million and $400 million to upgrade its security measures and reimburse lost funds.
  • www.csoonline.com: Coinbase ( ), the largest crypto exchange in the US, is offering a $20 million bounty for information leading to those behind a May 2025 breach that compromised customer data.
  • cyberscoop.com: Coinbase is offering a $20 million reward for information leading to the hackers’ arrest.
  • www.cybersecurity-insiders.com: Coinbase, one of the largest cryptocurrency exchanges, has disclosed a significant data breach that exposed sensitive customer information, including government-issued IDs. The attackers contacted Coinbase on May 11, demanding a $20 million ransom to prevent the public release of the stolen data.
  • hackernoon.com: Contractor Backdoor: Coinbase Faces $400M Blow in Major Data Breach
Lawrence Abrams@BleepingComputer //

Hacker Pleads Guilty to Stealing Disney Slack Data - Ryan Kramer pleaded guilty to illegally accessing Disney’s Slack channels and stealing confidential data using malware disguised as an AI image generation tool.
Ryan Kramer, a 25-year-old from California, has pleaded guilty to two criminal charges related to a significant data breach at Disney. Kramer, operating under the alias "NullBulge," admitted to illegally accessing Disney's internal Slack channels and stealing over 1.1 terabytes of confidential data. The stolen data included internal communications, sensitive information, images, source code, and credentials. The breach led Disney to switch from Slack to Microsoft Teams following the incident, which impacted over 10,000 Slack channels.

He distributed a malicious program, disguised as an AI-powered image generation tool, on platforms like GitHub. This program contained a backdoor that allowed him to access the computers of those who downloaded and executed it. According to prosecutors, a Disney employee fell victim to this poisoned project between April and May of 2024, inadvertently granting Kramer access to their network and online credentials. This initial breach then allowed Kramer to move laterally within Disney's systems, compromising various platforms and confidential data storage areas.

Armed with the stolen data, Kramer, falsely claiming affiliation with the Russian hacking group NullBulge, attempted to extort the victim. When the victim did not respond, Kramer proceeded to release their personal information, including bank, medical, and other sensitive details, across multiple platforms. While Kramer awaits sentencing, he faces a maximum of five years in federal prison for each felony count of accessing a computer to obtain information and threatening to damage a protected computer. The FBI is also investigating the extent to which data from at least two other victims who downloaded Kramer's malicious GitHub project may have been compromised.

Recommended read:
References :
  • bsky.app: Hacker 'NullBulge' pleads guilty to stealing Disney's Slack data
  • cyberinsider.com: A 25-year-old Santa Clarita man has agreed to plead guilty to hacking a Disney employee's personal computer, stealing login credentials, and exfiltrating 1.1 terabytes of confidential data from internal Slack channels used by the entertainment giant.
  • The DefendOps Diaries: Explore lessons from Disney's Slack breach, highlighting corporate cybersecurity vulnerabilities and strategies for protection.
  • BleepingComputer: Hacker 'NullBulge' pleads guilty to stealing Disney's Slack data
  • www.scworld.com: A 25-year-old California man, Ryan Kramer, has pleaded guilty to infiltrating Disneys internal communications and stealing over 1.1 terabytes of confidential data by deploying malware disguised as an AI image generation tool, BleepingComputer reports.
  • The Register - Security: Disney Slack attack wasn't Russian protesters, just a Cali dude with malware
  • www.scworld.com: Hacker pleads guilty to orchestrating Disney data heist
  • www.techradar.com: Hacker pleads guilty to illegally accessing Disney Slack channels and stealing huge tranche of data
  • The Register: Disney Slack attack wasn't Russian protesters, just a Cali dude with malware A 25-year-old California man pleaded guilty to stealing and dumping 1.1TB of data from the House of Mouse When someone stole more than a terabyte of data from Disney last year, it was believed to be the work of Russian hacktivists protesting for artist rights. We now know it was actually a 25-year-old Calif…
  • go.theregister.com: Disney Slack attack wasn't Russian protesters, just a Cali dude with malware
  • gbhackers.com: GBHackers Article: Disney Hacker Admits Guilt After Stealing 1.1TB of Internal Data
  • Talkback Resources: Disney Slack hacker was Californian, not Russian: DoJ
  • DataBreaches.Net: Disney Hacker Who Accessed 1.1 Terabytes of Data Pleads Guilty
  • CyberInsider: Disney Hacker Admits Using Malware-Laced AI Art App to Achieve Breach
  • securityonline.info: California Man to Plead Guilty in Hack of Disney Employee, Theft of 1.1TB of Confidential Slack Data
Pierluigi Paganini@Security Affairs //

Cybersecurity CEO Charged with Hospital Malware Installation - Cybersecurity firm Veritaco's CEO, Jeffrey Bowie, was charged with installing malware on hospital systems in Oklahoma City to capture screenshots and transmit them to an external IP address.
Jeffrey Bowie, the CEO of cybersecurity firm Veritaco, has been arrested and charged with two counts of violating Oklahoma's Computer Crimes Act. The charges stem from an incident on August 6, 2024, where Bowie allegedly installed malware on employee computers at St. Anthony Hospital in Oklahoma City. Security footage captured Bowie accessing multiple offices within the hospital before installing the malicious software, which was designed to capture screenshots every 20 minutes and transmit them to an external IP address.

Following the discovery of the unauthorized installation by a vigilant hospital employee, St. Anthony Hospital conducted a forensic review confirming the presence of malware. When confronted, Bowie claimed he needed to use the computer for a family member undergoing surgery, but authorities found his explanation unconvincing. SSM Health, the hospital's parent organization, issued a statement assuring the public that immediate action was taken and that no patient information was compromised due to the security measures in place. The hospital has since increased monitoring and employee training to further protect their systems.

Bowie's arrest has sent shockwaves through the cybersecurity community, particularly given his position as the head of a firm specializing in protecting businesses from cyber threats. Veritaco, described on Bowie's LinkedIn profile as a company focused on "cybersecurity, digital forensics, and private intelligence," employed between two and ten individuals. The incident underscores the potential for insider threats, even from individuals entrusted with security responsibilities, and has led to renewed calls for robust internal controls and employee vigilance.

Recommended read:
References :
  • Cyber Security News: Cyber Security Company CEO Arrested for Installing Malware Onto Hospital Computers
  • gbhackers.com: Jeffrey Bowie, the CEO of a local cybersecurity firm, has been arrested for allegedly planting malware on computers at SSM St. Anthony Hospital.
  • buherator's timeline: Cybersecurity News - CEO of cybersecurity firm charged with installing malware on hospital systems 🤦
  • securityaffairs.com: Veritaco CEO Jeffrey Bowie faces charges for allegedly installing malware on hospital computers, violating Oklahoma’s Computer Crimes Act.
  • Talkback Resources: Veritaco CEO Jeffrey Bowie arrested for allegedly installing malware on hospital computers in violation of Oklahoma's Computer Crimes Act.
  • cybersecuritynews.com: Jeffrey Bowie, the CEO of a cybersecurity firm Veritaco, is facing two counts of violating Oklahoma’s Computer Crimes Act for allegedly infecting employee computers at the Oklahoma City St. Anthony Hospital.
  • The Register - Security: Cybersecurity CEO accused of running malware on hospital PC blabs about it on LinkedIn

Posts

Blogs

Research Tools