
Coinbase Faces DoJ Probe After $400M Breach, Hacker Taunts ZachXBT Amid Insider Leak Fallout

By Kurt Robson
Edited by Samantha Dunn
Key Takeaways
  • ZachXBT, a well-known crypto investigator, has been publicly taunted by someone he claims is the bad actor or group behind the Coinbase breach.
  • Last week, it was reported that some Coinbase users had been tricked into sending funds to attackers after they gained access to personal information.
  • Instead of paying the $20 million ransom demanded by hackers, Coinbase offered the same amount as a reward for information leading to arrests.

The threat actor behind the Coinbase data breach has publicly taunted popular on-chain investigator ZachXBT using a public Ethereum transaction.

The move comes after Coinbase declined to pay a $20 million ransom to attackers who obtained customer account data by bribing overseas support staff.

Last week, the Department of Justice (DoJ) was reported to have opened an investigation into the breach.

Coinbase Hacker Taunts Investigator

On Wednesday, the hacker wrote “L bozo” in the input data field of an Ethereum transaction. That field is free-form calldata that any sender can attach to a transfer; the EVM ignores it when the recipient is an ordinary account, but it is recorded permanently and is readable by anyone inspecting the chain, which makes it a convenient public message board.

On May 22, ZachXBT said in his “Investigations” Telegram channel that the actor behind the message was the same individual or group responsible for the Coinbase data breach.

ZachXBT said the threat actor had swapped approximately $42.5 million from Bitcoin to Ethereum through the cross-chain swap protocol Thorchain.

On-chain data shows that the threat actor’s address, labeled “Fake_Phishing1158790”, moved another 8,698 ETH ($22.6 million) about an hour after the mocking message was sent.
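Messages like the one above are trivial to recover from a transaction record, but an investigator scanning an address's history also has to tell free-text notes apart from ordinary contract calls. The following is an added example, not code from the article or from ZachXBT: it decodes the `input` field of transaction records shaped like an `eth_getTransactionByHash` response and classifies each as empty, a text message, or an ABI-encoded call. The sample transactions are constructed and the hashes and addresses are placeholders, not real on-chain data.

```python
"""Decode human-readable notes from the input-data (calldata) field of Ethereum
transactions and separate them from ordinary ABI-encoded contract calls.

Added example. SAMPLE_TXS mimics the shape of an eth_getTransactionByHash
result; hashes, addresses and amounts are constructed placeholders.
"""
from typing import Dict, List, Optional

# Constructed samples (not real transactions):
#  1. a transfer to an ordinary account carrying an ASCII note in `input`
#  2. an ERC-20 transfer(address,uint256) call: 4-byte selector + two 32-byte words
#  3. a plain value transfer with no data
SAMPLE_TXS: List[Dict[str, str]] = [
    {"hash": "0x" + "11" * 32, "to": "0x" + "aa" * 20,
     "input": "0x" + "L bozo".encode().hex()},
    {"hash": "0x" + "22" * 32, "to": "0x" + "bb" * 20,
     "input": "0xa9059cbb" + "00" * 12 + "cc" * 20 + "00" * 31 + "01"},
    {"hash": "0x" + "33" * 32, "to": "0x" + "dd" * 20, "input": "0x"},
]


def _to_bytes(input_hex: str) -> bytes:
    """Strip an optional 0x prefix and return the raw calldata bytes."""
    return bytes.fromhex(input_hex[2:] if input_hex.startswith("0x") else input_hex)


def decode_input_message(input_hex: str) -> Optional[str]:
    """Return the calldata as text if it is non-empty, valid UTF-8 and printable.

    Heuristic: a selector whose four bytes all happen to be printable ASCII would
    pass this check, so in production try ABI decoding first where the target is
    a known contract.
    """
    raw = _to_bytes(input_hex)
    if not raw:
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def selector(input_hex: str) -> Optional[str]:
    """Return the 4-byte function selector as 0x-hex, or None if too short."""
    raw = _to_bytes(input_hex)
    return "0x" + raw[:4].hex() if len(raw) >= 4 else None


def classify_input(input_hex: str) -> str:
    """Coarse classification: 'empty', 'message', 'abi_call' or 'unknown'."""
    raw = _to_bytes(input_hex)
    if not raw:
        return "empty"
    if decode_input_message(input_hex) is not None:
        return "message"
    # ABI-encoded calls are a selector followed by whole 32-byte words.
    if len(raw) >= 4 and (len(raw) - 4) % 32 == 0:
        return "abi_call"
    return "unknown"


def find_messages(txs: List[Dict[str, str]]) -> Dict[str, str]:
    """Map transaction hash -> decoded note for every tx carrying a text message."""
    found: Dict[str, str] = {}
    for tx in txs:
        msg = decode_input_message(tx["input"])
        if msg is not None:
            found[tx["hash"]] = msg
    return found


if __name__ == "__main__":
    for tx in SAMPLE_TXS:
        print(tx["hash"][:10], classify_input(tx["input"]),
              decode_input_message(tx["input"]) or selector(tx["input"]))
```

To run this against live data, replace `SAMPLE_TXS` with the results of `eth_getTransactionByHash` (or an explorer's transaction list) for the address of interest; the decoding logic does not change.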

DoJ Investigation

According to a Bloomberg report on Monday, May 19, citing a source familiar with the matter, DoJ investigators have opened a probe into the circumstances of the breach.

Paul Grewal, Coinbase’s chief legal officer, told Bloomberg that the company reported the incident to the DoJ and that Coinbase itself is not under investigation.

In a statement to Bloomberg, Grewal said: “We have notified and are working with the DOJ and other U.S. and international law enforcement agencies, and we welcome law enforcement’s pursuit of criminal charges against these bad actors.”

Data protection authorities in Ireland and the U.K. are also reportedly assessing the breach after being contacted by Coinbase.

Coinbase Breach

In a May 14 filing with U.S. regulators, Coinbase revealed that a hacker had contacted the company days earlier, claiming to have accessed customer account information.

According to the company, the attackers acquired this data by bribing support staff working outside the U.S.

These employees did not break into anything: they pulled customer records from internal systems they were legitimately permitted to use for their job duties, which is what makes a bribed insider hard to distinguish from an agent doing normal work.

Coinbase has since terminated the individuals involved.

The company also said it had detected the suspicious activity in recent months and had warned affected customers so they could “prevent misuse of any compromised information.”

Coinbase estimates that remediation and customer reimbursements will cost between $180 million and $400 million.

Ransom Demand Rejected

The attackers demanded $20 million in exchange for not releasing the stolen data, but Coinbase refused to comply.

In a video posted on X, CEO Brian Armstrong spoke directly to the hackers: “No, we are not going to be paying your ransom.”

He stressed the company’s commitment to transparency and described how the attackers exploited a weak point by targeting overseas support staff who might be willing to accept bribes.

Armstrong clarified that no passwords, private keys, or customer funds were accessed in the breach.

However, support staff do have access to sensitive personal information, including names, birthdates and addresses, he explained.

That data is what made the follow-on social engineering work: posing as Coinbase customer service agents and armed with accurate personal details, the attackers persuaded users to transfer funds themselves.

Coinbase has pledged to reimburse customers who were deceived into sending money.

Armstrong also said the company is hardening its internal systems to prevent a repeat, including limiting the sensitive customer data that support tools can access.
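Two controls a practitioner would want behind that statement, and behind the earlier note that Coinbase detected the suspicious activity itself, are a support view that exposes only masked personal data by default, and a per-agent lookup-rate check that flags an insider harvesting records rather than working tickets. The block below is an added illustration of both and is not Coinbase’s code; the field names, masking rules and the threshold of ten distinct customers per hour are assumptions chosen for the example, and the sample customer record is constructed.

```python
"""Least-privilege support view plus insider bulk-lookup detection.

Added example, not Coinbase's code. Field names, masking rules and the
10-distinct-customers-per-hour threshold are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Customer:
    customer_id: str
    name: str
    birthdate: str      # ISO date, e.g. "1990-04-12"
    street: str
    city: str
    phone: str          # E.164, e.g. "+442071234567"
    email: str


# Constructed sample record; not real customer data.
SAMPLE_CUSTOMER = Customer("c-1", "Alice Example", "1990-04-12", "1 Main St",
                           "London", "+442071234567", "alice@example.com")

SENSITIVE_FIELDS = {"birthdate", "street", "phone", "email"}


def masked_view(c: Customer) -> Dict[str, str]:
    """Default support view. Exact birthdate, street address and full contact
    details are withheld: those are the details an impostor uses to sound like
    the real helpdesk, so an agent who only ever sees this view leaks little."""
    local, _, domain = c.email.partition("@")
    return {
        "customer_id": c.customer_id,
        "name": c.name,
        "birth_year": c.birthdate[:4],
        "city": c.city,
        "phone_last4": c.phone[-4:],
        "email": f"{local[:1]}***@{domain}",
    }


def reveal_field(c: Customer, fld: str, agent_id: str, ticket_id: str,
                 audit: List[Tuple[str, str, str, str]]) -> str:
    """Step-up access to one sensitive field, tied to a ticket and audited.
    Each reveal becomes a row (agent, ticket, customer, field) for the SOC."""
    if fld not in SENSITIVE_FIELDS:
        raise ValueError(f"{fld!r} is not a revealable field")
    if not ticket_id:
        raise PermissionError("reveal requires a customer-initiated ticket")
    audit.append((agent_id, ticket_id, c.customer_id, fld))
    return getattr(c, fld)


class LookupMonitor:
    """Flags an agent whose distinct-customer lookups inside a sliding window
    exceed a threshold. Re-reading one customer's record is normal ticket work;
    touching many different customers in an hour is the harvesting pattern."""

    def __init__(self, max_distinct_per_hour: int = 10,
                 window: timedelta = timedelta(hours=1)) -> None:
        self.max_distinct = max_distinct_per_hour
        self.window = window
        self._seen: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)

    def record(self, agent_id: str, customer_id: str, ts: datetime) -> bool:
        """Record one lookup (timestamps assumed non-decreasing per agent);
        return True if it pushes the agent over the threshold."""
        q = self._seen[agent_id]
        q.append((ts, customer_id))
        cutoff = ts - self.window
        while q and q[0][0] < cutoff:
            q.popleft()
        distinct: Set[str] = {cid for _, cid in q}
        return len(distinct) > self.max_distinct


if __name__ == "__main__":
    audit: List[Tuple[str, str, str, str]] = []
    print(masked_view(SAMPLE_CUSTOMER))
    print(reveal_field(SAMPLE_CUSTOMER, "birthdate", "agent-1", "T-100", audit), audit)
    mon = LookupMonitor()
    t0 = datetime(2025, 5, 1, 9, 0)
    for i in range(12):
        if mon.record("agent-1", f"c-{i}", t0 + timedelta(minutes=i)):
            print("bulk lookup alert at", i + 1, "distinct customers")
```

The monitor is deliberately simple; in practice the reveal audit rows and the lookup stream would feed the same detection pipeline, so that a reveal-heavy agent with no matching inbound tickets stands out as clearly as a bulk reader.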

Nick Jones, Founder and CEO at Zumo, believes attacks are growing increasingly sophisticated through “new AI tools and techniques to bypass fraud prevention measures.”

“This is understandably a huge blow for a company that has had a pivotal few weeks, announcing the acquisition of Deribit in the digital market’s largest deal to date, and then joining the S&P 500,” he said.

Jones highlighted how the EU’s Digital Operational Resilience Act, which came into force earlier this year, puts the emphasis on financial institutions ensuring the resilience of their supply chains.

“This seems particularly pertinent as it emerges that the hack occurred when attackers bribed overseas support staff,” Jones added.

Crypto Attacks Surge

This incident marks the latest in a growing trend of cyberattacks targeting the crypto industry.

According to blockchain analytics firm Chainalysis, cryptocurrency thefts in 2024 reached $2.2 billion, a 21.07% increase on the previous year.

While decentralized finance platforms were the main targets from 2021 to 2023, centralized exchanges like Coinbase saw an uptick in attacks during the second and third quarters of 2024.

Chainalysis noted that DeFi developers often prioritize growth and speed to market over security, leaving their platforms vulnerable.

Still, centralized platforms remain lucrative targets for hackers as they manage massive amounts of user funds.

In response to the Coinbase breach, Nick France, CTO of Sectigo, said that a “multi-pronged” approach is crucial to defending against social engineering attacks.

Although Coinbase maintains that no passwords have been stolen, France believes the industry should brace itself for further threats.

“A compromised login exposes an entire financial ecosystem – potentially including crypto holdings as well as bank accounts and loyalty programmes – all housed within the wallet,” France said.

The CTO suggested that authentication methods based on public key infrastructure should be used to provide “digital certificates that verify the identities of both users and merchants during transactions.”

“This adds an extra layer of trust and helps prevent unauthorised access, even if a login credential is compromised,” he added.
