Comment by modeless
14 hours ago
I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction. They speak perfect English with an American accent, sound very friendly, and have knowledge of your account balance. Thankfully on the first call I realized it was a scam right away, and Google's call screening feature takes good care of the rest. Wish I could forward them to Kitboga[1].
I guess they didn't have as much luck as they wanted scamming Coinbase's customers, and once they had their fun they decided to try extorting Coinbase themselves.
If you had any significant assets on Coinbase at any time prior to this breach, spear phishing is the least of your worries.
Coinbase not only leaked your full name and address, they also gave up your balances, your transaction history, and images of your government identification.
People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom.
"Significant" in this case can be $10k or less.
Until now, your best defense secrecy. Never talk about crypto in public in any way that could be traced to your real-world identity.
Thanks to Coinbase that defense is now gone.
The bad guys can see who has ever had a significant balance on Coinbase (even if they don't right now), whether that balance was sold for cash and how much, or if you've ever transferred tokens off the exchange to a self-custody wallet.
Now the bad guys know who's worth kidnapping for ransom and where you live. For most people, a Google search of your name and home address turns up the names of family members who would would also be lucrative targets for kidnapping and threats of violence.
Coinbase will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company.
Florida teens kidnap Las Vegas man, drive him to Arizona desert, steal $4M in cryptocurrency
https://www.yahoo.com/news/florida-teens-kidnap-las-vegas-20...
"They Stole a Quarter-Billion in Crypto and Got Caught Within a Month. How luxury cars, $500,000 bar tabs and a mysterious kidnapping attempt helped investigators unravel the heist of a lifetime." https://www.nytimes.com/2025/04/24/magazine/crybercrime-cryp... (gift article)
And this crypto CEO in Toronto was kidnapped for a $1M ransom: https://www.cbc.ca/news/canada/toronto/kidnapping-toronto-bu...
2 replies →
Seems to be a whole thing in France too: https://www.theguardian.com/world/2025/may/04/french-police-....
1 reply →
Why is this such an issue with crypto?
Wealth status is often very well known for public figures and entrepreneurs. People are driving around in $200k cars.
Is it due to the liquidity of cryptocurrencies that $5 wrench attacks work better?
It happens with cash sometimes but people are limited to the amount they can get out of an ATM where with crypto you can force someone to hand over all their wealth with a few keystrokes.
> will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company
This story keeps repeating. Maybe we should try it and see if it works as a deterrent.
It's worked before; Arthur Andersen ceased to exist after the Enron accounting scandal.
So you’re saying that one year of complementary credit monitoring by Experian isn’t enough??? /s
Companies should seriously consider implementing GDPR even in the US, it certainly made taking data dumps of customer data a lot harder and certainly private images like Government IDs were encrypted on disk. I’m surprised at the lack of security if I’m honest, at Yahoo! almost nobody had access to prod user data.
Essentially you cannot trust Coinbase IMO, might move the few hundred dollars of BTC out of there :-)
> I'm surprised at the lack of security if I’m honest
This is the crypto industry, who make the discrepancy between Theranos' claims and practice look conservative.
> Companies should seriously consider implementing GDPR even in the US
... and save the data in US cloud where everybody can access it.
It is really funny how FAANG can get away with data colkection in spite of GDPR.
1 reply →
But hey, at least by being forced to give crypto exchanges all our personal details we're all super protected from the four horsemen: money laundering, drugs, terrorism and pornography.
I think that the right lesson to learn here is not "I should store my money with a company I can't trust not to advertise where I live, but without telling them where I live ".
No one is forced to use a "crypto exchange" in the first place.
1 reply →
They said less than 1% of users were affected.
probably the top 1%.
And yet, Coinbase goes Scott free
Someone, someone at that company should be going to prison for negligence
> Someone, someone at that company should be going to prison for negligence
That's not how capitalism works. /s
"decentralized currency"
Bitcoin is plenty decentralized. Coinbase deals with dollars, that's the non-decentralized part.
3 replies →
[dead]
Why do you see this as the fault of Coinbase? Do other companies somehow have employees that are immune to bribes and blackmail?
This is due to US Government KYC laws that forced Coinbase to associate government identification with all accounts. No crypto company required ID until they were forced to.
The US Government didn't provide high-volume, bulk access to this extremely sensitive information to contractors in foreign countries with no controls over their ability to mass-exfiltrate the data.
Coinbase is the entity that set up this dangerous system.
Coinbase did it because it was cheap for them, not because they were being trustworthy custodians of information that put their customers at risk.
Sure, yes, obviously every company's employees and contractors are vulnerable to bribes and blackmail. That's why a trustworthy, competent custodian would establish systems and controls to prevent bribed and blackmailed insiders from mass-exfiltrating information that could get their customers killed.
The fact that other companies manage to be trustworthy, competent custodians while Coinbase doesn't is not the fault of KYC.
1 reply →
You don't think Coinbase is responsible for restricting access to member data for support agents?
There is no valid reason why Coinbase or any other financial services company should ever be excepted from AML/KYC laws. If anything the laws ought to be even tighter to slow down financial flows to criminals and sanctioned entities.
> People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom. "Significant" in this case can be $10k or less.
I wonder why, select a person completely at random and by median you'll get just as much from what they have sitting in their checking account. Select a nicer area for an order of magnitude more. That's not encouragement to go assault people in their homes or kidnap families... just confusion.
Yeah, but banks and the normie monetary system has a lot more safeguards in it when it comes to account transfers. Or at least, they appear to have them.
Crypto? It's wild, and people think it's wild.
2 replies →
The median person does not have $10k sitting in a checking account that they can easily withdraw. My gut feeling is that the threat of kidnapping is a lot more serious in some countries. The US maybe not so much.
4 replies →
The average American can't deal with a $1000 emergency.
Bank transactions are reversible, crypto transactions are not.
Also, people do point guns in people’s faces and force them to pay them via Venmo or Cashapp. Google ‘Venmo robbery’ or ‘cashapp robbery’ for plenty of examples. Pointing a gun in someone’s face for $4M in crypto is a lot more lucrative.
I just switched to iPhone from a pixel device and I’m shook by all the spam calls. How do iPhone users deal with this?
Also, on TMobile if you dial #662#, it'll block the Scam Likely calls at the carrier.
I had no idea. Thank you!
Oh man. They start at 7AM and end around 4-5ish PM. I was hoping the war between Pakistan and India would make these stop. Jk obv. Nobody likes wars. But other than Tmobile are there similar methods for different providers? It can get so annoying. I did restrict calls from known numbers only.
It’s my biggest gripe. They can pretty accurately flag a number as Spam or Telemarketing but in the “Silence Unknown Callers” setting I can only silence every single unknown caller. I can’t silence every single number that’s not in my contacts. When the plumber calls to confirm he’s in route, my phone needs to ring. Stuff like that.
I would have assumed an unknown caller was defined as any number not in your contacts. what is it instead?
2 replies →
I've failed to semantically parse your statements
it is super fucking easy. it has been a decade since I answered an unknown number. if plumber calls (and I dont have her/his number stored) it goes to voicemail. I then call known company number. The communication is always one-way, I call you. I never answer. You follow this one very simple rule and you good :)
2 replies →
Why would a number in your contacts be considered "unknown"
iphone has been enshittified for several years now, it seems apple engineers are not using their own phones any more. I can understand it - when you're a millionaire just from your corporate job you won't be a stressed power user of your own iphones.
2 replies →
Yeup, I finally broke down went from Android -> IPhone 16 Pro. I like a lot about Apple's personal security policies for their consumers vs Google, but damn, I miss google's automatic call spam detection and management. All day long my Apple phone rings, and I just have to ignore the calls.
Unfortunately blocking all unknown calls is the only way to sanity. Otherwise we're talking 6-9 calls coming in ALL DAY, EVERY DAY.
The calls are coming from new numbers, across multiple area codes. A few months ago I would have advised using Begone (https://apps.apple.com/us/app/begone-spam-call-blocker/id159...) to block but that only worked since these calls were isolated to blocks of area codes that were pretty safe to block like 888-XXX-XXXX, but now ZERO of these calls are using a fixed area code that would be relative safe to block.
I can't block all calls, but the screening feature on my Pixel did an immense job of filtering out the spam.
answer the call and immediately put it on mute. they will hang up and stop calling
I don’t get any calls, seems to be an US problem?
Unfortunately, the US phone network is indeed completely unusable without a good spam call filter.
US and Canada
I have the exact same experience. I felt like I went back to a phone from 2018.
I never answer my phone, also turned off sound except alarms a couple years ago
What about while job hunting?
1 reply →
I have my phone set to silence Unknown callers. What did you have setup on the Pixel before to block them?
That’s too heavy handed for me. I get valid calls that I need to answer that aren’t in my contacts.
The calls they flag as potential spam and telemarketers has been 100% accurate in my experience so i wish I could just silence those
3 replies →
I need calls from unknown numbers (doctors, vendors, etc.) Pixel would flag spam calls and not ring, all the unknown-but-valid callers got through without issue.
You turn off the notifications from unknown callers? How does Android handle it?
Sometimes you need to answer calls from unknown numbers.
Google's call screening feature picks up the phone before it rings and asks the caller why they're calling. If they actually give a good reason, then it shows you the reason as text and you can decide whether to hang up on them or answer. https://support.google.com/phoneapp/answer/9118387
Yeah you went the wrong way there brother.
If it’s says Rogers you know it’s a scam
Settings -> Phone -> Silence Unknown callers
iPhone user here. I put on airplane mode unless I'm making or expecting a call. Otherwise, I make it clear that email is my primary form of communication.
"Yeah yeah... installing your app now... oh there is an error... will try again..."
> I have been receiving regular spear phishing calls from these guys, or someone who bought the leaked data, with classic tactics like claiming that I need to confirm a potentially fraudulent transaction.
And how long has this been at an increased level? Because i'm not buying the coinbase narrative that they thought this was a systemic issue until they were contacted by the 'cybercriminals'.
It started around the beginning of April, at the same time as I got an initial email from them about my account information being accessed. Which I'm thinking is probably the same breach as they're talking about here.
I started getting regular Coinbase login confirmation codes text messages with no attempts on my end
Same with my Microsoft account actually
I usually just ignore it but I assume someone is testing if my email can be used to login.
Oh yeah I get the Microsoft account emails, and Instagram ones, randomly (I have an account but never use it). I'm pretty sure SMS 2FA is turned off on my Coinbase account, which is highly recommended.
Scams have gotten better since AI. Most of the common spelling mistakes are gone.
I was looking through some phishing e-mails the other day out of curiosity and found a weird unicode character mistranslated. Immediately knew it was an artifact of bad translation. So they're not perfect, but they're damn good.
The common spelling mistakes are there for a reason most of the time.
> a reason
Because people who read the message and think it's professionally written despite the spelling errors have a large overlap with people who will fall for the scam, at least far enough that money is transferred.
Where was the number from? I received an impressive number of phonecalls attempt but thankfully I never answer to unknown numbers. With google call screen they hung up everytime so I assume its a scam.
I got probably three or four in the past week.
I wonder if some of that perfect accent might be ML.
> They speak perfect English, sound very friendly, and have knowledge of your account balance.
.. and are former employees of Coinbase .. oh! just imagining!!
its a shame it'll never stop, and the criminal element is now a legal capitalism