Comment by jclarkcom
12 hours ago
In January 2025, I was targeted by scammers who knew my exact Bitcoin balance, SSN, DL, and other private Coinbase account details. I immediately reported this to Coinbase's Head of Trust & Safety with recordings and technical evidence. Despite repeated follow-ups asking how attackers had my data, Coinbase went silent for 4 months. They only disclosed the breach in May after attackers demanded $20M ransom. The breach involved overseas contractors at TaskUs being bribed for customer data. This article documents the timeline with emails, recordings, and evidence showing Coinbase was aware of the breach months before their official "discovery" date.
You mentioned that the DKIM headers "passed validation for coinbase.com". How could that have been possible, if the email was a phishing email? I'm not sure I understood that part, especially because you didn't provide any examples of the header data you received from the attacker.
Yeah this is very confusing for me too, how could the attackers create a valid DKIM signature for coinbase.com? Either there is a huge misconfiguration or it's not possible. Am I missing something?
Are you going to be suing?
I would consider it but I'm not sure what my options are on this.
You’d need to prove harm, which is somewhat nebulous here.*
Matt Levine has a prescient and depressing quote about the only recourse being shareholder lawsuits:
> I find all of this so weird because of how it elevates finance. [Various cases] imply that we are not entitled to be protected from pollution as citizens, or as humans. [Another] implies that we are not entitled to be told the truth as citizens. (Which: is true!) Rather, in each case, we are only entitled to be protected from lies as shareholders. The great harm of pollution, or of political dishonesty, is that it might lower the share prices of the companies we own.
* To be clear, I don’t think it is nebulous, and you’re right to feel harmed. But, legally, I don’t know the harm in “they didn’t respond to my emails” after there’s no concrete damage.
Were you harmed?
I've never looked at the Coinbase agreement that's presented when you open an account, but chances are you would have to go through arbitration first. That's not necessarily a bad thing.