Okay, I will get us started. Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto. I'm your host, Laura Shin. Here's a pause for comments, and I will also play some quick pre-roll ads from our sponsors.
It's the Bitcoin wallet from the team behind Square and Cash App. It's the first two-of-three multi-sig hardware wallet with recovery tools that replace the need for a seed phrase. Get 20% off with code Unchained.
Powered by successful products like Mantle Network and MEath Protocol, Mantle is driving the next phase of on-chain finance by supporting ecosystem products such as the Mantle Index 4 or MI4 Fund and Mantle Banking,
which brings real-world access, yield, and utility to digital assets.
An AI that speaks crypto and does the work of a team of analysts. Introducing Focal by FalconX, bringing clarity to a world of noise. Visit askfocal.com.
Hey, everyone. Thanks so much for joining us. We decided to live stream today because the Coinbase news was quite big, and this will form the basis for the May 16th, 2025 episode of Unchained.
So today's topic, as I just mentioned, is this Coinbase data breach, and here to discuss are Jameson Lopp, co-founder and CTO at Casa, James Wester, research director at Javelin, and Alexander Leishman, CEO and CTO at River.
Welcome, Jameson, James, and Alexander.
Hey, great to be here.
Hello.
Hello.
So this morning, Coinbase announced that it had been extorted for $20 million by cybercriminals who had bribed Coinbase customer service agents in India.
The number of accounts affected is less than 1% of monthly transacting users, or 84,000, as reported by Jeff Roberts of Fortune.
Coinbase Prime users are not affected.
So this attack seems to align with some reporting by Zach XBT and John T, aka Tanuki42, on X, who was also a previous podcast guest, on what they call a nine-figure social engineering scam on Coinbase users.
CEO Brian Armstrong published a video this morning in which he announced that instead of paying the $20 million ransom, Coinbase is offering that amount as a reward for information on who these attackers might be.
So I'm going to open it up to the panel.
I'd be interested in hearing the first reactions from each of you.
I know you all have kind of your own area of security that you kind of analyze or work on.
So, Jameson, why don't we start with you?
Time is a flat circle.
This has happened before and it will happen again.
So I'm not at all surprised that this has happened.
And, you know, I'm sure we'll get into the details.
I'm sure there are things that Coinbase could have done better.
My primary gripe, fundamentally, is that companies like Coinbase are forced to take this very sensitive data.
And so they have that responsibility thrust upon them, basically, by regulators, by the laws of the land.
And then, ultimately, the question is, what do they do with the data?
And it's a very, very hard problem because information wants to be free.
It's very, very difficult to keep information from leaking.
Though, as we have seen, you know, some entities are better at that than others.
Alex, what are your thoughts?
Yeah, so I completely agree with Jameson.
And but I think I would add that, you know, in an organization, security is actually very much a human issue.
A lot of people think that it's this complicated technical thing.
And to some degree, getting your computer security right is a technical problem.
But actually, I'd say 90 percent of it is having the right people at your company.
And I think what we saw here was Coinbase had just employees who were presumably in, you know, I would guess, low cost countries, easily bribed to steal customer information and share it.
And no, no, no amount of advanced cryptography or red teaming or, you know, PhDs on the security team solves that problem.
Yeah.
In the Fortune article, they said it was India and they did talk to the head of security, Philip Martin at Coinbase.
So I'm assuming that information came from them, even though the actual blog post from Coinbase didn't identify the country.
James, what about you?
My immediate first reaction was that he's doing the Mel Gibson ransom strategy.
I don't know if anybody remembers that movie where his child is kidnapped and instead of paying the ransom, he says, I'm going to pay this as a reward.
So a bold strategy.
But I think what you're going to hear from me is a strong agreement with what's already come before, which is this idea that KYC is somehow protecting us from bad things happening is itself actually something very, very bad.
And to what Alexander said, I think what's what is always a problem is it involves humans.
Humans are always going to be your weak link.
And until we figure out some way that we can take humans out of the loop for security, we're going to see these things again and again and again to what Jameson said.
We're going to see it again.
And that's, again, because we have humans in the loop.
Yeah, it's so similar to the what are they called?
The SimSwap hacks that honestly I first wrote about in 2016 and they still happen today.
You know, this is where basically the attacker will sweet talk a customer service agent into giving information.
You know, they either pretend to be the the the target or they will, you know, bribe somebody.
So so these again, it's like the same attack vector, even if, you know, the way they're going about it is quite different.
Let's unpack that KYC piece.
So the information that the hackers were able to obtain was name, address, phone, email, masked social security.
So the last four digits masked bank account numbers, government ID images like driver's license or passport, account date, including balanced snapshots and transaction history.
And then some corporate data around like training material and what the support agents have in terms of, you know, they're like the resources they can turn to.
When you see that list, what what what are your thoughts around, you know, what dangers this particular hack presents to users?
As a spear phishing 101, like the more personal information you can get about someone, the more you can custom tailor a message to them that tricks them into thinking that you are some legitimate authority from a service provider that they interact with, which is then how you get them to authenticate into their service provider and send all of their money to you.
So, and we're seeing this happen more and more frequently, especially amongst the elderly, I mean, there have been multiple nine figure social engineering scams against elderly people just this year alone.
And I think that this is something that just the ecosystem in general needs to be thinking about more, because over the past decade, we have successfully implemented best practices around security in a number of different ways.
You know, people are generally not getting hacked as often these days, you know, the exchanges are not getting hacked as often these days.
But, you know, security is a constant cat and mouse game.
And I think generally, people in the security space would agree that right now, the weakest link is, in fact, the brains of the people who are owning these assets.
And so that's what social engineering is.
It's instead of hacking technical information systems, you're basically hacking somebody's brain and getting them to voluntarily bypass all of the technical security measures.
And they're good at it.
Hackers are very, very good at it.
I get these these attempts on my phone all the time.
I do this for a living.
And yet every once in a while, I'll question it and think, oh, maybe that was legit.
Probably giving away too much about how I'm a little bit of a sucker.
But I think that, you know, we have to think through that people who do this are very, very good.
And I think the other thing, too, is when we talk about the ecosystem, we have to be aware we're going to be held to a higher standard, whether we like that or not.
I did see one tweet that went out today basically saying, well, it doesn't seem like crypto is all that secure.
Well, no, cryptocurrency is secure.
But when you're looking at it from the outside and you see, you know, the headline is Coinbase is hacked.
Oh, well, it's a it's another one of those things that we have to answer for in the ecosystem.
Not fair.
And we actually probably have the tools to help with this across all KYC, quite frankly.
But I think we need to be aware of the fact that, yeah, this is this is an area that we need to be paying attention to.
Yeah. I mean, I have a few thoughts here and I might say some and I'll add some kind of maybe not unpopular, but maybe a little bit of a different take as well to make it interesting.
I think that when people say crypto isn't secure, I think technically they're wrong, but sort of from the vibe they're saying is actually correct.
Right. It's actually a very new financial paradigm in the US where you have this asset that any attacker in the world can take from you and immediately have possession of, which was not the case with dollars in the fiat system.
So, you know, for people who understand computer security, while it's not, you know, the crypto is actually secure, but the actual sort of vibe of it all actually for a lot of people isn't secure.
And and it's as Jameson said, you know, I think the onus is on companies like ours to do what we can to prevent people getting taken advantage of, to prevent people being socially engineered.
And there's there's actually sort of a catch 22 to some of this stuff, even if regulators didn't require companies like ours to to collect KYC information, which would be a win, by the way.
A lot of this information is also very helpful for preventing people from being taken advantage of.
Right. Knowing who somebody is, if you have a custodial service.
Right. Which I think we can debate whether or not that's, you know, that those should be had.
But if you have a custodial service, you actually need to know who your client is, because what if they forget their password and they need to get into their account some other way?
You need some way to identify who this person is, you want to know, is this person an old, an older person who who should have enhanced security on their account?
If they're buying Bitcoin from you, your your client service agent needs to know, well, some some of their bank account information so that they can help them.
And so there's to some degree, you can't escape some of this stuff.
And I think the companies are just going to have to get smarter about who they let work there and automating away the things that required large armies of sort of offshore workers to do.
I think just to add to that, I think I do think one of the things that's a little surprising to me.
So you asked about you gave a list of all of the things that were taken.
One of the things that really jumps out to me is government issued ID.
They're PDFs, basically.
They're pictures of government identity.
So one of the things that was taken when we have this idea that we have these rigorous KYC checks and that we're doing everything in a very digital way.
And yet, how are we proving who we are?
We're taking pictures of our driver's licenses, which seems to be, you know, something that we would think of from 25, 30 years ago, that that piece of paper or that piece of plastic matters.
And so that's part of the issue that we have here is we have to rethink a whole lot in terms of not just how do we protect identity, but how do we even view identity and how we identify ourselves?
Yeah, I mean, I think, so I definitely recognize that that is a problem, although at least in some of my interactions with different crypto companies, it looks like they're moving more toward a model of you hold it up and then you have to like blink or, you know, whatever, just to make a video of yourself.
But even that now with AI, like there's a lot that people can do to fake that I should just want to make some comments about how good they are at getting people when they're vulnerable or or, you know, basically hacking these the brains as as we discussed.
So I've interviewed a lot of people who were hacked in this kind of way, who are pretty sophisticated people in crypto and have a lot of experience, like never thought that they would be a victim.
And, you know, some of the themes that I've heard are things like the hackers will play upon a sense of urgency.
Like, oh, this this very serious event is happening.
You have to do this right away.
Or they'll say, like, oh, if you do this thing, it will make your account more secure.
So, like, it plays upon crypto people's like paranoia.
They'll do things like they'll send these communications at times when they know, like, oh, that person works for this or that place.
And that organization is like having a party or like, you know, and and so there have been people where, yeah, they're kind of like on this high and like they check their phone.
And like they're not really registering what's happening.
And they think that, oh, you know, whatever, this is like a transaction with someone I know or, you know, whatever.
And then one that I got recently and well, so, by the way, one other thing I wanted to mention here was that this group, they apparently to actually do each of the individual social engineering scams that they're doing on on these users whose information was leaked.
They kind of like made a whole replica of the Coinbase website.
So, like, when you go to this URL, it, like, looks really, you know, like you're in a legit place.
And then I actually tweeted about this a little while ago.
Whoever was trying to get me on this was very, very smart because they sent an email from a super official looking X account saying that we had committed a like a copyright or trademark violation, which is like core to my business.
That's like something we would be very attuned to.
And even then I remember thinking like, but what could it be?
And sure enough, I did some sleuthing on the email.
And yeah, the even though it all looks like it was coming from a legitimate X email, when you hit reply in the Gmail interface, it would literally say like this looks like a fake thing because it understood that actually you were applying to a totally different domain.
So anyway, point is just like, you know, and yeah, I've, I've gotten ones that were super legitimate looking from ever know, like all kinds of, I've gotten a lot of these.
But the point is like, they are very, very sophisticated and they know all the different little ways that our minds work that would make us vulnerable.
And they can iterate time after time after time too.
So if it's not working, this is what they do.
They, they are testing on us all the time.
So the idea that you might not have responded to one, they are going to continue to do those things that until they, and, and they will eventually find one that's very successful and they will run.
Yeah, it doesn't cost them much to try.
Exactly.
You only have to succeed one time.
I'll say, you know, what you pointed out was it's very easy for anyone with a modicum of technical sophistication to impersonate online accounts, websites, emails, so on and so forth, where, you know, non-technical people may not dig into the things like the email headers to see if everything checks out.
Or, you know, we've even seen them actually using like real legitimate Google hosted websites to send messages and like all of the SPF and DKIM and other email records are legit because it really is coming from Google.
But I think one very simple thing that anyone can do to help protect them from phishing is use a password manager.
And not just like a password manager in your browser, but any of the big name brand well-vetted password managers like KeePass or 1Password or whatever.
And this provides you an extra layer of protection because even if they're doing really crazy like DNS lookalike domains that look the same to the human eye but use other weird characters, your password manager can tell the difference.
And your password manager will not auto-fill your password on a domain that you haven't registered it to.
So that's just like an extra stopgap there to prevent you from accidentally giving your credentials away.
Oh, that's so interesting because what about the breaches that those companies have had?
You still feel like it's worth a risk or?
I think most of those breaches happened at LastPass, so I don't really recommend LastPass.
They're kind of shady, not as transparent as some of the other password managers.
Okay.
Yeah.
One thing, by the way, I wanted to add about that like trademark violation or whatever that we got from this super legitimate looking ex-email.
The funny thing about that one is that then since I didn't respond, a few days later, they responded like follow up.
And they were like, you did not respond.
Like you have 24 hours or whatever it was.
So again, it was like, you're doing something wrong.
You have to get back to us.
And my guess is that even though you had done the deep dive, you still got that.
And there was a part of your brain that said, oh, wait, maybe there's, is there just a tiny percentage?
Yeah.
Well, it made me check everything on the email again, like just to make sure that I'm correctly assessing, you know, but also I'm so lucky.
I have, I know so many crypto security people, so I can reach out to any of them and ask for help.
So, you know, obviously I'm not the average user.
So in a moment, we are going to talk more about this issue about getting smarter about who you're hiring.
But first, a quick word for the sponsors to make this show possible.
Picture this.
The crypto market just got wrecked by billions in liquidations.
You need to figure out what happened and what's next.
But where do you even start?
Meet Focal by Falcon X, your AI-powered crypto analyst.
It's like having a legion of experts at your fingertips, ready to break down market-moving events, chart DeFi protocol TVL, or explain why Solana Mindshare is rising.
Get clarity in a world of noise with Focal.
Learn more at askfocal.com.
BitKey is the only Bitcoin wallet on Time Magazine's Best Inventions list of 2024.
Built by the team behind Square and Cash App, BitKey is a two-of-three multi-signature wallet and the first hardware wallet with an innovative recovery suite that eliminates the need for seed phrases in self-custody.
Their new inheritance feature means BitKey's not just the easiest way to self-custody your Bitcoin.
It's the easiest way to ensure it ends up in the hands of loved ones when it's time for it to leave yours.
Learn more at bitkey.world.
B-I-T-K-E-Y dot world.
Use code UNCHEINED for 20% off.
Mantle is driving the next phase of on-chain finance by supporting ecosystem products such as the Mantle Index 4 or MI4 fund and Mantle Banking.
Mantle Banking is an all-in-one fiat and crypto account that simplifies how users spend, save, and invest.
And MI4 is a tokenized index fund that offers institutional-grade exposure to top crypto assets with built-in yield strategies.
Together, they address long-standing frictions in financial access while unlocking a future shaped by composability, efficiency, and real-world utility.
Follow x.com slash Mantle underscore official.
All right, so I'm back with Jameson, James, and Alexander.
So let's talk about this hiring issue.
You may have seen Vance Spencer tweeted,
Trust me, bro.
We're going to hire support agents from other countries where the standard of living is one-tenth of the U.S.,
but they won't be susceptible to bribes, bro.
Just trust me, bro.
And then he wrote,
Just hire U.S. staff, you absolute ding-a-lings.
So that was a very pointed comment.
But then I saw Armani Ferrante of Backpack responded,
Coinbase serves people around the world in many languages and many jurisdictions.
Many regulators require you to have local support on the ground in a country.
Just hiring U.S. support staff is literally impossible.
They shouldn't have allowed support access data they don't need, but that's a totally separate problem.
What do you think of these two positions?
Well, I can give my thoughts.
I think that, you know, this isn't because of regulatory reasons that Coinbase had a lot of big team in India, probably.
They were trying to save on cost.
My take is it's important to structure your business and build it in a way so that you can have only high-quality people working there.
At River, you know, we keep it pure.
We're Bitcoin only.
We reduce complexity.
It allows us to operate with a much smaller team.
You know, imagine trying to train up a service staff that can support millions of tokens and know how to intelligently communicate with clients about that stuff.
You need armies of people.
It's very complicated.
And it probably doesn't, the unit economics don't make sense in the U.S.
And so I think at the end of the day, what's going to happen is just huge investments in automation to delete the headcount instead of reshoring it, is my guess on what Coinbase is going to do.
I think that, I was just going to say, I think bribery is an issue regardless of where you put somebody.
I think so long as you have, again, humans in the mix, there is always going to be an issue with that.
And I think that as we begin to see, especially vast amounts of money begin, and we think that, you know, it's a vast amount of money now, but just wait until this becomes institutional.
Wait until we start seeing more average people.
I mean, most of us who have been in crypto for a while, we understand it a little bit better.
But now what we're doing is inviting an entire new group of people into cryptocurrencies.
You're going to see even more money, with more money being thrown around for things like bribery.
So I think it's, can we figure out ways to minimize the human in this?
I think that's going to be a bigger issue than worrying about where those humans are.
So there are some problems here.
One is you generally want to follow the principle of least privilege.
So, you know, people should not have access to data or systems unless they absolutely need it.
And even then, it needs to be, you know, highly restricted and logged and have monitoring and alerting around it.
Laura, you already mentioned the SIM swapping problem.
That was where U.S. employees were getting bribed.
You know, these are probably retail level people making around minimum wage or, you know, somewhere in that area.
And so the asymmetry there of value when we're talking about accounts of worth potentially millions of dollars per attack versus someone who's making 20 bucks an hour.
You don't have to pay them that much to get a massive ROI.
And, you know, there have been multiple lawsuits against telecoms as a result of their poor internal security practices.
These telecoms, I think some of them have tens of thousands of employees.
And all of those employees essentially have root access, which means like they can see everything.
They have God mode.
They can reassign phone numbers from anyone to anyone else with no actual checks and balances in the system.
And that caused massive damage, tens if not hundreds of millions of dollars worth of losses due to SIM jacking.
And I think that what any of the exchanges, really any financial entities that are dealing with crypto plus KYC data, they need to take a lesson from that, right?
Is that they need to avoid getting into that same situation where they could potentially be a really leaky sieve of data.
And so I think Coinbase is starting to realize that now.
And hopefully they will start to implement a lot of safeguards around it.
Yeah, but I do think there's nuance here.
And it's not like it's not like it's you either have controls internally or you don't.
There's a lot of tradeoffs with all of this stuff, right?
The more controls and least privilege access you have, the harder it is for people to do their jobs, right?
And I think that lots of people have worked at companies where there's like lots of red tape to do something that has built up over the years.
And so often you're actually choosing between worse service or better data controls and worse service or better service and worse data controls.
And so there's no silver bullet here.
That's why I always go back to small numbers of very high quality people with like reasonable data controls is actually like the best happy medium.
But it really depends on the organization.
Yeah, and I will say one thing, the difference between what we're seeing on financial services versus say telco is a lot of the things that we say, okay, we shouldn't have people allowed access to certain stuff.
Well, within telco, that may be because, you know, for whatever reason, they put those policies in.
But when you're talking about financial services, you're required to have those things.
It's a compliance issue.
So it's not something that you can say, well, we don't want people to have to give us this information.
Well, from a KYC compliance standpoint, you may have to have that.
So that's where I think one of the things we're trying to solve is this issue with, you know, a brand new paradigm in the way that we send and receive and have money.
But we're building it upon these compliance requirements that go back decades.
And so I think that's a part of the problem, too.
So it sounds like what I'm hearing is that you're never going to completely cure the, you know, human fallibility issue, even if you have customer service agents in the U.S.
So it sounds like you all seem to think that really the root issue is more around these requirements about around KYC.
So or so, Alex, you.
It doesn't help.
It makes the problem a lot more difficult.
Yeah, it doesn't.
I agree with that.
It certainly doesn't help.
It makes the problem worse.
It's not a silver bullet.
But companies serving your financial needs need to know something about you.
There will be information that's sensitive, whether it's required by regulators or not.
There's sort of like just, you know, an impossibility result here to some degree.
Like if you're delegating any sort of trust for your money to an institution, it's going to be a hot potato.
You're basically taking your hot potato and giving it to somebody else, a company, you know, to handle.
So by making that compromise, you're to some degree signing up for this risk, period.
And so then it's a matter of which company do you trust to handle that risk?
And then there and then the next step is then, is there some risk mitigation that you can put in there?
Is there something you can do in case that happens?
And I do think that's one of the issues we have with crypto is, you know, there are things like Reg E.
If you have something, a payment that is a bad payment in the regular world, in legacy payments, we don't really have that.
And so that's a part of what we need to start thinking through as well is, is there some sort of risk mitigation?
Is there going to be somebody who's on the hook for this to make someone hold?
So that's going to be a bigger issue.
But I also think that so long as we are thinking through this, what Alex was saying, that you have to turn over some information.
I think that right now we think of what we turn over and how it's validated from a very centralized way of looking at things, too.
And I do think that there are going to be some ways that we can implement something like decentralized identity, where we don't have to turn over everything when we try to validate who we are.
That's going to take a little bit of time, though, a lot of time, because it's going to it's going to change the way we look at identity completely.
So in an ideal world, can you each kind of go through what you think would be the best solution?
And I understand. Yes, it will take a while to get there.
But, you know, so and by the way, I just we we're kind of running out of time.
But for those of you who don't follow Jameson, you should know he does a great job following all the, quote unquote, wrench attacks, which are physical attacks on people where people are trying to physically threaten people in order like attackers are trying to physically threaten victims in order to obtain their crypto.
So, you know, it's like even even if you decide that you're going to opt out of the system of having another entity custody or crypto, then the self custody solution also has its own pitfalls.
So can you should you just kind of describe what your ideal solution would be?
And then we can wrap.
I think we're all a little reluctant to come up with what we think is perfect, because the first thing that will happen is somebody will, of course, attack it.
But I think that what we really need to do is start rethinking what KYC is built on and begin to unpack that for things like financial services.
And that would include better ways of identifying ourselves that don't necessarily require us to have, you know, a driver's license that we use to show who we are and and some type of a better way of doing identification.
Yeah, I mean, that's, that's, that's a, I think an admirable, admirable long term goal in the medium term, though, assuming we can't change any of the root identity issues.
I think, you know, better data classification, like different tiers of sensitivity, the higher the tier of sensitivity, the more restriction there should be around it.
I mean, in general, you should eliminate single points of failure.
So, you know, you shouldn't allow really any employee to unilaterally be able to do highly sensitive, potentially damaging things, there should be checks and balances, you know, preferably you have some sort of peer review sign off that is then audited, so that you know, there's, this is, this is how you prevent collusion, right?
Is that you require multiple employees to have to sign off on any sensitive actions, and you know, perhaps if this was like an overseas issue, you could help mitigate that by having, you know, employees that don't work together in the same physical office, have to, to sign off and essentially co sign on sensitive actions.
And then, and you know, we don't know what they're doing internally, supposedly, you know, this was minimized somehow, we don't know the details, but there's, there's always more room for improvement around, basically monitoring the actions, you, especially now with AI, you know, you can implement monitoring to basically look for any sort of anonymous, anonymous, anonymous, anonymous activity.
That is happening within your infrastructure, if you have every event that gets logged, and then you're ingesting it, and you're saying, okay, this particular activity is spiking up more than usual, and doesn't correspond to, you know, other types of authorization requests that should have spurred those events from happening in the first place.
Yeah, my take is that any company that holds your money is going to need to know who you are, otherwise, how can this money be legally titled to you?
And so there's just like an impossibility result there, right? Just from like, how property rights work. And so then I think, I think the companies are going to come to the conclusion that the most secure employee is an employee that doesn't exist, right? And, and so they're going to be deleting headcount, they're going to, like, that's going to be the conclusion that these companies come to is like, no, it's not going to be, it's going to be short term, add a bunch of controls to, you know, the customer service.
Admin panel, but the long term ants are going to delete the, delete the office in India or the Philippines or whatever.
Is that, is that, that's what's going to be their long term goal. And, and, and continually to improve their internal controls, but they're going to have to have some data. And I don't think, and I think that's how they're going to be thinking about it.
All right. Well, thank you all so much for joining us and coming on Unchained.
Thanks for having us.
And thanks to everyone who's in the live stream. This will come out on the podcast tomorrow. And
there's something with my interface where I can, oh, there's the button to end the live stream. Okay.
Okay. Thanks everyone. Bye.