
Latest news with #insiderthreats

Coinbase Hack Exposes 3 Insider Threat Enablers

Forbes

2 days ago


Cybercriminals bribed Coinbase employees and contractors for customer data access.

Bankrolling cybersecurity may soothe momentary leadership angst, but often does little to address rising insider threats and basic internal control failures. Coinbase joined a long and growing list of hacked companies undermined by bribed, planted or tricked employees. The crypto exchange giant disclosed that cybercriminals gained access to sensitive customer account data by 'paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities.'

Coinbase declined to pay the hackers' $20 million ransom. Instead, the company posted a $20 million reward to catch and convict the extortionists. Despite the bold stance, remediation, reimbursement and indemnification costs are preliminarily estimated 'to be within the range of approximately $180 million to $400 million.' That's a hefty financial and reputational hit – even for a market-leading entity which closed 2024 with $9 billion in cash reserves and a penchant for spending heavily on cyber investments.

The nefarious methods may seem novel, but the case is neither isolated nor unique. The 2025 Ponemon-Sullivan Security Report found almost half of insiders had more access than needed. While no cyber defense is impenetrable, fixating on technical design proves futile when incentives, incompetence and indifference undermine internal controls design, implementation and effectiveness.

Data are digital era treasure. That's what hackers know, yet too many company directors and executives underestimate. While internal controls were first established to curb asset misappropriation, sharpen business processes and maintain financial integrity, they are widely viewed as mere compliance requirements. That's a dangerous mindset as IT systems and safeguards are often highly technical and considered 'invisible.'

Compounding that AI-age naivete is excuse-making that insider threats are 'rogue bad actors.' As reported on Forbes, Coinbase CEO Brian Armstrong lamented 'the criminals have been approaching our overseas customer support agents, looking for a weak leak, someone who would accept a bribe in exchange for sharing customer information with them. Unfortunately, they were able to find a few bad apples.'

The problem wasn't that low-paid, offshored workers were susceptible to payola. Rather, access controls were inadequate, insufficient and/or non-existent. Even worse, the deficiencies were exploitable (and monetizable) for several months without detection.

Those gaps are widespread. The 2023 Ponemon-Sullivan Security Report found that cyber incidents due to employee negligence (55%) outnumbered the combined total incidents involving criminal or malicious insiders (25%) and credential theft (20%). Fraud requires opportunity, incentives/pressure and rationalization – cybercriminals and their AI tools prowl for such juicy vulnerabilities.

Antidotes require meaningful assessment and action. That's far more than hollow audit committee charters, toothless assurance models and self-congratulatory periodic reporting. Effective defenses, supported by stewardship workplace cultures, learn and adapt to pre-empt problems. Boards and C-suites need to ask serious questions and expect credible answers about how incentives, incompetence and indifference – the three common corporate post-mortem culprits – enable insider threats that put their organizations at risk.

Hostile actors will do what they can to bribe, trick or, worse, plant employees. While payoffs cost Coinbase, in 2023, an employee impersonator verbally convinced MGM's IT help desk to share system access credentials. The subsequent breach shuttered casino operations costing over $100 million, spawning a lengthy remediation quagmire.

Yet, planting real or fictitious employees is also a real challenge, especially from cash-desperate regimes. In February, Christina Chapman pled guilty in federal court to allegedly running a 'laptop farm' from her Arizona home which posed North Koreans as U.S. workers in remote IT positions at more than 300 U.S. enterprises, including multiple Fortune 500 companies. Chapman's three-year purported scheme netted over '$17 million in illicit revenue' for her and the Hermit Kingdom. The payroll largess was falsely reported to the tax agencies in the names of over seventy identity theft victims.

Clearly, a few hundred organizations were susceptible to adding 'ghost' employees. Shay Colson, Intentional Cybersecurity managing partner, advises tech leaders to collaborate with HR to 'vet new employees and ensuring that you're not either supporting this sanctioned regime or giving up legitimate credentials to these threat actors.' That's a foundational step towards competence, care and control.

Here are starter questions that boards can independently ask IT, HR and audit leaders:

(Non) answers and 'not my job' responses will be quite telling. Digital era danger necessitates coordinated, prepared and tested defenses – well before a breach. Countless case examples, benchmarking data, tabletop exercises and technical performance reports hold little lasting value, if companies lack credible, strategic tech leaders who can articulate the competitive, financial, reputational and business consequences of cybersecurity inaction. Perhaps worse are gilded executive teams fixated on strategy (and compensation) acceleration, while risking everything by settling for disincentivized, demotivated, distracted and disloyal staff.

Et tu, IT?
