In a May 15 post on social media, Wang revealed how attackers impersonate exchange staff using personal data obtained through a recent internal breach. Individuals contacted him, claiming to represent Coinbase and warning of a supposed compromise on his account before conducting identity verification steps.
Under the guise of assisting with wallet setup, the attackers provided a pre-generated seed phrase, giving them full control once the user moved the assets.
Wang said he called the scammers out at the end of the call:
“I called them out at the end of the call telling them they need to step up their game cuz this scam is retarded. They told me [they] had made $7m that day.”
Information included names, contact details, identity documents, and masked banking and social security data.
Instead, the firm is offering a $20 million reward for information leading to the perpetrators’ arrest. Coinbase also stated it will reimburse affected users.
Despite the reimbursement promises, Wang called for Coinbase to treat the potential exposure of users’ home addresses and government-issued IDs as a personal safety issue, which is worth “way more than loss of funds.”
Based on current data, the company’s preliminary estimates place remediation costs and voluntary customer reimbursements between $180 million and $400 million.
Additionally, Coinbase reiterated in the document that it would not pay the ransom demanded by the attackers. The company stated it intends to pursue all legal avenues against the individuals responsible for the attack and is continuing its investigation into the full scope of the incident.
