Hacker News | mafriese's comments

> The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities

Based on the information present in the breach, I think it's likely that the source was their customer support in the Philippines. Monthly salary is usually < $1000/month (entry-level probably even less than $500) and a $5000 bribe could be more than a year's worth of money, tax-free. Considering the money you can make with that dataset now, this is just a small investment.

> • Name, address, phone, and email; • Masked Social Security (last 4 digits only); • Masked bank-account numbers and some bank account identifiers; • Government‑ID images (e.g., driver’s license, passport); • Account data (balance snapshots and transaction history); and • Limited corporate data (including documents, training material, and communications available to support agents).

This is every threat actor's dream. Even if you only had email addresses and account balances, this is a nightmare. Instead of blackmailing the company, you can now blackmail each individual user. "Send me 50% of your BTC and I won't publish all of your information on the internet". My guess is that we will have a situation similar to the one we had with the Vastaamo data breach...

https://en.wikipedia.org/wiki/Vastaamo_data_breach


> • Name, address, phone, and email;

> blackmail each individual user

Blackmail would be the least of my worries, in France we had at least five kidnappings/attempted kidnappings related to crypto investors since the beginning of the year.


And more than one finger sent in the post.


Yes, that's true, but it's weird that they only focus on crypto investors' families? There are many rich people in France, what's the deal with cryptobros?


Crypto is advertised as providing irreversible transfers, and having ownership of assets solely established by ownership of keys. It shouldn't be surprising that such features would attract criminals.


You can easily establish the connection from a bank account to a person. A connection from a crypto wallet to a person is extremely difficult. Money laundering with crypto is also much easier (and cheaper usually).


In the vast majority of cases, it's actually extremely easy. It took less than an afternoon for me to learn how to trace 90%+ of transactions on either BTC or any of the networks built on Ethereum or an Ethereum-like protocol. There are large companies that specialize in exactly this, which make tools that allow government agents who have no particular crypto expertise to trace the majority of transactions.

It is possible to make your transactions extremely difficult to trace, but you really, really, REALLY have to know what you're doing.

Law enforcement loves that people think it's easy and cheap to launder money with crypto, though. It's made it vastly easier for them to catch those people!


I never doubted that it's possible, but it's way harder than identifying bank accounts. There is a massive business behind crypto tracking, that's why companies like MasterCard have acquired CipherTrace. Some years ago there was a really good article / case study from them. I think it was related to a ransomware gang and they were able to identify the threat actor's wallets through crypto tumblers and chain hopping. It's just a matter of how much money and time you are willing to invest in finding out and not a matter of possibility.


You can trace the BTC or Ethereum transactions of coins, but you cannot trace the criminals after it's converted to Monero or some other "privacy" chain on an exchange run on the dark web. After that you're just tracing other owners, who possibly have no idea that it was stolen. It literally takes a few hours to wash it all out.


It’s harder but not totally impossible with the traditional banking system. https://en.m.wikipedia.org/wiki/Bangladesh_Bank_robbery


Because it's easier to move crypto than physical cash.


Guessing their profits are regularly illegal or untaxed, so they're less likely to involve the police.


Seems unlikely given who has been targeted. I doubt the Ledger or Paymium guys have been evading tax on crypto given that they're publicly involved in it and likely would be scrutinised more than the average person by tax authorities.


It's easier and faster to send the money without having to go to the bank.


This may seem callous, but isn't a large point of crypto that you are 'free' from the shackles imposed by the State?

And I guess that includes protection from criminals by the oppressive forces of the State (aka the police). In which case being kidnapped and having your fingers sent to your family is an integral part of your 'freedom'.


Crypto isn’t synonymous with anarchy, just like the internet isn’t synonymous with pornography. Both are cliches from long ago.

All of the victims are likely taxpayers. Law and order is a fundamental service that a legitimate state must provide to all in its jurisdiction, even those who are only resident non-citizens and those that pay little to no taxes in a progressive tax system.


> Crypto isn’t synonymous with anarchy, just like the internet isn’t synonymous with pornography. Both are cliches from long ago.

Saying crypto isn’t synonymous with anarchy, like the internet isn’t with pornography, sidesteps the point. Pornography is just one use of the internet — not its central purpose.

But crypto wasn’t just built to host financial activity — it was designed to restructure it, removing reliance on central authorities. That core intent isn’t a cliché; it’s a defining feature.

Comparing it to incidental internet content is a rhetorical deflection, not a real counterpoint.


That's not what it was designed for, that's just a mixture of propaganda and confusion.

It was designed to solve the double-spending problem with digital currencies, replacing the need for "an authoritative ledger" with one that is difficult to forge.

The political project around this was to provide people with a deflationary currency akin to gold, whose inflation could not be controlled by government.

The lack of government control over the inflation of this particular currency, and the lack of an authoritative ledger, are an extremely minimal sense of currency protections (or freedoms). They have as much to do with anarchy as the internet had with porn.


It was designed to avoid the need for existing financial institutions. The double-spend problem was merely the blocker that prevented people from otherwise doing it.

> A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution.


That's not anarchy though, that's PayPal c. 2000


Your point is merely a non sequitur: a change in banking isn’t related to paying taxes or the state as a whole, nor anarchy.

You’re not supporting your central thesis that disintermediating finance is in any way related to removing government — and people using Coinbase, a service that is centralized and does collaborate with government regulation, seems to directly counter your stereotype of the customers.

Their point is correct: people who match your fantasy wouldn’t be Coinbase customers — you’re relying on old tropes.


Most (developed states at least) don’t claim the monetary system as a taxation medium. Debasement of currency is a bug not a feature. In the US, you are not required to process your transaction in USD but only need it to pay taxes.

Failed countries (i.e. Turkey) rely on the financial system for taxation. Functioning countries shouldn’t care or be bothered by it.


It seems that law-abiding citizens often bear the greatest risk by declaring their assets to tax authorities and relying on so-called "trusted custodians" for savings. Ironically, for many, the safest course of action is likely non-disclosure, though this is, of course, illegal in much of the world.


I only have to declare crypto < 1 year in my holding which means that, while technically illegal to buy 1 second after the new tax year start and not declaring it, in practice, obviously, no-one cares about that. Especially as crypto is not a 1 second buy; it can take hours.


This may be surprising, but I actually don't think opting for a payment method with less consumer protections (that I pay cap gains tax on when I dispose of it for a profit) is me ceding my right to be protected by the police. You're right that it does seem extremely callous and is honestly a disturbing mindset to have. Hopefully you never experience terror like the victims of the last few months in France experienced in your life.


> You're right that it does seem extremely callous and is honestly a disturbing mindset to have. Hopefully you never experience terror like the victims of the last few months in France experienced in your life.

Thanks for the tone-policing. But instead of implicitly suggesting that my mindset or tone is inappropriate, it would be great if we discussed the substance of the points.


> it would be great if we discussed the substance of the points.

Sure, just read the sentence from my response that you skipped over.

To be clear: I didn't implicitly suggest that your mindset of people who use crypto somehow ceding their right to protection from the state was inappropriate, I stated outright that it was a disturbing and callous mindset.

It's like suggesting that people who protest against police brutality shouldn't get protection from the police in emergency situations, or believe people who are racist to healthcare workers should lose all right to healthcare. The type of mindset held by those who care more about retribution against those who hold different views than a just society.


You can argue that once you are 'free' to own guns, defend yourself, and seek revenge. The state limits your ability to protect yourself, so it has to assume that responsibility.


The persons in France probably paid their taxes. So no, your premise is wrong in that the state will help vs. in a crypto no-tax world. Actually the du jour crypto paradise didn’t have any kidnappings so far and you don’t have to pay taxes either.


> isn't a large point of crypto that you are 'free' from the shackles imposed by the State?

That's what people say, but it's probably not true given everyone leaves their coins on exchanges.


It's simply about separating money and state. It's imperative that this happens.


The state takes a flat 30% tax on capital gains regardless of the source, I'd say they paid their fair share


Depends on if they cashed out and how they did it. There was a big trend for a while to go live in Portugal for a while, enough to be considered a tax resident there, and then cash out there because (at the time, idk if it's still true), they had no (or little) tax on crypto cash out.


Yeah, I know two French people who did it (one of them avoided UK taxes as he was paid in crypto while working in the UK, the other it's muddier). I know three people in the space, and only those two were on the financial side, so to me, while Blockchain is still a legit tech, anybody using cryptocurrency I peg as a tax evader.


Good thing we have courts, lawyers and judges for that. It’s funny everyone here hates on Trump but as soon as something aligns with their view, they want a de facto no due process application.


Sorry if I implied anything, I must have missed part of the conversation, I was just confirming that did happen (taking the Portuguese residency to avoid crypto tax) a few years ago. In my opinion, police should protect even violent criminals from violence when possible, so of course I'm not advocating for anything to happen to tax "avoiders", and they should be protected. I was just stating that I know people in the crypto space, and if you are, I immediately peg you as a small-time sociopath from my past experience.

Also I don't care about them getting judged for tax evasion, I know they won't be and honestly, good for them. I also don't care for nonviolent thieves and think the same thing about them. Profiteering was not how I was raised, but I understand different people have different standards (and parents, luckily mine are great, it's not the case for everybody). People do what they need to do, I found some comportment sociopathic, but as long as it is nonviolent, I'm not mad.


Which state are you talking about? The 0% tax bracket for long-term capital gains in the U.S. for 2024 for single filers was $47,024, never mind the standard deduction. Then it goes up to 15%, then 20%.


It's way worse. US companies pay $3-$6 per hour to outsource their support to the Philippines. The companies which provide the service have a very high turnover rate. For some companies the employees stay on average about 6 months. There is absolutely no reason to be loyal.


We are getting zero government regulations on AI, no punishment for data breaches, and no human protections against wide scale abuse. The opposite is happening.

I expect to see America in chaos from these disruptions in the very near future.


Beyond the Philippines' low wage, the point is that there is a price for "everybody"; if it were in the US it would be a much higher price, and most probably paying for higher attack benefits.


This is perfect advertising for the Ladybird browser. I hope that some of the developers (if this really goes live on the release channel) will join other projects. I can understand that Mozilla needs money, but I don't think this feature fits with Firefox and what it stands for.


It's bad press for Firefox, but honestly it just makes me want to use the internet less. Ladybird is cool, but the incompatibility with badly-made websites only intensifies the more niche your browser gets. Librewolf or the resurrected Sero browser feels like the next best thing, but even so it feels like a losing battle.


Is this in any way better than eza? https://github.com/eza-community/eza


I guess if you prefer emoji over Nerd Font icons?


I would love to see if you would try `pls` and provide your thoughts? Disclaimer: I am the maintainer of the project.

[pls]: https://pls.cli.rs


TIL eza is a continuation of exa


The website uses "Enter your 6-digit authentication code" as an example and then shows a 4-digit auth code in the text field https://imgur.com/a/u4STHPe


I don't understand why the software is built how it's built. Why would you want to implement licensing in the future for a software product that only creates fake processes and registry keys from a list: https://pastebin.com/JVZy4U5i . The limitation to 3 processes and the license dialog make me feel uncomfortable using the software. All the processes are 14.1MB in size (and basically the scarecrow_process.dll - https://www.virustotal.com/gui/file/83ea1c039f031aa2b05a082c...). I just don't understand why you would create such a complex piece of software if you can just use a PowerShell script that does exactly the same using fewer resources.

The science behind it only kinda makes sense. There is some malware that uses techniques to check if those processes are running, but by no means is this a good way to keep you protected. Most common malware like credential stealers (redline, vidar, blahblah) don't care about that and they are by far the most common type of malware deployed. Even ransomware like Lockbit doesn't care, even if it's attached to a debugger. I think this mostly creates a false sense of security and if you plan to grow a business out of this, it would probably only take hours until there was an open source option available.

Don't get me wrong - I like the idea of creating new ways of defending against malware, what I don't like is the way you try to "sell" it.


They know that if this idea catches on, a dozen completely free imitations will crop up, so ... the time to grab whatever cash can be squeezed out of this is now.


If something like this catches on, attackers will simply start checking the digital signature of the processes, to ensure they are genuine.


McAfee/Norton/etc. could license signed "scarecrow" versions of their products for use with something like this so that it's impossible for the malware to distinguish a scarecrow version of McAfee from the real thing (and they would get a cut/kickback).

I would pay a small amount for a scarecrow version of AV software if a) it had zero footprint on my system resources, and b) it really did scare away malware that checks for such things.

Either way, though, it makes malware more onerous to develop since it has to bundle in public keys in order to verify running processes are correctly signed.


Are you telling me this thing spawned 50 new processes on your computer? Could you zip up all the executable files and whatever it installed and upload it somewhere so we can analyze the assembly?


This "thing" is always spawning 3 processes at the time. The processes are always the ones from the virustotal link. I can upload the DLL to a file sharing service of your choice if you don't have a VT premium license. I can also provide an any.run link: https://app.any.run/tasks/bc557b04-5025-46a1-a683-aad3b29b9a... (installer) https://app.any.run/tasks/e257e7f2-7837-4ed1-93c8-5d617d75cc... (zip file containing the files). Let me know if you need further info :).


Is there a way for me to curl their executable into my UNIX terminal so I can read the assembly? Or does Any Run keep the samples to themselves? I know a lot about portable executable but very little about these online services.


https://github.com/mafriese/scarecrow Can upload any files you want there. Direct DL for one of the files: https://github.com/mafriese/scarecrow/raw/main/autoruns.exe


To your point, I made this a few years ago using powershell. I just created a stub .exe using csc on install and renamed it to match a similar list of binary names. Maybe I will dig it up...
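The stub-process approach described in the comment above, together with the Authenticode check predicted earlier in the thread, as an added example: this is neither Scarecrow's code nor the commenter's own script. It assumes Windows PowerShell 5.1 (so that csc.exe can be located in the .NET Framework runtime directory), a writable %TEMP%, and uses a short illustrative list of process names rather than the pastebin list. The second half shows why a name match alone is a weak signal: the stubs come back `NotSigned`, while a genuine Sysinternals or vendor binary carries a valid signature.

```powershell
# Added example (not Scarecrow's code, not the odoshi script). Assumptions:
# Windows PowerShell 5.1, csc.exe in the .NET Framework runtime directory,
# and a small illustrative name list instead of the full Scarecrow list.

$Names = @('procmon', 'procexp', 'wireshark', 'x64dbg', 'ollydbg')
$Dir   = Join-Path $env:TEMP 'scarecrow-demo'
New-Item -ItemType Directory -Force -Path $Dir | Out-Null

# Minimal C# program: it only sleeps so the process stays resident.
$Source = @'
class Stub {
    static void Main() {
        System.Threading.Thread.Sleep(System.Threading.Timeout.Infinite);
    }
}
'@
$SourcePath = Join-Path $Dir 'stub.cs'
Set-Content -Path $SourcePath -Value $Source

# Compile once with the framework's csc.exe, then copy under each decoy name.
$csc = Join-Path ([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()) 'csc.exe'
$StubExe = Join-Path $Dir 'stub.exe'
& $csc /nologo /target:winexe "/out:$StubExe" $SourcePath | Out-Null

foreach ($n in $Names) {
    $exe = Join-Path $Dir "$n.exe"
    Copy-Item -Path $StubExe -Destination $exe -Force
    Start-Process -FilePath $exe -WindowStyle Hidden
}
Start-Sleep -Seconds 1

# The check an attacker can add once decoys are common: do not trust the name,
# look at the Authenticode signature of the image backing each process.
# Stubs report 'NotSigned'; a real procmon.exe reports 'Valid' with a Microsoft signer.
$Report = Get-Process |
    Where-Object { ($Names -contains $_.ProcessName) -and $_.Path } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [pscustomobject]@{
            Process = $_.ProcessName
            Path    = $_.Path
            Status  = $sig.Status
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
$Report | Format-Table -AutoSize

# Cleanup: only kill the decoys that were launched from the demo directory.
Get-Process |
    Where-Object { ($Names -contains $_.ProcessName) -and $_.Path -and $_.Path.StartsWith($Dir) } |
    Stop-Process -Force
```

Run it from an elevated or normal Windows PowerShell 5.1 prompt; `Get-AuthenticodeSignature` is a single WinVerifyTrust call per process, so the attacker-side check costs nothing, which is the thread's point: a decoy only helps against malware that does plain process-name matching.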


I uploaded it here. I haven't tested it in years though- https://github.com/0xDigest/odoshi


Looks good! Maybe you could update it to use the list of processes Scarecrow uses? https://pastebin.com/JVZy4U5i


Because this is a bullshit idea and a bullshit product lol


You guys are getting paid?


Use Bitwarden instead. fixed.

https://bitwarden.com/


Still has a yearly fee for needed features.


May I ask what premium features you feel are needed? I feel like Bitwarden is extremely generous with its free tier.


I believe it was the browser extension to copy passwords iirc.


Like copy the password from your vault? Because that is a free feature haha


Not as a browser extension.


I've been able to do that with the BitWarden browser extension and I don't have premium... Was it a bug for you perhaps?


Because the $99/year is for the dev platform and the 15%/30% cut is for using the infrastructure needed for in-app purchases.


they do - the first $1M only costs 15% - It's btw the same with the Google Play Store


The fees scale with revenue - what I'm saying is that Apple's own costs do not scale with the revenue they take from companies on the App Store.

e.g. A single transaction of $10,000 does not cost Apple more than $100 other than the aforementioned financial transaction fee.


Honestly as a user I will avoid any app that is trying to offer me a purchase outside the App Store. Users mostly don't care about the issues between the developers and Apple and at least I am willing to pay more for my IAPs and be able to use Apple as my payment processor (sure - I can pay with Apple Pay but switching to another app for paying is a step more than needed).


Isn’t everyone here a developer? Aren’t you frustrated Apple can essentially take 30% of your revenue just for the privilege of strengthening their monopoly?


I’m a user more than I’m a developer. And there’s lots more users than developers.

I’m going to pay 3-5% for payment processing no matter how I look at it. So paying apple 15% to handle that is acceptable to me.

It’s one of those things that should be cheaper and is too much, but better than the alternative.

The payment part is the worst part of the purchase experience for me. I play a game that has a Mac version through Epic and an iOS version. Buying on iOS is easy, one click. Buying on Mac is a pain with some modal web frame pop up to a payment processor where I have to enter my payment info every time. EVERY TIME! I’ve already logged in. They know me.

Of course the price to me is the same in both situations.

So alternate payment processors will just be shittier for users. Bad UX, riskier data, and the same price.


It isn’t even 30% because you can top up your balance using discounted iTunes cards.


Unless you only ever use your own apps and nothing else, some of us are also “users” (in the general consumer sense).

Unless you jumped straight from school into a company with the goal to make mad money and nothing else, some of us became developers precisely because computer technology shaped our lives and became our passion.

We want to give our users the best experience possible, and don’t really care about their email addresses and credit card numbers and shit. And Apple’s IAP is closest to the ideal system:

• Minimal clicks and no jarring exits out of the app into third-party websites

• No need to re-enter payment and personal info at multiple places

• Biometric verification

• Preserves privacy and protects financial info

• Shows all receipts and subscriptions in one place

Even if Apple took a 50% I would still want the users of my app to have access to those benefits, because that’s what I would like all other devs to give me in their apps.


Well... That's the same amount of money you have to give to Google, Microsoft and Amazon if you want to use their services. Google and Apple both take 15% if you make less than $1,000,000/year. Again - As a user I also don't have a problem with the AppStore monopoly because 1. When I bought the device I knew that I can only use the apps that are available on the AppStore 2. Every time I open the Microsoft Store I'm thankful that the guidelines on iOS are so strict 3. Freedom to install everything you ""want"" has at least the same amount of bad use cases as good ones (usually it's mostly used for modding or piracy).


Effectively 15% for most developers


When it comes to Apple, privacy trumps ownership/monopoly. It's like a benevolent dictator. It can do no bad; if something is bad, then actually it's good!


I don't think anyone is objecting to Apple being allowed to offer a solution. Most simply want there to be other options available to customers.


The majority of customers don’t want the choice.

