On May 15, Coinbase disclosed that criminals had stolen the personal information of tens of thousands of customers, the most serious security incident in the company's history, with losses expected to reach as much as $400 million. The breach drew attention not only because of its scale, but because of its unusual method: the hackers bribed overseas customer support agents to obtain confidential customer records.
Coinbase has publicly announced a $20 million bounty on those behind the data theft. The criminals also tried to use the stolen data to blackmail the company into concealing the incident. But Coinbase has not yet disclosed details about who the hackers are or how they were able to target the company's support agents so precisely.
A recent investigation by Fortune, which reviewed email correspondence between Coinbase and one of the hackers, has revealed more details about the incident. The information strongly suggests that a loose network of young English-speaking hackers may be partly responsible. The investigation also highlights how so-called BPOs (business process outsourcing companies) have become a weak link in tech companies' security operations.
An "inside job"
The story begins with a small publicly traded company called TaskUs, headquartered in New Braunfels, Texas. Like other BPOs, TaskUs provides customer service to large tech companies at low cost by employing staff overseas. According to a company spokesperson, in January TaskUs laid off 226 employees serving Coinbase at its service center in Indore, India.
According to a filing with the Securities and Exchange Commission, TaskUs has provided customer service personnel to the U.S. crypto giant Coinbase since 2017, an arrangement that has saved the latter significant labor costs. But a problem comes with it: when customers email with questions about their accounts or a new Coinbase product, the reply may come from an overseas TaskUs employee. Because these agents earn far less than their U.S. counterparts, they have proved more susceptible to bribery.
Responding to the Coinbase incident, a TaskUs spokesperson told Fortune: "Early this year, we identified two individuals who illegally accessed information belonging to one of our clients. We believe these two individuals were recruited by a much broader, coordinated criminal campaign against this client that also affected a number of other providers servicing this client."
According to Coinbase's regulatory filing, the TaskUs layoffs in January came less than a month after Coinbase discovered the theft of customer data. Last Tuesday, a federal class action filed in New York on behalf of Coinbase customers accused TaskUs of serious negligence in protecting customer data. A TaskUs spokesperson said: "While we cannot comment on litigation, we believe these claims are without merit and will defend ourselves vigorously. We have always placed the highest priority on safeguarding the data of our clients and their users and continue to strengthen our global security mechanisms and training programs."
A person familiar with the security incident said the hackers had also targeted other BPOs, in some cases successfully, and that the nature of the data stolen differed each time. The person requested anonymity in order to speak candidly.
The stolen data was not enough for the hackers to break into Coinbase's crypto vaults, but it gave criminals a wealth of information that helped them impersonate Coinbase support agents when contacting customers and persuade those customers to hand over their crypto funds. Coinbase said the hackers stole data on more than 69,000 customers, but did not reveal how many of them fell victim to so-called "social engineering scams."
In this incident, the social engineering scams worked as follows: criminals used the stolen data to impersonate Coinbase employees, win the victims' trust, and trick them into transferring their crypto funds.
Coinbase said in a statement: "As we have already disclosed, we recently discovered that a threat actor had, since December 2024, solicited overseas customer support agents to obtain customer account information. We have notified affected users and regulators, cut ties with the TaskUs personnel involved and other related overseas agents, and tightened internal controls." Coinbase also said it would reimburse customers who lost funds in the scams.
Coinbase added that the publicly cited figure of $400 million is the upper end of its estimated range for the total cost of the breach; the lower-end estimate is $180 million.
While "social engineering scams" that impersonate company employees are nothing new, the scale at which the hackers targeted BPOs in this case is rare. Although no conclusive evidence yet points to specific perpetrators, multiple clues point to a loose network of young English-speaking hackers.
"They come from the world of video games"
In the days after the Coinbase breach came to light in mid-May, Fortune exchanged messages on Telegram with a person calling himself "puffy party," who claimed to be one of the participants in the hack.
Two security researchers who had communicated with the anonymous hacker told Fortune they considered the person credible. One said: "Based on what he shared with me, I took his statements seriously and found no evidence that they were false." Both researchers requested anonymity, citing concern that they could receive subpoenas for having contact with the suspected hacker.
In the exchanges, the person shared numerous screenshots of what were said to be emails with Coinbase's security team. The name used in communicating with the company was "Lennard Schroeder." He also shared screenshots of the account of a former Coinbase executive, showing the account's crypto transaction history and a large amount of personal information.
Coinbase did not deny the authenticity of the screenshots.
The emails shared by the self-described hacker included a blackmail threat demanding $20 million worth of Bitcoin, which Coinbase refused to pay. The emails also mocked Coinbase, saying the hacking group would use part of the ransom to buy a wig for the company's bald CEO, Brian Armstrong. The hackers wrote: "We're willing to sponsor a hair transplant so that he may graciously traverse the world with a fresh head of hair."
In the Telegram conversation, the hacker (whose existence Fortune learned of from a security researcher) also expressed contempt for Coinbase.
Although many crypto heists are carried out by Russian criminal gangs or the North Korean military, the purported hacker said this incident was the work of a loosely connected group of teenagers and people in their early twenties who call themselves the "Comm" or "Com," short for "Community."
Over the past two years, reports about the Comm have surfaced in media coverage of other hacking incidents. In a New York Times report earlier this month, a suspect in a series of crypto thefts identified himself as a member of the group. And according to the Wall Street Journal, in 2023 investigators identified a group of hackers linked to the Comm who had broken into the online systems of several Las Vegas casinos and tried to extort $30 million from MGM Resorts.
Unlike Russian or North Korean crypto hackers, who are mainly after money, members of the Comm are often motivated by a desire for attention or the thrill of mischief. They sometimes collaborate on attacks and sometimes compete with one another to see who can steal more.
Josh Cooper-Duckett, director of investigations at the crypto forensics firm Cryptoforensic Investigators, said: "They started out in the world of video games, and then they brought the game's 'high score' into the real world. In the real world, their 'high score' is how much money they steal."
In the Telegram conversation, the self-described hacker said members of the Comm have a clear division of labor in their operations. His group was responsible for bribing customer support agents and collecting customer data, which it then handed to other teams skilled at carrying out "social engineering scams." He added that these different Comm-linked groups coordinate their respective parts of the operation on social platforms such as Telegram and Discord and agree in advance on how to split the proceeds.
Sergio Garcia, founder of the crypto investigations firm Tracelon, told Fortune that the hacker's account of the Coinbase attack closely matches what he has observed of how the Comm operates and of other crypto scam cases. A person familiar with the security incidents added that the attackers who recently targeted customers with "social engineering scams" spoke unaccented North American English.
According to a person familiar with wages in the BPO industry, TaskUs employees in India earn between $500 and $700 per month. TaskUs declined to comment. Although that income is above India's per capita gross domestic product, Tracelon founder Garcia told Fortune that such low wages make support agents more susceptible to bribes.
He added: "Obviously, that is the weakest link in the whole chain, because they have an economic incentive to accept a bribe." (Fortune China)
Translator: 刘进龙
Reviewer: 汪皓
On May 15, Coinbase revealed that criminals had stolen personal data from tens of thousands of customers—the biggest security incident in the company’s history, and one that is poised to cost it as much as $400 million. The breach is notable not only for its scale, but for the way the hackers went about it: bribing overseas customer support agents to share confidential customer records.
Coinbase has responded by publicly announcing it had put a $20 million bounty on those who stole the data, and who sought to blackmail the company so as not to reveal the incident. But it has shared few details about who carried out the attack or how the hackers were able to target its agents so successfully.
A recent investigation by Fortune, including a review of email messages between Coinbase and one of the hackers, has uncovered new details about the incident that strongly suggest a loose network of young English-speaking hackers are partly responsible. Meanwhile, the findings also highlight the role of so-called BPOs, or business process outsourcing units, as a weak link in tech firms’ security operations.
An inside job
The story starts with a small but publicly traded company based in New Braunfels, Texas, called TaskUs. Like other BPOs, it provides customer services to big tech at a low cost by employing staff overseas. In January, TaskUs laid off 226 staff members working for Coinbase from its service center in Indore, India, according to a company spokesperson.
Since 2017, according to a filing with the Securities and Exchange Commission, TaskUs has provided customer service personnel to Coinbase, an arrangement that reaps the U.S. crypto giant significant savings in labor costs. But there’s a catch, of course: When customers email to inquire about their accounts or a new Coinbase product, they’re likely talking to an overseas TaskUs employee. And because these agents earn low wages compared to workers in the U.S., they’ve proved susceptible to bribes.
“Early this year we identified two individuals who illegally accessed information from one of our clients,” a TaskUs spokesperson told Fortune, in reference to Coinbase. “We believe these two individuals were recruited by a much broader, coordinated criminal campaign against this client that also impacted a number of other providers servicing this client.”
The TaskUs firings in January came less than a month after Coinbase discovered theft of customer data, according to a regulatory filing from the company. On Tuesday, a federal class action suit filed in New York on behalf of Coinbase customers accused TaskUs of negligence in protecting customer data. “While we cannot comment on litigation, we believe these claims are without merit and intend to defend ourselves,” a TaskUs spokesperson said. “We place the highest priority on safeguarding the data of our clients and their customers and continue to strengthen our global security protocols and training programs.”
A person familiar with the security incident, who asked not to be identified in order to speak candidly, said the hackers had also targeted other BPOs, in some cases successfully, and that the nature of the data stolen varied according to each incident.
This stolen data was not enough for the hackers to break into Coinbase’s crypto vaults. But it did provide a wealth of information to help criminals pose as fake Coinbase agents, who contacted customers and persuaded them to hand over their crypto funds. The company says the hackers stole the data of over 69,000 customers, but did not say how many of these had been victims of so-called social engineering scams.
The social engineering scams in this case involved criminals who used the stolen data to impersonate Coinbase employees and persuade victims to transfer their crypto funds.
“As we’ve already disclosed, we recently discovered that a threat actor had solicited overseas agents to capture customer account information dating back to December of 2024. We notified affected users and regulators, cut ties with the TaskUs personnel involved and other overseas agents, and tightened controls,” said Coinbase in a statement, adding it is reimbursing customers who lost funds in the scams.
Coinbase also stated that the $400 million figure it has cited publicly as the overall cost of the breach is at the top end of its estimates, and that its low-end figure is $180 million.
While social engineering scams that revolve around impersonation of company representatives are hardly new, the scale at which hackers targeted BPOs does appear to be novel. And while no one has definitively identified the perpetrators, a number of clues point strongly to a loosely affiliated network of young English-speaking hackers.
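The harvesting described in this section, support agents reading customer records in bulk and passing them on rather than handling tickets, leaves a signature in the support console's own audit log: bursts of distinct customer lookups, and lookups with no open ticket behind them. The detector below is an added example written for this article; it is not Coinbase's or TaskUs's code, and the log format, agent and customer ids, ticket ids and thresholds are all constructed assumptions. It parses a small constructed log, computes per-agent signals (distinct customers in any one-hour window, share of views not tied to a ticket) and flags agents whose pattern looks like harvesting rather than support work.

```python
"""Insider-harvesting detector for a support-console audit log.

Added example (not Coinbase's or TaskUs's code). The log format, agent ids,
customer ids, ticket ids and thresholds below are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def make_sample_log() -> str:
    """Build a constructed audit log: one line per customer-record view.

    Assumed format: <ISO-8601 timestamp> <agent_id> <customer_id> <ticket_id|->
    A ticket id of "-" means the view was not tied to any open support ticket.
    """
    base = datetime(2024, 12, 3, 9, 0, tzinfo=timezone.utc)
    lines = []
    # agent_a1: ordinary ticket-driven work, one lookup every 25 minutes
    for i in range(8):
        ts = base + timedelta(minutes=25 * i)
        lines.append(f"{ts.isoformat()} agent_a1 cust_{1000 + i} T-{5000 + i}")
    # agent_b2: 25 distinct customers in under 40 minutes, most with no ticket
    for i in range(25):
        ts = base + timedelta(seconds=96 * i)
        ticket = f"T-{6000 + i}" if i % 5 == 0 else "-"
        lines.append(f"{ts.isoformat()} agent_b2 cust_{2000 + i} {ticket}")
    # agent_c3: busier but legitimate, one ticketed lookup every 10 minutes
    for i in range(12):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()} agent_c3 cust_{3000 + i} T-{7000 + i}")
    return "\n".join(lines) + "\n"


def parse_events(text: str) -> list:
    """Parse the audit log into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, agent, customer, ticket = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "agent": agent,
            "customer": customer,
            "ticket": None if ticket == "-" else ticket,
        })
    return events


def max_distinct_in_window(views, window=timedelta(hours=1)) -> int:
    """Largest number of distinct customers one agent viewed in any sliding window."""
    views = sorted(views)                      # (timestamp, customer_id) pairs
    counts = defaultdict(int)
    best = j = 0
    for i, (start, _) in enumerate(views):
        # extend the window end to cover every view that starts within `window`
        while j < len(views) and views[j][0] < start + window:
            counts[views[j][1]] += 1
            j += 1
        best = max(best, sum(1 for c in counts.values() if c > 0))
        counts[views[i][1]] -= 1               # slide the window start past views[i]
    return best


def agent_stats(events) -> dict:
    """Per-agent signals: volume, burstiness, and share of views with no ticket."""
    by_agent = defaultdict(list)
    for e in events:
        by_agent[e["agent"]].append(e)
    stats = {}
    for agent, evs in by_agent.items():
        views = [(e["ts"], e["customer"]) for e in evs]
        no_ticket = sum(1 for e in evs if e["ticket"] is None)
        stats[agent] = {
            "total_views": len(evs),
            "max_distinct_per_hour": max_distinct_in_window(views),
            "no_ticket_ratio": no_ticket / len(evs),
        }
    return stats


def flag_agents(events, max_distinct_per_hour=15, max_no_ticket_ratio=0.5,
                min_views=10) -> dict:
    """Return {agent_id: [reasons]} for agents whose access looks like harvesting.

    The thresholds are assumptions; in practice they would come from each
    queue's historical baseline rather than fixed numbers.
    """
    findings = {}
    for agent, s in agent_stats(events).items():
        reasons = []
        if s["max_distinct_per_hour"] > max_distinct_per_hour:
            reasons.append(f"{s['max_distinct_per_hour']} distinct customers in one hour")
        if s["total_views"] >= min_views and s["no_ticket_ratio"] > max_no_ticket_ratio:
            reasons.append(f"{s['no_ticket_ratio']:.0%} of views not tied to a ticket")
        if reasons:
            findings[agent] = reasons
    return findings


if __name__ == "__main__":
    for agent, reasons in flag_agents(parse_events(make_sample_log())).items():
        print(agent, "->", "; ".join(reasons))
```

Run as a script, the constructed log flags only agent_b2, for both reasons; the two agents doing ticket-driven work stay under both thresholds. The ticket-linkage check matters as much as the volume check: a bribed agent who paces lookups to stay under a rate limit still has no ticket to justify each record view, so the two signals should be reviewed together rather than either one alone.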
‘They come from video games’
In the days following the disclosure of the Coinbase breach in mid-May, Fortune exchanged messages on Telegram with an individual who called himself “puffy party” and who claims to be one of the hackers.
Two other security researchers who spoke with the anonymous hacker told Fortune they found the individual to be credible. “Based on what he shared with me, I took his statements seriously and was unable to find evidence that his statements were false,” said one. Both researchers requested anonymity because they were afraid of receiving subpoenas for speaking with the purported hacker.
In the exchanges, the individual shared numerous screenshots of what they said were emails with Coinbase’s security team. The name they used to communicate with the company was “Lennard Schroeder.” They also shared screenshots of a Coinbase account belonging to a former executive of the company that displayed crypto transactions and extensive personal details.
Coinbase did not deny the authenticity of the screenshots.
The emails shared by the purported hacker include the blackmail threat for $20 million in Bitcoin, which Coinbase refused to pay, and mocking comments about how the hacking group would use some of the proceeds to purchase hair for Brian Armstrong, the company’s bald CEO. “We’re willing to sponsor a hair transplant so that he may graciously traverse the world with a fresh set of hair,” wrote the hackers.
In the Telegram messages, the person—whose existence Fortune learned of from a security researcher—expressed contempt for Coinbase.
Many crypto robberies are carried out by Russian criminal gangs or the North Korean military, but the alleged hacker says the job was pulled off by a loose affiliation of teenagers and 20-somethings alternatively called the “Comm” or “Com”—shorthand for the Community.
In the last two years, reports of the Comm have bubbled up in media reports about other hacking incidents, including a New York Times story earlier this month in which one of the alleged perpetrators of a series of crypto thefts identified himself as a member of the group. And in 2023, hackers, whom investigators identified as part of the Comm, targeted the online operations of a handful of Las Vegas casinos and tried to extort MGM Resorts for $30 million, according to the Wall Street Journal.
Unlike the Russian and North Korean crypto hackers, who are typically seeking only money, members of the Comm are often motivated by attention seeking or the thrill of mischief as well. They sometimes collaborate on hacking attacks but also compete with each other to see who can steal more.
“They come from video games, and then they bring their high scores into the real world,” said Josh Cooper-Duckett, director of investigations at Cryptoforensic Investigators. “And their high score in this world is how much money they steal.”
In the Telegram messages, the purported hacker said that members of the Comm specialize in different parts of a heist. The hacker’s team bribed the customer support agents and gathered the customer data, which they gave to others outside of their group who are well-versed in carrying out social engineering scams. They added that different Comm-affiliated groups coordinated on social platforms like Telegram and Discord about how to carry out different portions of the operation and agreed to split the proceeds.
Sergio Garcia, founder of the crypto investigations company Tracelon, told Fortune that the hacker’s description of the Coinbase exploit mirrors his observations of how the Comm operates and other crypto social engineering scams. The person familiar with the security incidents said those who targeted customers in recent social engineering scams spoke in unaccented North American English.
TaskUs workers in India are paid between $500 and $700 per month, according to a source familiar with the BPO workers’ wages. TaskUs declined to comment. Even though that amounts to more than India’s gross domestic product per person, the low wages of customer support agents often make them more susceptible to bribes, Garcia told Fortune.
“Obviously that’s the weakest point in the chain, because there is an economic reason for them to accept the bribe,” he added.