
How Hacks Happen
Hacks, scams, cyber crimes, and other shenanigans explored and explained. Presented by your friendly neighborhood cybersecurity gal Michele Bousquet.
Coinbase Hack and Impending Crypto Doom
In May 2025, Coinbase, one of the largest cryptocurrency exchanges in the world, got hacked. Or did they? It was more like a near-miss. But while we might wipe our brows in relief over this latest mishap, it doesn't bode well for the future of cryptocurrency, which is currently unregulated, uninsured, and just waiting for the next big catastrophe to leave investors crying in their collective beers over their lost millions.
Join us for a tour of some of the most disastrous crypto hacks of yesteryear like Mt Gox and Bybit, and what we see coming for the future of crypto. Hint: It's not pretty.
Resources
- Coinbase: Protecting Our Customers - Standing Up to Extortionists
- The Story of Mt. Gox: Explained
- Bank Secrecy Act (BSA)
- What Is Crypto KYC and Why Do Exchanges Need It in 2025?
- The ByBit Heist and the Future of U.S. Crypto Regulation
- Top 10 Cryptos to Invest In May 2025
Coinbase hack
Did you hear the news? Coinbase got hacked! Or did they? A couple of days ago, the headlines were full of alarming news. Coinbase, one of the top cryptocurrency exchanges in the world, got hacked. Well, at least that's what they said, but it wasn't really a hack, it was more like a breach maybe. I mean, how do we define a hack?
And it was very fortunate that they weren't hacked. Because cryptocurrency isn't insured by the government the way your bank deposits are. If your bank gets robbed, the government will step in and help you. But what if your cryptocurrency gets stolen?
In this episode of How Hacks Happen, we're going to talk about the Coinbase hack, I mean the breach, and we're going to compare it with some other famous moments in crypto catastrophe history and what it means for the future now that Bitcoin is going through the roof in value. And the value of these hacks is going to get bigger and bigger. If the government isn't stepping in, how are crypto exchanges gonna respond?
Let's start with Coinbase. On May 11th, 2025, Coinbase received an email from someone claiming to have stolen internal documents and customer data. No actual coins, just personal information for customers.
And that email came with a ransom demand. Pay us $20 million, or the data goes public. No coins were stolen. Just things like names and addresses and the last four digits of people's social security numbers.
One of the most interesting things about this situation is the way Coinbase responded. I mean, it was in a way that made my little cybersecurity heart happy. They basically flipped the bird at the perpetrators.
It turns out that the breach had been going on for a while before the message arrived, and the attackers didn't break into the system using some sophisticated exploit. Nah, they went old school. They bribed customer support agents to gain access.
Coinbase doesn't say where these customer support agents were located, just that they were overseas. Coinbase is based in the United States in Delaware. Delaware is on the east coast and south of New York for my international listeners, and we can only guess where the customer service agents were if they were “overseas”.
Now, this isn't a big surprise. Companies in the United States have been outsourcing customer service overseas for decades because the exchange rate is so attractive. For far lower hourly rates than they'd have to pay in the United States, they could have a whole team in India or the Philippines or any number of other countries, and they can hire smart people with decent English working for the equivalent of, say, $5 an hour, which when exchanged for their own currency is a decent living wage. But I can also see these employees not necessarily having the same level of loyalty to a company that somebody working in the main office would have.
Like, just imagine you're seeing the profits go up and up and the Instagram pics of the company party where they celebrate and you're maybe just a little bit peeved that you are still making a basic wage and no one invited you to the sales meeting in Orlando. Yeah, it's probably not the best situation for company loyalty.
And then along comes some hacker that offers you 500 bucks or maybe even 5,000 bucks to cough up some data. Again, we don't know the numbers and we don't know exactly what happened, but I can totally see that scenario happening.
But then, to Coinbase’s credit, they responded quickly to the breach. They fired the support agents and they launched an internal investigation and they contacted law enforcement right away. Then they went public, not just to alert customers, but to tell the world they were not going to bow down to the extortion.
Instead of paying the hackers $20 million, they turned around and offered a $20 million reward for information leading to the arrest of the people responsible. Hmm. That's what we like to hear. Get lost, hackers.
And Coinbase went even further to say that they themselves, all by their lonesomes, would cover any phishing-related losses. Because that's the biggest danger here, that the hackers will use the personal information about customers to send phishing emails and texts and try to get them to fake log into their account so they can grab their crypto wallets.
And Coinbase is setting aside $420 million to handle just that. And to that I say, this is a class act. They're not asking for help. They're not blaming anybody else. They're not whining to the government to give them money. They're just handling it themselves.
It gives us something we don't necessarily feel in the world of crypto very often, and that is trust. Now I'm not even going to think about how a company could have $420 million lying around just to set aside. I guess they know their business.
But anyway, let's talk about another hack that didn't end so well and that is the Bybit hack.
Bybit is a crypto exchange established in 2018 in Singapore. It's around the same size as Coinbase in trading volume, accounting for around 7% of all the traffic worldwide.
In February 2025, just a few months before I'm recording this, Bybit reported a breach that resulted in $1.5 billion worth of Ethereum and other cryptocurrency being stolen. Ethereum is the second most traded cryptocurrency after Bitcoin, currently trading around 2,500 US dollars per coin. This was another one of those cryptocurrencies that has increased in value a lot over the past few years.
Like, it's now worth around 10 times what it was in its early days. Not the same level as Bitcoin, but still nothing to sneeze at, I mean, if you were inclined to sneeze at coins.
But anyway, Bybit announced this $1.5 billion breach in February, but the breach actually happened weeks before. Unlike Coinbase, Bybit was a lot slower to respond. Their customer notification came five days after they knew something was wrong. They did freeze withdrawals temporarily and released a plan for new security audits going forward.
But here's the issue: it's still unclear whether Bybit can cover these losses.
I mean, what about the people who lost their Ethereum? Are they gonna get any of it back? Bybit is reportedly in talks with investors and insurers, but there's no funds that have been returned to customers as of this recording.
So oof. You know, that's, oh boy. I don't know what's gonna happen there.
So how did this happen? Apparently, it was North Korean hackers. In the episode “Sony Hack”, I talked about how these North Korean hackers attacked Sony for the sole purpose of preventing the release of the film The Interview, which makes fun of their supreme leader.
That hack was actually, to me, just more amusing than anything. Nobody lost any money and the demands from the hackers were just, they were funny, like, which is so like, just, just listen to the episode if you wanna hear about their demands.
Those same North Korean hackers that I made fun of a few years ago, these seem to have gotten a lot more sophisticated in the past few years, and they got into Bybit for $1.5 billion, which last time I checked buys a significant number of, you know, tanks and missiles and things.
So that's Bybit. Now let's rewind to one that you know about, if you listened to an episode a few months ago called “Social Media Smoke: Razzlekhan, Dutch, and the $4 Billion Heist.” That hack took place on the Bitfinex Exchange. Bitfinex was founded in 2012 and it's based in Hong Kong. Back in 2016, Bitfinex lost nearly 120,000 Bitcoin to a hack, about 4.5 billion in today's value.
And the hackers were Ilya Lichtenstein and Heather Morgan, otherwise known as Dutch and Razzlekhan, a couple who lived a quiet life in New York City while attempting to launder the money bit by bit. And eventually they got caught.
They weren't very good at money laundering, thus the getting caught part. But hey, laundering crypto is hard. It actually is because of the fact that you can trade it anonymously all you want, but when you go to cash it out, you can be identified.
They gave it back 'cause they hadn't spent very much of it. And Bitfinex survived.
And that raises the big What if? What if Bitfinex hadn't gotten most of the coins back? Would they be able to pay back their customers in the same way Coinbase is protecting their customers?
And this one brings us to the mother of all cautionary tales in Bitcoin: Mount Gox. Never heard of Mount Gox? Oh, you are one lucky little princess, then. Enjoy the bliss of your ignorance for this brief moment in time because I'm about to end it.
15 years ago, Mount Gox was the thing. It was the man, the bomb. It was the largest Bitcoin exchange in the world. Up until Mount Gox, if you wanted to trade crypto, you had to like write code. And while some people were down for that, not everyone was. So enter Mount Gox, just like a regular crypto exchange, it had a pretty user interface and you could just type in a few details about yourself and voila, you could buy and sell crypto.
And Mount Gox took off like a rocket. At its peak, Mount Gox was trading in over 70% of all Bitcoin transactions worldwide. Woo. Good for them.
The name had kind of a silly origin. In 2006, a guy named Jed McCaleb bought the domain because he liked to play a fantasy card game called Magic: The Gathering, and he wanted to set up a place to trade these cards.
Thus mtgox.com stood for Magic: The Gathering Online Exchange. Then four years later, in 2010, when McCaleb realized the domain really wasn't doing much, he thought, Hey, I think I'll start a crypto exchange. Now, realize back in 2010, Bitcoin was worth next to nothing, so this was just another fun thing to do.
You could kind of liken it to, you know, kids trading candy on a playground or something. In the website's first trades, Bitcoin was worth 5 cents and McCaleb wasn't super focused on security. Like, I mean, so what? You lose a few Bitcoin, just so you lose $2.
And then in 2011, when the value of Bitcoin started to inch its way up to $200, $500, a thousand dollars per coin, this guy named Mark Karpeles bought Mount Gox from Jed McCaleb, and then some things happened. Karpeles admittedly didn't know what he was doing. You see, managing crypto transactions requires rock-solid code and good security practices if you don't want hackers all up in your business, and if you don't really know what you're doing, well, you know.
That's around the time when Mount Gox reported that 25,000 Bitcoin, worth about $400,000 at the time, had mysteriously vanished. And oh, surprise, surprise. That was just the beginning.
Later that same year, someone got into the system using stolen credentials, and the breach was so disruptive that the price of Bitcoin on Mount Gox briefly crashed to one cent. One cent on the world's biggest crypto exchange!
But then the real catastrophe really hit in February of 2014. That's when Mount Gox suddenly froze all withdrawals, saying that there was some “suspicious activity” in their digital wallets.
It turns out 850,000 Bitcoin had disappeared. Just poof, gone. Hundreds of millions of dollars’ worth of Bitcoin at the time, and worth billions now. And with that, Mount Gox was done. They filed for bankruptcy, and even now, years later, people are still trying to get their Bitcoin back.
It's been dragging through international legal systems, and as of this podcast, there have been some people that were offered to settle for around 20% of their holdings, but other people haven't gotten any offer at all.
This must be so frustrating for them, especially in light of Bitcoin's price appreciation since 2014 when the hack occurred. Bitcoin has risen by more than 10,000% in value. So, yeah, the consequences of this hack were not insignificant. I know that if I had had any Bitcoin in Mount Gox back then, I would be quite annoyed.
The whole story of Mount Gox, and specifically Mark Karpeles, is an incredible one on its own. Got more twists and turns than an Agatha Christie novel. Karpeles has been convicted of fraud multiple times and was even once accused of being the successor to Ross Ulbricht as the owner of the Silk Road website, which sold illegal drugs on the dark web, but Mark Karpeles is a story for another time. Let's go back to the Bitcoin hacks.
Dealing with hacks today is easier in some ways because we now have the ability to trace cryptocurrency transactions with tools that will follow them through the blockchain. Now, the blockchain is anonymous in the sense that a wallet and its transactions are identified only by the wallet number and not by a person, but you can trace the cryptocurrency from wallet to wallet as it bounces around until somebody goes to cash it out, a person, an identity, an actual physical being standing there. And when they do, that's when we can find out who they are. That's what happened to the couple in the Razzlekhan episode where the feds traced the wallets where the stolen crypto went, and they were able to track it to those specific individuals.
In recent years, crypto exchanges in the United States and the UK and other countries have been required to follow something called KYC.
KYC stands for Know Your Customer. As in know your customer's names and addresses and have some reliable way to verify their identities the same way banks do.
Banks are required by law to know who's opening an account with them, because the Bank Secrecy Act says so.
The Bank Secrecy Act, or BSA, goes all the way back to 1970, which might seem like a long time ago, but we're only talking about like 50 years. Before that, banks were just expected to know all their customers by sight at the branch level.
Now, I'll confess, I'm old enough to remember going to the bank with my mom in the late 1960s and all the tellers greeting her by name because back then if you wanted to do anything with the bank, you had to physically present yourself and talk to a teller or a manager. My mom made the deposits for my dad's business. We put the whole thing in a plastic pouch that had the bank's name stamped on it. And then we'd walk in and everyone was like, hi, Mrs. Bousquet, and they'd give me a lollipop. Oh, those were the days.
Now, back then, if you wanted a loan, you had to make an appointment and sit down with another human being who would review your financial history with you and talk to you about your options.
And you know, their son probably went to school with your sister and you'd run into each other at the annual spring middle school Easter Gala Concert and Bake Sale or something. It was a different time.
Prior to 1970, banks just decided on their own how much ID they required. Then the 1960s happened and there was an uptick in money laundering and mafia activity and bank fraud. So the US government stepped in and voila, the Bank Secrecy Act was born.
Speaking of banks, let's talk about another protective mechanism for banks that wasn't always around: the FDIC. Hey, I know we're grooving on the seventies music, but can we have something more like 1930s?
Oh yeah, that's perfect.
If you have money in a bank, that money is insured against things like robbery and bank failure by the Federal Deposit Insurance Corporation or FDIC. Back in the early 1930s during the Great Depression, hundreds of banks failed in the United States. People lost their life savings and trust in the banking system just went down the tubes.
If you want some easy context, watch the Frank Capra film “It's a Wonderful Life” starring Jimmy Stewart, which shows a run on a bank where basically everyone tries to take their money out at once. And that could cause a bank to go under because they don't necessarily have everybody's money stored there at the same time. In 1933, the US government passed the Banking Act, which included the creation of the FDIC, which is an independent US government agency that insures deposits at FDIC-insured banks.
So if everyone tries to withdraw all their money at once, they got it covered. Or if a bunch of masked men run into a bank and steal all the cash, it's insured. Also, if your bank goes bankrupt because the executives take all the money to Aruba for a lifelong vacation, you're still covered.
At first, the insurance limit was just $2,500, but now it's $250,000 per depositor, per insured bank for each account ownership category.
Now the idea is simple. You shouldn't lose your money just because your bank is irresponsible or unlucky, and because of that promise, people trust banks.
If you walk into pretty much any bank in the US even today, you'll see a big sign that says “Protected by the FDIC” at every teller window.
And I remember, I remember asking a teller a lot of questions about this FDIC sign after they gave me my lollipop. I was still learning to read and I was trying to sound out the word. I asked a lot of questions. I'm surprised they didn't put my little self on an FBI watch list.
Back to know your customer. In the case of Bitfinex, the one in the Razzlekhan hack, they were a little loosey goosey with KYC when they started in 2012, but they started enforcing it for realsies in 2017. That was the year after the Razzlekhan hack for context.
Not that having KYC would've had any effect on the hack whatsoever, but just saying it took them a minute to catch up with security practices.
And because of KYC and the tools that make it easier to track wallets, exchanges are now able to work with law enforcement to flag wallets or shut them down. I see this all the time on YouTube channels like Coffeezilla, who tracks crypto pump and dump schemes, and Kitboga, who tracks scammers who try to get people to pay fraudulent bills with Bitcoin.
And Catfished, where unsuspecting people are duped into sending money to crypto wallets in the name of love.
So now we have exchanges that are more secure and we have the ability to track wallets as the stolen crypto moves around. So where does that leave us?
Well, things are better, but not necessarily perfect. Coinbase responded fast to their relatively small breach and they owned it, and they put money on the table to cover any potential losses. Now that's as far as you can get from Mount Gox who can only cover 20% of the losses due to a hack, which happened years ago.
Coinbase really stepped up. But will that always be the case? Some exchanges don't have Coinbase’s size or cash reserves. I mean, look at what Bybit is going through right now.
And crypto is still global, decentralized, and often poorly regulated, which means that your cryptocurrency might someday be funding a hacker group in North Korea, helping their supreme leader stock up on nuclear weapons or something. All while you're crying into your beer and watching the value of the Bitcoin you no longer own going up and up and up.
Because the next hack, it's coming. And when it does, the question won't be how it happened. It'll be, what is the exchange going to do to recover? How are they going to return everybody's cryptocurrency to them?
That's it for today. I think it's enough. This is How Hacks Happen. And this is Michele Bousquet and I dedicate this episode to my dear sweet departed mom who was unfailingly polite to scammers on the phone, but refused to give them any money. And who wouldn't have known a Bitcoin from a Beatle.
If you liked this episode, please leave a review or share it with a friend, maybe one who's thinking about investing in crypto. See you next time on How Hacks Happen.