Update: Since the article was published, more details have been provided on the theft. The story, where noted, and headline have been updated to reflect the new information.
The cryptocurrency exchange that claims to have never been hacked, Coinbase, may in fact have had its hot wallet hacked as early as 2013. [According to new information, the money was stolen through a phishing attack, and the hot wallet was not directly accessed.]
That’s according to journalist and author Jeff Roberts, who divulged the tidbit on Ep. 126 of the Unchained podcast, while promoting his book, “Kings of Crypto: Coinbase and the Coming Disruption of Finance.”
Coinbase told Decrypt, "The account is inaccurate. I can share more off the record."
Roberts claims Coinbase’s hot wallet was hacked just a year after the company’s inception in 2012, and that the hacker made away with $250,000 worth of Bitcoin. As opposed to a cold wallet, a hot wallet is a cryptocurrency wallet which is connected to the internet, and in a sense, “live.” This leaves it much more prone to attack by hackers.
Roberts explained on Unchained: “Coinbase likes to boast they’ve never been hacked—that’s not actually true.”
“In the early days when there were just five of them; Charlie Lee and Brian [Armstrong] and Fred Ehrsam, and a couple of other folks. One of their vendors did get in and rob their hot wallet to the tune of $250,000. I can’t remember how many Bitcoins it was at the time, but it was a lot,” said Roberts, adding, “This was a long time ago of course, this was 2013 or 2014.”
["Saying that it’s a hack and the hot wallet was stolen is just plain wrong. There was no vendor break in. Nobody broke into our system and stole private keys," a person familiar with the situation told Decrypt. "Instead what happened was that a customer support agent was phished. The attacker used the customer support account to credit his account with some BTC and tried to withdraw. Due to our withdrawal restrictions, he had to do multiple withdrawals. And we caught it very fast and only one withdrawal went out. I don’t remember how much, but it was not a lot of BTC."]
["Soon after, we added better controls for customer support such as approvals for crediting customer accounts and better protection from phishing and social engineering attack," they added.]
Based on the fluctuations in Bitcoin’s price between 2013 and 2014, the $250,000 haul could equate to 200 Bitcoin, or over 2,000. If it were the latter, that would have given stolen coins a value of over $40 million in December 2017—when one Bitcoin was priced at $20,000.
Roberts said that despite the hack, Coinbase’s reputation and security remain strong. However, they can no longer “boast” of having never been hacked. “Coinbase is very secure and has a good reputation—but they haven’t been infallible, that’s for sure,” said Roberts.
As Decrypt reported last year, Coinbase hires third party firms to try to break into its own systems. These firms will even pose as workers, with only Coinbase CEO Brian Armstrong and Coinbase’s head of security aware of the infiltration. If they do find any security weaknesses, they report back to Coinbase, which fixes them.
This level of security has paid off. In August 2019, Coinbase revealed how it prevented a sophisticated hacking attempt that tried using emails to infect computers at the exchange with a virus.