Hacking incident could cost Coinbase $400 million, $20 million reward offered

Google warns hackers could target US retailers, Co-op acted fast in limiting cyberattack, Crime bazaar to shut down, CFPB cancels protection against data brokers, Steelmaker Nucor hit by cyber incident, EU law enforcement took down scam operation, OpenAI unveils safety hub, much more

Photo by PiggyBank / Unsplash


Leading cryptocurrency exchange Coinbase disclosed a cyber attack involving the theft of internal data and customer information, with a potential financial impact ranging from $180 million to $400 million. 

The company said it refused a $20 million extortion demand and is working with law enforcement to investigate the incident.

Coinbase described the breach as an “extortion attempt.” It is said to have started when criminals bribed overseas support contractors to extract internal data affecting less than 1% of monthly transacting users.

The attackers reportedly obtained names, addresses, phone numbers, masked Social Security and bank account information, government ID images, and account data.

Coinbase emphasized that the attackers did not gain access to passwords, two-factor authentication codes, private keys, or customer funds.

“Instead of funding criminal activity, we have investigated the incident, reinforced our controls, and will reimburse customers impacted by this incident,” the company said.

Coinbase said it traced the improper access to individuals hired for support roles outside the United States, whose activity had already triggered internal security alerts in prior months. Those employees were terminated immediately.

Coinbase said it would reimburse any eligible customers who mistakenly sent funds to scammers posing as Coinbase agents. Coinbase has launched a $20 million reward fund for information leading to the attackers’ arrest and conviction. (Sam Boughedda / Investing.com)

Related: SEC.gov, Coinbase, Fortune, The Street, TechCrunch, Reuters, CNBC, Bloomberg, Coindesk

Google warned that hackers using Scattered Spider tactics against retail chains in the United Kingdom have also started targeting retailers in the United States.

"The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider," John Hultquist, Chief Analyst at Google Threat Intelligence Group, said in a statement.

"The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note."

UK retailers Marks and Spencer, Harrods, and The Co-Op have all been claimed by the DragonForce ransomware operation that uses the same social engineering techniques as Scattered Spider.

The UK NCSC has yet to attribute these incidents to a specific hacking group or threat actor and said it's still working with victims to determine that. (Sergiu Gatlan / Bleeping Computer)

Related: Cyber Daily, Reuters, Computer Weekly, The Guardian, National Technology News, The Independent, Digit, The Record, NBC News

According to the hackers who claimed responsibility, widely understood as the cybercrime group DragonForce, UK grocery chain Co-op narrowly averted being locked out of its computer systems during the cyberattack that stole customer data and left store shelves bare.

The revelation could help explain why Co-op has started to recover more quickly than fellow retailer M&S, which had its systems more comprehensively compromised and is still unable to process online orders.

Hackers who claimed responsibility for both attacks told the BBC that they tried to infect Co-op with malicious software known as ransomware but failed when the firm discovered the attack in action.

The gang sent the BBC a long, offensive rant about their attack.

In it, they expressed anger that Co-op's IT team decided to take computer services offline, preventing the criminals from continuing their hack.

"Co-op's network never ever suffered ransomware. They yanked their own plug - tanking sales, burning logistics, and torching shareholder value," the criminals said. (Joe Tidy / BBC News)

Related: The Register, Silicon UK

Haowang Guarantee, the crypto-fueled crime bazaar more widely known by its original name, Huione Guarantee, announced on its website that it would be shutting down.

The move comes in response to Telegram's action on Monday to ban thousands of accounts and usernames that served as the infrastructure for the sprawling marketplace of third-party vendors. Many of these vendors provided money laundering and other services to the burgeoning industry of East Asian crypto scammers.

“Telegrame were blocked all of our NFT, Channels and group on May 13th 2025, Haowang Grarantee will cease operation from now,” the company wrote on its website in a short, typo-ridden statement in English, apparently using the acronym NFT to refer to the blockchain-based non-fungible tokens that serve as proof of ownership for certain Telegram usernames. “Thank you for your attention.”

Prior to its abrupt shutdown, Haowang Guarantee—which despite its rebrand was still partially owned by Huione Guarantee and its Cambodia-based parent company Huione Group—had allowed third-party vendors to sell a wide variety of services to crypto scammers, all via Telegram, using deposit and escrow systems to “guarantee” the transactions. (Andy Greenberg / Wired)

Related: Hwdb, CoinDesk, Elliptic, The Block, Blockonomi, crypto.news, Cointelegraph, Decrypt, Invezz

Source: Elliptic.

The Consumer Financial Protection Bureau (CFPB) has canceled plans to introduce new rules designed to limit the ability of US data brokers to sell sensitive information about Americans, including financial data, credit history, and Social Security numbers.

The CFPB proposed the new rule in early December under former director Rohit Chopra, who said the changes were necessary to combat commercial surveillance practices that “threaten our personal safety and undermine America’s national security.”

The agency quietly withdrew the proposal, publishing a notice in the Federal Register declaring the rule no longer “necessary or appropriate.” (Dell Cameron and Dhruv Mehrotra / Wired)

Related: Federal Register, TechCrunch, Cyberscoop

In an SEC filing, North Carolina-based steelmaker Nucor said it had halted certain production at various locations after identifying a cybersecurity incident that involved unauthorized third-party access to certain information technology systems it used.

The company said it is restarting the affected operations as it investigates the incident along with external cybersecurity experts.

Nucor has notified federal law enforcement authorities and is taking the potentially affected systems offline, while also implementing other containment, remediation, or recovery measures, it said in the filing. (Bill Toulas / Bleeping Computer)

Related: SEC, The Register, Reuters, The Record, Cybernews

Europol announced that law enforcement agencies in five regions have joined forces to take down an organized crime group responsible for defrauding scores of victims of over €3m ($3.4m) by a criminal network offering them high returns on fake investment opportunities.

The operation began nearly three years ago in Germany, when a married couple reportedly notified local police that they had fallen for the scam. An action day on September 6, 2022, led to searches in Belgium and Latvia and the arrest of two suspects.

Crucially, evidence was seized, which helped police identify seven other members of the network, including the managers of call centers used in the scams.

It took over two-and-a-half years before a second action day, on Tuesday, May 13, 2025, when police conducted eight searches simultaneously in Albania, Cyprus, and Israel.

One suspect was arrested in Cyprus, and police also seized evidence, including electronic devices, documents, and cash, Europol said.

Working with criminal justice agency Eurojust, Europol supported law enforcement agencies in Israel, the UK, Cyprus, Albania, and Germany. (Phil Muncaster / Infosecurity Magazine)

Related: Europol, TechRadar

OpenAI launched the Safety evaluations hub, a web page showing how the company’s models score on various tests for harmful content generation, jailbreaks, and hallucinations.

OpenAI says that it’ll use the hub to share metrics on an “ongoing basis” and intends to update it with “major model updates” going forward.

“As the science of AI evaluation evolves, we aim to share our progress on developing more scalable ways to measure model capability and safety,” wrote OpenAI in a blog post. “By sharing a subset of our safety evaluation results here, we hope this will not only make it easier to understand the safety performance of OpenAI systems over time, but also support community efforts⁠ to increase transparency across the field.”

OpenAI says that additional evaluations may be added to the hub over time. (Kyle Wiggers / TechCrunch)

Related: CNBC, OpenAI, Tech in Asia, Maginative

Gaming giant Valve declared that a reported data leak did not breach Steam systems, confirming that no action is required to secure users' accounts.

Reports had suggested that Steam was the target of a massive data breach that exposed private account information, which may have included password information, payment details, or personal data.

Valve said there was a leak, but it “consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to.”

Although personal phone numbers look to have been accessed, Valve added that “the leaked data did not associate the phone numbers with a Steam account, password information, payment information, or other personal data.” (Josh Challies / Insider Gaming)
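Valve's statement rests on two properties of the leaked codes: each was only valid for a 15-minute window, and nothing in the leak tied a code or phone number to an account. As an added illustration (not Valve's or Steam's code, and written from a defender's point of view), the following one-time-code store enforces exactly those properties: a fixed time-to-live, single use, and storage of only a keyed hash of each code. The `OtpStore` class, the `replay_old_messages` helper and the constructed phone numbers are assumptions made for the example; the fake clock lets the expiry window be exercised offline.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 15 * 60  # 15-minute validity window, the window Valve described


class OtpStore:
    """Issues and verifies SMS one-time codes with a fixed TTL and single use.

    Hypothetical example. Only an HMAC of each code is kept, keyed by a
    server-side secret, so a copy of the store or of the sent messages does
    not yield usable codes and carries no account identifier.
    """

    def __init__(self, ttl=OTP_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable for deterministic testing
        self._key = secrets.token_bytes(32)  # per-process server secret
        self._pending = {}  # phone number -> (code_mac, issued_at)

    def _mac(self, code):
        # Keyed hash: a 6-digit code alone is trivially brute-forceable,
        # so a plain SHA-256 of it would not protect a leaked store.
        return hmac.new(self._key, code.encode(), hashlib.sha256).hexdigest()

    def issue(self, phone):
        """Generate a 6-digit code for this phone number and record when it was issued."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = (self._mac(code), self.clock())
        return code  # this is the text that would be sent by SMS

    def verify(self, phone, code):
        """Accept the code only if it is pending, unexpired and matches; then burn it."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        code_mac, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            del self._pending[phone]  # expired: discard, never accept
            return False
        if not hmac.compare_digest(code_mac, self._mac(code)):
            return False
        del self._pending[phone]  # single use
        return True


def replay_old_messages(store, messages, phone):
    """Return how many of the given (phone, code) pairs still verify.

    Models an attacker who obtained an archive of sent SMS bodies and tries
    them after the fact; with TTL and single use enforced, none should work.
    """
    return sum(1 for p, c in messages if p == phone and store.verify(p, c))


def demo():
    """Walk through issue, in-window verify, single use and post-expiry replay."""
    now = [1_700_000_000.0]  # constructed epoch time for the fake clock
    store = OtpStore(clock=lambda: now[0])

    # A code used promptly verifies once and only once.
    fresh = store.issue("+1555000001")
    now[0] += 60
    first, second = store.verify("+1555000001", fresh), store.verify("+1555000001", fresh)

    # A code sitting in an old message archive is worthless after 15 minutes.
    stale = store.issue("+1555000002")
    now[0] += 16 * 60
    archive = [("+1555000002", stale)]  # constructed "leaked" SMS archive
    replayed = replay_old_messages(store, archive, "+1555000002")

    return {"first_use": first, "second_use": second, "replayed_after_ttl": replayed}


if __name__ == "__main__":
    print(demo())
```

The design point is that the damage from a leak of sent messages is bounded by the TTL and by what the message itself reveals: the store holds no account mapping, so even a full copy of it plus the SMS archive gives an attacker nothing once the window has closed.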

Related: Notebookcheck, Times of India, GameRant, PCGamer, Engadget, Windows Central, XDA, Gaming on Linux, Apple Insider

Researchers at Palo Alto Networks Unit 42 report that the rise of agentic AI systems is already having dramatic repercussions on the cybersecurity threat landscape, as advances are allowing for rapid automation of cyberattacks.

The research team spotted multiple instances in which threat actors employ artificial intelligence (AI) platforms to make their attacks more numerous, effective, and challenging to catch.

The researchers say there are multiple ways in which the threat actors have been employing agentic AI tools.

In some cases, attackers use AI to rapidly infiltrate and exfiltrate data. Unit 42 estimated that between 2021 and 2024, the mean time needed to exfiltrate data dropped from nine days to just two days. In 20% of observed cases, the threat actors required less than one hour to go from initial infiltration to completed exfiltration of the target’s data.

Ransomware negotiations are one of the more interesting ways agentic AI is being used. The team found that some cybercrime groups use AI translation tools to better communicate with their victims when extracting a better price to prevent data disclosure. (Shaun Nichols / SC Media)

Related: Palo Alto Networks

Google has released emergency security updates to patch a high-severity vulnerability in the Chrome web browser that could lead to complete account takeover following successful exploitation.

While it's unclear if this security flaw has been used in attacks, the company warned that it has a public exploit, which is how it usually hints at active exploitation.

"Google is aware of reports that an exploit for CVE-2025-4664 exists in the wild," Google said in a Wednesday security advisory.

The vulnerability was discovered by Solidlab security researcher Vsevolod Kokorin and is described as an insufficient policy enforcement in Google Chrome's Loader component that lets remote attackers leak cross-origin data via maliciously crafted HTML pages.

Although the company says the security updates will roll out over the coming days and weeks, they appeared to be immediately available.

Users who don't want to update Chrome manually can also let the browser automatically check for new updates and install them after the next launch. (Sergiu Gatlan / Bleeping Computer)

Related: Security Week, Indian Express, Techi

Ivanti warned customers to patch their Ivanti Endpoint Manager Mobile (EPMM) software against two security vulnerabilities chained in attacks to gain remote code execution.

The first security flaw (CVE-2025-4427) is an authentication bypass in EPMM's API component, allowing attackers to access protected resources on vulnerable devices. The second (tracked as CVE-2025-4428) is a remote code execution vulnerability that allows threat actors to execute arbitrary code on targeted systems via maliciously crafted API requests.

Ivanti says customers can mitigate the two zero-day flaws by installing Ivanti Endpoint Manager Mobile 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1.

The company added that, while it's still investigating these attacks and cannot provide indicators of compromise, customers should contact the support team for further guidance.

While Ivanti said the two vulnerabilities are "associated" with two open-source libraries used by EPMM, it didn't share their names in the advisory. (Sergiu Gatlan / Bleeping Computer)

Related: Ivanti, Dark Reading, The Register, CSO Online, TechRadar, The HIPAA Journal, Help Net Security

Nova Scotia Power says it has begun to notify customers whose data was compromised in a cyber breach discovered last month.

The utility said customer information, including addresses, phone numbers, birth dates, driver's license and social insurance numbers, and banking information, was taken by an "unauthorized third party" that accessed its systems.

Information taken will vary depending on what each customer has provided to the utility.

Nova Scotia Power said while there is no evidence that the data has been misused, it has arranged to have TransUnion provide affected individuals with a free, two-year subscription to a credit monitoring service. (CBC News)

Related: Nova Scotia Power, The Record, The Cyber Express, The Chronicle Herald

The decision arises from enforcement by the Belgian Data Protection Authority, prompted by complainants coordinated by Dr Johnny Ryan, Director of Enforce at the Irish Council for Civil Liberties.

Ryan said, "Today's court's decision shows that the consent system used by Google, Amazon, X, Microsoft, deceives hundreds of millions of Europeans. The tech industry has sought to hide its vast data breach behind sham popups. Tech companies turned the GDPR into a daily nuisance rather than a shield for people."

The court said, "For seven years, the tracking industry has used the TCF as a legal cover for Real-Time Bidding (RTB), the vast advertising auction system that operates behind the scenes on websites and apps. RTB tracks what Internet users look at and where they go in the real world. It then continuously broadcasts this data to various companies, enabling them to keep dossiers on every Internet user. Because there is no security in the RTB system it is impossible to know what then happens to the data. As a result, it is also impossible to provide the necessary information that must accompany a consent request." (Irish Council for Civil Liberties)

Related: Data Protection Authority, Engadget, Hacker News (ycombinator), r/privacy

Best Thing of the Day: The Original Guy Was Better, But OK

Sources say that weeks after the ouster of the head of US Cyber Command and the National Security Agency, the Trump administration could begin installing new leadership atop both entities as soon as this week.

Worst Thing of the Day: Just What We Need, More Warrantless Surveillance

Flock, the automatic license plate reader (ALPR) company whose cameras are installed in more than 5,000 communities in the US, is building a product that will use people lookup tools, data brokers, and data breaches to “jump from LPR [license plate reader] to person,” allowing police to much more easily identify and track the movements of specific people around the country without a warrant or court order.

Closing Thought
