How Coinbase responds to industry-wide crypto security threats

It’s not about competition when it comes to crypto security

By Matt Muller, Head of Security Operations, Coinbase

At Coinbase we believe that a healthy and safe crypto industry is critical to growing and maturing the cryptoeconomy. Malicious threats against any crypto business are bad for the industry as a whole, not only Coinbase.

That’s why it’s important to have a community mindset when we see security threats in the wild. As they say, rising tides lift all boats.

Security incidents aren’t unique to crypto, but when they happen, the crypto industry has the unique advantage of being able to immediately analyze how stolen funds have moved on the relevant blockchains. This allows us to work with each other to freeze funds and return stolen assets to victims.

Earlier this month, Poly Network, a cross-chain DeFi protocol, and Liquid, a Japanese crypto exchange, reported sophisticated cyberattacks against their platforms. In both of these cases, Coinbase rapidly mobilized our teams to scope the situation and to provide analysis and international cross-team collaboration to determine and mitigate the impact on the crypto industry. (To be clear, neither attack impacted the Coinbase threat platform.)

Coinbase works with industry partners to offer intelligence analysis on attacker tactics, techniques and procedures (TTPs), as well as blockchain analysis. For example, we regularly help connect victims of cyber intrusions (whether crypto exchanges or decentralized finance (DeFi) projects) to the appropriate communication channels with the rest of the virtual asset service provider (VASP) community to make sure swift and decisive action is taken.

Our specific responses depend on the type of attack, but in the case where funds are stolen, Coinbase will:

  • Block any addresses that are identified as a part of the attack from sending funds to Coinbase customers
  • Identify these addresses in our Coinbase Analytics tool (which propagates to internal and external customers of that tool)
  • Track the movement of funds using Coinbase Analytics and other analysis tools
  • Proactively reach out to ecosystem partners for additional information that might be useful in identifying the attacker

Coinbase has built relationships with the compliance, security, and other investigations functions at several exchanges and ecosystem organizations, which has helped create a trusted network of intelligence professionals that benefit from shared information when appropriate.

Sharing intelligence and analysis quickly is the most effective way to disrupt unauthorized use of crypto exchanges and protect our collective community of customers. By exchanging information about attacks, we can learn about attackers’ tactics and techniques, which ultimately helps us defend Coinbase. Collaboration also improves our relationship with other exchanges for future incidents and helps make the crypto ecosystem more secure.

Although we’ve seen a steady decline in the financial impact of cryptocurrency exchange compromises over the past two years, there are advanced, persistent groups that continue pursuing new targets. By staying vigilant and working together we have successfully countered the actions of bad actors. For example, last September, KuCoin experienced an attack which led to the loss of $281,000,000 in funds. Ultimately, KuCoin was able to recover a large portion of stolen funds by working closely with exchange and asset issuer partners. Similarly, Liquid has already announced that $16,130,000 of the stolen ERC-20 assets have been frozen through collaboration with the cryptocurrency ecosystem.

When it comes to cybersecurity threats, it’s most important that we work together and self-regulate during these events. We encourage all organizations experiencing or suspecting a cyberattack to reach out to our security team at security@coinbase.com, in case we can help with blockchain analysis, incident response and investigation, and attacker attribution/identification.


How Coinbase responds to industry-wide crypto security threats was originally published in The Coinbase Blog on Medium.