Bitcoin: Hacking Coinbase, Cryptocurrency’s ‘Goldman Sachs’, Fortune
Sean Everett wasn’t sure how his bullish bet on cryptocurrency would turn out. But he certainly didn’t expect it to be over so soon.
In March, he sold all his stocks, including Apple and Amazon, and used a chunk of the proceeds to buy Bitcoin and Ethereum on a website called Coinbase. The decision made Everett, the CEO of artificial intelligence startup Prome, almost instantly richer, as the blockchain-based currencies’ value rocketed up exponentially over the next several weeks. But then, while he was out walking the dog after 10 p.m. on Wednesday, May 17, Everett got the call. It was T-Mobile, calling him to confirm that it was switching his phone number to a different device.
It was a suspicious move that Everett had most certainly not requested. But even as he pleaded with the agent to block the switch, it was too late. Less than five minutes later, Everett’s cell service abruptly shut off, and as he rushed to his laptop, he saw himself being robbed in real time. A raft of email notifications confirmed that someone had taken control of his main Gmail account, then broken into his Coinbase “wallet.” They’d gotten in with the help of his switched-over phone number: Everett’s account required him to log in with a two-factor authentication code sent by text message, as a second safeguard—and now the text had gone straight to the thief.
It took only two minutes for the attacker to clean Everett out of what was then a few thousand dollars’ worth of digital coins. From Everett’s perspective, the even more painful heist was what came next: Ethereum’s price quadrupled over the next three weeks. It had reached its all-time high of $400 just hours before I met Everett in a New York coffee shop on a humid June afternoon. Bitcoin, meanwhile, had cracked $3,000 for the very first time a day earlier, and Everett was pining for his missing digital coins. “I’m not only still out my money, I also didn’t get the rise in price,” he lamented.
Then again, the biggest surprise for Everett—and, it would turn out, for many other Bitcoin enthusiasts—was that the theft happened on Coinbase at all. San Francisco’s Coinbase, the world’s largest exchange for trading cryptocurrency, is one of very few such companies whose own coffers have never been hacked, a distinction that carries added weight in the field of blockchain, where several costly breaches have made global headlines. Almost any early investor you talk to lost money in Mt. Gox, an exchange that collapsed in 2014 after hackers pillaged almost $500 million in Bitcoin. Last summer, thieves grabbed $72 million from Hong Kong cryptoexchange Bitfinex in one fell swoop.
But hackers have never breached Coinbase’s own virtual fortress, and that impenetrability has earned it a reputation as the safest place to buy Bitcoin, helping it attract more than 9 million customers who store at least $3 billion in cryptocurrency there, and who have traded $25 billion to date on its retail brokerage as well as its institutional exchange, GDAX. The five-year-old Coinbase just raised $100 million in new funding, valuing the company at $1.6 billion—making it the blockchain industry’s very first “unicorn.” “If you look at what they are world-class at, it’s security, trust, safety … all these things that, frankly, banks are good at,” Fred Wilson, the venture capitalist and one of Coinbase’s earliest and largest backers, said at a conference in March. “They’re like JPMorgan or Goldman Sachs for blockchain.”
But Coinbase’s individual customers do get burglarized—with surprising and unsettling frequency. Even Wilson himself was in for a rude awakening: While vacationing in Europe in early June, the VC woke up to the same telltale emails that Everett saw, signaling that an intruder was attempting to get into his Coinbase account. Wilson managed to lock it down before anything was stolen, but in a rare public chastising of a company in his own portfolio, he wrote in a blog post: “I am still a bit shaken up from the experience and a fair bit more paranoid from it.”
Since then, Fortune has spoken with more than a dozen victims, including tech CEOs and well-known blockchain proponents, whose Coinbase accounts have been targeted and hacked in almost exactly the same way; still more have been attacked on other exchanges. The day after Everett’s robbery, Los Angeles entrepreneur Adam Dachis’s account was wiped out of what was then $10,000. On July 7, thieves emptied $Legal,000 from the Coinbase wallet of blockchain adviser Mike Costache, during the four hours he slept one night while traveling overseas. Since Christmas, there have been months when Coinbase users have been robbed as often as 30 times—a rate of one robbery every single day.
In each case, the same blindsiding realization arrives, bringing the inherent paradox of blockchain into focus. The quintessential strength that sets cryptocurrency apart from traditional money—that transactions are instant and irreversible—is also its fatal flaw. “One of [Bitcoin’s] reasons for existence is that it’s censorship-resistant,” says Tom Robinson, cofounder and chief data officer of Elliptic, a London-based blockchain intelligence firm. That means no one, not even a government or central bank, can stop a digital currency transaction from happening. And therefore the fraud protections traditional bank depositors rely on are mostly unavailable. “Any kind of charge-back and reversibility would be the antithesis of what Bitcoin was created to achieve,” says Robinson.
That’s one reason that, when criminals want to pull a heist, they’re increasingly choosing cryptocurrency over real dollars. In 2016, $28 million in losses from crimes involving virtual currency were reported to the FBI’s Internet Crime Complaint Center, more than triple the 2015 total. And that figure is based heavily on voluntary reports by individual victims. It doesn’t include large-scale thefts from exchanges like the Bitfinex hack, so it likely underestimates the true damages by many orders of magnitude.
Cybercrime is rising at traditional financial institutions too: For example, thefts through so-called account takeovers, a crime analogous to the Coinbase hacks, rose 61% last year to $2.3 billion, according to Javelin Strategy & Research. But hacking losses are a blip relative to the trillions of dollars kept in banks. Hackers are stealing a much larger proportion of the cryptocurrency pie, whose total market value is only about $135 billion. In the past 12 months, for example, criminals have absconded with 1% of Ethereum’s total market value, or $225 million, according to cybersecurity firm Chainalysis; the Bitcoin toll is estimated to be even higher.
Brick and mortar bank robbers have “two problems: stealing the money and hiding the evidence,” explains Moran Cerf, a professor of business and neuroscience at Northwestern’s Kellogg School of Management and a former corporate hacker. “Bitcoin solves the second one for you because everyone there is anonymous.” Bitcoin diehards seem resigned to the reality of irreversible transactions—and its drawbacks. “I think of that as a feature and not a bug,” says Chris Burniske, a blockchain investor and author of the forthcoming book Cryptoassets—even though his own accounts were looted in December for digital coins that would now be worth over $100,000.
But when victims watch their money up and leave into the digital wallet of a nameless stranger, it becomes more than just a problem for Coinbase: It’s a threat to the promise of Bitcoin itself. As the value of cryptocurrency soars, more investors are grappling not just with how to profit from it, but how to hold on to it at all. “Coinbase looks like a bank, talks like a bank, and takes millions of dollars in cash like a bank, but, in practice, it functions like a dimly lit underground casino,” says Cody Brown, whose account was hacked for $8,000 in the span of just 15 minutes in May. “You don’t realize that the balanced fonts, sleek blue gradients, and endless copy about trust mean absolutely nothing—until you are robbed blind.”
Coinbase, for its part, won’t discuss specific cases except to say that it investigates all account takeovers. But Brian Armstrong, Coinbase’s 34-year-old CEO and founder, says Brown’s and Wilson’s experiences were “helpful” in teaching the company how to improve. Its security measures already match or exceed those at banks—from using machine learning to detect dubious activity, to mandating dual-factor authentication. Yet Armstrong recognizes that Coinbase is also a juicier target: “We need to be held to a higher standard,” he tells Fortune, “because digital currency is so new and interesting and powerful that it is attractive to a lot of people out there to attempt to steal it.”
If Bitcoin were a religion, its version of “What would Jesus do?” would be “BYOB: Be your own bank,” an unofficial slogan widely embraced in the industry. The original blockchain was launched in 2009, by the mysterious founder (or founders) going by the name Satoshi Nakamoto, as a utopian form of electronic cash that could change hands, as Nakamoto wrote in a legendary white paper, “without going through a financial institution.”
But that ideal also attracted a subversive element, repelling many potential adopters. That’s where Armstrong saw an opportunity to bring polish to an industry run by “hackers and cryptoanarchists” at the time, he says: “If this was going to go mainstream, it needed something that had a more trusted brand around it.”
An early engineer at Airbnb, Armstrong quit in 2012 to create the “Gmail for digital currency.” His strategy: making it easier and safer to store, and then buy and sell, cryptocurrency. While early Bitcoin wallet companies made people keep track of their own private keys—the secret 64-character passwords that alone provide access to one’s cryptocurrency—Coinbase’s pioneering innovation was its offer to store keys on customers’ behalf. That also came with risk, as customers wouldn’t need to know their actual key, but rather just a password, to get to their Bitcoins—and neither would a hacker. “That’s a big responsibility to take on,” the fresh-faced CEO admits. “But I also think it’s necessary to help the industry scale and make digital currency accessible to the next 100 million or billion people.”
Coinbase has demonstrated a unique capability to bring the new asset class to the masses. Its base of customers, most of whom are in the U.S., has grown 50% just in the past five months, with as many as 50,000 signing up in one day; trade volume in July alone was twice as much as all last year. Coinbase, which makes money by charging transaction fees, is said to be nearing profitability, and Armstrong ranks No. 10 on this year’s Fortune 40 Under 40 list. But he is pretty clear about his company’s limits. “The average person may at a high level think of us as a digital currency bank, but we’re not a bank,” he says. Coinbase doesn’t lend money, as banks do. And critically: Coinbase, which is regulated as a money transmitter like PayPal or Western Union, isn’t covered by the FDIC or bound by all the consumer protection laws that govern banks.
Armstrong has long taken 100% of his salary in Bitcoin; he now cashes out enough into dollars each month to cover his rent. Many of his employees do the same. They understand the security issues better than just about anyone, yet protecting customers is proving to be a gnarly challenge: Technically, because hackers are breaching accounts from the consumer end, exploiting weaknesses at companies like Verizon and Sprint, the hacks aren’t directly Coinbase’s fault. “Within the realm of reason, it’s very difficult for us to prevent their account from being drained,” says one executive.
Still, Coinbase can’t afford to ignore the problem—literally. Even though it is not a bank, Coinbase still bears the cost of banking-system protocols, when traditional financial institutions yank back fraudulent payments induced by hackers. For example, when Dachis was robbed, a Coinbase customer support rep complained right back to him by email that “Coinbase has suffered a $1,657.41 USD loss due to bank reversals” of transactions subsequently reported as fraud. “Coinbase is left holding the bag,” Soups Ranjan, the company’s head of data science, said at a recent industry event. Problems like this—along with unauthorized credit card purchases of cryptocurrency—cost Coinbase a stunning 10% of all revenue it collects, a fraud-loss rate 20 times as high as PayPal’s. “I firmly believe,” Ranjan added, “we have the hardest payment fraud and user security problem in the world right now.”
To combat that, Coinbase has been using analytics to predict which customers have the highest risk of fraud and charge-backs, and preemptively limiting their purchasing power or locking their accounts. But that method comes with a downside of its own in the form of frustrated customers—and a backlog of help-desk requests that has stretched into the tens of thousands. With about 180 employees, the company hasn’t been able to hire fast enough to keep up with demand and is now looking to fill another 100 positions. Coinbase doesn’t even have a phone number for customer support, though it plans to add one in September.
At the same time, Coinbase finds itself plunging headfirst into the expectations that come with being the closest thing cryptocurrency has to Goldman Sachs. The IRS has gone to court seeking Coinbase user records, after only 802 U.S. taxpayers reported Bitcoin profits on their tax returns in 2015. In June, Coinbase had its very first “flash crash,” with Ethereum’s price collapsing to 10¢ for a brief, panicky stretch; the company said that all trades “were executed properly” but eventually agreed, as a courtesy, to reimburse traders who had lost money owing to margin calls. And in early August, when a “hard fork” of the Bitcoin blockchain created another currency called Bitcoin Cash, Coinbase originally said it wouldn’t support it. Hours later, a denial-of-service cyberattack—which some perceived as retaliation—knocked the exchange completely offline, and customers began threatening to sue. Coinbase gave in: Account holders will be able to withdraw their Bitcoin Cash by 2018. “We’re in a period of hypergrowth, and it’s superexciting and a little chaotic,” Armstrong says.
For many blockchain enthusiasts, the Coinbase hacks have been a reminder of the danger of letting anyone else store your cryptocurrency. “If you don’t own the private keys, you don’t own the coin,” says Jonathan Smith, the chief technology officer of Civic, a company that uses blockchain tech for identity verification. Then again, Bitcoin has a dirty little secret: For an asset that epitomizes the future, managing your coin yourself can feel like a journey into the troglodytic past.