Coinbase Foils Extortion Attempt, Reinforces Bug Bounty Program

A self-proclaimed "hacker" demanded $450,000 after falsely claiming to be in possession of sensitive Coinbase customer data.

AccessTimeIconNov 30, 2022 at 5:14 p.m. UTC
Updated Nov 30, 2022 at 7:36 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global event for everything crypto, blockchain and Web3.Register Now

Coinbase (COIN), the largest cryptocurrency exchange in the U.S. by trading volume and the first crypto exchange to go public on a U.S. stock market, is raising awareness of its bug bounty program after a recent extortion attempt.

A malicious actor emailed both Coinbase and CoinDesk earlier this month, claiming to have “dehashed” and “decrypted” sensitive data from 306 million Coinbase user accounts (Coinbase says it’s not mathematically possible to “dehash” or “decrypt” data). The individual threatened to go public if Coinbase didn’t shell out $450,000.

Coinbase’s security team contacted the extortionist and later confirmed claims of a breach were unfounded. (Coinbase confirmed it typically collaborates with law enforcement in such cases but didn't elaborate on whether charges might be filed.)

“This is an absolutely baseless extortion attempt. The individual is falsifying information to come across as legitimate, and they're just trying to extort money out of companies. I'm sure we're not the first company on their list or the only scam they have running,” Jeff Lunglhofer, chief information security officer at Coinbase, told CoinDesk in an interview.

Indeed, last month, Uber’s former chief security officer, Joe Sullivan, was convicted of two felonies for allegedly covering up a $100,000 extortion payment to hackers after a 2016 breach of the ride-sharing firm’s database.

Both the Uber scandal and the recent email incident prompted Lunglhofer to reiterate the importance of a robust bug bounty program in a new Coinbase blog post. A bug bounty is a reward that companies pay to individuals or outside security teams who discover and alert them to vulnerabilities in their systems.

“In the wake of the recent Uber verdict, there is a lot of concern in the industry about bug bounty submissions becoming extortion attempts,” Lunglhofer wrote. “We thought we would share some of the best practices for responsible disclosure, illustrated by a recent (fraudulent) extortion attempt we received.”

You’ve spotted a bug. Now what?

If an individual discovers a vulnerability on any of Coinbase’s platforms, Lunglhofer emphasizes providing a detailed and accurate description of the alleged bug.

“We can’t evaluate a submission that lacks sufficient detail,” he states.

The details Lunglhofer typically looks for are things like access paths to sensitive information or to actual crypto assets, as well as an indication of potential damage from the vulnerability.

Once an individual collects all pertinent details, the second step is ensuring Coinbase has sufficient time to patch the bug before disclosing its existence to anyone else.

“A responsible security researcher will always provide a reasonable amount of time for us to respond to and fix a security issue before disclosing the details to any other party,” Lunglhofer says.

Finally, Lunglhofer stresses the importance of remaining lawful. Attempting to extort or blackmail a company for $450,000 is blatantly criminal.

“A bug bounty submission can never contain threats or any attempts at extortion. We are always open to paying bounties for legitimate findings,” Lunglhofer says. “Ransom demands are an entirely different matter.”

Coinbase’s bug bounty program marked its 10-year anniversary last month. The program has found and fixed more than 600 bugs and paid out more than $400,000 in bounties this year alone. The largest bounty from the program, a cool $250,000, was paid this past February to an independent researcher who discovered a vulnerability in Coinbase’s trading interface.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Frederick  Munawa

Frederick Munawa was a Technology Reporter for Coindesk. He covered blockchain protocols with a specific focus on bitcoin and bitcoin-adjacent networks.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.