Unchained - How the Attack on Coinbase Shows the Dangers of Centralized Exchanges - Ep. 837
Episode Date: May 16, 2025

Coinbase revealed on Thursday that cybercriminals bribed overseas customer support contractors to steal sensitive customer data as part of a $20 million extortion scheme. While no funds or private keys were compromised, customer names, addresses, and ID documents were exposed for nearly 1% of the company's 8+ million "monthly transacting users," according to a blog post. The story raises tough questions for the entire industry. Is KYC making users more vulnerable? Can human error ever be fully eliminated? And is crypto's real security problem... people?

Security experts Jameson Lopp, James Wester and Alexander Leishman delve into:
What went wrong at Coinbase
Why human vulnerabilities are still crypto's biggest risk
Whether KYC makes the problem worse
What companies should do next to protect their users

Visit our website for breaking news, analysis, op-eds, articles to learn about crypto, and much more: unchainedcrypto.com

Thank you to our sponsors!
Focal by FalconX
Bitkey: Use code UNCHAINED for 20% off
Mantle

Guests
Jameson Lopp, Co-founder and CTO at Casa
James Wester, Research Director at Javelin
Alexander Leishman, CEO and CTO at River

Links
Coinbase's blog post: Protecting Our Customers - Standing Up to Extortionists
Coinbase's SEC filing
Commentary: Vance Spencer's tweet; Armani Ferrante's tweet

Timestamps:
🎙️ 0:00 Introduction and ads
🔓 2:30 How hackers tricked Coinbase's offshore support and why humans remain security's weakest link
🗂️ 6:49 What customer data was leaked and how hackers use it
🎯 13:14 How attackers prey on targets at weak moments
🌍 20:47 Should Coinbase move customer support back to the U.S.?
🛑 26:35 Why KYC protocols might be making users more vulnerable, not safer
🛡️ 28:48 The best defenses companies can implement to protect users
📰 33:49 Weekly News Recap

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Over the past decade, we have successfully implemented best practices around security in a number of different ways.
People are generally not getting hacked as often these days.
You know, the exchanges are not getting hacked as often these days.
But, you know, security is a constant cat and mouse game.
And I think generally people in the security space would agree that right now the weakest link is, in fact, the brains of
the people who are owning these assets.
And so that's what social engineering is.
Hi, everyone.
Welcome to Unchained,
your no-hype resource for all things crypto.
I'm your host, Laura Shin.
Every episode, we're featuring comments from all of you.
Here are some remarks on the recent market-making episode
with Jose Macedo, Omar Shakeeb, and Taran Sabharwal.
On YouTube, RSL-3 wrote,
A market maker having directional bias is crazy.
Also on YouTube, one was now said,
Moral of the story. Stay in your lane,
leave a fast lane for insiders, vultures, scammers, influencers, etc.
Let them steal from each other.
If you want your comment featured, write one on YouTube, Farcaster, or X.
I might read it on a future show.
Bitkey is the Bitcoin wallet from the team behind Square and Cash app.
It's the first two-of-three multisig hardware wallet
with recovery tools that replace the need for a seed phrase.
Get 20% off with code unchained.
Powered by successful products like Mantle Network and mETH Protocol,
Mantle is driving the next phase of on-chain finance by supporting ecosystem products
such as the Mantle Index 4 or MI4 Fund and Mantle Banking,
which brings real world access, yield, and utility to digital assets.
An AI that speaks crypto and does the work of a team of analysts.
Introducing Focal by FalconX, bringing clarity to a world of noise. Visit askfocal.com.
Hey everyone. Thanks so much for joining us. We decided to live stream today
because the Coinbase news was quite big, and this will form the basis for the May 16th, 2025 episode
of Unchained. So today's topic, as I just mentioned, is this Coinbase data breach, and here to
discuss are Jameson Lopp, co-founder and CTO at Casa, James Wester, Research Director at Javelin,
and Alexander Leishman, CEO at River. Welcome, James and Alexander.
Hey, great to be there. Hello. Hello. So this morning, Coinbase announced that it had been
extorted for $20 million by cyber criminals who had bribed Coinbase customer service agents in
India. The number of accounts affected is less than 1% of monthly transacting users, or 84,000,
as reported by Jeff Roberts of Fortune. Coinbase Prime users are not affected. So this attack seems to
align with some reporting by ZachXBT and John T, aka Tanuki42, on X, who is also a previous
podcast guest, on what they call a nine-figure social engineering scam on Coinbase users.
CEO Brian Armstrong published a video this morning in which he announced that instead
of paying the $20 million ransom, Coinbase is offering that amount as a reward for
information on who these attackers might be. So I'm going to open it up to the panel. I'd be
interested in hearing the first reactions from each of you. I know you all have kind of your own
area of security that you kind of analyze or work on. So Jameson, why don't we start with you?
Time is a flat circle. This has happened before and it will happen again. So I'm not at all surprised
that this has happened. And I'm sure we'll get into the details. I'm sure there are things that
Coinbase could have done better. My primary gripe fundamentally is that companies like Coinbase
are forced to take this very sensitive data.
And so they have that responsibility thrust upon them,
basically by regulators, by the laws of the land.
And then ultimately, the question is,
what do they do with the data?
And it's a very, very hard problem
because information wants to be free.
It's very, very difficult to keep information from leaking.
Though, as we have seen, some entities are better at that than others.
Alex, what are your thoughts?
Yeah, so I completely agree with Jameson.
But I think I would add that, you know, in an organization, security is actually very much a human issue.
A lot of people think that it's this complicated technical thing.
And to some degree, getting your computer security right is a technical problem.
But actually, I'd say 90% of it is having the right people at your company.
And I think what we saw here was Coinbase had just employees who were presumably in, you know, I would guess, low-cost countries easily bribed to steal customer information and share it.
And no amount of advanced cryptography or red teaming or, you know, PhDs on the security team solves that problem.
Yeah. In the Fortune article, they said it was India and they did talk to the head of security,
Philip Martin, at Coinbase. So I'm assuming that information came from them, even though the actual
blog post from Coinbase didn't identify the country. James, what about you?
My immediate first reaction was that he's doing the Mel Gibson ransom strategy. I don't know if
anybody remembers that movie where his child is kidnapped. And instead of paying the ransom,
he says, I'm going to pay this as a reward. So a bold strategy. But I think what you're going to hear
from me is a strong agreement with what's already come before, which is this
idea that KYC is somehow protecting us from bad things happening is itself actually something
very, very bad.
And to what Alexander said, I think what is always a problem is it involved humans.
Humans are always going to be your weak link.
And until we figure out some way that we can take humans out of the loop for security,
we're going to see these things again and again and again to what James had said.
We're going to see it again.
And that's again because we have humans in the loop.
Yeah, it's so similar to the, what are they called, the SIM swap hacks that honestly I first
wrote about in 2016, and they still happen today.
You know, this is where basically the attacker will sweet talk a customer service agent
into giving information.
You know, they either pretend to be the target or they will, you know, bribe somebody.
So these, again, it's like the same attack vector, even if, you know, the way they're going about it is quite different.
Let's unpack that KYC piece.
So the information that the hackers were able to obtain was name, address, phone, email, masked Social Security number, so the last four digits, masked bank account numbers, government ID images like driver's license or passport, account data, including balance snapshots and transaction history.
And then some corporate data around like training material and what the support agents have in terms of, you know, they're like the resources they can turn to.
When you see that list, what are your thoughts around, you know, what dangers this particular hack presents to users?
As a spear phishing 101, like the more personal information you can get about someone, the more you can custom tailor a message to
them that tricks them into thinking that you are some legitimate authority from a service provider
that they interact with, which is then how you get them to authenticate into their service provider
and send all of their money to you. And we're seeing this happen more and more frequently,
especially amongst the elderly. I mean, there have been multiple nine-figure social engineering
scams against elderly people just this year alone. And I think that this is something
that just the ecosystem in general needs to be thinking about more because over the past decade,
we have successfully implemented best practices around security in a number of different ways.
People are generally not getting hacked as often these days.
The exchanges are not getting hacked as often these days.
But security is a constant cat and mouse game.
And I think generally people in the security space,
would agree that right now the weakest link is in fact the brains of the people who are owning
these assets. And so that's what social engineering is. Instead of hacking technical information
systems, you're basically hacking somebody's brain and getting them to voluntarily bypass all
the technical security measures. And they're good at it. Hackers are very, very good at it.
I get these attempts on my phone all the time. I do this for a living and yet every once in a while I'll
question it and think, oh, maybe that was legit, probably giving away too much about how I'm a
little bit of a sucker. But I think that, you know, we have to think through that people who do this
are very, very good. And I think the other thing, too, is when we talk about the ecosystem, we have
to be aware we're going to be held to a higher standard, whether we like that or not. I did see one
tweet that went out today basically saying, well, it doesn't seem like crypto's all that secure.
Well, no cryptocurrency was cool. But when you're looking at it from the outside and you see
you know, the headline is Coinbase is hacked. Oh, well, it's a, it's another one of those things
that we have to answer for in the ecosystem, not fair. And we actually probably have the tools
to help with this across all KYC, quite frankly. But I think we need to be aware of the fact that,
yeah, this is an area that we need to be paying attention to. Yeah. I mean, I have a few
thoughts here. And I'll add some kind of maybe, not unpopular, but maybe a little
bit of a different take as well to make it interesting. I think
that when people say crypto isn't secure, technically they're wrong.
But sort of vibe from the vibe they're saying is actually correct, right?
It's actually a very new financial paradigm in the U.S. where you have this asset that any
attacker in the world can take from you and immediately have possession of, which was not
the case with dollars in the fiat system.
So, you know, for people who understand computer security, while it's not, you know, crypto is actually secure,
but the actual sort of vibe of it all, actually, for a lot of people, isn't secure.
And it's, as Jameson said, I think the onus is on companies like ours to do what we can to prevent people getting taken advantage of to prevent people being socially engineered.
And there's actually sort of a catch-22 to some of this stuff.
Even if regulators didn't require companies like ours to collect KYC information, which,
would be a win, by the way. A lot of this information is also very helpful for preventing people
from being taken advantage of, right? Knowing who somebody is, if you have a custodial service,
right, which I think we can debate whether or not that's, you know, that those should be had.
But if you have a custodial service, you actually need to know who your client is because
what if they forget their password and they need to get into their account some other way?
You need some way to identify who this person is. You want to know, is this person an older person,
who should have enhanced security on their account.
If they're buying Bitcoin from you, your client service agent needs to know, well, some of their
bank account information so that they can help them.
So there's, to some degree, you can't escape some of this stuff.
And I think the companies are just going to have to get smarter about who they let work there
and automating away the things that required large armies of sort of offshore workers to do.
Just to add to that, I do think one of the things,
that's a little surprising to me.
So you gave a list of all of the things that were taken.
One of the things that really jumps out to me is government issued ID.
They're PDFs, basically.
They're pictures of government identity.
So one of the things that was taken was, you know, we have this idea that we have
these rigorous KYC checks and that we're doing everything in a very digital way.
And yet, how are we proving who we are?
We're taking pictures of our driver's licenses, which seems to be, you know, something that we would think of from, you know, 25, 30
years ago, that that piece of paper or that piece of plastic matters. And so that's part of the issue
that we have here is we have to rethink a whole lot in terms of not just how do we protect identity,
but how do we even view identity and how we identify ourselves. Yeah, I mean, I think, so I definitely
recognize that that is a problem, although at least in some of my interactions with different
crypto companies, it looks like they're moving more toward a model of you hold it up and then you have
to like blink or, you know, whatever, just to make a video of yourself. But even that now with
AI, like there's a lot that people can do to fake that. I actually just want to make some comments
about how good they are at getting people when they're vulnerable or, you know, basically
hacking the brains, as we discussed. So I've interviewed a lot of people who were hacked in this
kind of way who are pretty sophisticated people in crypto and have a lot of experience.
like never thought that they would be a victim. And, you know, some of the themes that I've heard are
things like the hackers will play upon a sense of urgency. Like, oh, this very serious event is
happening. You have to do this right away. Or they'll say, like, oh, if you do this thing,
it will make your account more secure. So, like, it plays upon crypto people's like paranoia.
They'll do things like they'll send these communications at times when they know, like, oh,
that person works for this or that place. And that organization is like,
having a party or like, you know, and so there have been people where, yeah, they're kind of like
on this high and like they check their phone and like they're not really registering what's
happening and they think that, oh, you know, whatever, this is like a transaction with someone
I know or, you know, whatever. And then one that I got recently, and well, so by the way,
one other thing I wanted to mention here was that this group, they apparently to actually do
each of the individual social engineering scams that they're doing on these users whose information
was leaked. They've kind of like made a whole replica of the Coinbase website. So like when you go to
this URL, it looks really, you know, like you're in a legit place. And then I actually tweeted
about this a little while ago. Whoever was trying to get me on this was very, very smart because
they sent an email from a super official looking X account saying that we had committed a like
a copyright or trademark violation, which,
is like core to my business. That's like something we would be very attuned to. And even then,
I remember thinking, like, but what could it be? And sure enough, I did some sleuthing on the
email. And yeah, even though it all looked like it was coming from a legitimate X email,
when you hit reply in the Gmail interface, it would literally say like this looks like a fake thing
because it understood that actually you were replying to a totally different domain. So anyway,
point is just like, you know, and yeah, I've gotten ones that are super legitimate looking from,
you know, like all kinds of, I've gotten a lot of these. But the point is like they are very,
very sophisticated and they know all the different little ways that our minds work that would make us
vulnerable. And they can iterate time after time after time too. So if it's not working,
this is what they do. They are testing on us all the time. So the idea that you might not have
responded to one, they are going to continue to do those things that until they, and they will
eventually find one that's very successful and they will run that. It doesn't cost them much to
track. Exactly. We only have to succeed one time. I'll say, you know, what you pointed out was
it's very easy for anyone with a modicum of technical sophistication to impersonate online accounts,
websites, emails, so on, so forth, where, you know, non-technical people may not dig into the things like
the email headers to see if everything checks out.
Or, you know, we've even seen them actually using like real legitimate Google hosted websites
to send messages and like all of the SPF and DKIM and other email records are legit because
it really is coming from Google.
But I think one very simple thing that anyone can do to help protect them from phishing is
use a password manager.
And not just like a password manager in your browser, but any of the big name brand,
well-vetted password managers like KeePass or 1Password or whatever.
And this provides you an extra layer of protection because even if they're doing really crazy
like DNS look-alike domains that look the same to the human eye but use other weird characters,
your password manager can tell the difference.
And your password manager will not auto-fill your password on a domain that you haven't registered
it to.
So that's just like an extra stopgap there to prevent
you from accidentally giving your credentials away.
Oh, that's so interesting because what about the breaches that those companies have had?
You still feel like it's worth a risk?
I think most of those breaches happened at LastPass, so I don't really recommend
LastPass.
They're kind of shady, not as transparent as some of the other password managers.
Okay, yeah, one thing, by the way, I wanted to add about that, like, trademark violation
or whatever that we got from this super legitimate-looking X email.
The funny thing about that one is that since I didn't respond, a few days later, they responded, like, follow up. And they were like, you did not respond. Like, you have 24 hours or, you know, whatever it was. So again, it was like, you're doing something wrong. You have to get back to us. But my guess is that even though you had done the deep dive, you still got that. And there was a part of your brain that said, oh, wait, maybe there's, is there just that tiny percentage? Yeah. Well, it made me check everything on the email again, like just to make sure that I am correctly
assessing it, you know, but also I'm so lucky. I have, I know so many crypto security people,
so I can reach out to any of them and ask for help. So, you know, obviously I'm not the average
user. So in a moment, we are going to talk more about this issue about getting smarter about
who you're hiring, but first, quick word for the sponsors to make this show possible.
Bitkey is the only Bitcoin wallet on Time Magazine's best inventions list of 2024.
Built by the team behind Square and Cash App, Bitkey is a two-of-three multi-signature wallet
and the first hardware wallet with an innovative recovery suite that eliminates the need for seed phrases in self-custody.
Their new inheritance feature means Bitkey's not just the easiest way to self-custody your Bitcoin,
it's the easiest way to ensure it ends up in the hands of loved ones when it's time for it to leave yours.
Learn more at bitkey.world.
That's B-I-T-K-E-Y dot W-O-R-L-D.
Use code UNCHAINED for 20% off.
Mantle is driving the next phase of on-chain finance
by supporting ecosystem products such as the Mantle Index 4 or MI4 Fund and Mantle Banking.
Mantle Banking is an all-in-one fiat and crypto account
that simplifies how users spend, save, and invest.
And MI4 is a tokenized index fund that offers institutional grade exposure to top
crypto assets with built-in yield strategies.
Together, they address long-standing frictions in financial access
while unlocking a future shaped by composability, efficiency, and real-world utility.
Follow x.com/mantle_official.
If you haven't checked it out yet, my market-making episode with Jose, Omar, and Taran
was absolutely fascinating.
Here are some comments we got on X.
Democracy Maker wrote,
Most investors are not as much in investing positions as they are in sit-and-wait positions,
So asking for transparency is a bit like asking monkeys to stop loving bananas or giraffes to hide under a bush when they are scared by thunder.
And Kevin Erickson said, honestly, at this point, investing is like the lottery.
There's almost no certainty.
We want to hear from you.
Write a review or leave a comment on an episode on YouTube, Farcaster, or X.
I read every one.
All right.
So I'm back with James and Alexander.
So let's talk about this hiring issue.
You may have seen Vance Spencer tweeted,
trust me, bro, we're going to hire support agents from other countries
where the standard of living is one-tenth of the U.S.,
but they won't be susceptible to bribes, bro.
Just trust me, bro.
And then he wrote, just hire U.S. staff, you absolute dingalings.
That was a very pointed comment.
But then I saw Armani Ferrante of Backpack responded,
Coinbase serves people around the world in many languages and many jurisdictions.
Many regulators require you to have local support on the ground in a country.
Just hiring U.S. support staff is literally impossible.
They shouldn't have allowed support access data they don't need, but that's a totally separate
problem.
What do you think of these two positions?
I think that it isn't because of regulatory reasons that Coinbase probably had a big team
in India.
They were trying to save on cost.
My thinking is it's important to structure your business and build it in a way so that you
can have only high quality people working there.
At River, you know, we keep it pure.
We're Bitcoin only.
We reduce complexity.
It allows us to operate with a much smaller team.
You know, imagine trying to train up a service staff that can support millions of tokens
and know how to intelligently communicate with clients about that stuff.
You need armies of people.
It's very complicated.
And it probably doesn't, the unit economics don't make sense in the US.
And so I think at the end of the day, what's going to happen is just huge investments in
automation.
to delete the headcount instead of reshoring it, is my guess, on what Coinbase is going to do.
I was just going to say, I think, I think bribery is an issue regardless of where you put somebody.
I think so long as you have, again, humans in the mix, there is always going to be an issue with that.
And I think that as we begin to see, especially vast amounts of money begin.
We think that, you know, it's a vast amount of money now, but just wait until this becomes institutional,
wait until we start seeing more average people.
I mean, most of us who have been in crypto for a while,
we understand it a little bit better.
But now what we're doing is inviting an entire new group of people into cryptocurrencies.
You're going to see even more money with more money being thrown around for things like bribery.
So I think it's can we figure out ways to minimize the human in this?
I think that's going to be a bigger issue than worrying about where those humans are.
So there are some problems here.
One is you generally want to follow the principle of least privilege. So, you know,
people should not have access to data or systems unless they absolutely need it. And even then,
it needs to be, you know, highly restricted and logged and have monitoring and alerting around it.
Laura, you already mentioned the SIM swapping problem. That was where U.S. employees were getting
bribed. These are probably retail level people making around minimum wage or somewhere in that
area. And so the asymmetry there of value when we're talking about accounts of worth potentially
millions of dollars per attack versus someone who's making 20 bucks an hour, you don't have to pay them
that much to get a massive ROI. And there have been multiple lawsuits against telecoms as a result
of their poor internal security practices.
These telecoms, I think some of them have tens of thousands of employees, and all of those
employees essentially have root access, which means like they can see everything.
They have God mode.
They can reassign phone numbers from anyone to anyone else with no actual checks and balances
in the system.
And that caused massive damage, tens, if not hundreds of millions of dollars worth of losses
due to SIM jacking.
And I think that what any of the exchanges, really any financial entities that are dealing
with crypto plus KYC data, they need to take a lesson from that, right?
They need to avoid getting into that same situation where they could potentially be a really
leaky sieve of data.
And so I think Coinbase is starting to realize that now.
and hopefully they will start to implement a lot of safeguards around it.
Yeah, but I do think there's nuance here.
And it's not like it's not like it's you either have controls internally or you don't.
There's a lot of tradeoffs with all of this stuff, right?
The more controls and least privilege access you have, the harder it is for people to do their jobs, right?
And I think that lots of people have worked at companies where there's like lots of red tape to do something that has built up over the years.
And so often you're actually choosing between better data controls and worse service or
better service and worse data controls.
And so there's no silver bullet here.
That's why I always go back to small numbers
of very high quality people with like reasonable data
controls is actually like the best happy medium,
but it really depends on the organization.
Yeah.
And I will say one thing,
the difference between what we're seeing on financial services
versus a telco is a lot of the things that we say,
okay, we shouldn't have people allowed access
to certain stuff.
Well, within telco, that may
be because, you know, for whatever reason, they put those policies in. But when you're talking about
financial services, you're required to have those things. It's a compliance issue. So it's not something
that you can say, well, we don't want people to have to give us this information. Well, from a KYC
compliance standpoint, you may have to have that. So that's where I think one of the things we're trying
to solve is this issue with, you know, a brand new paradigm in the way that we send and receive and have
money, but we're building it upon these compliance requirements that go back decades.
And so I think that's a part of the problem, too.
So it sounds like what I'm hearing is that you're never going to completely cure the, you know, human fallibility issue, even if you have customer service agents in the U.S.
So it sounds like you all seem to think that really the root issue is more around these requirements about around KYC.
So, Alex?
It doesn't help. It makes the problem a lot more difficult.
Yeah, I agree with that. It certainly doesn't help. It
makes the problem worse, but it's not a silver bullet. Companies serving your financial needs need
to know something about you. There will be information that's sensitive, whether it's required by
regulators or not. There's sort of, you know, an impossibility result here to some
degree. Like, if you're delegating any sort of trust for your money to an institution,
it's going to be a hot potato. You're basically taking your hot potato and giving it to somebody
else, a company, you know, to handle. So by making that compromise,
you're to some degree signing up for this risk, period.
And so then it's a matter of which company do you trust to handle that risk?
And then the next step is then, is there some risk mitigation that you can put in there?
Is there something you can do in case that happens?
And I do think that's one of the issues we have with crypto is, you know, there are things
like Reg E, if you have a payment that is a bad payment in the regular world, in legacy.
We don't really have that. And so that's a part of what we need to start thinking through as well is,
is there some sort of risk mitigation? Is there going to be somebody who's on the hook for this to make someone whole?
So that's going to be a bigger issue. But I also think that so long as we are thinking through this,
what Alex was saying, that you have to turn over some information. I think that right now we think of
what we turn over and how it's validated from a very centralized way of looking at things too.
and I do think that there are going to be some ways that we can implement something like decentralized
identity where we don't have to turn over everything when we try to validate who we are.
That's going to take a little bit of time now, a lot of time, because it's going to change the way we look at identity completely.
So in an ideal world, can you each kind of go through what you think would be the best solution?
And I understand, yes, it will take a while to get there.
But, you know, so, by the way, I just, we're kind of running out of time.
But for those of you who don't follow Jameson, you should know he does a great job following all the quote unquote wrench attacks, which are physical attacks on people, where attackers are trying to physically threaten victims in order to obtain their crypto.
So, you know, it's like even if you decide that you're going to opt out of the system of having another entity
custody your crypto, then the self-custody solution also has its own pitfalls. So can each of you just
kind of describe what your ideal solution would be, and then we can wrap? I think we're all a little
reluctant to come up with what we think is perfect because the first thing that'll happen is
somebody will, of course, attack it. But I think that what we really need to do is start rethinking
what KYC is built on and begin to unpack that for things like financial services. And that would
include better ways of identifying ourselves that don't necessarily require us to have,
you know, a driver's license that we use to show who we are, and some type of
better way of doing identification. Yeah, I mean, that's, I think, an admirable
long-term goal. In the medium term, though, assuming we can't change any of the root
identity issues, I think, you know, better data classification, like different tiers of
sensitivity, the higher the tier of sensitivity, the more restriction there should be around it. I mean,
in general, you should eliminate single points of failure. So, you know, you shouldn't allow really
any employee to unilaterally be able to do highly sensitive, potentially damaging things. There
should be checks and balances. Preferably, you have some sort of peer review sign-off that is then
audited so that, you know...
This is how you prevent collusion, right?
Is that you require multiple employees to have to sign off on any sensitive actions.
And, you know, perhaps if this was like an overseas issue, you could help mitigate that
by having, you know, employees that don't work together in the same physical office have to
sign off and essentially co-sign on sensitive actions.
And then, you know, we don't know what they're doing internally.
Supposedly, you know, this was minimized somehow. We don't know the details, but there's always more room for improvement around
basically monitoring the actions, especially now with AI. You know, you can implement monitoring
to basically look for any sort of anomalous activity that is happening within your
infrastructure. If you have every event that gets logged and then you're ingesting it and you're
saying, okay, this particular activity is spiking up more than usual and doesn't correspond
to other types of authorization and requests that should have spurred those events from happening
in the first place. Yeah, my take is that any company that holds your money is going to need
to know who you are. Otherwise, how can this money be legally titled to you? And so there's just like
an impossibility result there, right? Just from like how property rights work. And so then I think
the companies are going to come to the conclusion that the most secure employee is an employee that doesn't exist, right?
And so they're going to be deleting headcount.
They're going to, like, that's going to be the conclusion that these companies come to is like, no, it's not going to be, it's going to be short term, add a bunch of controls to, you know, the customer service admin panel, but the long term answer, you're going to delete the office in India or the Philippines or whatever,
is that that's what's going to be their long-term goal and continue to improve their internal controls.
But they're going to have to have some data.
And I don't think, and I think that's how they're going to be thinking about it.
All right.
Well, thank you all so much for joining us and coming on Unchained.
Thanks for having us.
Don't forget.
Next up is the weekly news recap.
Today, presented by Unchained producer Pam Majumdar.
Stick around for this week in crypto after this short break.
Picture this.
Crypto market just got wrecked by billions in liquidations. You need to figure out what happened
and what's next. But where do you even start? Meet Focal by Falcon X, your AI-powered crypto
analyst. It's like having a legion of experts at your fingertips, ready to break down market-moving
events, chart DeFi protocol TVL, or explain why Solana mindshare is rising. Get clarity in a world
of noise with Focal. Learn more at askfocal.com.
Welcome to this week's Crypto Roundup. In today's recap, Coinbase makes history as the first
crypto-native company to join the S&P 500. Movement Labs promises large portions of its token supply to early
insiders. J.P. Morgan completes its first public blockchain treasury settlement transaction using
Chainlink and Ondo Finance. A wave of crypto mergers and public listings grabs headlines across
North America. Tether doubles down on Bitcoin with a major purchase for Twenty One Capital. Bitget's
Morph blockchain faces leadership turmoil and spending controversies. The SEC opens public comment
on BlackRock's Bitcoin ETF redemption model. Plus, new security incidents hit Lido, Curve, and ZKsync,
and one trader wins dinner with the president through a meme coin stunt. Thanks for tuning in to the
weekly news recap. Let's begin. Coinbase joins S&P 500, suffers extortion scheme.
Coinbase is set to become the first crypto-native company to join the S&P 500, replacing
Discover Financial Services. The change will take effect before trading begins on Monday, May 19.
Quote, joining this prestigious index reflects how far Coinbase and the industry have come,
said Alesia Haas, Coinbase's chief financial officer. CEO Brian Armstrong also acknowledged the
achievement on social media, stating, quote, crypto is here to stay. Coinbase met the S&P 500's
listing requirements, including sustained profitability and a market capitalization exceeding $18 billion.
Its shares surged nearly 15% following the announcement, adding over $8 billion to its market
value. Leaked documents reveal secret token deals at Movement Labs. Movement Labs, a blockchain startup
backed by Donald Trump's World Liberty Financial, secretly promised large portions of its MOVE
token supply to early insiders, according to internal documents obtained by CoinDesk. Two signed
agreements reveal the advisors Sam Thapaliya and Vinit Parekh were promised up to 10%
of MOVE's token supply, valued at over $50 million. These deals were never disclosed to investors
or the public. Thapaliya, described by insiders as a, quote, shadow co-founder, is now threatening
legal action to claim his share. Movement Labs told CoinDesk the agreements were, quote, non-binding,
but the documents include termination clauses requiring mutual consent. The revelations add to the fallout
from Movement's earlier market manipulation controversy involving Chinese market maker Web3Port.
The scandal has also fueled the termination of Movement's co-founder Rushi Manche.
Crypto M&A and IPO wave accelerates.
Crypto merger and acquisition activity surged this week,
highlighted by five major announcements across North America and beyond.
Robinhood revealed plans to acquire Canadian crypto firm WonderFi for nearly $179 million in cash.
The deal includes WonderFi's platforms, Bitbuy and Coinsquare,
boosting Robinhood's push into Canada's crypto market.
Anchorage Digital announced it is acquiring Mountain Protocol,
the issuer of the $48 million USDM stablecoin,
which is now being wound down.
Anchorage CEO Nathan McCauley said the deal, quote,
supports institutional stablecoin adoption.
Web3 investment giant Animoca Brands is preparing a U.S. public listing.
Executive Chairman Yat Siu told the Financial Times,
the company is exploring opportunities under what he called a, quote, unique moment in U.S.
crypto policy.
Meanwhile, David Bailey, a Trump crypto advisor, raised $710 million to launch Nakamoto,
a Bitcoin investment company set to go public later this year.
Lastly, American Bitcoin, backed by the Trump family, announced it will go public through a merger
with Gryphon Digital Mining, adopting the NASDAQ ticker, quote, ABTC.
J.P. Morgan executes first public blockchain treasury settlement.
J.P. Morgan has completed its first settlement of tokenized
U.S. treasuries on a public blockchain. The transaction used Ondo Finance's platform and
Chainlink's cross-chain technology to connect J.P. Morgan's private Kinexys payments network
with a public blockchain ecosystem. The settlement involved Ondo's tokenized OUSG treasuries
and used a delivery versus payment method, which ensures both payment and asset transfer happen
simultaneously. Sergey Nazarov, co-founder of Chainlink,
told Fortune, quote, this is the beginning of something big.
Leadership struggles and lavish spending stall Morph blockchain.
Bitget's highly anticipated blockchain project, Morph, is facing major challenges as leadership disputes,
excessive spending, and unclear decision-making slow its progress, according to a Blockworks report.
Initially launched to rival platforms like Coinbase's Base, Morph raised $20 million in seed funding last year
from investors including Dragonfly and Pantera.
Internal tensions between co-founders Azeem Khan and Cecilia Hsueh reportedly disrupted operations,
with former employees describing Khan as a, quote, ghost founder and pointing to Forest Bai of Foresight Ventures as the real decision maker behind the scenes.
Quote, it felt like Bai was the shadow CEO, one former staff member told Blockworks.
Despite high-profile events and celebrity partnerships, including performances by K-pop group tripleS,
Morph has struggled to deliver key milestones like its token launch.
Employee turnover, budget cuts, and stalled business initiatives have fueled further uncertainty.
Still, Morph remains backed by Bitget and continues to tease a token launch later this year,
keeping investors and users watching for its next move.
Pump.fun offers new revenue split as report flags widespread fraud.
Solana-based memecoin platform Pump.fun has introduced a new revenue sharing model,
offering token creators 50% of trading fees generated on its decentralized exchange, PumpSwap.
Under the program, creators will earn 0.05% of trading volume in SOL for every trade involving
their token, with payouts delivered instantly. For example, a token reaching $10 million in trading
volume would generate $5,000 in creator rewards. The announcement comes alongside troubling
findings from a report by Solidus Labs, which claims nearly 99% of tokens launched on
Pump.fun collapse into pump and dump schemes. The report warns that, quote, a staggering 98.6% of
tokens on Pump.fun collapse into worthless pump and dump schemes shortly after launch,
highlighting the extreme risk traders face. Despite these risks, Pump.fun continues
to attract high activity. According to a Dune Analytics dashboard, its daily trading volume has
stayed above $100 million almost every day since February. Yuga Labs transfers CryptoPunks to new
Digital Art Foundation. Yuga Labs has officially handed over the intellectual property rights of
CryptoPunks to the Infinite Node Foundation, marking a major shift in the future of one of the most
recognizable NFT collections. This move comes roughly three years after Yuga acquired CryptoPunks from
Larva Labs in 2022. The nonprofit, backed by $25 million in funding, plans to showcase all 10,000
CryptoPunks in a new 12,000 square foot exhibition space in Palo Alto, California.
Quote, this purchase secures long-term stewardship for CryptoPunks,
The foundation said in a statement, outlining plans to partner with museums and elevate
digital art globally.
Node's advisory board includes prominent figures such as Larva Labs founders Matt Hall and John
Watkinson, Bored Ape Yacht Club co-founder Wylie Aronow and Art Blocks creator Erick
Calderon.
Chair Micky Malka emphasized the foundation's goal to make CryptoPunks accessible
to scholars and curators, stating, quote, we intend to future-proof this landmark work.
Yuga Labs framed the sale as part of its renewed focus on developing its Otherside
metaverse project. In related news, Rohun, quote, Frank DeGods, Vora stepped down as head of
the DeGods and y00ts NFT projects after three years marked by controversies ranging from insider
trading allegations to experimental policies such as taxing floor price sales.
SEC opens public comment on BlackRock's Bitcoin ETF redemption model.
The U.S. Securities and Exchange Commission is requesting public feedback on BlackRock's proposal
to shift its iShares Bitcoin Trust from cash-based to in-kind redemptions.
The move pauses any immediate decision as the SEC launches a legal and policy review under Section 19(b) of the Securities Exchange Act.
Currently, BlackRock's Bitcoin ETF operates on a cash redemption basis. This process requires the fund
to sell Bitcoin and distribute cash to investors who redeem shares. BlackRock now seeks permission
to offer in-kind redemptions, allowing authorized participants to redeem ETF shares directly for
Bitcoin instead of cash. The SEC stated it is seeking additional analysis to determine if
this change would uphold investor protections and market integrity. Meanwhile, new SEC chair Paul Atkins
announced the regulator will shift away from enforcement-led crypto policy by introducing clear rules on
token issuance, custody, and trading to keep blockchain innovation in the U.S. instead of driving it
offshore. Tether strengthens Bitcoin bet with big purchase. Tether has confirmed the purchase of
4,812 Bitcoin valued at nearly $500 million at this week's prices as part of its funding
commitment to Twenty One Capital. The Bitcoin was acquired at an average price of $95,319 per coin,
according to disclosures from Cantor Equity Partners, which is managing the firm's upcoming SPAC merger.
Once the merger is finalized, Twenty One Capital will trade under the ticker symbol XXI.
The firm's holdings have now grown to 36,312 Bitcoin, positioning it as the third largest corporate
Bitcoin holder behind Michael Saylor's Strategy and mining firm MARA Holdings.
Quote, Tether and Bitfinex are major stakeholders in 21, while SoftBank has committed $900 million
in support, said Cantor Equity Partners in
a regulatory filing. Led by Strike CEO Jack Mallers, Twenty One Capital aims to expand financial
services around Bitcoin lending, reserves management, and public market exposure. The company is
targeting a total holding of 42,000 Bitcoin, valued at over $4 billion at current prices.
Security incidents shake DeFi and layer-2 platforms. Several leading crypto projects faced
security challenges this week, prompting emergency responses and user warnings. Lido DAO, which
oversees Ethereum's largest liquid staking protocol, launched an emergency on-chain vote after
detecting a compromised oracle key. The breach allowed attackers to drain 1.46 ETH from a wallet
managed by validator operator Chorus One. While user funds remained safe, Lido quickly moved
to replace the compromised key. Quote, full post-mortem will be published after the investigation
is concluded, a Lido operations member stated. Meanwhile, Curve Finance warned users to avoid its
official website after discovering a DNS hijack that redirected visitors to a malicious site
capable of draining wallets. Curve confirmed its smart contracts remained secure as efforts to regain
domain control continued. In a related incident, ZKsync and developer Matter Labs had their official
X accounts hacked. The attackers posted false claims about regulatory investigations,
briefly pushing ZKsync's token down nearly 5% before the team regained control and removed the misleading
posts. Time for fun bits. Trader buys dinner with the president for just $1,200. A crypto trader has turned
a political controversy into a bargain night out with the president of the United States.
Morten Christensen and four friends will be flying to Virginia next week to dine with President
Donald Trump at his national golf club. Their winning move? A classic crypto hedge. They bought and
shorted Trump's official meme coin at the same time, locking in leaderboard positions with just $1,200
in trading fees. I didn't even think it was in the possibility I'd go in to meet the president of the
United States, Christensen told Bloomberg. The dinner is part of a reward for the top 220 meme
coin holders with the top 25 earning a White House tour. While critics in Congress call it a,
quote, pay to play scandal, Christensen is treating it as a weekend with friends saying, quote,
if we get to meet Baron, it will be amazing. And that's all. Thanks so much for joining us today.
If you enjoyed this recap, go to unchainedcrypto.beehiiv.com.
That is unchainedcrypto.beehiiv.com and sign up for our free newsletter so that you can stay up to date with the latest in crypto.
Unchained is produced by Laura Shin with help from Matt Pilchard, Juan Aranovich, Margaret Curia, and me, Pam Majumdar.
The weekly recap was written by Juan Aranovich and edited by Steven Ehrlich.
Thanks for listening.
