On May 18, Bloomberg News invited CertiK co-founder and Columbia University professor Ronghui Gu to comment on the Coinbase data breach. He pointed out: "Digital asset traders are extremely concerned about the privacy issues of data breaches, because only a private key is needed to transfer assets, and it is almost impossible to recover them, which makes them the primary target of criminals." This statement points directly to the core contradiction in the industry's security ecosystem: as on-chain defense technology continues to improve, threats from the physical world have become the new weak link.

Although the overall level of blockchain network security has improved, criminals will not stop there. On the contrary, they will keep probing for weak links in defenses and looking for new attack paths. According to CertiK's "Hack3d: 2024 Annual Security Report", phishing attacks have become the most common and highest-impact on-chain attack method, causing losses of about US$1.05 billion last year. This trend shows that attackers are shifting from purely technical vulnerabilities to attack methods that are easier to carry out and offer high returns, such as social engineering and physical threats. The Coinbase data breach and the recent run of kidnappings and other offline threats further highlight how hard it is for single-point protection to provide full coverage.
Security is never a one-dimensional competition, but an evolving contest between attack and defense. CertiK calls for the establishment of a broader security collaboration network that links technology companies, government agencies and law enforcement agencies. As the French government’s opening of an emergency hotline for Web3.0 practitioners indicates, only by combining on-chain defense, data privacy protection and physical security measures can we cope with this “digital and physical war”.
The following is the full report:
Web3.0 tycoon hires bodyguards for a huge sum of money to prevent kidnapping
Long before Coinbase disclosed that hackers stole customers’ home addresses and account balances, Jethro Pijlman had noticed that more and more customers holding large amounts of digital assets were seeking security services such as bodyguards.
Pijlman works for Amsterdam-based Infinite Risks International, which provides physical security and intelligence services to digital asset holders. With kidnappings in the Web3.0 industry becoming frequent, more and more digital asset holders are worried: just last week, a group of attackers tried to kidnap the daughter and grandson of a French Web3.0 project executive.
“We’re getting more inquiries, some clients are choosing to start long-term partnerships, and more Web3.0 investors who don’t want to be caught off guard are making more proactive requests,” Pijlman said. “They realize that investing at this level and taking smart security measures are an unavoidable cost.”
The physical security risks faced by Web3.0 investors are different from those faced by traditional financial clients. Public blockchain networks such as Bitcoin and Ethereum allow for instant and anonymous transfers of assets, which means that once investors are forced to hand over their private keys or access rights, the funds may disappear within seconds, with little possibility of recovery. By contrast, when traditional bank accounts are compromised, law enforcement agencies can usually help victims recover their losses by freezing accounts or other means.
Such security concerns were further heightened after Coinbase suffered a data breach. Not only did hackers gain access to customers’ names, addresses, and account balances, they could have used that information to track the locations of high-net-worth customers, further increasing the risk of physical security threats. The news was all the more worrying because it came days after an attempted kidnapping in France.
Several victims of the Coinbase data breach declined to be interviewed by Bloomberg, fearing that making their identities public would further endanger their safety.
"Digital asset traders are particularly sensitive to privacy concerns after data breaches," said Ronghui Gu, co-founder of blockchain security company CertiK and professor of computer science at Columbia University. "As long as the private key is in hand, digital assets can be transferred instantly and are almost impossible to recover, making digital asset traders a prime target for criminals."
As online security measures continue to improve, some attackers have begun to turn to more direct physical threats. Sentinel CEO Charles Marino pointed out that the rapid development of the Web3.0 industry has made it extremely difficult to break through network defenses, so criminals have to turn to physical attacks to obtain assets.
"Currently, the threat situation in the Web3.0 industry is very severe," said Marino.
This emphasis on security is also reflected in the security spending of industry leaders. According to a regulatory filing in April, Coinbase spent $6.2 million on the personal security of its CEO Brian Armstrong last year, far more than was spent on the CEOs of traditional financial and technology giants such as JPMorgan Chase, Goldman Sachs and Nvidia.
Representatives for Coinbase did not respond to requests for comment.
Although Coinbase claimed that the breach affected less than 1% of active users, hackers had been obtaining customers' names, addresses, ID images, transaction records, and account balances for months. Some customer support staff in India even provided hackers with access to the company's internal data in exchange for bribes.
Criminals have used this information to trick some Coinbase customers into disclosing account access or directly transferring their tokens. Similar to data breaches at traditional banks, this personal information can also be used for online fraud and identity theft. However, physical threats are particularly worrying for Web3.0 investors who have long participated in the market anonymously.
In last week's attempted kidnapping in Paris, criminals targeted the family of the CEO of French digital asset exchange Paymium. Although the operation was ultimately thwarted, it was just the latest in a series of similar incidents. In January this year, David Balland, co-founder of French Web3.0 wallet startup Ledger SAS, and his partner were severely injured in a kidnapping incident, and Balland even lost a finger.
In response to this escalating threat, the French government has begun to take emergency measures. French Interior Minister Bruno Retailleau said last Friday that a priority emergency hotline will be set up for the Web3.0 industry, and elite police forces will be organized to provide security checks and protection advice for Web3.0 executives and their families.
On social media, the recent Coinbase attack and the kidnapping in France have sparked widespread discussion, and many digital asset traders have said they will try to avoid traveling to France in the near future. EthCC, the annual blockchain conference in Cannes, has also strengthened security measures for this summer's events. A spokesperson for the event said that the conference will not only cooperate with local police, but will also coordinate with French law enforcement forces, special forces and private security companies to deal with potential threats, unlike in previous years, when it relied mainly on local police.
However, this type of problem is not unique to France. Bitcoin security expert Jameson Lopp has long maintained a public database of physical attacks on digital asset holders, which has recorded more than 20 similar incidents around the world this year alone.
Some digital asset-related companies in the United States have also begun to increase their investment in security for executives. For example, Circle Internet Group spent about $800,000 on personal security for its CEO Jeremy Allaire in 2024, while Robinhood Markets invested $1.6 million in its CEO Vlad Tenev.
Although these figures are not low, they are still lower than those of technology giants. Meta CEO Zuckerberg spent as much as $27.2 million on personal security last year, and Alphabet's Sundar Pichai spent $8.2 million, far more than any Web3.0 company.
In addition to bodyguard services, Pijlman's company, Infinite Risks International, also provides bulletproof vehicles, home security assessments and social media monitoring to help clients avoid inadvertently revealing their location.
“Often customers don’t realize the severity of the threat until they experience it themselves or see it in the news, but once they understand it, they take it very seriously,” Pijlman said. “People are realizing that digital wealth also carries real-world risks.”
