https://gizmodo.com/crypto-exchange-coinbase-says-it-made-a-mistake-buying-1833083372
"Let's buy this analytics firm that's run by grey/black hat hackers who deal with oppressive governments and also the FBI (but I repeat myself), and whose main business is selling PII to those same. What can go wrong?"
There's so much to unpack here. Let's see...
So CoinBase announces that they're going to acquire an analytics firm. CoinBase users (who are very privacy concerned) raise red flags with "whoa those guys um seriously you know they hack and sell PII right?" CoinBase either ignores or doesn't hear those concerns, and buys the firm anyway.
CoinBase brings on some of the firm's employees and leaders and puts them into high-level positions. These are the people that CoinBase users were afraid of.
People also point out that since that firm sells software & information to the FBI, there is now zero degrees of separation between the FBI and CoinBase. CoinBase users are really unhappy about that-- y'know, since the majority sentiment is that they want to untether from government, stay anonymous, and believe the FBI can put backdoors in (hint: they can and have for other things in the past).
Acquisition was done Feb 19th. So there's been, like, 3 weeks of access that the Hacking Team had.
Only now does CoinBase announce that those Hacking Team employees will "transition out" of CoinBase. There's no word on what that means, or when it will happen.
CoinBase puts out a public statement that amounts to "whoopsie doodle our bads". Actually, if they had just put out that statement in those words (in baby voice), it still would have been better than what they did say. Quoth their blag post:
"we had a gap in our diligence process. While we looked hard at the technology and security of the Neutrino product, we did not properly evaluate everything from the perspective of our mission and values as a crypto company."
“We took some time to dig further into this over the past week,” said Armstrong, adding that those who previously worked at Hacking Team “will transition out of Coinbase.”
I know when I'm looking for someone to trust with my money, I love hearing they aren't able to do their basic due diligence on any acquisitions. Whoopsie doodle, hired a bunch of black hat hackers because we didn't even bother to google their names. If they didn't do something that simple, what else did they overlook?
Unless, and surely this couldn't be the case, CoinBase was lying about not doing due diligence. That'd be bad for a company that's based on "trust", right-- because it'd mean not only did they willingly let risky people into the business, but also tried to cover it up (and the lie they chose was that they are incompetent). Can't be that at all. Oh wait... there's a Motherboard article from February reporting on CoinBase's horrible decision. Here's a choice quote, from a CoinBase spokesperson:
“We are aware that Neutrino’s co-founders previously worked at Hacking Team, which we reviewed as part of our security, technical, and hiring diligence,” the spokesperson said.
So... they did know? Or they were lying when they said they did their diligence? Or their diligence process sucks?
And that isn't even touching the statement about them "digging further" over the course of a week. You didn't dig deep enough during the initial diligence? But you were able to make massive employee decisions in a dime-turnaround? What did you dig up? That they were part of a hacking team? You didn't dig that up. You knew it already. People told you. You told them you knew. So maybe you dug up that they were doing something malicious with CoinBase? But again, how did you find that out so fast? And if you did, why aren't you disclosing the hack? And why are those employees still there being "transitioned out" rather than shitcanned immediately?
I can't think of a single scenario where the whole situation DOESN'T completely tank their reputation.
And a nice little cherry on top: when crypto users raised concerns about their PII being sold to third parties, CoinBase's oddly very specific response was:
“never shared our customers’ personally identifiable information with any third-party blockchain analysis vendors.”
Things that are ok under that statement:
- Providing personal (but not identifiable) information to third-party blockchain analysis vendors
- Providing PII to third-party vendors who aren't blockchain analysis vendors
- Providing PII to any third party, like the FBI
- Providing PII to the Hacking Team, since they are now technically FIRST-PARTY vendors after the acquisition
- Having the PII stolen or leaked, which isn't technically "sharing"