Jim Mazotas
Risks

The Help Desk Is the Hack: How Cybercriminals Are Buying Their Way In Through Support Staff

On criminal forums right now, there are job postings. They're looking for people who work at Kraken, Coinbase, and Binance. The pay is up to $15,000. The only requirement is access.

Coinbase and Kraken, two of the largest cryptocurrency exchanges in the world, were both compromised through the same vector: their customer support desks. No zero-days, no malware, no brute force. Just cash and access. And in two of the most notable insider data breaches of the past year, that was enough.

A bribed support agent doesn't trip a firewall. They don't trigger an intrusion detection alert. They log in with valid credentials, open the tools they use every day, and start pulling records. From a permissions standpoint, everything looks normal. From a behavioral standpoint, it doesn't.

Coinbase: $400 Million and Counting

Cybercriminals bribed and recruited a group of overseas support agents to pull Coinbase customer data that was then used to fuel social engineering attacks. The breach didn't originate in a server room. It started with a cash offer to someone at a help desk who had read access to customer accounts. By the time Coinbase discovered the insider data breach, it had been running undetected for more than four months.

A data breach filing with the Maine Attorney General's office confirms the breach occurred on December 26, 2024, and wasn't detected until May 11, 2025. The filing describes it explicitly as "insider wrongdoing." 69,461 Coinbase customers were affected. The company estimated its financial exposure from customer reimbursement and remediation could range from $180 million to $400 million.

The attackers' goal was downstream fraud through social engineering, tricking users into authorizing transfers to attacker-controlled accounts. A verified-looking customer list combined with stolen personal details is all you need to run a convincing impersonation scheme at scale.

Kraken: The Same Playbook, Twice

Less than a year later, the pattern repeated. Two separate insider data breach incidents involving customer support staff led to terminations and an extortion attempt from a criminal group threatening to release internal recordings unless their demands were met.

The first incident dates to February 2025, when Kraken received a tip about a video circulating on a criminal forum. A second similar incident was detected more recently. In both cases, the employee was identified, access was revoked, and affected users were notified. Kraken's CSO Nick Percoco was clear: funds were never at risk and the exchange would not negotiate.

What Percoco also noted deserves attention. The investigation revealed a coordinated insider recruitment operation targeting not only crypto platforms but also gaming and telecommunications companies. This isn't opportunistic. It's organized. Those darknet job postings offered $3,000 to $15,000 based on access level, with no malware required and anonymity guaranteed. Support staff aren't executives, but they have legitimate, credentialed, audit-clean access to customer records. That's enough.

Why Traditional Security Misses Insider Data Breaches

When the person doing the damage already has valid credentials and a legitimate reason to access the data, the alarm doesn't sound. And by the time the fraud surfaces, the data is already gone. Fraud monitoring applied at the perimeter rather than at the point where data is actually moving misses this entirely. Once an identity was trusted, the constraints on what it could actually do at runtime, how many records, how fast, and from which customer populations, were weak or absent.

Trusted identity, unconstrained actions. That's the gap.

What Actually Catches This

This is where endpoint monitoring changes the equation. InnerActiv monitors behavior directly at the endpoint, capturing activity in real time regardless of the application being used or the channel the data moves through. User behavioral monitoring, fraud detection, and user activity tracking with risk analysis are built for exactly this kind of threat. When a support agent starts querying customer records at unusual volume or accessing data outside their normal scope, that activity is visible from minute one. No plugins, no proxies, no waiting for a log aggregator to catch up.

Someone who queries 500 customer accounts in an hour looks perfectly fine to a permissions-based system. It looks very different to a platform that has been watching that employee's behavioral baseline for weeks, scoring activity against risk thresholds, and flagging the moment something shifts. When something does shift, security teams get the forensic detail they need to act: what was accessed, when, how much of it, and what happened to it after. The fraud investigation starts before the extortion demand arrives and before a single customer gets a call from someone pretending to be their bank.
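To make the baseline-and-threshold idea concrete, here is an added example (it is not InnerActiv's code and not anything the exchanges run) that scores one hour of a support agent's record lookups against that agent's own history. The log line format, the `region` field standing in for the agent's normal scope, the per-agent hourly z-score and the threshold of 3 are all assumptions, and the sample log lines are constructed. It returns the forensic detail the paragraph above lists: who, when, how many records, which customer populations, and why the hour was flagged.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Added example, not InnerActiv or exchange code. The log format, the per-agent
# hourly baseline, the z-score threshold and the 'region' scope field are assumptions.
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Lookup:
    ts: datetime
    agent: str
    customer_id: str
    region: str  # assumed scope attribute: which customer population the record belongs to


def parse(line: str) -> Lookup:
    """Parse one assumed log line: '<ts> agent=<id> cust=<id> region=<code>'."""
    ts_s, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return Lookup(datetime.strptime(ts_s, TS_FMT), f["agent"], f["cust"], f["region"])


def hour_bucket(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


@dataclass(frozen=True)
class Baseline:
    mean_per_hour: float
    std_per_hour: float
    regions: frozenset  # regions this agent touched during the baseline window


def build_baselines(history: list[Lookup]) -> dict[str, Baseline]:
    """Per-agent baseline from historical lookups: hourly volume stats and scope."""
    counts = defaultdict(lambda: defaultdict(int))  # agent -> hour -> lookups
    regions = defaultdict(set)
    for l in history:
        counts[l.agent][hour_bucket(l.ts)] += 1
        regions[l.agent].add(l.region)
    return {agent: Baseline(mean(list(b.values())), pstdev(list(b.values())), frozenset(regions[agent]))
            for agent, b in counts.items()}


def score_hour(lookups: list[Lookup], base: Baseline, z_threshold: float = 3.0) -> list[str]:
    """Reasons this agent-hour deviates from the agent's own baseline (empty list = normal)."""
    reasons = []
    n = len(lookups)
    std = max(base.std_per_hour, 1.0)  # floor so a very regular agent is not flagged by noise
    z = (n - base.mean_per_hour) / std
    if z > z_threshold:
        reasons.append(f"volume: {n} lookups in one hour vs baseline {base.mean_per_hour:.1f}/hour (z={z:.1f})")
    outside = {l.region for l in lookups} - base.regions
    if outside:
        reasons.append(f"scope: records in regions never touched during baseline: {sorted(outside)}")
    return reasons


def detect(history_lines: list[str], window_lines: list[str], z_threshold: float = 3.0) -> list[dict]:
    """Score every agent-hour in the window and return alerts with the detail an analyst needs."""
    baselines = build_baselines([parse(l) for l in history_lines])
    per_agent_hour = defaultdict(list)
    for l in (parse(x) for x in window_lines):
        per_agent_hour[(l.agent, hour_bucket(l.ts))].append(l)
    alerts = []
    for (agent, hour), lookups in sorted(per_agent_hour.items()):
        base = baselines.get(agent)
        # An agent with no history is itself a finding: there is nothing to compare against.
        reasons = score_hour(lookups, base, z_threshold) if base else ["no baseline for this agent"]
        if reasons:
            alerts.append({
                "agent": agent, "hour": hour.strftime(TS_FMT), "lookups": len(lookups),
                "distinct_customers": len({l.customer_id for l in lookups}),
                "regions": sorted({l.region for l in lookups}), "reasons": reasons,
            })
    return alerts


def constructed_history() -> list[str]:
    """Constructed sample: two agents, ten working days, a few ticket-driven lookups per hour."""
    pattern = [4, 5, 6, 7, 5, 6, 4, 8]  # lookups per hour across an 8-hour shift
    lines, start = [], datetime(2025, 3, 3, 9)
    for day in range(10):
        for h, n in enumerate(pattern):
            for i in range(n):
                t = start + timedelta(days=day, hours=h, minutes=i)
                for agent, region in (("alice", "US"), ("bob", "EU")):
                    lines.append(f"{t.strftime(TS_FMT)} agent={agent} cust=C{day:02d}{h}{i}{region} region={region}")
    return lines


def constructed_window() -> list[str]:
    """Constructed sample hour: alice pulls 40 distinct records, half outside her scope; bob is normal."""
    t = datetime(2025, 3, 17, 14)
    lines = [f"{(t + timedelta(minutes=i)).strftime(TS_FMT)} agent=alice cust=X{i:03d} "
             f"region={'US' if i % 2 == 0 else 'EU'}" for i in range(40)]
    lines += [f"{(t + timedelta(minutes=i)).strftime(TS_FMT)} agent=bob cust=Y{i} region=EU" for i in range(6)]
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_history(), constructed_window()):
        print(alert)
```

Run it and the single alert is for alice: 40 distinct records in one hour against a baseline of about 5.6 per hour, including a region she had never worked. Bob's six lookups produce nothing. The caveat a practitioner would add: a baseline learned while an agent was already being paid to scrape encodes the abuse as normal, so baselines should be built from a window the investigation has cleared, and thresholds tuned per role rather than globally, since a fraud-review queue legitimately touches far more records per hour than a password-reset queue.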

The Coinbase breach ran for more than four months before it was detected. A platform like InnerActiv would have flagged the anomalous access patterns in real time, long before that many customer records had been pulled. The question that matters isn't "did this person have permission?" It's "why is this person's behavior different today?"

The Takeaway

Coinbase and Kraken both did a number of things right after the fact. They refused to pay ransoms, cooperated with law enforcement, and invested in stronger controls. But the insider data breaches still happened, the data was still stolen, and the downstream fraud still affected real customers.

Map every role with read access to customer records. Reduce data exposure in support tools, so an agent sees only the fields the ticket in front of them requires. Implement fraud monitoring at the endpoint, not just at the perimeter. And make sure your security stack is watching behavior, not just permissions, because the next bribed support agent won't look any different from the outside until it's too late.

The support desk has become the soft underbelly of enterprise security. The attackers already know that. The question is whether your security program does too.
