Outside Insider Threats

5-19-2025 (Monday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, May 19, 2025, and we’ve got some good detail on threats that we’re probably all “notionally” aware of but not actively managing. It’s time to get active.

Outside Insider Threats

We’re talking about Insider Threats (yes, again), but this time with more detail on both the activities of North Korean hackers and the risk that outsourced / offshore support services can pose.

The first threat here, from North Korea, is getting renewed attention thanks to two recent publications. The first is a joint notice from the US Departments of the Treasury and State and the FBI warning of these attacks; if, for some reason, this hasn’t crossed your radar yet, it includes a good summary of what the threat is and how it works.

Essentially, North Korean IT workers are getting remote jobs at US tech companies under false identities, routing their connections through “laptop farms” within the continental US (a domestic facilitator keeps the company-issued laptops at a US address and the worker connects into them remotely, so logins appear to come from inside the country), and then funneling both their salaries and their access to the goals of the DPRK, namely building nuclear weapons.

It’s not so much the salaries we’re worried about here (though that’s admittedly not great); it’s the legitimate insider access these folks now hold.

The notice has some great pointers on red flags. This was also a top conversation topic at the recent RSA conference, and there was a great discussion from some security leaders at SentinelOne about how security vendors themselves are now being actively targeted by these threat actors.

This is a great chance to get with your HR folks and make sure you’ve got a handle on how you’re vetting new employees, so that you’re neither supporting this sanctioned regime nor handing legitimate credentials to these threat actors.
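As an added example (not from the government notice or the original post), here is a small triage check over constructed SSO login records for the two patterns a laptop-farm arrangement tends to produce: several distinct employee accounts authenticating from one source IP, and an account whose logins geolocate to a state other than the one HR has on file. The log format, the enrichment of each login with a US state, the HR lookup table and the shared-IP threshold are all assumptions for this example.

```python
"""Added example: laptop-farm triage over SSO login records.

Assumptions (not from the Treasury/State/FBI notice): each login record is
already enriched with the US state its source IP geolocates to, and HR
supplies each employee's home state.  All sample data below is constructed.
"""
from collections import defaultdict

# Constructed HR data: employee -> home state on file.
HR_HOME_STATE = {"alice": "WA", "bob": "TX", "carol": "AZ", "dan": "AZ", "erin": "NY"}

# Constructed SSO logins: (user, source_ip, geolocated_state).
SSO_LOGINS = [
    ("alice", "203.0.113.10", "WA"),
    ("alice", "203.0.113.10", "WA"),
    ("bob", "198.51.100.7", "TX"),
    ("carol", "198.51.100.42", "AZ"),
    ("dan", "198.51.100.42", "AZ"),
    ("erin", "198.51.100.42", "AZ"),  # HR has erin in NY
    ("bob", "198.51.100.42", "AZ"),   # HR has bob in TX
]

# Distinct accounts behind one IP before it is worth a look.  Office NAT and
# coworking spaces also produce this, so it is a triage signal, not a verdict.
SHARED_IP_THRESHOLD = 3


def shared_ip_accounts(logins, threshold=SHARED_IP_THRESHOLD):
    """Map each source IP used by >= threshold distinct accounts to those accounts."""
    users_by_ip = defaultdict(set)
    for user, ip, _state in logins:
        users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= threshold}


def home_state_mismatches(logins, hr=HR_HOME_STATE):
    """Sorted (user, login_state, hr_state) tuples for logins outside the HR home state."""
    found = set()
    for user, _ip, state in logins:
        home = hr.get(user)
        if home is not None and state != home:
            found.add((user, state, home))
    return sorted(found)


def laptop_farm_report(logins, hr=HR_HOME_STATE):
    """Combine both signals into one triage list of identities to re-verify."""
    shared = shared_ip_accounts(logins)
    mismatches = home_state_mismatches(logins, hr)
    suspects = {u for users in shared.values() for u in users}
    suspects.update(user for user, _state, _home in mismatches)
    return {"shared_ips": shared, "mismatches": mismatches, "suspects": sorted(suspects)}


if __name__ == "__main__":
    for key, value in laptop_farm_report(SSO_LOGINS).items():
        print(f"{key}: {value}")
```

Both signals are noisy on their own; the point is to hand HR and security a short list of identities to re-verify against the documents collected at hiring, not to lock anyone out automatically.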

Speaking of giving up access, we’ve got a bit of a twist on a common theme: Coinbase has disclosed a breach stemming from its outsourced customer support teams.

As a publicly traded company, they have, of course, filed their 8-K with the SEC. Coinbase got a ransom note from the attacker demanding $20M. Their filing notes that the “threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities.”

They note: “The Incident did not involve the compromise of passwords or private keys, and at no time were any of the targeted contractors or employees able to access customer funds. While the Company is still investigating the affected data, it included:

  • Name, address, phone, and email;

  • Masked Social Security (last 4 digits only);

  • Masked bank-account numbers and some bank account identifiers;

  • Government‑ID images (e.g., driver’s license, passport);

  • Account data (balance snapshots and transaction history); and

  • Limited corporate data (including documents, training material, and communications available to support agents).”

Here’s the twist: instead of paying the ransom, Coinbase is owning this event. It has said not only that it won’t pay, but that it is putting up its own $20M bounty for information on these hackers, and that it will reimburse customers who were tricked into sending funds to the attackers, out of its own pocket, at an estimated cost of between $180M and $400M.

I’m sure having high-profile customers like Sequoia partner Roelof Botha impacted drew extra eyes, but “Coinbase said it was opening a new U.S.-based support hub and will strengthen its security defenses.”

Now, of course, not all companies have pockets deep enough to do what Coinbase has done here. But in a world where we see companies working hard to obfuscate even the fact that an attack happened, seeing Coinbase own the event (even in its 8-K filing) and make proactive changes, including paying out for impacted customers and working to take the hackers off the board for every other potential future victim, is a refreshing change, to say the least.

Perhaps this will motivate others to take these types of actions?

For you and me, who aren’t putting up $20M bounties (or sitting on $8B in cash, per the latest numbers), the lesson is to focus on the areas where others have access to our sensitive data. Remote employees and offshore support are both prime targets for this risk, and strong controls (identity vetting at hiring, least-privilege access for support roles, and monitoring of what those accounts actually touch) are one of the many ways we can manage it down to a level we can accept without taking on too much friction.
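As an added example, not part of the original post or of any Coinbase control, here is a check over constructed support-desk audit events for the pattern the filing describes: an agent reading far more customer records than peers, or reading records with no ticket to justify the lookup. The event format, the ticket-linkage rule and the thresholds are assumptions for this example.

```python
"""Added example: flag support agents pulling customer records in bulk or
without a ticket.

Assumptions (not Coinbase's actual controls): every lookup in the support tool
is audited as (agent, ticket_id or None, customer_id), a legitimate lookup is
tied to a ticket, and peers handle a similar volume.  Sample data is constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed audit events: (agent, ticket_id or None, customer_id).
AUDIT_EVENTS = [
    ("agent_a", "T-100", "c1"), ("agent_a", "T-101", "c2"), ("agent_a", "T-102", "c3"),
    ("agent_b", "T-200", "c4"), ("agent_b", "T-200", "c4"), ("agent_b", "T-201", "c5"),
    ("agent_c", "T-300", "c6"), ("agent_c", "T-301", "c7"),
    ("agent_d", "T-400", "c8"),
] + [("agent_d", None, f"c{n}") for n in range(9, 21)]  # 12 lookups with no ticket


def distinct_customers(events):
    """Number of distinct customer records each agent touched."""
    seen = defaultdict(set)
    for agent, _ticket, customer in events:
        seen[agent].add(customer)
    return {agent: len(customers) for agent, customers in seen.items()}


def unticketed_lookups(events):
    """Number of lookups per agent that carry no ticket reference."""
    counts = defaultdict(int)
    for agent, ticket, _customer in events:
        if ticket is None:
            counts[agent] += 1
    return dict(counts)


def flag_agents(events, volume_multiplier=3.0, max_unticketed=0):
    """Agents whose distinct-customer volume exceeds volume_multiplier times the
    peer median, or who exceed max_unticketed lookups without a ticket.
    Returns {agent: {signal: value}} so the reviewer sees why each was flagged."""
    volume = distinct_customers(events)
    unticketed = unticketed_lookups(events)
    peer_median = median(volume.values())
    flagged = {}
    for agent, n in volume.items():
        reasons = {}
        if n > volume_multiplier * peer_median:
            reasons["distinct_customers"] = n
            reasons["peer_median"] = peer_median
        if unticketed.get(agent, 0) > max_unticketed:
            reasons["unticketed"] = unticketed[agent]
        if reasons:
            flagged[agent] = reasons
    return flagged


if __name__ == "__main__":
    for agent, reasons in flag_agents(AUDIT_EVENTS).items():
        print(agent, reasons)
```

Detection like this only works if the support tool logs every record view and if bulk export is not available to the role in the first place; the masking the filing describes (last four digits of an SSN, masked bank accounts) is the complementary least-privilege control that limits what a paid-off agent can collect even when the lookups look legitimate.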

Fundraising

We had a quiet week last week, but have more than made up for that with almost $32B in newly committed capital, including several multi-billion dollar announcements:

  • Pemberton, which raised a total of €8.4b across three direct lending funds;

  • Kayne Anderson, which raised $2.3b for its third energy income fund;

  • Northleaf Capital Partners, which put up $2.6b for its fourth infrastructure-focused PE fund;

  • Crestline Investors of Dallas, which raised $3.5b for its fourth direct lending fund; and

  • Blue Owl Capital, which raised $7b for its third digital infrastructure fund.

Congrats to those teams; we look forward to seeing that capital get deployed.

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://ofac.treasury.gov/media/923126/download?inline

https://www.politico.com/news/2025/05/12/north-korea-remote-workers-us-tech-companies-00340208

https://risky.biz/video/wide-world-of-cyber-how-state-adversaries-attack-security-vendors/

https://www.sec.gov/Archives/edgar/data/1679788/000167978825000094/coin-20250514.htm

https://www.darkreading.com/cyberattacks-data-breaches/coinbase-extorted-20m-hackers

https://www.reuters.com/business/coinbase-says-cyber-criminals-stole-account-data-some-customers-2025-05-15/

https://www.bloomberg.com/news/articles/2025-05-16/sequoia-capital-partner-s-data-hacked-as-part-of-coinbase-breach

https://techcrunch.com/2025/05/15/coinbase-says-customers-personal-information-stolen-in-data-breach/
