Cock.li Data Breach Exposes One Million Email Records With Direct Consequences for Crypto Users

A privacy-focused email provider that serves both cybersecurity professionals and cybercriminals has confirmed a major data breach with direct implications for cryptocurrency users. On June 16, 2025, Cock.li disclosed that a threat actor exploited vulnerabilities in its Roundcube webmail platform to exfiltrate records belonging to 1,023,800 users — every person who had logged into the service since 2016. The attacker, operating under the alias Satoshi, subsequently offered the stolen databases for sale at a minimum price of one Bitcoin, valued at approximately $92,500 at the time of the disclosure.

The Exploit Mechanics

The breach was facilitated by CVE-2021-44026, a SQL injection vulnerability in Roundcube that had been publicly disclosed for years. Cock.li, a Germany-based free email hosting provider run by a single operator known as Vincent Canfield since 2013, had failed to apply the necessary patches to its webmail infrastructure. The SQL injection flaw allowed the attacker to query and extract the entire user database, including email addresses, first and last login timestamps, failed login attempts and counts, language preferences, and serialized blobs containing Roundcube settings and email signatures.

For approximately 10,400 accounts, the breach also exposed contact names, email addresses, vCards, and comments. An additional 93,000 users had their contact entries compromised. Cock.li confirmed that passwords, email content, and IP addresses were not exposed, as these data points are not stored in the database tables that were accessed.

The timing of the breach coincided with Cock.li’s own analysis of CVE-2025-49113, a critical remote code execution vulnerability in Roundcube that was being actively exploited in the wild. That analysis prompted the service to permanently remove Roundcube from its platform. As Cock.li stated in its disclosure: the service should not have been running Roundcube in the first place.

Affected Systems

Cock.li occupies a unique position in the cybersecurity ecosystem. Marketed as a privacy-focused alternative to mainstream email providers with minimal moderation, the service attracts a diverse user base: information security professionals, open-source developers, privacy advocates, and — notably — cybercriminals. Affiliates of Dharma, Phobos, and other ransomware gangs have been known to use the platform.

For cryptocurrency users specifically, the breach is concerning for several reasons. Many crypto enthusiasts use privacy-focused email services for their exchange registrations, wallet recovery options, and two-factor authentication systems. A compromised email address linked to a cryptocurrency exchange account provides attackers with a starting point for social engineering attacks, password reset attempts, and SIM swapping operations. With Bitcoin trading at $106,800 and Ethereum at $2,540 on the day of disclosure, the potential financial exposure is enormous.

The exposed metadata — specifically login timestamps and patterns — can also be valuable for intelligence gathering. Law enforcement and security researchers may use the breach data to correlate ransomware affiliates and other cybercriminals who used the platform. Conversely, the data could also be used by criminal groups to identify and target security researchers.

The Mitigation Strategy

For current or former Cock.li users, immediate action is required. Reset your account password immediately, even though passwords were not directly exposed. If you used the same password on any other service — especially cryptocurrency exchanges — change those passwords as well. Review and update recovery email addresses and phone numbers on all cryptocurrency accounts.

More broadly, the breach highlights the risks of relying on single-operator email services for critical financial accounts. Cryptocurrency users should consider using dedicated, hardened email accounts from established providers with robust security infrastructure — including hardware-based two-factor authentication, advanced phishing protection, and active security monitoring.

For organizations, the Cock.li breach serves as a case study in the consequences of deferred patching. The vulnerability exploited was years old and had a known patch available. Implement automated vulnerability scanning and enforce strict patching SLAs — no more than 48 hours for critical vulnerabilities and 30 days for medium-severity flaws.
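The patching SLAs above can be enforced mechanically against scanner output. The following is an added illustration, not code from the article or from Cock.li: it takes a list of findings (a constructed sample below; only the CVE identifiers come from the article, the detection dates and severities are made up) and reports which ones are past the 48-hour or 30-day window. The 7-day window for "high" is an assumption the article does not state.

```python
from datetime import datetime, timedelta, timezone

# Patching windows stated in the article: 48 hours for critical, 30 days for medium.
# The 7-day window for "high" is an assumption added here, not from the article.
SLA_BY_SEVERITY = {
    "critical": timedelta(hours=48),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
}

def evaluate_finding(finding, now):
    """Classify one finding as patched, patched_late, within_sla or overdue.

    finding: dict with keys cve, severity, detected (ISO-8601 with offset) and
    optionally patched (ISO-8601 or None). Unknown severities fall back to the
    medium window so that nothing is silently dropped from the report.
    """
    window = SLA_BY_SEVERITY.get(finding["severity"], SLA_BY_SEVERITY["medium"])
    deadline = datetime.fromisoformat(finding["detected"]) + window
    patched = finding.get("patched")
    if patched is not None:
        fixed_at = datetime.fromisoformat(patched)
        state = "patched" if fixed_at <= deadline else "patched_late"
        return {"cve": finding["cve"], "state": state, "deadline": deadline}
    state = "overdue" if now > deadline else "within_sla"
    return {"cve": finding["cve"], "state": state, "deadline": deadline,
            "days_past": max(0, (now - deadline).days)}

def overdue_report(findings, now):
    """Return the overdue findings only, longest past deadline first."""
    results = [evaluate_finding(f, now) for f in findings]
    overdue = [r for r in results if r["state"] == "overdue"]
    return sorted(overdue, key=lambda r: r["days_past"], reverse=True)

# Constructed sample for a Roundcube host. Only the CVE numbers are from the
# article; severities and detection dates are invented for the illustration.
SAMPLE_FINDINGS = [
    {"cve": "CVE-2021-44026", "severity": "critical",
     "detected": "2021-11-20T00:00:00+00:00", "patched": None},
    {"cve": "CVE-2025-49113", "severity": "critical",
     "detected": "2025-06-02T00:00:00+00:00", "patched": None},
    {"cve": "CVE-EXAMPLE-0001", "severity": "medium",
     "detected": "2025-06-01T00:00:00+00:00", "patched": None},
]
DISCLOSURE_DATE = datetime(2025, 6, 16, tzinfo=timezone.utc)  # per the article

if __name__ == "__main__":
    for r in overdue_report(SAMPLE_FINDINGS, DISCLOSURE_DATE):
        print(f"{r['cve']}: overdue, {r['days_past']} days past deadline")
```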

Lessons Learned

The Cock.li incident illustrates three fundamental security principles that the cryptocurrency community frequently overlooks. First, legacy software with known vulnerabilities is an attacker’s best friend. Roundcube’s SQL injection flaw was years old, yet it remained exploitable on a platform serving over a million users. Second, single points of failure — whether a single operator managing an email service or a single email account securing all your cryptocurrency holdings — create catastrophic risk. Third, privacy-focused does not mean security-focused. A service that values privacy through minimal logging and lax moderation may simultaneously neglect the security practices necessary to protect its users.

The breach data is now in the hands of a threat actor who has demonstrated financial motivation by attempting to sell it for Bitcoin. This data will likely circulate in underground markets for years, creating long-term exposure for affected users.

User Action Required

If you have ever used Cock.li — even once since 2016 — assume your email address and metadata are compromised. Take inventory of every cryptocurrency exchange, wallet service, and DeFi platform where you used your Cock.li email address. Change the email on those accounts to a more secure provider. Enable hardware-based two-factor authentication on every account that supports it. Monitor your accounts for unusual activity and consider using a dedicated hardware security key for all cryptocurrency-related logins.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.

12 thoughts on “Cock.li Data Breach Exposes One Million Email Records With Direct Consequences for Crypto Users”

  1. The attacker calling themselves Satoshi and selling the database for 1 BTC is almost comical. 92 grand for a million email records.

    1. Amira Hassan 1 BTC for 1 million records including login timestamps and failed attempt counts. That metadata alone is worth 10x for targeted spear phishing campaigns against crypto users.

    2. amira 1 BTC for a million records is cheap too. That data is worth way more on secondary markets for targeted phishing.

    1. null_pointer_

      CVE-2021-44026 was publicly disclosed for years and cock.li never patched it. A single operator running a service with a million users is negligence.

      1. CVE-2021-44026 was literally patched by roundcube in 2021. Four years of ignoring a security update is not a sophisticated breach, it's willful negligence.

      2. null_pointer_ a CVE from 2021 unpatched for years. This isn't a sophisticated attack, it's basic negligence. Free email services have zero accountability.

        1. roundcube_ghost

          breach_feed a single operator running infrastructure for a million users is a governance failure, not a security one. cock.li was a hobby project that outgrew its architecture.
