Cryptocurrency exchange Coinbase, which serves over 100 million users, has revealed it was the target of a sophisticated cyberattack involving bribed support agents. The attackers stole sensitive customer data and demanded a $20 million ransom for not releasing the stolen information.
The company refused to pay the ransom but announced a $20 million reward fund for any credible leads that help identify those responsible for the breach.
The extortion attempt came to light after the attackers contacted Coinbase on May 11, threatening to publish stolen data unless the ransom was paid. According to Coinbase, the breach was made possible by contractors or support staff based outside the U.S., who were bribed to access internal systems.
Although the rogue insiders were fired after unauthorized access was detected, they had already exfiltrated personal data of up to 1% of Coinbase’s customers, which equates to approximately 1 million individuals.
What Was Stolen?
In a filing with the U.S. Securities and Exchange Commission (SEC), Coinbase confirmed the breach exposed:
- Names, addresses, phone numbers, and email addresses
- Masked Social Security numbers (last four digits only)
- Masked bank account numbers and some account identifiers
- Government-issued ID images (e.g., passports, driver’s licenses)
- Account data including balances and transaction history
- Limited internal documentation and training materials
Despite the breach, no passwords, private keys, or funds were accessed, and Coinbase Prime accounts as well as hot and cold wallets remain secure.
Social Engineering Attacks and Financial Impact
Coinbase says some affected customers were tricked into sending funds to the attackers through follow-up social engineering scams. The company has pledged to reimburse those retail customers after a verification process.
The overall financial toll of the incident is still being calculated, but estimated losses range between $180 million and $400 million, covering remediation efforts and customer reimbursements.
Strengthening Security and Customer Protection
In response, Coinbase is:
- Launching a new U.S.-based support center
- Enhancing insider-threat detection systems
- Increasing investment in automated security response tools
- Recommending customers enable two-factor authentication and withdrawal allow-listing to prevent unauthorized fund transfers
The company also warned users to stay alert for scammers impersonating Coinbase staff, emphasizing that it never requests passwords or two-factor codes, nor does it pressure users into transferring assets.
“To the customers affected, we’re sorry for the worry and inconvenience this incident caused,” Coinbase stated. “We’ll continue to own issues when they arise and invest in world-class defenses to protect our customers and secure the crypto economy.”
Interestingly, despite the breach disclosure, Coinbase stock surged 24% following news that the company was added to the S&P 500, a major U.S. stock market index of leading companies.
