Coinbase suffers data breach, gets extorted (but won’t pay)
Cryptocurrency exchange platform Coinbase has suffered a breach, which resulted in attackers acquiring customers’ data that can help them mount social engineering attacks, the company confirmed today by filing a report with the US Securities and Exchange Commission (SEC).
The attack did not involve the compromise of company systems or networks. Instead, the data was accessed by a group of malicious support agents.
How did the attack happen?
According to the US-based company, criminals bribed some customer support agents to copy customer data and share it with them.
“Their aim was to gather a customer list they could contact while pretending to be Coinbase—tricking people into handing over their crypto. They then tried to extort Coinbase for $20 million to cover this up,” Coinbase shared, and declared that they did not and will not pay the ransom.
“Instead of paying the $20 million ransom, we’re establishing a $20 million reward fund for information leading to the arrest and conviction of the attackers.”
The compromised data
On May 11, 2025, Coinbase received an email from the attackers, asking for money in exchange for not publicly disclosing the compromised information.
“The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities,” company said in the SEC filing.
Ostensibly, Coinbase’s own security monitoring flagged instances of personnel accessing data without business need in the months before. They terminated those agents and warned customers whose information was potentially accessed.
The rogue agents got their hands on customers’ name, address, phone number, emails address, the last 4 digitls of their Social Security number, masked bank account numbers and some bank account identifiers, images of government-issued IDs, and some account data (transaction history, snapshots of customers’ Coinbase account balance).
They did not have access to customers’ login credentials and 2-factor authentication codes, private keys, hot or cold wallets, Coinbase Prime accounts, nor did they have the ability to move or access customer funds.
Coinbase’s reaction
Coinbase is the one of the world’s leading crypto exchanges and it and its 100+ million customers are often targeted by attackers adept at social engineering.
Unfortunately, the compromised data is enough to allow the scammers to credibly impersonate Coinbase support agents and try to trick or pressure customers into moving their funds.
Thus, the company has advised them to be on the lookout for scammy emails, texts or phonecalls, and reiterated that a legitimate Coinbase employee would never ask them to share their password, 2FA codes, or give them new seed phrase or wallet address to move their funds to.
“Coinbase will voluntarily reimburse retail customers who mistakenly sent funds to the scammer as a direct result of this incident prior to the date of this post, following a review to confirm the facts,” the company said.
Aside from setting up the reward fund for information on the criminals, Coinbase is working on tracking stolen funds and recovering them.
They have also put in place additional measures to detect insider threats, increased security controls and monitoring across all company locations, and have added protections to the accounts of the “less than 1% of monthly transacting users” whose data has been compromised.
“Flagged accounts now require additional ID checks on large withdrawals and include mandatory scam‑awareness prompts. As we monitor high risk transactions, you may experience delays,” the company stated, and added that they will be pressing criminal charges against the fired employees.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!