In a significant cybersecurity incident, Coinbase has confirmed that cybercriminals, aided by a group of bribed rogue overseas support agents, stole sensitive customer data in an attempt to extort the company for $20 million.
The incident came to light after the attackers contacted Coinbase via email on May 11, 2025, demanding a $20 million ransom in exchange for the stolen data.
However, the largest U.S.-based cryptocurrency exchange refused to pay the ransom and instead opted to establish a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for the attack.
What Happened
According to Coinbase's official blog post dated May 15, 2025, the breach occurred when a small group of rogue customer support contractors, based overseas, were recruited by cybercriminals through cash bribes to exfiltrate data for less than 1% of Coinbase's monthly transacting users.
Their goal was to compile a list of customers they could target by impersonating Coinbase, to deceive users into giving up their cryptocurrency. Subsequently, they attempted to blackmail Coinbase, demanding $20 million to keep the breach hidden. However, Coinbase refused the offer.
What Was Stolen
The stolen information includes:
- Name, address, phone, and email address;
- Masked Social Security numbers (last 4 digits only);
- Masked bank account numbers and some bank account identifiers;
- Government ID images such as driver's license and passport;
- Account data balance snapshots and transaction history; and
- Limited corporate data, including documents, training material, and communications available to support agents
“Cyber criminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks. These insiders abused their access to customer support systems to steal the account data for a small subset of customers,” Coinbase wrote in a Thursday blog post.
“No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched.”
Security Measures Taken By Coinbase
Coinbase has said that it is taking full responsibility for protecting affected users. Impacted customers, who were notified by email on May 15, will be reimbursed if they were fooled into transferring funds to scammers due to social engineering attacks.
Further, the company is also implementing tighter withdrawal controls, as flagged accounts will now require additional identity verification for large transactions, along with new scam-awareness prompts. It is opening a new support hub in the U.S. and adding stronger security controls and monitoring across all locations.
Additionally, to prevent future breaches, the company has increased investments in insider threat detection, security threat simulation, and automated response to identify similar security threats in its infrastructure.
Standing Up To Extortion
Rather than pay the ransom, Coinbase is offering a $20 million bounty to anyone who can help bring the perpetrators to justice. The company is also working with U.S. and international law enforcement and has already fired the exchange staff involved in the breach. It will press criminal charges.
“Working with industry partners, we’ve tagged the attackers’ addresses so the authorities can track and work to recover assets,” the company added.
Recommendation To Users
Coinbase is urging customers to stay vigilant, as imposters may try to exploit the situation by posing as Coinbase employees. The company reiterated it will never ask for passwords or 2FA codes, or ask users to move funds or assets to a specific or new address, account, vault or wallet, or call or text users to move funds to a “safe” wallet.
If this happens, the crypto exchange suggests users hang up on imposters, immediately lock their account in the app, and email at [email protected] to report suspicious activity.
To protect against any potential data breach, Coinbase recommends that its users enable two-factor authentication (2FA) and turn on withdrawal allow-listing for secure transfers.
“To the customers affected, we’re sorry for the worry and inconvenience this incident caused. We’ll keep owning issues when they arise and investing in world class defenses—because that’s how we protect our customers and keep the crypto economy safe for everyone,” Coinbase concluded.