Insiders leak Coinbase user data: massive breach can cost company $400 million in losses


Coinbase, a publicly traded company that operates the largest US-based cryptocurrency exchange with over 100 million users, disclosed a major cybersecurity incident that exposed sensitive user data. The company estimates the remediation will cost it from $180 million to $400 million.

On May 11th, 2025, Coinbase received ransom demands from an unknown threat actor “claiming to have obtained information about certain Coinbase customer accounts, as well as internal Coinbase documentation, including materials relating to customer-service and account-management systems,” according to the 8-K filing with the US Securities and Exchange Commission (SEC).

The hackers demand money for silence, or as the company put it, “in exchange for not publicly disclosing the information.”

Coinbase suspects the threat actor paid multiple contractors or employees working in support roles outside the US to steal information from internal Coinbase systems, which they had access to.

The company’s monitoring systems independently detected “these instances of such personnel accessing data without business need” in the previous months.

“Upon discovery, the Company had immediately terminated the personnel involved and also implemented heightened fraud-monitoring protections and warned customers whose information was potentially accessed in order to prevent misuse of any compromised information,” the filing reads.

Coinbase’s ongoing investigation confirmed that the threat actor’s email is credible and that prior instances of improper data access were part of a single campaign.

“The Company has not paid the threat actor’s demand and is cooperating with law enforcement in the investigation of this Incident,” the company said.

The company didn’t disclose the exact number of affected users but said it affects “less than 1% of Coinbase monthly transacting users.” However, the exfiltrated data is very sensitive and includes the following:

  • Name, address, phone, and email;
  • Masked Social Security (last 4 digits only);
  • Masked bank-account numbers and some bank account identifiers;
  • Government‑ID images (e.g., driver’s license, passport);
  • Account data (balance snapshots and transaction history);
  • Limited corporate data (including documents, training material, and communications available to support agents).

The company assures that passwords and private keys were not involved in this data security incident.

Coinbase intends to voluntarily reimburse affected customers who directly lost funds to the hackers as a result of this incident.

“The Company is also in the process of opening a new support hub in the United States and taking other measures to harden its defenses to prevent this type of incident,” Coinbase said.

While the breach did not affect operations, Coinbase estimates it could cost between $180 million and $400 million for recovery and reimbursements, though this figure may “meaningfully” change as the investigation continues and reveals other potential losses, indemnification claims, and potential recoveries.

“As the Company’s investigation is ongoing, the full impact of these events are not yet known.”

Coinbase also notes that it is continuing “to review and bolster its anti-fraud protections,” and it plans to “aggressively pursue all remedies.”

Instead of paying hackers $20 million, Coinbase offers the sum as a bounty

Coinbase says it will not pay the $20 million ransom demand it received.

“Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack,” the company explains in a blog post.

Coinbase offers a reward for any information leading to the arrest and conviction of the attackers.

“Cybercriminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks. These insiders abused their access to customer support systems to steal the account data for a small subset of customers.”

The company further explains that “a small group of insiders” copied data for “less than 1% of Coinbase monthly transacting users.”

The hackers’ aim is to gather a customer list and contact those customers while pretending to be Coinbase, tricking people into handing over their crypto.

“We will reimburse customers who were tricked into sending funds to the attacker due to social engineering attacks,” Coinbase said.

The company is introducing additional safeguards. Flagged accounts now require extra ID checks on large withdrawals and include mandatory scam‑awareness prompts.

“As we monitor high risk transactions, you may experience delays,” the firm said.

Coinbase warns customers to expect imposters and scammers, whether related to this breach or not.

Coinbase never asks for your password, 2FA codes, or for you to transfer assets to a specific or new address, account, vault, or wallet.

“We will never call or text you to give you a new seed phrase or wallet address to move your funds to. If you receive this call, hang up the phone. Coinbase will never ask you to contact an unknown number to reach us.”