Coinbase has uncovered a targeted insider attack in which rogue overseas support agents, bribed by malicious actors, stole customer data that was then used in an attempt to extort the company.
While a small subset of users was impacted, no passwords, private keys, or funds were compromised. Coinbase Prime accounts were also unaffected.
The malefactors demanded a $20 million ransom, which Coinbase refused to pay. Instead, the company has created a $20 million reward fund for information leading to the arrest and conviction of those responsible.
What Happened
A group of attackers bribed a small number of third-party support agents outside the U.S. to access internal tools and collect customer data. Their goal was to use this information for social engineering scams, posing as Coinbase to trick users into sending them crypto.
Less than 1% of Coinbase’s monthly transacting users were affected. After attempting to extort the company for $20 million, the attackers were rebuffed.
What Was Accessed
Coinbase said data that was accessed includes names, addresses, phone numbers, and emails; masked Social Security numbers (last 4 digits only); masked bank account details; government-issued ID images; balance and transaction history; and limited internal Coinbase documentation.
It assured customers that the attackers didn’t get their hands on any login credentials or two-factor authentication codes; private keys or wallet access; any funds belonging to customers; Coinbase Prime accounts; or hot or cold wallet infrastructure.
Coinbase’s Response
Notifications were sent to impacted customers on May 15 from [email protected]. The company said it will reimburse affected users who were tricked into sending crypto due to the attack.
In addition, Coinbase said affected accounts now have added ID checks, scam warnings, and heightened fraud monitoring; and that it is opening a new U.S.-based support center and strengthening monitoring and access controls globally.
It is also investing in more security solutions, including insider threat detection, automated responses, and internal security simulations.
Involved insiders were terminated and referred to U.S. and international authorities. Coinbase is pressing for criminal prosecution.
$20M Reward Fund
Instead of coughing up the ransom, Coinbase has established a $20 million bounty for information that helps law enforcement track down and convict the attackers.
Tips can be submitted to [email protected] with “[BOUNTY]” in the subject line.
The company is also working with blockchain industry partners to trace stolen funds by tagging wallet addresses associated with the attackers.
Customer Safety Reminder
Coinbase reminds users it will never ask for passwords, 2FA codes, or seed phrases; ask them to transfer funds to another wallet; or call or text with new wallet addresses.
If anything feels suspicious, users are urged to lock their accounts via the Coinbase app and report concerns to [email protected].
“Crypto adoption depends on trust,” Coinbase stated. “We’re deeply sorry to those affected. We’ll continue to take responsibility, invest in stronger defenses, and ensure the crypto economy remains secure.”
“Coinbase will voluntarily reimburse retail customers who lost funds due to this incident—pending a review—if the scam occurred prior to this announcement.”
Weaponizing Transparency
Coinbase’s decision to publicly counter-extort with a $20 million bounty is an interesting reversal of the usual playbook, transforming breach response into what could turn into a global manhunt, says Jason Soroko, Senior Fellow at Sectigo.
“This move shifts the narrative from victimhood to proactive offense, weaponizing transparency and financial incentive against cybercriminals. It also signals to users and adversaries alike that extortion will not quietly succeed, potentially reframing how future attacks may be responded to. Perhaps the risk is escalation. Adversaries may double down or target exchanges with even greater aggression. This gambit sets a precedent for digital asset industry bounties. Seeking justice rather than being silent is a new tactic,” Soroko adds.
Downstream Risks
Commenting on this, Oded Vanunu, Chief Technologist, WEB 3.0 & Head of Product Vulnerability at Check Point Research, said: “Coinbase’s announcement regarding a cyber-attack potentially resulting in losses of up to $400 million is a sobering reminder of the dynamic threat landscape within the crypto industry. Although no direct theft of customer funds or private keys has been confirmed, the nature of the breach, exposing PII of 84,000 users, creates downstream risks, including targeted phishing, social engineering, and potential future exploits.
“In crypto, trust boundaries are everything. Once an attacker compromises a bridge into the organisation, especially through social engineering or insider access, the implications can cascade quickly due to the irreversible nature of blockchain transactions and the high value of developer and infrastructure access.”
Setting a Strong Precedent
Vanunu says organizations must treat third-party access with the same zero-trust rigor as internal access, recognizing that external partners can pose similar security risks. Social engineering continues to be an effective attack vector, requiring a layered defense approach that includes behavioral monitoring, least privilege policies, and continuous insider risk assessments.
Transparency is also critical. Coinbase’s decision to publicly disclose its SEC filing and refusal to pay a ransom sets a strong precedent in the crypto industry, where breaches are often concealed, undermining collective resilience.
“The $180M–$400M exposure estimate underscores the cost of trust mismanagement in Web3, where access equals ownership. As attackers become more sophisticated, including the use of AI for social engineering and reverse engineering, organisations must evolve faster, not just with tooling, but with a mindset shift toward proactive, threat-informed defence,” Vanunu says.
Several Steps to Take
While it’s promising to see that Coinbase isn’t currently planning to pay the $20M ransom, there are steps they can take to ensure further scenarios such as this don’t transpire, comments Ishpreet Singh, Chief Information Officer at Black Duck. “I’d recommend implementing just-in-time access controls such as device fingerprinting and session auditing. Additionally, conducting regular risk reviews and strengthening vendor risk management and oversight can reduce third-party access to personally identifiable information.”
Regarding security architecture, moving to a zero-trust network model will help them to enforce micro-segmentation, adds Singh. “It’s important to carry out advanced security risk training including social engineering defense training. Sensitive user data should be heavily segmented and encrypted with keys inaccessible to support agents.”
Singh says this incident is an example of how security is becoming a competitive differentiator. “Applying security mechanisms such as these will help Coinbase and other enterprises around the world ensure uncompromised trust in the software that their customers rely on.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.