Coinbase Insider Breach Exposes Customer Data and Government IDs; $20M Ransom Rejected

The Coinbase insider breach revealed that rogue support agents aided a cyberattack that stole customer data and government IDs. The attackers demanded $20 million, but Coinbase refused to pay.

    Coinbase Discloses Insider-Aided Data Breach Impacting 1% of Customers

    Cryptocurrency exchange Coinbase has confirmed an insider breach that exposed personal and account information for up to 1 million customers, approximately 1% of its user base. The attackers behind the breach demanded a $20 million ransom in exchange for not releasing the stolen data. Coinbase has refused to pay.

    The attack involved cybercriminals who recruited overseas support contractors to gain unauthorized access to internal systems. The breach was disclosed publicly after the attackers emailed Coinbase on May 11, threatening to release the stolen data if their ransom demands were not met.

    “Cyber criminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks,” Coinbase said in a blog post.

    Insider Access Used to Steal Customer and Internal Data

    According to Coinbase, the attackers worked with third-party support staff based outside the U.S. who were paid to access internal tools. The company stated that the involved individuals were immediately terminated once unauthorized activity was discovered. However, some data had already been exfiltrated.

    Coinbase emphasized that no customer passwords, private keys, or crypto wallets—including Coinbase Prime accounts—were accessed or compromised.

    The company detailed the stolen data in a filing with the U.S. Securities and Exchange Commission (SEC):

    • Full name, address, phone number, and email
    • Masked Social Security numbers (last four digits only)
    • Masked bank account numbers and some banking identifiers
    • Images of government-issued IDs (e.g., passports, driver’s licenses)
    • Account balances and transaction histories
    • Limited internal documents, training materials, and support communications

    Coinbase Launches $20M Reward Fund for Attacker Leads

    Instead of complying with the ransom demand, Coinbase announced a $20 million reward program for information that leads to the identification or capture of those behind the attack.

    “We will reimburse customers who were tricked into sending funds to the attacker,” the company added.

    Estimated Financial Impact Between $180M and $400M

    Though the full scale of the financial impact remains under assessment, Coinbase estimates the cost of the incident—including reimbursements and remediation—could range between $180 million and $400 million.

    The breach enabled follow-up social engineering attacks, during which some users were tricked into sending funds to the attackers. Coinbase has pledged to reimburse retail customers who suffered losses before the date of the public disclosure.

    Strengthening Internal Controls and U.S. Support Hub Planned

    In response to the breach, Coinbase will:

    • Open a new U.S.-based support hub
    • Increase investments in insider threat detection
    • Expand security simulation and automated response capabilities
    • Reinforce customer education on fraud prevention

    Customers are being advised to remain cautious of scams and impersonation attempts. Coinbase reiterated that it will never ask for passwords, two-factor authentication codes, or request fund transfers over the phone or by unsolicited contact.

    “To the customers affected, we’re sorry for the worry and inconvenience this incident caused. We’ll keep owning issues when they arise and investing in world-class defenses,” Coinbase said.

    Incident Follows S&P 500 Inclusion and Market Spike

    Despite the breach, Coinbase’s stock rose by 24% after the company was added to the S&P 500, joining the index of top publicly traded U.S. firms.
