Coinbase Under Fire for Alleged Delay in Disclosing Customer Data Breach

A researcher claims Coinbase knew months earlier about a December 2024 breach involving insider social-engineering that exposed data for nearly 70,000 users. Coinbase later confirmed support-staff credentials were compromised and revoked access, added MFA controls, and notified affected customers.

    A prominent security researcher has accused cryptocurrency exchange Coinbase of waiting months to publicly disclose a serious data breach involving insider threats and social engineering. According to the whistleblower, who claims to have warned Coinbase in January, the incident actually occurred in December 2024 and impacted nearly 70,000 users.

    The attack, reportedly involving the bribery of customer support staff, highlights the growing risks facing organizations from insider-assisted compromises, particularly in industries handling sensitive financial and personal information.

    Researcher Alleges Early Disclosure to Coinbase Was Ignored

    A security researcher, involved in independent investigations of cryptocurrency scams, claims that Coinbase had knowledge of the breach far earlier than it disclosed. According to his account, he attempted to alert the company in January after encountering fraud attempts that pointed to insider compromise.

    Research Led to Suspicion of Insider Access

    While investigating crypto scams involving impersonation and phishing, the researcher initiated contact with Coinbase to learn more about certain user account access patterns. In the process, he discovered indications that support staff credentials had been abused.

    “I was asking Coinbase to confirm account details, and their warning message to me suddenly switched to something much more aggressive, telling me they wouldn’t send me anything because of ‘a recent support team social engineering attack’,” he revealed.

    This response allegedly served as a tacit admission of the breach, months prior to Coinbase’s eventual disclosure.

    Coinbase Confirms Breach Outcome Involving 70,000 Users

    Coinbase acknowledged the breach publicly in mid-2025, confirming that attackers had used social engineering techniques to compromise customer service team members. As a result, unauthorized individuals gained access to personally identifiable information of approximately 70,000 customers.

    Social Engineering and Bribery Tactics Were Key

    The attackers reportedly convinced at least one employee to hand over internal credentials, likely through direct bribery, a common method in recent insider threat incidents. Once inside the system, the perpetrators were able to gather sensitive customer data. While Coinbase did not report that these details were exploited for crypto theft, the exposure of identity and account details remains significant.

    Prompt Action Taken After Compromise Detection

    Once the breach was confirmed, Coinbase stated it implemented a series of mitigation strategies, including:

    • Revocation of compromised credentials
    • Enhanced internal security awareness training
    • Implementation of additional multi-factor authentication (MFA) controls
    • User notification letters and credit monitoring for impacted accounts

    The company maintained that it acted “swiftly” upon discovery, though questions now swirl around when exactly the breach came to light internally.

    Insider Threats Pose Growing Risk in Crypto Sector

    This incident underscores the persistent threat insiders pose to digital-first financial institutions. As systems become more fortified against external threat actors, attackers increasingly rely on targeting human vulnerabilities within organizations to gain access.

    Crypto Companies Face Increasingly Sophisticated Attacks

    Coinbase’s breach follows a broader trend of attackers turning to social engineering and phishing to bypass frontline defenses. For cryptocurrency platforms dealing with millions of users and billions in assets, insecure internal processes or lack of timely transparency can erode trust.

    Potential Consequences of Delayed Disclosure

    Experts warn that delayed incident disclosure can have legal, reputational, and operational ramifications. For a publicly traded company like Coinbase, transparency in incident reporting is critical to maintain user confidence and meet regulatory obligations.

    The researcher’s statement raises uncomfortable questions regarding Coinbase’s incident response timeline. If true, the delay between internal discovery and public acknowledgment may warrant scrutiny from regulators and stakeholders alike.

    Investigations May Determine Accountability and Timeline

    At the time of writing, there is no formal statement from Coinbase addressing the specific claim that it was warned in January. However, public and internal reports indicate the breach occurred in December 2024, with corrective action and customer notifications happening several months later.

    The timelines and disclosures related to this incident will likely be of interest to:

    • Data protection regulators
    • Cryptocurrency industry watchdogs
    • Institutional investors monitoring risk management practices

    The increased focus on insider threats, especially in high-stakes sectors like cryptocurrency, continues to shape how companies approach data security and incident reporting. As the fallout from this disclosure unfolds, affected users and the security community alike may demand greater accountability.
