Coinbase, a cryptocurrency exchange with over 100 million customers, has disclosed that cybercriminals working with rogue support agents stole customer data and demanded a $20 million ransom not to publish the stolen information.
The company said it would not pay the ransom but would establish a $20 million reward fund for any leads that could help find the attackers who coordinated this attack.
The disclosure comes after the criminals behind the breach emailed Coinbase on May 11, demanding a $20 million ransom to prevent public disclosure of stolen information about certain customer accounts and internal documentation.
According to Coinbase, the attackers obtained this customer data with the help of contractors or support staff outside the U.S. who were paid to access internal systems. Coinbase fired the insiders after they were detected while accessing systems without authorization, but not before they exfiltrated information from those devices.
While the threat actors managed to steal a combination of personally identifiable information of up to 1% of Coinbase’s customer base (around 1 million individuals), they couldn’t steal customers’ private keys or passwords, and couldn’t access Coinbase Prime accounts and hot or cold wallets (belonging to affected customers or the crypto exchange).
In a filing with the U.S. Securities and Exchange Commission (SEC), the company says the data stolen in this incident includes:
- Name, address, phone, and email;
- Masked Social Security (last four digits only);
- Masked bank-account numbers and some bank account identifiers;
- Government‑ID images (e.g., driver’s license, passport);
- Account data (balance snapshots and transaction history); and
- Limited corporate data (including documents, training material, and communications available to support agents).
“Cyber criminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks. These insiders abused their access to customer support systems to steal the account data for a small subset of customers,” Coinbase said in a Thursday blog post.
“No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched. We will reimburse customers who were tricked into sending funds to the attacker.”
https://t.co/evpIBMFvRW pic.twitter.com/f6UPdkL5R0
— Brian Armstrong (@brian_armstrong) May 15, 2025
Expected losses to reach up to $400 million
While the financial impact is still being assessed and Coinbase didn’t reveal how many customers were deceived into sending funds to the attackers in follow-up social engineering attacks, the company estimates that the resulting expenses will be “within the range of approximately $180 million to $400 million” for remediation and customer reimbursements.
Coinbase added that it will open a new support hub in the U.S., reimburse affected customers tricked into sending funds to the attackers following social engineering attacks, and increase investments in insider‑threat detection, security threat simulation, and automated response to prevent future breach attempts.
The company also advised customers to be suspicious of scammers impersonating Coinbase employees and attempting to trick them into transferring funds or asking them for sensitive information such as passwords or 2FA codes.
If this happens, the crypto exchange recommends hanging up because it never asks for account information over the phone or pressures customers into transferring assets to other wallets. To defend against similar attacks, you should enable two-factor authentication and turn on withdrawal allow‑listing, which ensures secure transfers.
“To the customers affected, we’re sorry for the worry and inconvenience this incident caused. We’ll keep owning issues when they arise and investing in world‑class defenses—because that’s how we protect our customers and keep the crypto economy safe for everyone,” Coinbase added.
“Coinbase will voluntarily reimburse retail customers who mistakenly sent funds to the scammer as a direct result of this incident prior to the date of this post, following a review to confirm the facts.”
Coinbase’s stock soared 24% after the crypto exchange joined the S&P 500, a stock market index that includes 500 leading companies listed on U.S. stock exchanges.
A Coinbase spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
