Coinbase has disclosed a significant data breach in which cybercriminals, working in coordination with rogue overseas support agents, gained unauthorized access to internal systems and exfiltrated sensitive user data.

The attackers later demanded a $20 million ransom in exchange for not leaking the stolen information.

In a strong and public stance against extortion, Coinbase has refused to pay the ransom and has instead launched a $20 million reward fund to encourage individuals with knowledge about the perpetrators to come forward.

The breach was revealed after the threat actors sent an extortion email to Coinbase on May 11, warning the company that they would release customer data and internal documentation unless the ransom was paid.

According to Coinbase’s official SEC filing and accompanying blog post, the attackers obtained their foothold by bribing support contractors based outside the United States. These insiders were reportedly paid to abuse their privileged access to internal customer support systems and extract data linked to a subset of users.

The company clarified that approximately 1% of its user base—around 1 million customers—had their information compromised. Stolen data includes full names, physical addresses, phone numbers, email addresses, the last four digits of Social Security numbers, partial bank account identifiers, images of government-issued IDs (such as passports and driver’s licenses), account balance snapshots, transaction histories, and limited corporate documentation like internal communications and training materials.

Importantly, Coinbase confirmed that despite the breadth of the data breach, no private keys, login credentials, or cryptocurrency funds were accessed or stolen. Furthermore, Coinbase Prime accounts and cold and hot wallets, both those belonging to customers and those belonging to the company, remained completely unaffected. The company has said that impacted users who were tricked into sending funds to attackers through social engineering scams will be fully reimbursed.

Coinbase emphasized in its blog post that the attack was orchestrated to support broader social engineering campaigns against customers, relying heavily on the trust and internal access of compromised support agents. These agents have since been terminated after being caught violating access policies and attempting to access systems without authorization.

In response to the breach, Coinbase is taking multiple steps to both investigate the incident and strengthen its security posture. Chief among them is the establishment of a $20 million reward fund, which will be used to incentivize informants who can provide actionable intelligence that leads to the identification or apprehension of the cybercriminals responsible. This reward initiative is part of Coinbase’s broader effort to stand against extortion attempts and uphold transparency and user trust in the cryptocurrency industry.

As of now, the company is cooperating with law enforcement and regulatory bodies and has urged other technology and financial institutions to remain vigilant about insider threats, especially those arising from third-party contractors operating in foreign jurisdictions. Coinbase’s refusal to yield to ransom demands may set a precedent for how major tech firms deal with extortion-driven cyberattacks going forward.
