Coinbase reports data breach caused by support agents bribed to steal customer info
Take action: We all like to consider our colleagues good people, and we don't want to insult them by assuming they could do something bad. But this is an example of why controls against malicious insiders are important.
Coinbase, the largest U.S.-based cryptocurrency exchange, is reporting a data breach involving rogue support agents who were bribed by cybercriminals to steal customer information. The breach was discovered by Coinbase's independent monitoring systems, which detected personnel accessing data without legitimate business needs in previous months.
On May 11, 2025, the company received a ransom demand of $20 million from unknown threat actors who threatened to publish stolen information about certain customer accounts and internal documentation. Cybercriminals bribed and recruited a group of contractors and support staff located in India who had access to Coinbase's internal systems.
The insiders abused their authorized access to customer support systems to exfiltrate sensitive information before being detected and terminated by the company. The stolen data was then used for social engineering attacks against Coinbase customers, tricking some into transferring funds to attackers.
The personally identifiable information stolen in this incident includes:
- Name, address, phone number, and email
- Masked Social Security numbers (last four digits only)
- Masked bank account numbers and some bank account identifiers
- Government ID images (e.g., driver's license, passport)
- Account data (balance snapshots and transaction history)
- Limited corporate data (including documents, training material, and communications available to support agents)
The breach affected approximately 1% of Coinbase's customer base, which translates to around 1 million individuals based on the company's total user count of over 100 million. Coinbase has committed to voluntarily reimburse retail customers who were tricked into sending funds to scammers as a direct result of this incident.
Update - as of 20th of May 2025, Coinbase reports that the incident affected 69,461 individuals. The US Department of Justice has launched an investigation into the cyberattack. Apparently, Coinbase itself is not under investigation. "Coinbase is not under DOJ investigation, DOJ is investigating the criminal actors,"
As of 2nd of June 2025, Reuters reports that Coinbase knew about a customer data leak at an outsourcing company as far back as January 2025. Soon after learning of the data leak, more than 200 TaskUs employees who worked as outsourcing resources for Coinbase were fired. Coinbase claims that it knew contractors accessed employee data "without business need" in "previous months," but that it realized this was a systemic campaign only after receiving an extortion demand.
It's claimed that Sequoia Capital Managing Partner Roelof Botha was among the Coinbase Global Inc. customers whose personal information was stolen as part of a hack against the largest US crypto exchange.
Coinbase claims that no passwords, private keys, or funds were directly exposed, and Coinbase Prime accounts remained untouched. The company has emphasized that customers' hot or cold wallets were not compromised in the breach.
Coinbase estimates the financial impact of this incident to be between $180 million and $400 million, covering both remediation costs and customer reimbursements. The company has declined to pay the $20 million ransom and instead established a reward fund of the same amount for information leading to the arrest and conviction of the criminals responsible for the attack.