Coinbase, one of the world’s largest cryptocurrency platforms with over 100 million users, has revealed it was the target of a cyberattack involving insider help. The breach led to the theft of sensitive user data, and the attackers demanded a $20 million ransom to keep the information from going public.
The company made it clear—it refused to pay the ransom. Instead, Coinbase has announced a $20 million reward fund for anyone who can provide credible information leading to those behind the attack.
The extortion attempt became public after the attackers sent an email to Coinbase on May 11, threatening to expose internal documents and details of affected user accounts if the ransom wasn’t paid.
According to Coinbase, the breach occurred after support agents outside the U.S. were bribed to give unauthorized access to internal systems. Once detected, the company promptly terminated the rogue insiders, though some data had already been extracted.
What Was Stolen
Roughly 1% of Coinbase’s users—about 1 million people—were affected. The attackers gained access to:
- Full names, addresses, phone numbers, and email addresses
- Masked Social Security numbers (last four digits)
- Masked bank account details and some identifiers
- Images of government-issued IDs (like driver’s licenses and passports)
- Account activity, including balances and transaction histories
- Internal corporate materials such as support documents and training files
Despite the breach, no customer passwords, private keys, or cryptocurrency wallets—hot or cold—were accessed. Coinbase Prime accounts were also unaffected.
In a regulatory filing with the U.S. Securities and Exchange Commission (SEC), Coinbase reiterated its position that no funds were directly compromised. The company has pledged to reimburse any customers who were tricked into sending money during the fallout from this attack.
In a public blog post, Coinbase said:
“Cybercriminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks. These insiders abused their access to customer support systems to steal the account data for a small subset of customers.”
This incident highlights an increasing trend of insider-enabled cyberattacks, where criminals bypass traditional security systems by exploiting trusted individuals inside an organization.
Coinbase says it continues to cooperate with law enforcement and has tightened access controls to prevent similar breaches in the future.
Coinbase Faces Up to $400M in Fallout After Insider Breach, Will Reimburse Victims
The full financial impact of the recent insider-led security breach at Coinbase is still being calculated, but the company estimates costs could land between $180 million and $400 million. These expenses cover customer reimbursements and efforts to address the breach’s consequences.
While Coinbase hasn’t disclosed exactly how many users were misled into transferring funds during follow-up scams, it has confirmed that some victims fell prey to social engineering attacks after the data was stolen. In response, Coinbase announced several major changes.
A New Security Push
Coinbase plans to open a new customer support hub in the U.S. and will offer full reimbursement to users who mistakenly sent crypto to scammers as a result of the incident, after verifying the details of each case.
To prevent future breaches, the company is ramping up investment in insider-threat detection, security simulations, and automated responses to potential attacks. These upgrades aim to catch suspicious activity before any real damage can occur.
Coinbase also issued a public warning to users: Beware of impersonators. If someone claiming to be from Coinbase contacts you and asks for sensitive data or urges you to move your funds, hang up or end the conversation immediately. The company emphasized that it will never request login information or pressure users to transfer assets.
For stronger protection, Coinbase recommends turning on two-factor authentication and enabling withdrawal allow-listing, a feature that restricts asset transfers to pre-approved wallet addresses.
“To the customers affected, we’re sorry for the worry and inconvenience this incident caused. We’ll keep owning issues when they arise and investing in world‑class defenses—because that’s how we protect our customers and keep the crypto economy safe for everyone,” the company said in a statement.
Commitment to Reimburse Victims
Coinbase confirmed it will voluntarily reimburse retail customers who were deceived into sending funds to scammers due to this breach, if the transactions occurred before the date of the public announcement and meet verification standards.
In the midst of this crisis, Coinbase shares surged 24% after the company was added to the S&P 500 index, signaling continued investor confidence despite the breach.
