Coinbase Data Breach: Customer Data Compromised Through Insider Threat

Coinbase, a leading cryptocurrency exchange, has disclosed a data breach resulting from a social engineering attack targeting some of its customer support agents located outside the United States.

Cybercriminals bribed these individuals to gain unauthorized access to sensitive customer data, which they then intended to use for further malicious activities, including social engineering scams to steal cryptocurrency. The attackers subsequently demanded a $20 million ransom from Coinbase, which the company has refused to pay, instead offering the same amount as a reward to any informant.

Key Points of the Breach:

  • Insider Threat: The breach originated from the exploitation of compromised internal access by bribed customer support agents.
  • Data Compromised: The stolen data includes:
    – Names, phone numbers, addresses, and email addresses.
    – Masked Social Security numbers (last four digits only).
    – Partial bank account details and some bank identifiers.
    – Government-issued ID images (e.g., driver’s licenses, passports).
    – Account data such as balance snapshots and transaction history.

Coinbase has confirmed that the attackers did not gain access to the following:

  • Login credentials or two-factor authentication (2FA) codes.
  • Private keys.
  • Any ability to move or access customer funds directly.
  • Coinbase Prime accounts.
  • Hot or cold wallets controlled by Coinbase or its customers.

Ransom Demand: The cybercriminals demanded a $20 million ransom in Bitcoin to prevent the public release of the stolen data.

Coinbase’s Response: Coinbase has publicly stated they will not pay the ransom and are instead offering a $20 million reward for information leading to the arrest and conviction of the perpetrators.

Financial Impact: Coinbase estimates the incident could cost between $180 million and $400 million, encompassing remediation efforts and voluntary customer reimbursements.

Affected Users: Coinbase began notifying affected users via email on May 15, 2025, at 7:20 AM ET. The breach impacted less than 1% of Coinbase’s monthly transacting users.

Impacts of the Data Breach:

  • Increased Risk of Social Engineering Attacks: The stolen data provides attackers with enough information to impersonate Coinbase customer support and attempt to trick users into transferring their cryptocurrency to attacker-controlled wallets.
  • Potential for Identity Theft: While full Social Security numbers and bank account details were not compromised, the available information could still be used in conjunction with other data sources for identity theft attempts.
  • Erosion of User Trust: A data breach, especially one involving insider threats, can damage user trust in the security of the platform.
  • Financial Losses for Affected Users: Users who fall victim to subsequent social engineering attacks may suffer financial losses.
  • Reputational Damage to Coinbase: The incident could negatively impact Coinbase’s reputation, particularly as it was preparing to join the S&P 500 index.

What Coinbase Says:

  • Commitment: Coinbase has pledged to reimburse customers who were directly tricked into sending funds to the attackers as a result of this incident, following an investigation to verify the facts.
  • Enhanced Security Measures: The company has implemented additional safeguards, including:
    – Extra ID verification for large withdrawals on flagged accounts.
    – Mandatory scam-awareness prompts for high-risk accounts.
    – Increased monitoring of suspicious transactions, potentially leading to temporary delays.
    – Establishing a new support hub in the U.S. with stronger security controls.
    – Increased investment in insider threat detection and automated response systems.
  • Cooperation with Law Enforcement: Coinbase has fired the involved insiders and referred the case to both U.S. and international law enforcement agencies, vowing to pursue criminal charges.
  • Transparency: Coinbase is committed to keeping the community updated as the investigation progresses.
  • Warning Against Imposters: Coinbase has cautioned users to be wary of potential follow-up scams where individuals may impersonate Coinbase employees. The company reiterates that it will never ask for passwords or 2FA codes, or ask users to transfer assets to specific addresses.

Recommendations for Coinbase Users:

  • Be Extremely Vigilant: Be highly suspicious of any unsolicited communications claiming to be from Coinbase, especially those asking for sensitive information or urging you to take immediate action.
  • Enable Withdrawal Allow-listing: Restrict transfers to only those cryptocurrency wallet addresses that you fully control and trust.
  • Use Strong Two-Factor Authentication (2FA): Hardware security keys are the most secure option, followed by authenticator apps. Avoid relying solely on SMS-based 2FA.
  • Hang Up on Imposters: If you receive a suspicious phone call from someone claiming to be Coinbase support, hang up immediately. Coinbase will never call you directly for support.
  • Lock Your Account if Suspicious: If anything feels unusual or you suspect your account may be compromised, immediately lock your account through the Coinbase app and contact their security team at security@coinbase.com.
  • Review Security Tips: Familiarize yourself with Coinbase’s security best practices to avoid social engineering scams and other threats.
  • Monitor Your Account Activity: Regularly check your Coinbase account for any unauthorized transactions or unusual activity.
  • Secure Your Email Account: Ensure your email account, which is often linked to your Coinbase account, is protected with a strong, unique password and 2FA.
  • Beware of Phishing Attempts: Be cautious of emails, messages, or websites that look like Coinbase but could be fake and designed to steal your login credentials. Always access Coinbase through your bookmarked official link.