Coinbase Data Breach & $20M Ransom

KYC database of Coinbase, the largest U.S. digital asset exchange, has been breached and up to 1% of monthly active users, or around 100,000 customers, have had their personal info stolen.

Hackers reportedly bribed overseas customer support agents and contractors to leak internal company info and user data. They then demanded $20 million and threatened to release the stolen data if Coinbase didn’t pay.

Instead of paying the ransom, Coinbase said no and is setting up a $20 million reward fund for anyone who can help catch the hackers.

“They then tried to extort Coinbase for $20 million to cover this up. We said no,” the company said in a blog post. “Instead of paying the $20 million ransom, we’re establishing a $20 million reward fund.”

So what’s been stolen? The breach, which was first disclosed in a filing with the U.S. Securities and Exchange Commission (SEC), did not involve any theft of customer funds, login credentials, private keys or wallets.

But the hackers did get:

• Full names
• Addresses
• Phone numbers
• Email addresses
• Last 4 digits of Social Security numbers
• Bank account numbers and some bank identifiers
• Government ID images (driver’s licenses, passports, etc.)
• Account balances and transaction history
• Internal corporate documents and training materials

Coinbase says Prime accounts were not affected and no passwords or 2FA codes were stolen.

According to Coinbase, the attackers targeted outsourced support agents in countries like India. They were offering cash bribes in exchange for access to the company’s internal customer support tools.

“What these attackers were doing was finding Coinbase employees and contractors based in India who were associated with our business process outsourcing or support operations, that kind of thing, and bribing them in order to obtain customer data,” said Philip Martin, Coinbase’s Chief Security Officer.

Coinbase said it first saw suspicious activity in January 2025 but didn’t get a direct email from the threat actors until May 11. The email had evidence of stolen data and the ransom demand.

Coinbase quickly launched an investigation, fired all the involved support agents and notified law enforcement. It also started notifying users via email on May 15.

The Coinbase data breach has hit it hard, financially and publicly. The company estimates it will spend $180-$400 million on security upgrades, reimbursements and other remediation.

Coinbase’s stock also took a hit, dropping 6.4% after the news broke, before rebounding.

Analysts say this couldn’t have come at a worse time, as Coinbase is about to be added to the S&P 500 index – a big deal for any publicly traded company.

It’s definitely an unfortunate timing. “This may push the industry to adopt stricter employee vetting and introduce some reputational risks,” said Bo Pei, analyst at U.S. Tiger Securities.

Coinbase will reimburse any customers who were tricked into sending their digital assets to the attackers as part of social engineering scams. They’ve also introduced new security measures:

• Extra ID verification for high-risk withdrawals
• Scam-awareness prompts
• A new U.S.-based support center
• Stronger insider threat monitoring
• Simulation testing for internal systems

Affected customers have already been notified and the exchange is working with U.S. and international law enforcement to track down the attackers.

This is part of a larger trend in the digital assets world. Earlier this year, Bybit, another exchange, was hit with a $1.5 billion theft, dubbed the biggest digital asset heist in history.

Research from Chainalysis shows over $2.2 billion was stolen from digital asset platforms in 2024 alone.