Coinbase has disclosed a targeted extortion attempt in which a small number of customer service agents were bribed to leak sensitive user data. Although the breach affected less than 1% of the exchange’s monthly transacting users, it has raised broader concerns about internal security, the use of third-party contractors, and the growing trend of cybercriminals exploiting personal data for social engineering scams.
In an official blog post and follow-up public statements, the company confirmed that no customer funds, private keys, or login credentials were compromised. Still, the information that was exposed is significant and could be used to impersonate Coinbase in phishing campaigns. The criminals responsible have since demanded $20 million in exchange for not publishing the stolen data.
Coinbase refused to comply – and instead issued a $20 million bounty for information leading to the attackers’ arrest. Some users have criticized the decision, saying the company is gambling with leaked user data instead of paying to keep it secure.
Table of Contents
What Happened
The attack was carried out through human manipulation, rather than technical infiltration. According to Coinbase, cybercriminals targeted its customer support team based overseas. Some support agents were offered money to participate in the scheme. Those who accepted used their internal access to extract customer data from support tools and systems. The attackers focused on gathering personal details that could later be used to mimic legitimate Coinbase communication channels and deceive users.
The information stolen includes names, home addresses, email addresses, phone numbers, and masked Social Security numbers. In some cases, the attackers also obtained images of official identification documents – such as passports or driver’s licenses – as well as account balance snapshots and transaction histories. Internal training documents and support-related material were also copied during the breach.
Crucially, the breach did not grant access to user login credentials, two-factor authentication codes, crypto wallets, or Coinbase Prime institutional accounts. Coinbase emphasized that customer funds remain secure and that its core systems were not compromised.
Ransom Rejected, Bounty Offered
After stealing the data, the attackers contacted Coinbase and demanded a $20 million payment in Bitcoin. They claimed that they would release the data publicly if the company did not comply. Coinbase declined the request and instead made the breach public. The company announced that it is offering a $20 million reward to anyone who provides credible information that leads to the identification, arrest, and conviction of those responsible.
Coinbase has since terminated the employees involved and referred them to U.S. and international law enforcement. The company says it is cooperating closely with authorities and that wallet addresses associated with the attack have been tagged to assist with ongoing tracking and potential fund recovery.
What Coinbase Is Doing in Response
All affected customers were contacted directly on the morning of May 15. Coinbase stated that anyone whose data was accessed has already received an official notification. The company also pledged to reimburse retail customers who lost funds after being tricked into sending assets to impersonators. These reimbursements will be issued following individual case reviews.
Internally, Coinbase is making several operational changes. The company is opening a new customer support hub within the United States and upgrading security infrastructure across all locations. Customer support agents will face stricter access controls, and new protocols have been implemented to monitor insider threats and reduce future risk.
For affected user accounts, Coinbase has introduced new security requirements. These include mandatory scam-awareness prompts, enhanced ID verification for large withdrawals, and slower processing for flagged transactions. The company has also increased investments in simulated security drills designed to detect weak points in its internal systems.
Financial and Regulatory Implications
Coinbase expects the cost of the breach to fall between $180 million and $400 million, according to a filing with the U.S. Securities and Exchange Commission. This figure includes reimbursements, legal costs, and infrastructure upgrades. The final total could change as more information becomes available.
CEO Brian Armstrong addressed the incident in a video message. He reiterated that the company will not meet extortion demands under any circumstances and stressed the importance of holding the attackers accountable. Armstrong also pointed out that the threat was detected quickly and that Coinbase’s refusal to pay was supported unanimously within the organization.
Guidance for Customers
Coinbase is urging all customers to remain alert for fraudulent messages or calls. Given the nature of the exposed data, scammers may try to impersonate Coinbase representatives and persuade users to share sensitive information or move funds. The company reminds users that it will never request passwords, authentication codes, or wallet seed phrases. It also does not ask customers to transfer funds to new accounts for “safety” reasons.
As a precaution, Coinbase recommends enabling hardware-based two-factor authentication, setting up withdrawal allow-lists, and locking the account immediately if something appears suspicious. The company has also published updated guidelines to help users avoid falling for social engineering attacks.
Conclusion
While only a small share of users were affected, the breach has led to bigger questions about how companies handle security risks from within. Coinbase’s choice to speak publicly and refuse the ransom has been called brave and transparent by some, but others have criticized the decision, saying the company is gambling with user data instead of paying to keep it private.
Since the news came out, Coinbase’s stock has dropped by around 5%. The investigation is still ongoing, and the company says it will keep users informed as more details become available.
Read also: Coinbase Added to S&P 500, Shares Jump 24%
