Coinbase (COIN.O) forecasts a hit of $180 million to $400 million from a cyberattack

The company received an email from an unknown threat actor on May 11, claiming to have information about certain customer accounts as well as internal documents.

Coinbase (COIN.O) shares extended losses on Thursday after the crypto exchange said it expects an impairment of $180 million to $400 million related to a cyberattack that breached the personal data of a “small subset” of its customers.

The company, which is set to join the S&P 500 index (SPX) next week, said it received an email from an unknown threat actor on May 11, claiming to have information about certain customer accounts as well as internal documents.

While some data — including names, addresses and emails — was stolen, the hackers did not get access to login credentials or passwords, Coinbase said. It will, however, reimburse customers who were tricked into sending funds to the attackers.

Hackers had paid multiple contractors and employees working in support roles outside the U.S. to collect information. The company has fired those involved, it said.

Separately, the U.S. Securities and Exchange Commission had begun probing whether Coinbase's had misstated its user figures, and whether the firm had appropriate compliance in place to meet know-your-customer and Bank Secrecy Act rules designed to prevent money laundering, two sources familiar with the matter told Reuters.

Coinbase denied the SEC was probing the company's compliance with know-your-customer and Bank Secrecy Act rules.

Coinbase shares were last down 6.5%.

"This is a hold-over investigation from the prior administration about a metric we stopped reporting two and a half years ago, which was fully disclosed to the public," Coinbase's chief legal officer, Paul Grewal, said.

"While we strongly believe this investigation should not continue, we remain committed to working with the SEC to bring this matter to a close."

The SEC declined to comment.

CRACKS IN CRYPTO

The latest developments come days before the company is set to join the benchmark S&P 500 index, casting a shadow over what was expected to be a landmark moment for the crypto industry.

At a time when the industry is battling to project stability and gain broader acceptance among mainstream investors, the incident could spur more scrutiny of crypto firms' internal controls and cybersecurity measures.

Security remains a challenge for the crypto industry despite its growing mainstream acceptance. In February, Bybit disclosed a hack in which around $1.5 billion of digital tokens were stolen — widely dubbed the biggest crypto heist of all time.

"The cyberattack may push the industry to adopt stricter employee vetting and introduce some reputational risks," said Bo Pei, analyst at U.S. Tiger Securities.

Funds stolen by hacking crypto platforms totaled $2.2 billion in 2024, according to a report from Chainalysis.

"As our nascent industry grows rapidly, it draws the eye of bad actors, who are becoming increasingly sophisticated in the scope of their attacks," said Nick Jones, founder of crypto firm Zumo.

The firm now also faces a lawsuit, filed in the Southern District of New York, alleging the world's largest crypto exchange failed to secure and safeguard personally identifiable information of millions of former and current customers, the filing showed.

Coinbase has refused to pay a ransom demand of $20 million from the attackers and is working with law enforcement agencies. It has instead established a $20 million reward for information on the hackers.

The company is also opening a new support hub in the U.S. and taking other measures to prevent such cyberattacks, it said.