Coinbase Has Confirmed That Cybercriminals Stole Sensitive Customer Data

In a significant cybersecurity incident, Coinbase has confirmed that cybercriminals, aided by a group of bribed rogue overseas support agents, stole sensitive customer data

Coinbase has fallen victim to a significant cybersecurity incident, in which a group of cybercriminals, aided by a group of bribed rogue overseas support agents, stole sensitive customer data in an attempt to extort the company for $20 million.

The incident unfolded when the attackers contacted Coinbase via email on May 11, 2025, demanding a $20 million ransom in exchange for the stolen data. However, the largest U.S.-based cryptocurrency exchange refused to pay the ransom and instead opted to establish a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for the attack.

According to Coinbase’s official blog post dated May 15, 2025, the breach occurred when a small group of rogue customer support contractors, based overseas, were recruited by cybercriminals through cash bribes to exfiltrate data for less than 1% of Coinbase’s monthly transacting users.

Their goal was to compile a list of customers they could target by impersonating Coinbase, to deceive users into giving up their cryptocurrency. Subsequently, they attempted to blackmail Coinbase, demanding $20 million to keep the breach hidden. But Coinbase refused the offer.

“Cyber criminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks. These insiders abused their access to customer support systems to steal the account data for a small subset of customers,” Coinbase wrote in a Thursday blog post.

“No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched.”

Coinbase has said it is taking full responsibility for protecting affected users, who will be contacted via email on May 15. Impacted customers will be reimbursed if they were fooled into transferring funds to scammers due to social engineering attacks.

The company is also rolling out tighter withdrawal controls, as flagged accounts will now require additional identity verification for large transactions, along with new scam-awareness prompts. It is opening a new support hub in the U.S. and adding stronger security controls and monitoring across all locations.

Additionally, to prevent future breaches, the company has increased investments in insider threat detection, security threat simulation, and automated response to identify similar security threats in its infrastructure.

Rather than pay the ransom, Coinbase is offering a $20 million bounty to anyone who can help bring the perpetrators to justice. The company is also working closely with U.S. and international law enforcement and has already fired the exchange staff involved in the breach. It will press criminal charges.

“Working with industry partners, we’ve tagged the attackers’ addresses so the authorities can track and work to recover assets,” the company added.

Coinbase is urging customers to remain vigilant, as imposters may try to exploit the situation by posing as Coinbase employees. The company will never ask for passwords or 2FA codes, or ask users to move funds or assets to a specific or new address, account, vault or wallet, or call or text users to move funds to a “safe” wallet.

If this happens, the crypto exchange suggests users hang up on imposters, immediately lock their account in the app, and email at [email protected] to report suspicious activity.

To protect against any potential data breach, Coinbase recommends that its users enable two-factor authentication (2FA) and turn on withdrawal allow-listing for secure transfers.

“To the customers affected, we’re sorry for the worry and inconvenience this incident caused. We’ll keep owning issues when they arise and investing in world class defenses—because that’s how we protect our customers and keep the crypto economy safe for everyone,” Coinbase concluded.