The latest crypto data breach underscores a simple truth: hackers target humans

This “Coinbase security incident” hit right as the exchange was preparing to join the S&P 500, yet it stemmed from bribery and social engineering

The latest crypto data breach serves as a stark reminder that hackers often target humans, not just software. In May 2025, fewer than 1% of Coinbase users had their personal data breached by bribery and social engineering, rather than a flaw in the exchange's technology.

This incident hit right as Coinbase was preparing to join the S&P 500. While no login passwords, two-factor codes or private keys were leaked, the fallout is nonetheless massive, with Coinbase now expecting $180–$400 million in costs for remediation and reimbursements.

Coinbase's breach began quietly in late 2024. According to a regulatory filing, criminal hackers bribed Coinbase's overseas customer-support contractors to siphon customer information, starting around December 26, 2024.

The fraud went unnoticed until May 11, 2025, when Coinbase's security team spotted suspicious activity – the same day the attackers emailed a $20  million ransom demand. Coinbase refused and disclosed the incident on May 15.

In total, about 69,461 customer accounts were impacted. The stolen data was personal, not technical. Attackers obtained names, postal addresses, phone numbers, and emails for these customers, plus masked identifiers: the last four digits of Social Security numbers, partial bank-account info, images of drivers’ licenses or passports, and snapshots of account balances and transaction history.

Critically, no login passwords, two-factor codes or private keys were leaked – the thieves could not directly access funds or cryptocurrency wallets.

Coinbase maintained that no customer funds or password data were touched. The stolen information was valuable mainly for social engineering – impersonating Coinbase in order to trick users into sending crypto to the scammers.

This attack was classic crypto social engineering. Rather than hacking a server, criminals preyed on trust. They targeted a “few bad apples” among Coinbase’s support staff with cash bribes.

These insiders had access to customer data and were paid to copy it. With that data, the criminals planned to pose as Coinbase support and contact victims.

Social engineering tactics like smishing (phishing via SMS) and vishing (voice phishing) are growing in crypto. For example, security firm KnowBe4 described a Coinbase incident in which an employee first received a malicious text asking them to log into a work account; moments later, a caller pretending to be IT support urged the employee to grant access to their workstation.

The employee grew suspicious and reported the attempt, preventing a deeper breach. “No funds were taken and no customer information was accessed… but some limited contact information for our employees was taken,” Coinbase noted after that attack.

In Coinbase’s May breach, the combination of inside help and scam tactics bypassed the company’s technical barriers. The hackers did not need to break passwords or crack two-factor codes. They simply leveraged the trust placed in human agents to extract data.

As Coinbase’s CEO Brian Armstrong put it, attackers simply “found a few bad apples” and socially engineered their way into private data.

The fallout was swift. Shares of Coinbase slid as the breach hit headlines, but more importantly, the company acted immediately to protect customers.

In compliance with data laws, Coinbase began mailing breach notification letters to affected customers and offered them a year of credit monitoring and identity-theft insurance.

Financially, Coinbase warned the incident would be costly – on the order of $180–$400 million in total. This includes forensic costs, customer reimbursements for any social-engineering losses, and regulatory fines.

The attackers’ $20M ransom demand was rebuffed. Instead, Coinbase created a $20M reward fund for tips leading to the hackers’ capture. The company also fired the support agents involved and said it will press charges.

To prevent future incidents, Coinbase beefed up security. Impacted accounts are being flagged with extra checks and scam-alert prompts.

On May 15, Coinbase announced it would reimburse any customer tricked into sending crypto to the attackers. It is opening a new U.S.-based support center and enforcing stronger access controls in overseas offices. The exchange is also investing in better insider-threat monitoring and more employee training on spotting scams.

The Coinbase security incident drives home a broader point: human error remains crypto’s weakest link. Technical defenses can be state-of-the-art, but a single compromised staffer can hand attackers the keys to the kingdom.

Industry surveys back this up. One IBM/Ponemon study found nearly half of all breaches involve human mistakes or insider actions. And as KnowBe4 bluntly puts it, “anyone can fall victim to a social engineering attack” – including cryptocurrency professionals.

For crypto investors, the takeaway is vigilance. Always treat unsolicited calls, texts, or emails with skepticism, even if they reference your account.

Verify any Coinbase communications through official