Insiders within Coinbase leaked user data causing a major cybersecurity incident and exposing critical user data earlier this month.

On May 11, 2025 the company received ransom demands from an unknown threat actor who claimed to have information about Coinbase customer accounts and internal Coinbase documents

A report by CyberNews has provided further details concerning a recent cybersecurity incident at Coinbase, revealing that an unknown threat actor had threatened to release data on the company's customer accounts and internal documents.

On May 11, the company received an email from aบุรุษม پیامرسان threatening to disclose information about Coinbase customer accounts and internal documents, including materials related to customer service and account management systems.

The company stated that the actors claimed to have data on "less than 1% of the Coinbase monthly transacting users."

While the exact number of affected users wasn't mentioned, it's worth noting that the publicly traded company, which operates the largest U.S.-based cryptocurrency exchange, has over 100 million users.

The stolen data includes name, address, phone number, email address, Social Security number (last four digits), masked bank account numbers (and some identifiers), and government ID images (driver’s licenses and passports). It also includes account data, such as balance snapshots and transaction history.

Moreover, some corporate data was taken, which includes training material and communications available to support agents. However, no passwords or private keys were included.

The ongoing internal Coinbase investigation has found that this ransomware incident was part of a single campaign, and that the ransomware email is credible. However, Coinbase will not be paying the ransom. The company will be cooperating with law enforcement.

Coinbase's ongoing internal investigation has found that the source of the breach is cybercriminals who bribed and recruited employees in support roles or contractors outside of the U.S. who had access to internal systems.

Coinbase has found instances of personnel accessing data without a legitimate business need in previous months through their independent monitoring systems.

Coinbase responded by terminating the involved employees and contractors, and by rolling out heightened fraud-monitoring protections. A new support hub will be opening in the U.S., and the company will be taking measures to increase defenses and safeguards, including requiring extra ID checks on large withdrawals and mandatory scam awareness prompts for flagged accounts.

Coinbase has warned users that they may experience some delays as high risk transactions are monitored. They’ve also contacted customers who may have had their information compromised.

Instead of paying the $20 million ransom demand, Coinbase has created a $20 million reward fund as a bounty, offering it to whomever can provide information that leads to the arrest and conviction of the criminals responsible for the attack.

The company estimates the remediation could cost it between $180 million and $400 million, and it plans to voluntarily reimburse affected customers who directly lost funds to the hackers as a result of this incident.

How to stay safe after the breach

Coinbase warns its users they will likely experience an influx of imposters and scammers, perhaps related to this breach and perhaps not. They remind users that they will never ask for your password, 2FA codes or ask that you transfer your assets to a specific or new address, account, vault or wallet.

Additionally, Coinbase will never call or text you to give you a new seed phrase or wallet address to move your funds to. If you receive a call like this, you are encouraged to hang up the phone immediately. Coinbase will never ask you to contact an unknown number to reach them.

The usual rules of phishing also apply here: Never click on any unexpecting links, attachments or QR codes that are sent to you in any manner. If you receive something that appears to be from someone you do know, confirm it with them in an independent manner.

When going online, make sure you have one of the best antivirus software programs installed and up to date – these programs have VPNs, password managers and safe browsers as well as other features that can help provide you with an added layer of security.