Managing Insider Risk Is Critical: Coinbase's Recent Extortion Scheme Targeting Its Support Agents Shows Why

In a recent example of why managing insider risk is critical, cryptocurrency exchange Coinbase announced that it was the target of an extortion scheme enabled by insiders.

Coinbase is the latest company to be targeted by cybercriminals in an attempt to extort millions. But what makes this case unique is that it was enabled by insiders and attempts to highlight the critical role that managing insider risk plays in today’s threat landscape.

According to a recent blog post by Coinbase, malicious actors recruited several overseas contractors who were support agents for the company to gain access to its systems. From there, the cybercriminals attempted to extort the company for USD20 million to cover up the data breach.

Earlier this year in Forrester’s The Top Cybersecurity Threats In 2025 report, Forrester called out a higher risk of insider threats due to disgruntlement, financial distress, and geopolitical conflict.

According to a video from Coinbase chief executive officer Brian Armstrong (see video below), the cybercriminals were able to access personal information on less than 1% of the company’s monthly transacting users (MTUs). An 8-K filing indicates that the cybercriminals accessed company and customer data, including:

* Customer names, email addresses, and postal addresses

* Phone numbers

* Cryptocurrency addresses

* Transaction history on the platform

* Copies of customers’ government-issued identification

* Social Security numbers for a small number of U.S. customers

* Bank account numbers for a small number of U.S. customers who used a bank transfer to fund their account or request a withdrawal

The company said that the attackers weren’t able to access any user passwords, private keys, or funds. Instead, the cybercriminals used the data accessed to social engineer Coinbase clients. Coinbase is dismissing the insiders involved in the incident and is pursuing criminal charges against them through international law enforcement entities.

Estimating the impact

Coinbase provided a preliminary estimate of expenses related to the incident that range from USD180–400 million, including remediation costs, customer reimbursements, and other potential costs. The actual total could be lower based on insurance claims. Breaches, however, do have a long tail, so once litigation begins, the number could just as easily increase in the years ahead.

Flipping the coin (script) on the extortionists

In a move that is sure to surprise many, Coinbase is throwing the ransom request back in the face of the attackers — instead of paying up for the modest sum and hoping to close the book on this chapter quickly, they are putting the USD20 million toward a bounty for information leading to the arrest and conviction of the attackers. This seems to be a first — governments, such as the FBI and the US State Department through Rewards For Justice, have offered bounties, but no private-sector companies seem to have taken this approach.

Rebuilding Customer Trust

The old adage “It’s not the crime; it’s the cover-up” applies to breaches. In this scenario, Coinbase is providing remarkably clear, specific, and transparent details about the incident and its impact. This ranges from its public statements and the video from its CEO to the bounty leading to the arrest of the individuals/groups involved and its required 8-K filing.

Coinbase is also being responsive and human in its actions. The company is directly addressing customer concerns (such as reimbursements for those tricked by the attackers into sending funds) and highlighting how customers can stay safe.

In the blog post, Coinbase points out that “crypto adoption depends on trust.” The seven levers of trust in Forrester’s trust imperative research include accountability, competence, transparency, and empathy. Coinbase is touching on each of these in its announcements and communications about the incident so far. Its behavior, in the short term, is demonstrating its commitment to rebuilding customer trust.

Beware Of Low-Cost International Expansion

Coinbase’s announcement includes a warning that every business needs to take note of. Economic volatility is putting pressure on businesses to cut costs in various ways, and one way that companies are increasing efficiency is through offshoring. But international expansion brings with it cultural challenges, law enforcement differences, and stark contrasts in employee-to-employer loyalty. Coinbase is experiencing this firsthand. For those thinking that a combination of guardrails, agentic AI, and AI agents will solve this problem … well … generative AI is not immune to bribes either.

Thwarting future social engineering attempts

The Coinbase breach was a combination of multiple human-element breach types that resulted in the social engineering of its customers. In addition to the transparency around the breach itself, Coinbase is providing all customers with best practices for keeping data and funds safe.

Coinbase is clearly stating that it will never ask for passwords or two-factor authentication codes and won’t call or text customers to provide information. It states, “If you receive this call, hang up the phone.”

Encouraging customers, partners, and employees to pause and ask questions in the face of novelty, authority, and/or urgency is critical to disrupting social engineering attempts. It’s equally important to