In a model of responsible disclosure, Coinbase today detailed insider data theft that led to a $20 million ransom demand.
In a blog post and SEC filing, Coinbase – the third largest crypto exchange by volume – said it will reimburse any customers tricked into sending funds to the attacker. And instead of paying the ransom demand, the company is instead offering a $20 million reward for information leading to the arrest and conviction of the attackers.
“Crypto adoption depends on trust,” Coinbase said in the blog post. “To the customers affected, we’re sorry for the worry and inconvenience this incident caused. We’ll keep owning issues when they arise and investing in world‑class defenses—because that’s how we protect our customers and keep the crypto economy safe for everyone.”
Coinbase Insider Data Theft Detailed in May 11 Email
The SEC filing said Coinbase received an email from an unknown threat actor on May 11 “claiming to have obtained information about certain Coinbase customer accounts, as well as internal Coinbase documentation, including materials relating to customer-service and account-management systems.”
Coinbase said the threat actor appears to have obtained the information by bribing “multiple contractors or employees working in support roles outside the United States.”
It’s not clear what internal threat detection systems the company had or when Coinbase first became aware of the insider threat, but the SEC filing said the “instances of such personnel accessing data without business need were independently detected by the Company’s security monitoring in the previous months. Upon discovery, the Company had immediately terminated the personnel involved and also implemented heightened fraud-monitoring protections and warned customers whose information was potentially accessed in order to prevent misuse of any compromised information.”
The threat actor obtained data on “less than 1% of Coinbase monthly transacting users.” The company has more than 100 million users but only around 10 million active monthly users, suggesting that data was stolen on around 100,000 users.
The threat actor’s aim was “to gather a customer list they could contact while pretending to be Coinbase—tricking people into handing over their crypto,” the Coinbase blog post said. “They then tried to extort Coinbase for $20 million to cover this up. We said no.”
The threat actor was able to obtain:
- Name, addresses, phone numbers, and email addresses
- Masked Social Security numbers (last 4 digits only)
- Masked bank account numbers and some bank account identifiers
- Government ID images such as driver’s licenses and passports
- Account data, such as balance snapshots and transaction history
- Limited corporate data (documents, training material, and communications available to support agents)
The threat actor didn’t get login credentials or 2FA codes, private keys, any ability to move or access customer funds, access to Coinbase Prime accounts, or access to any Coinbase or Coinbase customer hot or cold wallets.
Incident Could Cost Coinbase Up to $400 Million
The SEC filing said Coinbase estimates that the breach, remediation and customer reimbursement will cost anywhere from $180 million to $400 million.
Flagged accounts will now require additional ID checks on large withdrawals and include “mandatory scam‑awareness prompts.”
Coinbase plans to open a new support hub in the U.S. and add “stronger security controls and monitoring across all locations.”
“We have increased our investment in insider‑threat detection, automated response, and simulating similar security threats to find failure points in any internal system,” the blog stated.
Protecting Against Crypto Scams
Coinbase said scammers “may pose as Coinbase employees and try to pressure you into moving your funds. Remember, Coinbase will never ask for your password, 2FA codes, or for you to transfer assets to a specific or new address, account, vault or wallet. We will never call or text you to give you a new seed phrase or wallet address to move your funds to. If you receive this call, hang up the phone. Coinbase will never ask you to contact an unknown number to reach us.”
The company said users should turn on withdrawal allow‑listing and “only permit transfers to wallets that you are confident you fully control and where the seed phrase is secure and was not provided to you or shared with anyone.”
Enable strong two-factor authentication (2FA); “Hardware keys are best.”
Hang up on imposters: “Coinbase will never ask for your password, 2FA codes, or to move funds to a ‘safe’ wallet.”
“Lock first, ask later —If something feels off, lock your account in‑app and email [email protected].”
The Coinbase SEC filing and blog post were remarkable examples of responsible cyber incident disclosure – and an equally strong reminder of the peril of insider threats.
