Coinbase Customer Info Stolen by Bribed Overseas Agents

HackRead

Coinbase insider breach: Bribed overseas agents stole user data; company rejects ransom, offers $20M reward, boosts security, and cooperates with law enforcement.

Coinbase, the largest US-based cryptocurrency exchange, has disclosed a major data breach involving bribed overseas customer support agents who stole sensitive customer information. The attackers demanded a $20 million ransom, which Coinbase refused to pay. Instead, the company has offered a $20 million reward for information leading to the arrest and conviction of the perpetrators.

**What Happened**

Cybercriminals targeted Coinbase’s external customer support agents, bribing a small group to access internal systems. These insiders extracted data from less than 1% of Coinbase’s monthly transacting users, including the following:

  • Masked bank account info
  • Some internal Coinbase documents
  • Last 4 digits of Social Security numbers
  • Government ID images (like driver’s licenses)
  • Names, addresses, phone numbers, and emails
  • Account balance snapshots and transaction history

According to Coinbase’s blog, the attackers used the information to impersonate Coinbase support and deceive customers into transferring their cryptocurrency. They then attempted to extort Coinbase for $20 million to prevent the release of the stolen data.

The good news is that the attackers could not get their hands on the following critical information:

  • Login info
  • 2FA codes
  • Private keys
  • Coinbase Prime account data
  • Access to any crypto wallets or customer funds

**Coinbase’s Response**

In response to the breach, Coinbase has taken a series of actions aimed at minimizing damage and preventing future incidents. The company refused to pay the $20 million ransom demanded by the attackers and instead set up a $20 million reward fund for information leading to their arrest.

Customers who were deceived into transferring funds as a result of the attack will be reimbursed. To strengthen internal security, Coinbase is opening a new support center in the United States, rolling out enhanced security protocols, and increasing investment in insider threat detection and automated response systems.

The company is also working with law enforcement to press criminal charges against both the internal and external individuals involved. Financially, the breach may cost Coinbase between $180 million and $400 million, and the company’s stock fell 6% following the announcement, reflecting investor concerns.

**Customer Guidance**

Coinbase advises customers to remain alert to phishing attempts and social engineering scams. The company emphasizes that it will never ask for passwords or two-factor authentication codes, and will never request fund transfers to new addresses. Customers are encouraged to enable withdrawal allow-listing and use hardware-based two-factor authentication for added security.

**Experts Weigh In**

Ishpreet Singh, Chief Information Officer at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the incident, stating, “While it’s promising to see that Coinbase isn’t currently planning to pay the $20M ransom, there are steps they can take to ensure further scenarios such as this don’t transpire.”

“I’d recommend implementing just-in-time access controls such as device fingerprinting and session auditing,” he added. “Additionally, conducting regular risk reviews and strengthening vendor risk management and oversight can reduce third-party access to personally identifiable information.”

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), also commented on the insider job, stating, “Coinbase’s decision to publicly counter-extort with a $20 million bounty is an interesting reversal of the usual playbook, transforming breach response into what could turn into a global manhunt.”

“This move shifts the narrative from victimhood to proactive offence, weaponizing transparency and financial incentives against cybercriminals. It also signals to users and adversaries alike that extortion will not quietly succeed, potentially reframing how future attacks may be responded to. Perhaps risk is escalation,” Jason added. “Adversaries may double down or target exchanges with even greater aggression.”

This story is developing, stay tuned!
