Coinbase reports major security breach as attackers steal 84,000 customers’ data, demand $20 million ransom

Coinbase, one of the world’s leading cryptocurrency exchanges, has disclosed a significant cyberattack involving insider bribery that compromised the personal data of about 84,000 customers. The breach, carried out by hackers who bribed rogue overseas support agents, has led to social engineering scams targeting affected users.

Surprisingly, instead of complying with the attackers’ $20 million ransom demand, the crypto exchange has taken a defiant stance, offering a $20 million reward for information leading to the arrest and conviction of those responsible. The incident is expected to cost the company between $180 million and $400 million, sending its shares down 3% in premarket trading on Thursday.

According to a blog post by the company, the breach stemmed from a group of overseas customer support agents who were recruited and bribed by cybercriminals. These rogue agents abused their access to customer support systems, leaking sensitive personal information, including names, home addresses, phone numbers, and government ID photos.

The stolen data was then used to orchestrate sophisticated social engineering scams, with attackers posing as Coinbase employees to trick users into verifying suspicious account activity or sending funds to fraudulent addresses. While no passwords, private keys, or funds were directly exposed, and Coinbase Prime accounts remained unaffected, the breach has exposed vulnerabilities in the exchange’s internal security protocols.

Coinbase’s chief security officer, Phillip Martin, emphasised the company’s commitment to addressing the breach transparently. “We will pursue the harshest penalties possible and will not pay the $20 million ransom demand we received.” 

The firm reiterated in a post on X. “Instead, we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack.”

The company is collaborating with law enforcement to track down the perpetrators and has promised full reimbursement to eligible customers who lost funds to scammers posing as Coinbase agents.

Coinbase users are growing targets for social engineering scams

The breach adds to a troubling pattern of social engineering scams targeting Coinbase users. Blockchain investigator ZachXBT, a prominent on-chain sleuth, reported that Coinbase customers have lost over $300 million annually to such scams, with $45 million stolen in the past week alone as of May 7, 2025.

ZachXBT’s investigations, conducted in collaboration with researcher Tanuki42, have identified multiple wallet addresses linked to these thefts, pointing to coordinated phishing and impersonation operations. Attackers often use spoofed phone numbers and fraudulent emails with fake case IDs to deceive victims, exploiting weaknesses in Coinbase’s user verification and compliance processes. ZachXBT has criticised Coinbase for failing to flag known theft addresses or provide adequate support to victims, alleging that the exchange’s leadership has not addressed evolving threats effectively.

The financial impact of the breach is substantial. Coinbase estimates losses ranging from $180 million to $400 million, covering reimbursements to affected customers and costs associated with enhancing security measures.

This incident is not Coinbase’s first brush with security challenges. In March 2025, ZachXBT reported that users lost $46 million to phishing scams, including a single theft of 400 Bitcoin (worth $34.9 million) from one user. Earlier reports from February 2025 highlighted $65 million in losses over two months, with ZachXBT attributing some scams to groups in India and online communities like “The Com.”

Additionally, Coinbase has faced criticism for not publicly addressing other security incidents, such as hacked API keys and a $15.9 million theft via Coinbase Commerce in 2024. The exchange’s failure to report theft addresses in compliance tools has further fuelled accusations of inadequate user protection.

The breach underscores the growing sophistication of social engineering scams in the crypto industry. In 2024, Coinbase was the most impersonated crypto brand by scammers, who often masquerade as trusted entities to exploit victims’ trust. The broader crypto sector has also seen high-profile incidents, such as a $330 million Bitcoin theft from an elderly U.S. citizen in April 2025, marking one of the largest social engineering scams in history.

Coinbase’s response includes immediate steps to secure affected accounts and enhance internal controls. The company has urged users to remain vigilant against phishing attempts and to verify communications claiming to be from Coinbase. Industry experts are calling for stronger regulatory frameworks and unified scam-reporting systems to combat the rising tide of crypto-related cybercrime. Coinbase’s chief security officer has advocated for a streamlined scam-reporting process to better protect users across the industry.

As Coinbase navigates the fallout, the $20 million reward offer signals a bold approach to combating cybercrime. Whether it will lead to the perpetrators’ arrest remains uncertain, but the move highlights the exchange’s determination to prioritise accountability over capitulation.