Estimated remediation costs range from $180 million to $400 million, and Coinbase’s data leak issues appear to be longstanding.
On May 15, 2025, Coinbase, the largest U.S.-based cryptocurrency exchange, disclosed a significant data breach in which cybercriminals bribed overseas customer support agents with cash offers to steal sensitive user information. The attackers used the data to demand a $20 million Bitcoin ransom, which Coinbase rejected, instead offering a $20 million reward for information leading to the culprits’ arrest and conviction. The breach, affecting less than 1% of Coinbase’s monthly transacting users, has sparked concerns about insider threats in the crypto industry, with estimated remediation costs ranging from $180 million to $400 million.

Details of the Breach and Extortion
Coinbase reported that the breach stemmed from cybercriminals offering cash bribes to Coinbase’s overseas customer support agents, primarily in India, to copy monthly transaction data from the exchange’s customer support tools. This enabled the attackers to compile a list of users, which they used to impersonate Coinbase staff in social engineering scams aimed at tricking victims into transferring cryptocurrency. The stolen data included names, addresses, phone numbers, email addresses, masked bank account numbers, the last four digits of Social Security numbers, government ID images, account balances, and transaction histories. No passwords, private keys, or customer funds were compromised, and Coinbase Prime accounts remained unaffected.
Coinbase fired the compromised agents, who Chief Security Officer Philip Martin suggested could be Indian nationals, after flagging their involvement in allowing scammers access to user data. The company received an email from an unknown threat actor demanding $20 million in Bitcoin to withhold the data, a demand Martin described as eliciting a unanimous “hell no!” from the team.

Coinbase’s Response: Bounty and Reimbursements
Coinbase refused the ransom, instead launching a $20 million reward fund to identify and prosecute the perpetrators. CEO Brian Armstrong emphasized pursuing “the harshest penalties possible.” The exchange is working with U.S. and international law enforcement and plans to press charges against the fired agents. Coinbase also committed to reimbursing customers who lost funds due to follow-up social engineering scams, where attackers posed as Coinbase staff. The financial toll is substantial, with Coinbase estimating $180 million to $400 million in remediation and reimbursement costs, according to an SEC filing. This includes investments in a new U.S.-based support hub, insider threat detection, and scam-awareness prompts. Coinbase shares (COIN) dropped over 7.2% to below $244 in trading on May 15, reflecting investor unease.

Industry Context and Expert Insights
The breach underscores the rising threat of insider-led cyberattacks in crypto. Blockchain investigator ZachXBT reported that Coinbase has faced ongoing issues with user data leaks, with social engineering scams costing users over $300 million annually, including $45 million stolen in early May 2025 alone, underscoring the platform’s distinct vulnerability compared to other exchanges. ZachXBT noted he has identified and publicized numerous Coinbase user thefts linked to a specific criminal group. In a February 2025 post, he revealed that between December 2024 and January 2025, $65 million in user funds were stolen, a figure likely underrepresenting the total losses. In that post, ZachXBT detailed the scam group’s tactics, describing them as “skids from the Com” and threat actors based in India. He accused Coinbase of quietly experiencing related security incidents without public acknowledgment, stating, “For the vast majority of the time, these theft addresses are not being reported at all by Coinbase in popular compliance tools even after the thefts went on for weeks.” He further criticized Coinbase’s customer support, noting, “Multiple victims who have contacted me get stuck with useless customer support agents who never hear back.” At the time, Coinbase did not publicly respond to ZachXBT’s allegations.

KYC’s Role in Amplifying Social Engineering Risks
The Coinbase data breach has sparked broader discussions about whether Know Your Customer (KYC) protocols inadvertently fuel social engineering attacks. Critics argue that while KYC can deter malicious actors to some extent, it also centralizes vast amounts of sensitive user data, making exchanges and similar institutions prime targets for hackers. Once KYC databases are compromised, they enable highly personalized and effective social engineering attacks. Jameson Lopp, co-founder and chief security officer of crypto self-custody platform Casa, commented, “KYC is the root crime that enables what comes next. Thanks to KYC, we're going to see more social engineering attacks and possibly even more wrench attacks.”