Almost 70,000 Customers Affected By Coinbase Breach Involving $20 Million Ransom Demand
Incident Report, April 14, 2025


In early 2025, an unknown threat actor recruited a number of overseas customer support contractors working for Coinbase, paying them to leak sensitive customer data and internal documentation. The insiders systematically extracted personally identifiable information from Coinbase's customer service systems over a period of months. Coinbase's internal security team eventually detected the suspicious activity, terminated the involved employees, and notified affected users. On May 11, 2025, Coinbase received an extortion email from the attacker demanding $20 million in exchange for not distributing the stolen data. Coinbase declined to pay.

What Was Taken

The stolen data covered 69,461 accounts — a small fraction of Coinbase's total user base, but the depth of the exposure made the breach significant. The attacker obtained full names, home addresses, phone numbers, email addresses, government ID images including driver's licenses and passports, masked Social Security numbers showing only the last four digits, account balance snapshots and transaction history, and masked bank account numbers. Login credentials, two-factor authentication codes, private keys, and access to Coinbase Prime accounts were not compromised. No customer funds were directly accessible through the stolen data.

The data was not stolen for its own sake. The attacker's stated purpose was to enable social engineering campaigns — using the stolen information to impersonate Coinbase convincingly enough to deceive customers into transferring funds or revealing credentials. Account balances, government ID images, and home addresses together provide the raw material for a highly personalized impersonation that is difficult for a target to dismiss as generic phishing.

How Coinbase Responded

Rather than paying the ransom, Coinbase disclosed the breach publicly, filed an 8-K with the SEC, reported the incident to law enforcement, terminated the involved insiders and referred them for criminal prosecution, and established a $20 million reward fund for information leading to the attackers' arrest — mirroring the extortion demand in both amount and visibility. The company committed to reimbursing customers who lost funds as a direct result of social engineering enabled by the breach, with estimated remediation costs ranging from $180 million to $400 million. Affected users were provided with one year of complimentary credit monitoring, identity restoration services, and dark web monitoring.

Coinbase also announced a new US-based support hub and implemented strengthened monitoring across support operations to reduce insider threat exposure going forward.

The attacker's behavior in the weeks following the breach was notable. On May 21, the same actor moved approximately $42.5 million from Bitcoin to Ethereum through THORChain and used Ethereum transaction input data to post a mocking message directed at on-chain investigator ZachXBT, who had previously flagged $65 million in social engineering losses from Coinbase users in the months before the breach became public.

What This Attack Represents

The Coinbase breach did not involve smart contracts, protocol vulnerabilities, or cryptographic failures. It was an insider threat enabled by financial incentives — contractors paid to leak data they had legitimate access to as part of their job function. This category of attack bypasses technical security controls entirely because the attacker is operating through authorized users with authorized access. The data exfiltration was indistinguishable from normal job function until behavioral patterns surfaced enough anomalies to trigger detection.
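The detection described above rests on behavioral baselines rather than on any technical control the insiders had to defeat. The following is an added example, not Coinbase's code: it scores support agents from a constructed support-console audit log, flagging anyone whose PII lookups run far above the peer median or who views customer records with no associated ticket. The log format, agent names and thresholds are assumptions made for the example.

```python
# Added example (not Coinbase's code). Assumed audit-log format, one event per line:
#   <ISO timestamp> <agent_id> <action> <customer_id> <ticket_id or "-" if none>
from collections import defaultdict
from statistics import median

# Constructed sample: agent_c bulk-views records after hours with no ticket attached.
SAMPLE_LOG = """\
2025-02-03T09:01:00Z agent_a VIEW_PII cust_001 T-100
2025-02-03T09:07:00Z agent_a VIEW_PII cust_002 T-101
2025-02-03T09:20:00Z agent_b VIEW_PII cust_003 T-102
2025-02-03T09:25:00Z agent_b VIEW_PII cust_004 T-103
2025-02-03T09:30:00Z agent_c VIEW_PII cust_005 T-104
2025-02-03T21:00:00Z agent_c VIEW_PII cust_006 -
2025-02-03T21:01:00Z agent_c VIEW_PII cust_007 -
2025-02-03T21:02:00Z agent_c VIEW_PII cust_008 -
2025-02-03T21:03:00Z agent_c VIEW_PII cust_009 -
2025-02-03T21:04:00Z agent_c VIEW_PII cust_010 -
2025-02-03T21:05:00Z agent_c VIEW_PII cust_011 -
"""

def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, agent, action, cust, ticket = line.split()
        events.append({"ts": ts, "agent": agent, "action": action,
                       "customer": cust, "ticket": None if ticket == "-" else ticket})
    return events

def score_agents(events, k=3.0, ticketless_max=0.2):
    """Return {agent: [reasons]} for agents whose PII access looks anomalous.
    Signal 1: lookup volume above peer median + k * MAD (robust to one outlier).
    Signal 2: share of lookups with no ticket, i.e. no customer-facing reason."""
    views, ticketless = defaultdict(int), defaultdict(int)
    for e in events:
        if e["action"] != "VIEW_PII":
            continue
        views[e["agent"]] += 1
        if e["ticket"] is None:
            ticketless[e["agent"]] += 1
    counts = list(views.values())
    med = median(counts)
    mad = median(abs(c - med) for c in counts) or 1.0  # avoid a zero spread
    flagged = {}
    for agent, n in views.items():
        reasons = []
        if n > med + k * mad:
            reasons.append(f"volume {n} vs peer median {med:g}")
        if ticketless[agent] / n > ticketless_max:
            reasons.append(f"{ticketless[agent] / n:.0%} of lookups without a ticket")
        if reasons:
            flagged[agent] = reasons
    return flagged
```

In a real deployment the baseline would be computed per shift and per queue, since a legitimate escalation desk handles far more lookups than a front-line chat agent.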

The breach also illustrated the downstream risk of data accumulated by large centralized platforms. Government ID images, home addresses, and account balances in the hands of an adversary do not produce immediate financial loss — but they provide a durable toolkit for impersonation attacks that can continue generating losses long after the initial breach is contained.

Elygius Fund
