Cryptocurrency exchange Coinbase has disclosed that unknown cyber actors broke into its systems and stole account data for a small subset of its customers.
“Criminals targeted our customer support agents overseas,” the company said in a statement. “They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than 1% of Coinbase monthly transacting users.”
The end goal of the campaign was to put together a list of customers who they contact by masquerading as Coinbase and deceiving them into handing over their cryptocurrency assets.
Coinbase said the threat actors then unsuccessfully attempted to extort the company for $20 million on May 11, 2025, by claiming to have information about certain customer accounts as well as internal documents. In a statement shared with Fortune, Coinbase said the compromised customer agents worked in India and have all been fired.
“No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched,” Coinbase noted. What the attackers got away with are listed below –
- Name, address, phone, and email
- Masked Social Security (last 4 digits only)
- Masked bank‑account numbers and some bank account identifiers
- Government ID images (e.g., driver’s license, passport)
- Account data (balance snapshots and transaction history)
- Limited corporate data, including documents, training material, and communications available to support agents
The crypto giant said it’s taking the step of reimbursing customers who were tricked into transferring funds to the attacker due to social engineering attacks. It’s exactly not clear how many customers fell for the scam, but the company told TechCrunch that less than 1% of its 9.7 million monthly customers were affected.
The company is also enforcing added ID checks for certain flagged accounts when carrying out large withdrawals, and that it’s hardening its defenses to counter such insider threats. Lastly, Coinbase has established a $20 million reward fund for information leading to the arrest and conviction of the attackers.
As mitigations, users are advised to turn on withdrawal allow‑listing to permit transfers only to addresses in their address books, enable two-factor authentication (2FA), and be cautious about imposters who try to move funds to a safe wallet.
