Coinbase Discloses Data Breach After Extortion Attempt
In a recent filing with the Securities and Exchange Commission (SEC), Coinbase revealed that it had suffered a data breach, which was triggered by an extortion attempt. The company confirmed that rogue contractors had stolen customer data from its internal systems and that it had received a demand for a $20 million ransom to cover up the incident.
The breach was first reported to Coinbase on May 11, 2025, when the company received a ransom email from a threat actor claiming to have accessed customer and internal data. The attacker claimed to have paid overseas contractors in support roles to extract this information from Coinbase's internal systems, leveraging their legitimate access.
Coinbase stated that it had detected unauthorized data access by support personnel in previous months and had promptly terminated those involved, boosted fraud monitoring, and alerted impacted users. The company has since confirmed that those instances were part of a single coordinated campaign that succeeded in exfiltrating internal data.
"These instances of such personnel accessing data without business need were independently detected by the Company's security monitoring in the previous months," reads the SEC filing. "Upon discovery, the Company had immediately terminated the personnel involved and also implemented heightened fraud-monitoring protections and warned customers whose information was potentially accessed in order to prevent misuse of any compromised information."
"Since receipt of the email, the Company has assessed the email to be credible, and has concluded that these prior instances of improper data access were part of a single campaign (the 'Incident') that succeeded in taking data from internal systems," continues the filing. "The Company has not paid the threat actor's demand and is cooperating with law enforcement in the investigation of this Incident."
The security breach did not expose passwords, private keys, or customer funds, but it did reveal sensitive information such as contact details, partial SSNs, bank info, ID images, account history, and limited internal documents.
"Criminals targeted our customer support agents overseas," Coinbase said in a statement published on its website. "They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than 1% of Coinbase monthly transacting users. Their aim was to gather a customer list they could contact while pretending to be Coinbase—tricking people into handing over their crypto."
"We said no" to the ransom demand, according to Coinbase.
Response and Remediation
Coinbase has promised to reimburse scammed retail users after verification. The company is also opening a new support hub in the U.S. and adding stronger security controls and monitoring across all locations.
The company has boosted investment in insider-threat detection and response, is simulating threats to find weaknesses, and is keeping users informed throughout the investigation.
Estimated Costs
Coinbase estimates that the breach will result in $180M-$400M in costs, mainly for remediation and customer reimbursements. The final impact of the breach remains under review.
"We take the security of our customers' data very seriously," Coinbase said in a statement. "We are committed to protecting their information and preventing similar incidents from occurring in the future."