Security Incident: Coinbase Employees Compromised, User Data of Approximately 1% Exposed; $20 Million Extortion Attempt Thwarted
Coinbase has reported a security breach involving unauthorized access to its systems, resulting in the theft of account data for a limited number of customers. The incident was traced back to criminal actors who specifically targeted Coinbase’s customer support personnel in overseas locations. These actors used financial incentives to persuade a select group of employees to extract data from customer support tools; the extracted data covers less than 1% of the company’s monthly active users.
The primary objective of this campaign was to compile a list of customers whom the attackers could then target with phishing attempts, impersonating Coinbase to mislead these individuals into surrendering their cryptocurrency assets.
On May 11, 2025, the threat actors attempted to extort Coinbase for $20 million, alleging they possessed sensitive information about certain customer accounts and internal documentation. In response to the breach, Coinbase announced the termination of the employees in question, who were located in India.
Coinbase clarified that no passwords, private keys, or funds were compromised in the breach, with its Coinbase Prime accounts remaining secure. However, the following customer information was accessed:
– Names, addresses, phone numbers, and email addresses
– Masked Social Security numbers (last four digits)
– Masked bank account numbers and other identifiers
– Government-issued ID images (e.g., driver’s licenses, passports)
– Account details including balance snapshots and transaction history
– Limited corporate data, encompassing internal documents, training materials, and communications accessible to support agents
In light of the incident, Coinbase has committed to reimbursing customers who may have been victimized by social engineering schemes that followed the breach. Although the exact number of impacted customers remains unclear, the company reported that it is below 1% of its 9.7 million monthly users.
To enhance security, Coinbase is implementing additional identification checks for high-risk accounts during large withdrawals and is fortifying its defenses against potential insider threats. Furthermore, the company has established a $20 million reward fund for information that leads to the apprehension and prosecution of the individuals responsible for the attack.
As preventive measures, users are encouraged to activate withdrawal allow-listing to restrict transfers to addresses stored in their address books, enable two-factor authentication (2FA), and exercise caution when dealing with individuals claiming to facilitate transfers to secure wallets.