TrollEye Security

Coinbase Expects Breach Remediation Costs Could Reach $400 Million

Coinbase Discloses Insider-Assisted Data Breach, Refuses Ransom Demand

As reported by Bleeping Computer, Coinbase, one of the world’s largest cryptocurrency exchanges with more than 100 million customers, has disclosed a significant data breach involving rogue overseas support agents who colluded with cybercriminals to steal sensitive customer information. The attackers have demanded a $20 million ransom to prevent the public release of the stolen data, an ultimatum Coinbase says it will not honor.

Instead, the company announced the creation of a $20 million reward fund for any leads that result in the identification and apprehension of those responsible.

How Coinbase Was Breached From the Inside

The breach was disclosed in a regulatory filing and blog post following a ransom demand email sent to Coinbase on May 11. According to the company, the cybercriminals recruited contractors or support staff based outside the U.S. and paid them to abuse their access to internal systems. While these individuals were later terminated after being caught accessing systems without authorization, they had already exfiltrated substantial data from Coinbase’s support infrastructure.

The attackers reportedly accessed sensitive customer data belonging to approximately 1% of Coinbase’s users, around one million individuals. Stolen information includes:

  • Full names, addresses, phone numbers, and emails.

  • Masked Social Security numbers (last four digits).

  • Masked bank account numbers and some identifiers.

  • Images of government-issued IDs (driver’s licenses, passports).

  • Account details, including balance snapshots and transaction history.

  • Limited corporate materials, such as internal documents and training content.

Crucially, Coinbase confirmed that no passwords or private keys were exposed in the breach. The company also stated that Coinbase Prime accounts, as well as customers’ hot and cold wallets, remained secure. However, some affected users were tricked into transferring funds in follow-up phishing and social engineering schemes. Coinbase has committed to reimbursing these customers.

Financial Impact Could Reach $400 Million

While the full financial impact of the breach is still being calculated, Coinbase estimates remediation costs and customer reimbursements will fall between $180 million and $400 million.

To prevent future incidents, Coinbase has stated that it will:

  • Open a new customer support hub based in the U.S.

  • Expand investments in insider-threat detection and response automation.

  • Simulate more advanced threat scenarios to test defenses.

The company also issued a warning to customers, advising them to remain vigilant against impersonation scams. Coinbase emphasized that it does not request sensitive information such as passwords or two-factor authentication codes by phone or ask users to transfer assets to unfamiliar wallets. Customers are urged to enable two-factor authentication and withdrawal allow-listing for added security.

Despite the breach, Coinbase’s stock surged 24% last week following the company’s inclusion in the S&P 500 index, marking a significant milestone for the crypto exchange.

How to Protect Your Organization Against Insider Threats

Incidents like the Coinbase breach highlight the growing risk posed by insider threats, especially when employees or contractors with legitimate access are coerced, bribed, or manipulated into compromising sensitive systems. Although these incidents are somewhat rare compared to other attack vectors, accounting for 7% of breaches according to IBM’s Cost of a Data Breach Report, they’re costly and hard to prevent.

To defend against these attacks, organizations should implement strict access controls, monitor for anomalous activity, and apply the principle of least privilege to limit exposure based on role. Zero Trust security models are especially effective in these scenarios. By assuming no user or device is inherently trusted and verifying every access attempt, organizations can reduce the potential fallout of insider abuse.
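The two controls named above, least-privilege field access and anomaly monitoring for support-desk activity, are concrete enough to show in code. The following Python is an added illustration written for this page, not code from Coinbase or from TrollEye Security. It assumes a support tool that writes one log line per customer field viewed (the line format, the role allow-lists, the agent and customer identifiers and the thresholds are all constructed for the example) and applies two checks a SOC might run over such logs: flagging any field view that falls outside the agent's role, and flagging agents who look up far more distinct customers in an hour than their peers do, which is the pattern a bulk-exfiltrating insider leaves behind.

```python
"""Insider-threat checks over constructed support-desk access logs.

Added example, not from the article or from Coinbase. Everything below
(log format, roles, agents, customers, thresholds) is made up to illustrate
least-privilege enforcement and peer-baseline anomaly detection.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role -> allowed customer fields (least privilege).
# A tier-1 agent resolves tickets with contact details only; identity
# documents, partial SSNs and balances need a more trusted role.
ROLE_ALLOWED_FIELDS = {
    "tier1": {"name", "email", "phone"},
    "tier2": {"name", "email", "phone", "address", "balance"},
    "kyc_reviewer": {"name", "address", "id_image", "ssn_last4"},
}

# Constructed log lines in an assumed format:
# "<iso-time> agent=<id> role=<role> customer=<id> field=<name>"
# Agents a17 and a42 behave normally; a99 pulls eight customers' records in
# under a minute and opens fields a tier-1 agent has no business seeing.
SAMPLE_LOG = """\
2025-05-10T09:01:12Z agent=a17 role=tier1 customer=c100 field=email
2025-05-10T09:03:40Z agent=a17 role=tier1 customer=c100 field=phone
2025-05-10T09:20:05Z agent=a17 role=tier1 customer=c101 field=name
2025-05-10T09:00:01Z agent=a42 role=tier2 customer=c200 field=balance
2025-05-10T09:31:55Z agent=a42 role=tier2 customer=c201 field=address
2025-05-10T22:10:00Z agent=a99 role=tier1 customer=c300 field=name
2025-05-10T22:10:09Z agent=a99 role=tier1 customer=c301 field=name
2025-05-10T22:10:17Z agent=a99 role=tier1 customer=c302 field=phone
2025-05-10T22:10:26Z agent=a99 role=tier1 customer=c303 field=id_image
2025-05-10T22:10:34Z agent=a99 role=tier1 customer=c304 field=email
2025-05-10T22:10:41Z agent=a99 role=tier1 customer=c305 field=id_image
2025-05-10T22:10:50Z agent=a99 role=tier1 customer=c306 field=name
2025-05-10T22:10:58Z agent=a99 role=tier1 customer=c307 field=address
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) agent=(?P<agent>\S+) role=(?P<role>\S+) "
    r"customer=(?P<customer>\S+) field=(?P<field>\S+)$"
)


def parse_log(text):
    """Parse log text into event dicts; reject malformed lines loudly."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def privilege_violations(events):
    """Least-privilege check: every field view outside the role's allow-list.

    Unknown roles get an empty allow-list, so they are always flagged."""
    return [
        (ev["agent"], ev["customer"], ev["field"])
        for ev in events
        if ev["field"] not in ROLE_ALLOWED_FIELDS.get(ev["role"], set())
    ]


def bulk_access_anomalies(events, window=timedelta(hours=1),
                          multiplier=3.0, floor=5):
    """Flag agents whose peak count of distinct customers viewed within any
    sliding `window` exceeds `multiplier` x the median peak of their peers,
    but never a threshold below `floor` (avoids noise with tiny samples).
    Returns (agent, peak_count, threshold) tuples."""
    per_agent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_agent[ev["agent"]].append(ev)

    peak = {}
    for agent, evs in per_agent.items():
        best = 0
        for i, start in enumerate(evs):  # evs is time-ordered
            seen = {e["customer"] for e in evs[i:]
                    if e["ts"] - start["ts"] <= window}
            best = max(best, len(seen))
        peak[agent] = best

    findings = []
    for agent, count in peak.items():
        peers = [c for a, c in peak.items() if a != agent]
        baseline = statistics.median(peers) if peers else 0
        threshold = max(floor, multiplier * baseline)
        if count > threshold:
            findings.append((agent, count, threshold))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for agent, cust, field in privilege_violations(evs):
        print(f"PRIVILEGE: {agent} viewed {field} of {cust} outside role")
    for agent, count, threshold in bulk_access_anomalies(evs):
        print(f"BULK: {agent} viewed {count} customers in 1h (threshold {threshold})")
```

The privilege check is the preventive half: in a real deployment the same allow-list would be enforced in the support tool before the field is rendered, and the log check exists to catch configuration drift or a bypass. The volume check is the detective half; comparing an agent against a peer median rather than a fixed number keeps it meaningful across teams with very different normal workloads.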

Breaches involving trusted insiders are harder to prevent, but a layered security strategy that uses strong technical controls can make all the difference.
