
Coinbase Crypto Exchange Reports Losses of Up to $400 Million After Data Breach

A data breach at Coinbase reportedly only impacted a “small subset” of its users, but the incident is serious enough that the crypto exchange is anticipating a loss of between $180 million and $400 million.

The breach appears to stem from third-party contractors that were bribed by hackers to provide access to private customer information. Coinbase has said that it will reimburse customers that lost funds due to the data breach, and is also setting aside a $20 million reward for information leading to the arrest and conviction of the hackers.

Coinbase data breach involved bribery, social engineering

The hackers did not have access to user login credentials or direct access to wallets, but the customer service agents that they bribed provided access to a panel that included a great deal of sensitive information: full names, addresses, phone numbers, photo ID images used for verification, masked bank account information, crypto exchange account balances, transaction histories and partial Social Security numbers among other pieces of information. The attackers obtained money from the data breach by impersonating Coinbase and contacting select customers, using this variety of personal information to convince them that the communications were legitimate and to provide access to their accounts.

The hackers appear to have focused on draining the wallets of users with substantial balances, rather than taking a scattershot approach. There is not yet a clear number of impacted users, but the crypto exchange said that “less than 1%” of its roughly 100 million users were targeted. The hackers also attempted to ransom Coinbase for $20 million, which the company rejected. It will instead put that amount up as a reward for information that leads to conviction of participants in the data breach.

Coinbase discovered the data breach on May 11 when the perpetrators contacted the crypto exchange with samples of stolen internal documents and demanded payment. The breach was tracked to “multiple” third-party contractors and company employees based outside of the United States, who were bribed to provide access to a customer service system containing the assortment of sensitive information. Coinbase says that those contractors and employees have been terminated. Bloomberg and several other media sources have reported that the contractors were based in India. There is not yet any word as to who the hackers are.

Crypto exchange hits snags ahead of S&P 500 index debut

The data breach comes just as Coinbase has been approved for listing on the S&P 500, first appearing on Monday May 19. Earlier in the month the company also announced the acquisition of Dubai’s crypto derivatives exchange Deribit for $2.9 billion, marking one of its first big steps outside of the US market. The news of the acquisition caused share prices to spike almost 6%, but they fell by almost that same amount when news of the crypto exchange’s breach broke. It remains significantly up on the S&P listing news overall, however.

Coinbase is the brand most frequently impersonated when phishing attackers pose as a crypto company, according to research by CoinTelegraph. The crypto exchange’s name is used in an average of a little over 100 attacks per year, putting it in the same range as major national banks such as Wells Fargo and Bank of America. Scams against the platform’s users have cost a total of about $300 million each year, and they have come via a variety of means rather than stemming from one particular recurring vulnerability. One common criticism of the platform is that its overseas customer service agents have proven generally unhelpful when a data breach or suspicious account activity takes place. Coinbase has announced that it plans to open a customer support center in the US.

The crypto exchange is also already facing a “wave” of lawsuits over the recent data breach, with customers alleging that Coinbase failed to properly protect their personal information. Aside from its use in crafting convincing-looking scam attempts, the most concerning item in the stolen data is likely the scans of user government IDs (which are key to pulling off many other forms of fraud and impersonation), paired with the last four digits of SSNs.

There is also an ongoing SEC investigation into the crypto exchange’s reporting of verified users. The official number reported in SEC filings is over 100 million, but there are questions about this being overstated based on the inclusion of users who merely verified an email address or phone number during account creation at some point and are not actively transacting on the platform. Coinbase has responded by publishing monthly numbers on actively transacting users.

Coinbase is advising its customers to anticipate further scam attempts, and reminds them that it does not reach out with emails or messages asking for passwords or other authentication information, nor ask users to transfer their funds. It advises users to lock their accounts if they notice any suspicious activity.

Ishpreet Singh, Chief Information Officer at Black Duck, has some advice for Coinbase on improving its cybersecurity going forward: “While it’s promising to see that Coinbase isn’t currently planning to pay the $20M ransom, there are steps they can take to ensure further scenarios such as this don’t transpire. I’d recommend implementing just-in-time access controls such as device fingerprinting and session auditing. Additionally, conducting regular risk reviews and strengthening vendor risk management and oversight can reduce third-party access to personally identifiable information. Regarding security architecture, moving to a zero-trust network model will help them to enforce micro-segmentation. It’s important to carry out advanced security risk training including social engineering defense training. Sensitive user data should be heavily segmented and encrypted with keys inaccessible to support agents. This breach is an example of how security is becoming a competitive differentiator. Applying security mechanisms such as these will help Coinbase and other enterprises around the world ensure uncompromised trust in the software that their customers rely on.”

Jason Soroko, Senior Fellow at Sectigo, adds that the crypto exchange is likely looking to send a message to future attackers: “Coinbase’s decision to publicly counter-extort with a $20 million bounty is an interesting reversal of the usual playbook, transforming breach response into what could turn into a global manhunt. This move shifts the narrative from victimhood to proactive offense weaponizing transparency and financial incentive against cybercriminals. It also signals to users and adversaries alike that extortion will not quietly succeed, potentially reframing how future attacks may be responded to. Perhaps risk is escalation. Adversaries may double down or target exchanges with even greater aggression. This gambit sets a precedent for the digital asset industry bounties. Seeking justice rather than being silent is a new tactic.”

Randolph Barr, CISO at Cequence, notes that the incident provides some broader lessons in terms of third-party vendor security: “If access control, alerting, and separation of duties were more rigorously enforced, this breach may have been preventable. Saying ‘people are the weakest link’ should never replace accountability for system design and control implementation. Any company operating in a high-trust, high-sensitivity environment—especially those handling financial data—has a responsibility to secure their ecosystems before an incident occurs. We can’t wait until something breaks to fix what’s broken. CEO Brian Armstrong mentioned that Coinbase is enhancing its security measures. That said, incidents like this are rarely about technical gaps alone—they’re about operational decisions. Organizations that place heavy trust in offshore or external call center environments must ensure strict access governance, continuous monitoring, and least privilege enforcement.”

Andrew Costis, Engineering Manager of the Adversary Research Team at AttackIQ, adds: “This case serves to further highlight the need for organizations to implement effective breach detection and prevention security measures. Insider threats are dangerous because they’re often overlooked and are harder to detect than traditional threats. Proactive testing and validation of security controls is imperative to protect your customer data, particularly data loss prevention policies. Users impacted by the breach should take action to protect their information further. Enabling multi-factor authentication should be the first step to add an extra layer of security to accounts.”
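As an added illustration of the session auditing, alerting and insider-threat detection the experts above recommend (this is example code written for this page, not Coinbase’s or any vendor’s tooling), the following Python scores support-agent activity in a customer-record panel on three signals that fit the pattern described in this incident: lookup volume well above peers, record views with no support ticket attached, and views concentrated on high-balance accounts. The agent names, ticket IDs, balances and thresholds are all constructed.

```python
from collections import defaultdict
from statistics import median

def ev(agent, customer, ticket, balance_usd):
    """One constructed audit event: a support agent viewing a customer record."""
    return {"agent": agent, "customer": customer, "ticket": ticket,
            "balance_usd": balance_usd}

# Constructed sample panel audit log (hypothetical agents, tickets and balances).
# ticket=None means the record was opened with no support case attached.
EVENTS = [
    ev("agent-a", "c01", "T100", 900),
    ev("agent-a", "c02", "T101", 4_200),
    ev("agent-a", "c03", "T102", 15_000),
    ev("agent-b", "c04", "T103", 600_000),
    ev("agent-b", "c05", "T104", 2_100),
    ev("agent-b", "c06", "T105", 80),
] + [
    # agent-c: ten lookups, six with no ticket, eight on accounts above $250k
    ev("agent-c", f"c{10 + i}", "T106" if i < 4 else None,
       900_000 if i < 8 else 500)
    for i in range(10)
]

def audit_agents(events, high_balance_usd=250_000, volume_factor=3.0,
                 max_ticketless=0.2, max_high_share=0.5):
    """Return {agent: [reasons]} for agents whose record views look anomalous:
    volume far above the peer median, many views with no ticket attached, or
    views concentrated on high-balance accounts."""
    per_agent = defaultdict(list)
    for e in events:
        per_agent[e["agent"]].append(e)
    peer_median = median(len(v) for v in per_agent.values())
    flags = {}
    for agent, views in per_agent.items():
        n = len(views)
        ticketless = sum(v["ticket"] is None for v in views) / n
        high = sum(v["balance_usd"] >= high_balance_usd for v in views) / n
        reasons = []
        if n > volume_factor * peer_median:
            reasons.append(f"{n} views vs peer median {peer_median:g}")
        if ticketless > max_ticketless:
            reasons.append(f"{ticketless:.0%} of views had no ticket attached")
        if high >= max_high_share:
            reasons.append(f"{high:.0%} of views were of high-balance accounts")
        if reasons:
            flags[agent] = reasons
    return flags
```

Running `audit_agents(EVENTS)` flags only agent-c, on all three signals; in practice the thresholds would be tuned per team and the output fed to an alerting pipeline rather than read by hand.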