The company stated it won’t pay the ransom and instead will establish a 20 million USD reward fund for any information leading to the arrest and conviction of the criminals responsible for this attack
On May 11, 2025, hackers contacted Coinbase demanding a 20 million USD ransom. Otherwise they threatened to leak stolen customer account information and internal documents to the public domain.
According to Coinbase, the cybercriminals received the stolen data from contractors and rogue overseas support agents. The attackers paid insiders for access to company’s internal systems. Employees involved in this criminal operation have already been fired.
The hackers obtained personal data of some 1% of Coinbase customers (approximately 1 million people). However, the criminals were unable to steal customers’ private keys and passwords or gain access to Coinbase Prime accounts or victims’ hot and cold wallets.
The company has already filed a report with the United States Securities and Exchange Commission (SEC). According to this document, the stolen data include:
- Name, address, phone, and email;
- Masked Social Security (last 4 digits only);
- Masked bank-account numbers and some bank account identifiers;
- Government‑ID images (e.g., driver’s license, passport);
- Account data (balance snapshots and transaction history); and
- Limited corporate data (including documents, training material, and communications available to support agents).
“Cyber criminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks. These insiders abused their access to customer support systems to steal the account data for a small subset of customers. No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched. We will reimburse customers who were tricked into sending funds to the attacker,” – Coinbase.
Coinbase didn’t disclose the number of customers affected by social engineering attacks and tricked into transferring money to the scammers. The company estimates the incident remediation costs and voluntary customer reimbursements at 180-400 million USD.
Coinbase intents to launch a new support hub in the U.S. and introduce stronger security controls and monitoring across all locations. The company has also increased its investment in insider-threat detection, automated response, and simulating similar security threats to find failure points in any internal system.
Company emphasizes that scammers posing as Coinbase employees may try to pressure you into moving your funds. Coinbase will never ask for the password, 2FA codes, or for you to transfer assets to a specific or new address, account, vault or wallet. It will never call or text you to give you a new seed phrase or wallet address to move your funds to.
“To the customers affected, we’re sorry for the worry and inconvenience this incident caused. We’ll keep owning issues when they arise and investing in world‑class defenses-because that’s how we protect our customers and keep the crypto economy safe for everyone. Coinbase will voluntarily reimburse retail customers who mistakenly sent funds to the scammer as a direct result of this incident prior to the date of this post, following a review to confirm the facts,” – Coinbase.