Cryptocurrency exchange Coinbase has disclosed that unknown cyber actors broke into its systems and stole account data for a small subset of its customers.
“Criminals targeted our customer support agents overseas,” the company said in a statement. “They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than 1% of Coinbase monthly transacting users.”
The end goal of the campaign was to put together a list of customers who they contact by masquerading as Coinbase and deceiving them into handing over their cryptocurrency assets.
Coinbase said the threat actors then unsuccessfully attempted to extort the company for $20 million on May 11, 2025, by claiming to have information about certain customer accounts as well as internal documents. In a statement shared with Fortune, Coinbase said the compromised customer agents worked in India and have all been fired.
“No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched,” Coinbase noted. What the attackers got away with are listed below –
Name, address, phone, and email
Masked Social Security (last 4 digits only)
Masked bank‑account numbers and some bank account identifiers
Government ID images (e.g., driver’s license, passport)
Account data (balance snapshots and transaction history)
Limited corporate data, including documents, training material, and communications available to support agents
The crypto giant said it’s taking the step of reimbursing customers who were tricked into transferring funds to the attacker due to social engineering attacks. It’s exactly not clear how many customers fell for the scam, but the company told TechCrunch that less than 1% of its 9.7 million monthly customers were affected.
The company is also enforcing added ID checks for certain flagged accounts when carrying out large withdrawals, and that it’s hardening its defenses to counter such insider threats. Lastly, Coinbase has established a $20 million reward fund for information leading to the arrest and conviction of the attackers.
As mitigations, users are advised to turn on withdrawal allow‑listing to permit transfers only to addresses in their address books, enable two-factor authentication (2FA), and be cautious about imposters who try to move funds to a safe wallet.
Update
Coinbase, in a statement shared with Bloomberg, said it began observing unusual activity from some of these customer representatives as far back as January. The threat actors are also said to have bribed enough customer service agents to achieve “effectively on-demand access to Coinbase customer information” over the past five months, a claim Coinbase has disputed.
“What these attackers were doing was finding Coinbase employees and contractors based in India who were associated with our business process outsourcing or support operations, that kind of thing, and bribing them in order to obtain customer data,” Coinbase Chief Security Officer Philip Martin was quoted as saying.
“So there were a number of specific bribery incidents that this attack, that this threat actor is claiming credit for throughout the course of that time, but they did not have persistent access over the course of the entire period.”
