Cyber Incident Victim: Coinbase Global, Inc.

Date: May 2025

Location: United States of America

Summary

Coinbase disclosed that bribed overseas support personnel accessed customer data including names, addresses, phone numbers, emails, masked Social Security and bank details, government ID images, and account balances and transaction histories, but did not obtain passwords, private keys, or direct access to funds. The attackers attempted to extort $20 million, and the company estimates remediation and reimbursement costs could range from $180 million to $400 million, while a former support agent was arrested in India in connection with the incident.

Description

On May 11, 2025, Coinbase Inc. received an email from an unknown threat actor claiming to have obtained certain customer-account information and internal documentation and demanding payment to prevent public disclosure. The threat actor had obtained the data by paying multiple contractors or employees working in support roles outside the United States who possessed legitimate system access for their job duties but allegedly accessed information without a business need. Coinbase's security monitoring had previously detected improper access by these individuals, leading to the termination of the personnel involved and the implementation of heightened fraud-monitoring protections. After assessing the email as credible, Coinbase concluded that the earlier instances of improper access were part of a single campaign that had successfully exfiltrated data from internal systems.

The company stated that the incident did not involve compromised passwords, private keys, or direct access to customer funds, and that the exposed data included names, addresses, phone numbers, email addresses, masked Social Security numbers (last four digits), masked bank-account numbers and some identifiers, government-ID images such as driver's licenses or passports, account data like balance snapshots and transaction history, and limited corporate materials available to support agents. Coinbase noted that the attackers did not obtain login credentials, two-factor authentication codes, private keys, or access to Coinbase Prime accounts or customer wallets, and that the data theft affected less than 1% of the exchange's monthly transacting users.

The threat actor's communication referenced a $20 million extortion demand, and Coinbase's Form 8-K filing disclosed a preliminary estimate that remediation costs and voluntary customer reimbursements could range from approximately $180 million to $400 million, with the caveat that the figure could change as facts evolve.

In response, Coinbase terminated the implicated support personnel, reinforced its fraud-monitoring systems, and warned customers whose information might have been accessed to prevent misuse of the compromised data. The company announced plans to open a new support hub in the United States and to adopt additional measures designed to harden defenses against similar insider-bribery attacks. Coinbase stated that it intends to voluntarily reimburse any eligible retail customers who sent funds to the threat actor as a direct result of the incident after completing a factual review, and that it will aggressively pursue all available remedies. The firm continues to cooperate with law-enforcement investigations into the breach.

In December 2025 Coinbase CEO Brian Armstrong publicly confirmed the arrest in Hyderabad, India, of a former Coinbase customer-service agent, thanking Hyderabad Police and reiterating a zero-tolerance stance for insider misconduct; the arrest was described by Coinbase as a development in the aftermath of the May 2025 breach, though details such as the suspect's identity, specific charges, and any connection to particular contractors remained undisclosed at the time of reporting. The investigation remained ongoing, with the possibility of further enforcement actions indicated by the company's leadership.
