Coinbase cyberheist led by "rogue support agents" could cost $400 million
Cyber criminals recruited insiders to steal Coinbase customer data and demanded a $20 million ransom.

Coinbase has admitted that the cost of cleaning up after a cyberattack and reimbursing affected customers could soar to hundreds of millions of dollars.
In an SEC filing, Coinbase estimated that remediation costs and voluntary customer reimbursements could total between $180 million and $400 million.
The crypto exchange said that a group of cybercriminals "bribed and recruited a group of rogue overseas support agents" to steal Coinbase customer data and facilitate social engineering attacks.
Crooks then demanded a $20 million ransom, which Coinbase refused to pay. It has now audaciously established a $20 million reward fund for information leading to the arrest and conviction of the criminals who led the attack.
"These insiders abused their access to customer support systems to steal the account data for a small subset of customers," it wrote.
What was stolen in the Coinbase cyberattack?
No funds, passwords or private keys were exposed, and Coinbase has promised to reimburse customers who were hoodwinked into sending funds to the attackers.
It wrote: "Criminals targeted our customer support agents overseas. They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than 1% of Coinbase monthly transacting users.
"Their aim was to gather a customer list they could contact while pretending to be Coinbase - tricking people into handing over their crypto. They then tried to extort Coinbase for $20 million to cover this up. We said no."
It said the following information had been accessed:
- Name, address, phone, and email.
- Masked Social Security (last 4 digits only).
- Masked bank-account numbers and some bank account identifiers.
- Government‑ID images (such as driver’s license or passport).
- Account data (balance snapshots and transaction history).
- Limited corporate data including documents, training material, and communications available to support agents.
Coinbase confirmed the crooks did not pinch this important data:
- Login credentials or 2FA codes
- Private keys
- Any ability to move or access customer funds
- Access to Coinbase Prime accounts
- Access to any Coinbase or Coinbase customer hot or cold wallets
Coinbase is strengthening its security posture by adding extra ID checks and scam warnings for flagged accounts, enhancing internal support operations with a new U.S. hub, investing in insider threat detection and response, and maintaining transparency with user impact notices and ongoing updates.
It added: "If your data was accessed, you have already received an email from no-reply@info.coinbase.com; all notifications went out at 7:20 a.m. ET on 5/15 to affected customers."