Hackers Target Coinbase with Insider Bribes, Steal Sensitive Customer Information | Investors King
Coinbase Global Inc., the largest U.S.-based cryptocurrency exchange, has disclosed a security breach involving external actors who bribed overseas customer support contractors to obtain sensitive user data and demanded a $20 million ransom.

The incident, described as one of the most sophisticated social engineering attacks in the digital asset sector, targeted individuals with access to Coinbase’s internal systems.

According to a regulatory filing and company statement released Thursday, the breach affected less than 1 percent of the exchange’s monthly transacting users.

The San Francisco-based firm stated that certain third-party contractors, located outside the United States, accepted financial incentives from the attackers in exchange for downloading or forwarding customer information such as names, physical addresses, account data, and government-issued identification images.

The stolen data was subsequently used in a broader scheme to impersonate Coinbase and extract additional funds from users.

Coinbase confirmed that it has not paid the ransom and has instead committed to reimbursing all affected users in full. The company also announced a $20 million reward for information leading to the identification, arrest and conviction of the attackers.

Preliminary estimates suggest the breach could cost the company between $180 million and $400 million in remediation expenses and customer reimbursements.

Coinbase warned in its filing that further reviews of potential losses, indemnity claims and possible recoveries may cause this estimate to shift materially.

“These attackers have been approaching our overseas customer support agents, looking for a weak link, someone who would accept a bribe in exchange for sharing some customer information with them,” Coinbase CEO Brian Armstrong said in a video statement. “Unfortunately, they were able to find a few bad apples.”

The attack was identified as a form of social engineering, a technique that manipulates individuals rather than exploiting system vulnerabilities to gain unauthorized access. This method has become increasingly common across the crypto industry, where the decentralized and pseudonymous nature of transactions makes platforms frequent targets. Research from Chainalysis estimates that $2.2 billion was lost to crypto-related breaches in 2024 alone.

The breach was initially discovered after Coinbase received an email on May 11 from an anonymous source claiming to possess internal documents and customer data, along with a threat to publicize the breach unless paid $20 million in Bitcoin.

This followed internal investigations into unusual behavior by certain customer support agents who were accessing proprietary systems without any operational need.

Upon confirming the extent of the compromise, Coinbase terminated the implicated workers and notified affected customers.

The exchange stated that enhanced security measures have since been implemented and that the risk of wider impact remains contained.

Despite the breach, Coinbase is expected to proceed with its inclusion in the S&P 500 Index next week. However, the incident places renewed scrutiny on operational security within the digital asset space, especially for firms seeking broader institutional and passive investment exposure.

Coinbase shares slipped more than 3 percent in pre-market trading following the announcement. Analysts expect heightened volatility in the short term as the company navigates regulatory, legal and reputational implications stemming from the breach.

Is the CEO and Founder of Investors King Limited. He is a seasoned foreign exchange research analyst and a published author on Yahoo Finance, Business Insider, Nasdaq, Entrepreneur.com, Investorplace, and other prominent platforms. With over two decades of experience in global financial markets, Olukoya is well-recognized in the industry.
