Cryptocurrency company Coinbase revealed a significant security incident in which cybercriminals successfully bribed overseas customer support agents to steal sensitive customer data, affecting less than 1% of monthly transacting users.
Rather than pay a $20 million ransom demand, the company has established an equivalent reward fund for information leading to the attackers’ arrest and conviction.
Breach Exposing Customer Data
The attack targeted Coinbase’s overseas customer support operation through a classic insider threat vector: bribery of staff who already held legitimate access.
Cybercriminals used cash incentives to recruit a small group of rogue support agents who exploited their legitimate access to customer support tools and databases.
These compromised insiders systematically extracted sensitive customer information, including:
- Personally identifiable information (PII) such as name, address, phone number and email address.
- Masked Social Security numbers (last four digits only).
- Masked bank account numbers with routing identifiers.
- Government-issued identification documents.
- Account balance snapshots.
- Transaction histories.
- Limited corporate data within reach of support agents, including internal documentation, training materials, and communications.
However, the attackers’ access was confined to what the support tooling exposes, so they could not reach the systems that actually control funds.
Coinbase confirmed that login credentials, two-factor authentication (2FA) codes, private cryptographic keys, hot wallets, cold storage systems, and Coinbase Prime institutional accounts were not exposed at any point in the incident.
Following the data exfiltration, the cybercriminals used the stolen information to run convincing social engineering attacks against affected customers.
Armed with genuine account details, the attackers impersonated Coinbase employees by phone and other channels and tried to persuade users to move cryptocurrency to wallet addresses the attackers controlled.
This multi-stage attack illustrates a common pattern: the stolen data is rarely the payoff in itself; it is the raw material for the more lucrative fraud that follows.
Coinbase has implemented enhanced security protocols for flagged accounts, requiring additional identity verification procedures for large withdrawal requests and deploying mandatory scam-awareness prompts during high-risk transactions.
The company has also collaborated with blockchain analytics firms to tag and trace the cryptocurrency addresses of attackers, enabling law enforcement agencies to monitor fund movements across distributed ledger networks.
In response to the breach, Coinbase has implemented comprehensive security enhancements across its operational infrastructure.
The company is establishing a new customer support hub within the United States to reduce reliance on overseas operations, while deploying advanced insider threat detection systems and automated incident response protocols.
Security teams are conducting red team exercises and penetration testing to identify potential vulnerabilities in internal systems and access controls.
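The insider threat detection mentioned above comes down to one question: which agents are reading far more customer records than their ticket queue could justify? The following is an added example, not Coinbase’s code; the JSON audit-log format, the field names (`ts`, `agent`, `customer`, `ticket`), the sample events and the thresholds are all assumptions. It flags an agent on two independent signals: a peak of distinct customer records opened in a sliding one-hour window that is well above the peer median, and a high share of lookups with no support ticket attached.

```python
"""Insider-threat heuristic over customer-support tool audit logs.

Added example for illustration only (not Coinbase's code). The log format
is an assumption: one JSON object per line, written by a hypothetical
support console each time an agent opens a customer record.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_log():
    """Constructed sample data: two agents working tickets normally, and one
    agent (a03) opening 15 distinct records in 30 minutes with no ticket,
    the pattern a bulk-export run by a bribed insider would leave behind."""
    rows = [
        ("2025-05-11T09:05:00", "a01", "c101", "T-1001"),
        ("2025-05-11T09:40:00", "a01", "c102", "T-1002"),
        ("2025-05-11T10:20:00", "a01", "c103", "T-1003"),
        ("2025-05-11T09:10:00", "a02", "c201", "T-2001"),
        ("2025-05-11T09:25:00", "a02", "c202", "T-2002"),
        ("2025-05-11T09:50:00", "a02", "c203", "T-2003"),
        ("2025-05-11T10:05:00", "a02", "c204", "T-2004"),
    ]
    rows += [(f"2025-05-11T09:{m:02d}:00", "a03", f"c3{m:02d}", None)
             for m in range(0, 30, 2)]
    return "\n".join(
        json.dumps({"ts": ts, "agent": a, "customer": c, "ticket": t})
        for ts, a, c, t in rows
    )


def parse_log(text):
    """Parse JSON-lines audit records, converting timestamps to datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def lookups_per_window(events, window=timedelta(hours=1)):
    """For each agent, the largest number of distinct customer records opened
    inside any sliding window of the given length."""
    by_agent = defaultdict(list)
    for e in events:
        by_agent[e["agent"]].append(e)
    peaks = {}
    for agent, evs in by_agent.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):
            seen = {e["customer"] for e in evs[i:]
                    if e["ts"] - start["ts"] <= window}
            best = max(best, len(seen))
        peaks[agent] = best
    return peaks


def ticketless_ratio(events):
    """Share of each agent's lookups that carry no support-ticket reference."""
    counts = defaultdict(lambda: [0, 0])  # agent -> [total, ticketless]
    for e in events:
        c = counts[e["agent"]]
        c[0] += 1
        if not e.get("ticket"):
            c[1] += 1
    return {a: n / t for a, (t, n) in counts.items()}


def flag_agents(events, peer_factor=3.0, ticketless_max=0.5):
    """Return {agent: [reasons]} for agents exceeding either threshold.
    The peer baseline is the median peak across all agents in the log."""
    peaks = lookups_per_window(events)
    ratios = ticketless_ratio(events)
    baseline = median(peaks.values())
    flagged = {}
    for agent, peak in peaks.items():
        reasons = []
        if peak > peer_factor * baseline:
            reasons.append(f"{peak} distinct customers in 1h vs peer median {baseline}")
        if ratios[agent] > ticketless_max:
            reasons.append(f"{ratios[agent]:.0%} of lookups had no ticket")
        if reasons:
            flagged[agent] = reasons
    return flagged


if __name__ == "__main__":
    for agent, reasons in flag_agents(parse_log(build_sample_log())).items():
        print(agent, "->", "; ".join(reasons))
```

Two caveats a practitioner should keep in mind. A patient insider can pace lookups below any rate threshold, so the ticket-linkage signal (and, better, enforcing that a record can only be opened from an assigned ticket) matters more than the volume check. And a peer-median baseline is only meaningful when most agents on the shift are honest; if several are colluding, compare against a historical baseline for the role instead.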
The affected insider agents were immediately terminated and referred to both U.S. and international law enforcement agencies for criminal prosecution.
Coinbase is pursuing maximum penalties under applicable cybercrime statutes while maintaining close cooperation with the Federal Bureau of Investigation, international cybercrime units, and relevant regulatory authorities.
Coinbase has committed to reimbursing retail customers who were tricked into sending funds to the attackers through the social engineering described above.
The company continues to reinforce user education about social engineering, stressing that legitimate Coinbase personnel will never ask for a password or 2FA code and will never ask a customer to move funds to an external address or a so-called “safe” wallet.