Coinbase, the largest cryptocurrency exchange in the United States, recently disclosed a significant data breach affecting approximately 1% of its customers. The company has since the attack taken an aggressive stance against the hackers by refusing to pay ransom demands while implementing thorough remediation policies.
On May 11, 2025, Coinbase reported that they got an email from an unknown threat actor, claiming to have customer account information and internal documents in their possession. In the investigation that was launched after the breach, Coinbase discovered that the cybercriminals had bribed a group of the company’s overseas customer support representatives to extract sensitive customer data.
It was also discovered that the breach had begun as early as December 2024, although it remained undetected until May 2025. Coinbase then promptly terminated the compromised employees after discovering the prolonged unauthorized access, and referred them to law enforcement, where the U.S. Department of Justice (DOJ) has now opened a formal investigation into the cyberattack.
“We have notified and are working with the DOJ and other US and international law enforcement agencies and welcome law enforcement’s pursuit of criminal charges against these bad actors,” Paul Grewal, Chief Legal Officer of Coinbase told Reuters.
It is important to note that the attackers demanded a $20 million ransom while threatening the release of stolen information, which Coinbase refused to pay. Instead, the cryptocurrency company announced a $20 million reward for any information regarding or leading to the arrest and conviction of the perpetrators.
According to the company’s report, the data breach affected over 69,000 users, approximately 1% of its total monthly active users. Per their discovery, the threat actor obtained several categories of sensitive personal information such as customer names, addresses, phone numbers, and email addresses. Information like the last four digits of Social Security numbers, masked bank account numbers and some bank account identities, as well as images of government identification documents such as passports and driver’s licenses were also obtained by the attackers.
However, the company confirmed that despite the attackers’ extensive access into their customers’ data, the attackers did not obtain login credentials, passwords, private keys, or two-factor authentication codes. They also were unable to access customer funds and Coinbase Prime accounts or Coinbase’s hot or cold wallets.
In the company’s firm stance taken against the attackers with the implementation of important remediation measures for affected customers, they emphasized on providing reimbursement and exquisite customer support, as well as ensuring security enhancements.
In a blog post titled “Protecting Our Customers – Standing Up to Extortionists,” the company said, “We will reimburse customers who were tricked into sending funds to the attacker due to social engineering attacks.” This reimbursement applies to retail customers who mistakenly sent funds to scammers as a direct result of this incident prior to Coinbase’s security announcement on May 15.
In addition, they are also offering affected users one year of complimentary credit monitoring and identity protection services through IDX. This package includes identity restoration assistance, dark web monitoring, and a $1 million insurance reimbursement policy.
For the security enhancements, the cryptocurrency company is increasing investment in cyber threat detection and prevention capabilities, enhancing internal monitoring systems to detect unusual employee behaviour, as well as opening a new customer support hub in the United States in order to reduce reliance on overseas contractors.
As a result of the cyberattack, Coinbase has estimated that voluntary customer reimbursements and other remediation costs could range between $180 and $400 million.
Coinbase also issued specific guidelines and official recommendations to help customers protect themselves following the breach. The company warns that scammers, whether related to this incident or not, may pose as Coinbase employees attempting to pressure users into moving their funds.
As such, the cryptocurrency company advises customers to be vigilant against imposters, as Coinbase will never call or text customers to provide a new seed phrase or wallet address to move funds. “If you receive a call [claiming to be from Coinbase asking you to move funds], hang up the phone,” Coinbase emphasized in its blog post.
They also advise that customers should enable withdrawal allow-listing (that only permits transfers to wallets under the customer’s control), as well as activate strong two-factor authentication for all account access.
