Coinbase Reveals Insider Bribery Scheme Led to Data Breach, Potential $400M Cost

May 16, 2025

Coinbase is alerting customers and bolstering internal security after a bribery-fueled data breach exposed sensitive user information and triggered a multimillion-dollar incident response.

Coinbase disclosed Thursday that cybercriminals orchestrated a targeted bribery scheme involving third-party customer service agents to access sensitive customer data, later used in social engineering attacks. The incident, which affected fewer than 1% of the cryptocurrency platform’s monthly transacting users, could cost the company between $180 million and $400 million to remediate, according to a regulatory filing with the U.S. Securities and Exchange Commission (SEC).

In a blog post detailing the attack, Coinbase said the threat actors obtained contact center login credentials by bribing employees of overseas third-party vendors. Using those credentials, the attackers exfiltrated customer data, including names, email addresses, phone numbers, partially masked Social Security and bank account numbers, government-issued ID images, and account activity history. Coinbase emphasized that no passwords, private keys, or customer funds were accessed.

The stolen data was allegedly used to impersonate Coinbase staff in targeted scams. On May 11, the attackers demanded a $20 million ransom in exchange for withholding the data from public release. Coinbase declined to pay and instead offered a $20 million reward for information leading to the arrest and conviction of those involved.

“Coinbase’s decision to reject the ransom demand is a commendable display of resilience,” John Hurley, chief revenue officer at cybersecurity solutions integrator Optiv, told SecurityInfoWatch. “Succumbing to such demands only serves to perpetuate and incentivize cyber extortion, turning it into a profitable business model for threat actors.”

There is currently no federal requirement in the U.S. mandating that organizations either pay or refuse ransom demands. However, Hurley noted that the federal government strongly discourages payment, citing the risk of funding cybercriminal enterprises and even state-sponsored attacks. He added that whether to pay a ransom remains a complex, high-stakes decision that depends on the specific context of an attack and its potential to disrupt operations.

“Ultimately, whether to pay a ransom is a complex decision that must be evaluated case by case, factoring in the severity of the attack and its potential impact on business continuity,” Hurley said. “Still, one of the most strategic actions an organization can take is to define its position on ransom payments during incident response (IR) planning. Establishing this stance in advance helps avoid reactive decision-making under pressure and ensures a consistent, informed response when stakes are highest.”

Law Enforcement and Internal Response

Coinbase has since revoked access for the implicated third-party agents and is cooperating with both U.S. and international law enforcement agencies. As part of its response, the company is investing in stronger internal controls, enhanced monitoring, and additional employee training. It also plans to establish a new U.S.-based support center to reduce reliance on outsourced agents.

Customers have been urged to remain vigilant against scams and impersonation attempts. Coinbase reiterated that it will never ask users to transfer cryptocurrency, share passwords, or disclose two-factor authentication codes. Affected users are being contacted directly and offered support.

The disclosure comes amid a pivotal period for the company. Coinbase recently announced a $2.9 billion acquisition intended to support global expansion and has been added to the S&P 500 index, with inclusion set to take effect next week. During last week’s earnings call, CEO Brian Armstrong shared his ambition for Coinbase to become the world’s leading financial services app within the next five to 10 years.

About the Author

Rodney Bosch | Editor-in-Chief/SecurityInfoWatch.com

Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for several major security publications.