Coinbase

Coinbase, a leading cryptocurrency trading platform, fell victim to an extortion attempt by an unknown threat actor who demanded $20 million in exchange for not publishing stolen customer data. The breach occurred after criminals targeted overseas customer support agents in India, bribing a small group to copy data from internal tools. The compromised data belonged to less than 1% of Coinbase’s 9.7 million monthly transacting users (under 100,000 individuals) and included names, addresses, phone numbers, email addresses, masked partial Social Security numbers, encoded bank details, government ID images (e.g., driver’s licenses), transaction histories, and limited corporate data. While no login credentials, 2FA codes, private keys, or direct access to funds were stolen, the breach exposed users to phishing risk, with scammers able to impersonate Coinbase support and trick victims into transferring assets.

Coinbase refused the extortion demand, fired the implicated employees, and pledged to reimburse affected users. The company estimates remediation costs between $180 million and $400 million. The incident highlights vulnerabilities in third-party support operations and the broader risk of insider threats in the handling of sensitive customer data.

Source: https://therecord.media/coinbase-extortion-attempt-company-offers-20million-reward

Coinbase cybersecurity rating report: https://www.rankiteo.com/company/coinbase

"id": "COI0262702111725",
"linkid": "coinbase",
"type": "Breach",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Fewer than 100,000 (less than '
                                              '1% of monthly transacting '
                                              'users)',
                        'industry': 'Financial Services (Cryptocurrency)',
                        'location': 'United States (global operations)',
                        'name': 'Coinbase',
                        'size': 'Large (9.7M monthly transacting users; ~$67B '
                                'market cap as of May 2023)',
                        'type': 'Cryptocurrency Exchange'}],
 'attack_vector': ['Social Engineering',
                   'Bribery of Insiders',
                   'Data Exfiltration'],
 'customer_advisories': 'Public advisory to expect imposters posing as '
                        'Coinbase employees; reminder that Coinbase will never '
                        'ask for passwords, 2FA codes, or fund transfers.',
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['Customer records',
                                        'Images (IDs)',
                                        'Transaction logs'],
                 'number_of_records_exposed': 'Fewer than 100,000',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (includes government IDs and '
                                        'transaction histories)',
                 'type_of_data_compromised': ['PII (Personally Identifiable '
                                              'Information)',
                                              'Financial data (masked)',
                                              'Government-issued IDs',
                                              'Transaction histories',
                                              'Corporate data']},
 'date_publicly_disclosed': '2023-05-11',
 'description': 'Cryptocurrency trading platform Coinbase disclosed an '
                'extortion attempt by an unknown threat actor who demanded $20 '
                'million in exchange for not publishing stolen customer data. '
                'The attackers targeted overseas customer support agents, '
                'bribing a small group to copy data from customer support '
                'tools affecting fewer than 1% of Coinbase’s monthly '
                'transacting users (~97,000 users). The stolen data included '
                'names, addresses, phone numbers, email addresses, masked '
                'SSN/tax ID digits, bank account details, government ID '
                'images, transaction histories, and limited corporate data. '
                'Coinbase refused to pay the ransom and is offering a $20 '
                'million bounty for information leading to the arrest of the '
                'perpetrators. The company estimates remediation costs between '
                '$180 million and $400 million.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'data breach and extortion attempt; '
                                       'proactive communication to mitigate '
                                       'trust erosion',
            'data_compromised': ['Names',
                                 'Addresses',
                                 'Phone numbers',
                                 'Email addresses',
                                 'Masked last 4 digits of SSN/tax IDs',
                                 'Encoded bank account numbers',
                                 'Government ID images (e.g., driver’s '
                                 'licenses)',
                                 'Transaction histories',
                                 'Limited corporate data'],
            'identity_theft_risk': 'High (due to PII exposure, including '
                                   'government IDs and transaction histories)',
            'operational_impact': 'Termination of compromised employees; '
                                  'ongoing investigation and remediation',
            'payment_information_risk': 'Low (no login credentials, 2FA codes, '
                                        'or private keys compromised)',
            'systems_affected': ['Customer support tools']},
 'initial_access_broker': {'entry_point': 'Customer support agents (bribed '
                                          'insiders in India)',
                           'high_value_targets': 'Customer PII and transaction '
                                                 'data'},
 'investigation_status': 'Ongoing (cooperating with law enforcement)',
 'lessons_learned': 'Vulnerability of insider threats, especially in overseas '
                    'operations; importance of monitoring for bribery/social '
                    'engineering risks among support agents; need for robust '
                    'customer education on phishing scams post-breach.',
 'motivation': 'Financial gain (extortion and potential fraud via '
               'phishing/scams)',
 'post_incident_analysis': {'corrective_actions': ['Termination of compromised '
                                                   'employees',
                                                   'Enhanced monitoring and '
                                                   'access controls for '
                                                   'support tools',
                                                   '$20M bounty for '
                                                   'perpetrator information',
                                                   'Customer reimbursement '
                                                   'policy for scam victims'],
                            'root_causes': ['Insufficient safeguards against '
                                            'insider threats (bribery '
                                            'vulnerability)',
                                            'Lack of real-time monitoring for '
                                            'unauthorized data copying in '
                                            'support tools',
                                            'Geographic risk concentration '
                                            '(overseas support agents '
                                            'targeted)']},
 'ransomware': {'data_exfiltration': True,
                'ransom_demanded': '$20,000,000 (extortion, not ransomware)'},
 'recommendations': ['Strengthen insider threat detection programs, '
                     'particularly for overseas employees with access to '
                     'sensitive data.',
                     'Implement stricter access controls and logging for '
                     'customer support tools.',
                     'Enhance employee training on bribery and social '
                     'engineering tactics.',
                     'Proactively communicate with customers about potential '
                     'scams following a breach.',
                     'Consider proactive bounty programs to incentivize threat '
                     'intelligence sharing.'],
 'references': [{'date_accessed': '2023-05-11', 'source': 'Coinbase Blog Post'},
                {'date_accessed': '2023-05-11',
                 'source': 'Coinbase SEC 8-K Filing'},
                {'date_accessed': '2023-05-11',
                 'source': 'Fortune Magazine',
                 'url': 'https://fortune.com'},
                {'date_accessed': '2023-05-11',
                 'source': 'The Block (Cryptocurrency News)',
                 'url': 'https://www.theblock.co'}],
 'regulatory_compliance': {'regulatory_notifications': ['SEC 8-K filing']},
 'response': {'communication_strategy': ['Public blog post',
                                         'SEC 8-K filing',
                                         'Customer advisories warning of '
                                         'imposter scams'],
              'containment_measures': ['Termination of compromised employees',
                                       'Securing customer support tools'],
              'enhanced_monitoring': True,
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'remediation_measures': ['Offering $20M bounty for perpetrator '
                                       'information',
                                       'Reimbursing victims of related scams',
                                       'Enhanced monitoring for phishing '
                                       'attempts']},
 'stakeholder_advisories': 'Warnings issued about imposter scams targeting '
                           'customers; commitment to reimburse victims of '
                           'related fraud.',
 'threat_actor': 'Unknown threat actor (extortionist)',
 'title': 'Coinbase Extortion Attempt Involving Stolen Customer Data',
 'type': ['Data Breach', 'Extortion', 'Insider Threat'],
 'vulnerability_exploited': 'Human vulnerability (bribery of customer support '
                            'agents)'}