Coinbase

In December 2024, Coinbase suffered a major data breach in which cybercriminals bribed overseas support agents (allegedly in India) to steal sensitive customer data. The leaked information of 69,461 individuals included passport photos, government IDs, names, dates of birth, partial Social Security numbers, bank account details, balances, and transaction histories. While passwords were not compromised, the exposed data enabled social engineering attacks, with hackers impersonating Coinbase to trick victims into transferring cryptocurrency. A third party later demanded a $20 million extortion payment, which Coinbase refused, instead disclosing the incident publicly.

The breach heightened security concerns, coinciding with a rise in kidnappings and violence targeting crypto industry figures, including a high-profile attack on the daughter of a French crypto CEO. Coinbase committed to reimbursing scammed retail customers, tracing stolen funds, monitoring suspicious withdrawals, and offering a $20 million bounty for information on the hackers. Remediation costs are estimated at between $180 million and $400 million, and the U.S. Justice Department has launched an investigation. The incident underscores severe risks to customer trust, financial security, and physical safety in the cryptocurrency sector.

Source: https://therecord.media/nearly-70000-impacted-coinbase-breach

Coinbase cybersecurity rating report: https://www.rankiteo.com/company/coinbase

"id": "COI4173641112625",
"linkid": "coinbase",
"type": "Breach",
"date": "12/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '69,461',
                        'industry': 'Financial Services (Cryptocurrency)',
                        'location': 'United States (global operations)',
                        'name': 'Coinbase',
                        'size': 'Large (publicly traded, millions of users)',
                        'type': 'Cryptocurrency Exchange Platform'}],
 'attack_vector': ['Bribery of Support Agents',
                   'Insider Threat',
                   'Extortion',
                   'Social Engineering'],
 'customer_advisories': 'Sample breach notification letters warning of social '
                        'engineering risks; reimbursement pledge for scammed '
                        'users',
 'data_breach': {'data_exfiltration': 'Yes',
                 'file_types_exposed': ['Images (passport/ID photos)',
                                        'Textual data (names, DOBs, SSN '
                                        'fragments, bank details)'],
                 'number_of_records_exposed': '69,461',
                 'personally_identifiable_information': 'Yes (names, DOBs, SSN '
                                                        'fragments, government '
                                                        'IDs, passport photos)',
                 'sensitivity_of_data': 'High (government IDs, partial SSNs, '
                                        'bank accounts, transaction histories)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Financial Data',
                                              'Account Information']},
 'date_detected': 'December 2024',
 'date_publicly_disclosed': 'May 2025',
 'description': 'Cryptocurrency platform Coinbase disclosed a data breach '
                'affecting 69,461 individuals, where cybercriminals bribed '
                'overseas support agents (allegedly in India) to steal '
                'customer data, including photos of passports, government IDs, '
                'names, dates of birth, partial Social Security numbers, bank '
                'account details, and transaction histories. The breach was '
                'publicly disclosed in May 2025 after an extortion attempt of '
                '$20 million was rejected. The incident led to social '
                'engineering attacks targeting victims, with Coinbase pledging '
                'reimbursements for scammed users and implementing measures '
                'like fund tracing, withdrawal monitoring, and a $20 million '
                'bounty for information on the hackers. The U.S. Justice '
                'Department is investigating the breach, which Coinbase '
                'estimates will cost $180 million to $400 million in '
                'remediation.',
 'impact': {'brand_reputation_impact': 'High (public disclosure, regulatory '
                                       'filings, media coverage, association '
                                       'with kidnapping/violence risks in '
                                       'crypto industry)',
            'customer_complaints': 'Expected (69,461 breach notifications '
                                   'sent)',
            'data_compromised': ['Photos of passports',
                                 'Government IDs',
                                 'Names',
                                 'Dates of birth',
                                 'Last four digits of Social Security numbers',
                                 'Bank account numbers',
                                 'Account information (balances, transaction '
                                 'history)'],
            'identity_theft_risk': 'High (PII exposed, social engineering '
                                   'attacks reported)',
            'legal_liabilities': 'Potential (U.S. Justice Department '
                                 'investigation, SEC filing, regulatory '
                                 'scrutiny)',
            'operational_impact': 'Increased security measures, fund tracing, '
                                  'withdrawal monitoring, $20M bounty program',
            'payment_information_risk': 'High (bank account numbers exposed)'},
 'initial_access_broker': {'entry_point': 'Bribed overseas support agents '
                                          '(India)',
                           'high_value_targets': 'Coinbase customer data (PII, '
                                                 'financial records)'},
 'investigation_status': 'Ongoing (U.S. Justice Department investigation)',
 'motivation': ['Financial Gain', 'Extortion', 'Fraud (social engineering)'],
 'post_incident_analysis': {'corrective_actions': ['Termination of involved '
                                                   'employees',
                                                   'Enhanced security measures',
                                                   '$20M bounty program',
                                                   'Withdrawal monitoring'],
                            'root_causes': ['Insider threat (bribed support '
                                            'agents)',
                                            'Inadequate access '
                                            'controls/monitoring for support '
                                            'personnel']},
 'ransomware': {'data_encryption': 'No',
                'data_exfiltration': 'Yes',
                'ransom_demanded': '$20,000,000 (extortion attempt)',
                'ransom_paid': 'No'},
 'references': [{'source': 'Bloomberg'},
                {'date_accessed': 'May 2025', 'source': 'Coinbase SEC Filing'},
                {'date_accessed': 'May 2025',
                 'source': 'Coinbase Breach Notification Letters'}],
 'regulatory_compliance': {'legal_actions': ['U.S. Justice Department '
                                             'investigation',
                                             'SEC filing'],
                           'regulatory_notifications': ['Maine regulators',
                                                        'SEC']},
 'response': {'communication_strategy': ['Breach notification letters to '
                                         '69,461 victims',
                                         'Public disclosure via SEC filing',
                                         'Media statements'],
              'containment_measures': ['Termination of involved employees',
                                       'Enhanced security measures'],
              'enhanced_monitoring': 'Yes (withdrawal monitoring, suspicious '
                                     'activity detection)',
              'incident_response_plan_activated': 'Yes',
              'law_enforcement_notified': 'Yes (U.S. Justice Department, SEC)',
              'remediation_measures': ['Tracing stolen funds',
                                       'Flagging large withdrawals',
                                       '$20M bounty for hacker information',
                                       'Reimbursement for scammed users']},
 'stakeholder_advisories': 'Breach notifications to 69,461 affected '
                           'individuals, SEC disclosure',
 'threat_actor': 'Cybercriminals (allegedly based in India)',
 'title': 'Coinbase Data Breach (December 2024)',
 'type': ['Data Breach', 'Insider Threat', 'Extortion', 'Social Engineering'],
 'vulnerability_exploited': 'Human vulnerability (bribery of overseas support '
                            'agents)'}