(Bloomberg/Emily Nicolle) — Coinbase Global Inc. said hackers bribed contractors or employees outside the US to steal sensitive customer data and demanded a $20 million ransom, in one of the most high-profile security breaches of a crypto trading platform.
The largest US crypto exchange said it won’t pay the ransom and estimated the incident could cost the San Francisco-based firm up to $400 million to remedy.
Criminals had offered cash to Coinbase customer support agents to copy customer data like names, addresses, account data and government ID images, the exchange said in a statement on Thursday. The attackers planned to use this data to pretend to be Coinbase and convince users to hand over their crypto, while demanding ransom from the exchange to cover it up.
Less than 1% of the exchange’s monthly transacting users were affected, Coinbase said. In addition to ramping up security controls for those affected, Coinbase said it would reimburse in full anyone who lost money. The exchange also said it is offering a $20 million bounty to anyone with information leading to the attackers’ arrest and conviction.
Coinbase said preliminary estimates suggested it would face between $180 million to $400 million in “remediation costs and voluntary customer reimbursements” relating to the incident, according to a regulatory filing also released Thursday. A further review of potential losses, indemnification claims and potential recoveries could meaningfully increase or decrease this estimate, it added.
Hacks have long plagued the crypto industry, thanks to its heavy reliance on user anonymity and complex digital software. Around $2.2 billion was lost to such incidents in 2024, according to researcher Chainalysis. Operating under the threat of attack has been particularly painful for crypto exchanges, which are often major targets and face high ongoing costs to maintain tight security.
The incident comes as Coinbase is set to join the S&P 500 index next week. Inclusion in the benchmark is becoming more important for companies in a world increasingly dominated by passive investment funds, wrapping Coinbase’s stock into numerous trackers following the index. Coinbase shares slipped more than 3% in pre-market trading on Thursday.
Coinbase’s hackers deployed what’s called a social engineering attack — where criminals use people to gain unauthorized access to data, rather than exploiting flaws in computer code. This type of threat has become increasingly popular in crypto, resulting in recent major incidents like the $1.5 billion hack of crypto exchange Bybit in February.
On May 11, an unknown attacker emailed Coinbase to say it had obtained customer information and some internal Coinbase documentation, the exchange said in the filing. They demanded $20 million in Bitcoin in order not to go public with the fact that they’d got their hands on such data, Coinbase Chief Executive Officer Brian Armstrong added, speaking in a video posted on social media.
In the months leading up to that email, Coinbase had already detected instances of customer support agents collecting information about internal Coinbase systems without needing it for their job. Upon discovery, those workers were immediately terminated and Coinbase said it warned customers who may have been affected. When the May 11 email appeared, Coinbase determined these workers had been part of a single campaign orchestrated by the hacker to steal that data.
“These attackers have been approaching our overseas customer support agents, looking for a weak leak, someone who would accept a bribe in exchange for sharing some customer information with them,” Armstrong said in the video. “Unfortunately, they were able to find a few bad apples.”
(Updates to add context and comment from Coinbase starting in the sixth paragraph.)
More stories like this are available on bloomberg.com
©2025 Bloomberg L.P.