Coinbase Confirms Data Breach Affecting 69,461 Users

On May 11, 2025, Coinbase, the largest cryptocurrency exchange in the United States, received an unsolicited email from an unknown threat actor claiming to hold sensitive customer data and demanding a $20 million ransom. The breach was a serious failure of the company's security controls, despite the substantial sums it spends on security every month. It was preceded by reports from blockchain investigator ZachXBT in February, who had flagged a rise in thefts targeting Coinbase users. ZachXBT attributed the thefts to aggressive risk models and to Coinbase's failure to prevent an estimated $300 million in yearly losses to social engineering scams. By his count, $65 million was stolen from users between December 2024 and January 2025, and the real figure was probably higher given his limited access to data.
The fear that cybercriminals had stolen valuable information became reality when Coinbase published a blog post confirming that account balances, ID images, phone numbers, home addresses and partially masked bank details had been taken in the breach. On May 21, the same threat actor swapped about $42.5 million from Bitcoin (BTC) to Ether (ETH) via THORChain and used the input-data field of an Ethereum transaction to write "L bozo," followed by a meme video of NBA player James Worthy smoking a cigar, apparently mocking ZachXBT, who later flagged the message on his Telegram channel.
The 2025 Coinbase breach was not a typical crypto hack exploiting smart contracts or blockchain vulnerabilities. It was a conventional IT security failure built on insider bribery, data theft and an extortion attempt. The incident unfolded as follows. Unknown attackers recruited overseas customer-service agents working for Coinbase, in particular agents based in India, and paid them to leak customer data and internal documentation for use in later impersonation scams against users. Coinbase's internal security team eventually detected suspicious activity linked to these employees, terminated them and alerted affected users. Only 69,461 accounts were affected, but the depth of personal data exposed made the breach significant. The May 11 extortion email claimed to hold internal system details and customers' personally identifiable information (PII), and Coinbase confirmed it was credible in a Form 8-K filing with the SEC. Rather than pay, Coinbase reported the breach to law enforcement, disclosed it publicly and offered a $20 million reward for information leading to the attackers' arrest and conviction, turning defense into offense. Shortly after the SEC filing, Coinbase publicly confirmed the breach and clarified its scope and nature. A data breach notification filed with the Maine Attorney General's office put the number of affected users at 69,461.
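The insider side of this incident is worth looking at from a defender's point of view: an agent who is harvesting records for an extortion crew looks different from one working tickets. The following is an added illustrative example, not Coinbase's tooling or detection logic. It assumes a hypothetical support-console audit log in JSON-lines form with `agent`, `customer`, `action` and `ticket` fields, constructs a few sample lines, and flags agents whose distinct-customer volume is far above the peer median or who view sensitive records (ID images, bank details) without an associated ticket. Field names, action names and thresholds are all assumptions for this example.

```python
"""Flag support agents whose record access looks like bulk data collection.

Added illustrative example. The log format, field names, action names and
thresholds are assumptions for this example, not any exchange's real tooling.
"""
import json
from collections import defaultdict
from statistics import median

# Actions that expose data an impersonation scammer would want (assumed names).
SENSITIVE_ACTIONS = {"view_id_image", "view_bank_details", "export_profile"}


def _line(ts, agent, customer, action, ticket):
    """Build one constructed JSON-lines audit record."""
    return json.dumps({"ts": ts, "agent": agent, "customer": customer,
                       "action": action, "ticket": ticket})


# Constructed sample log: three agents doing ticket-driven work on three
# customers each, and one agent touching 12 distinct customers, four of them
# ID-image views with no ticket attached.
SAMPLE_LOG = "\n".join(
    [_line(f"2025-01-10T09:{i:02d}:00Z", f"agent_{a}", f"c{a}{i:03d}",
           "view_profile", f"T-{a}{i}")
     for a in ("a", "b", "c") for i in range(3)]
    + [_line(f"2025-01-10T22:{i:02d}:00Z", "agent_x", f"c9{i:03d}",
             "view_id_image" if i < 4 else "view_profile",
             None if i < 4 else f"T-x{i}")
       for i in range(12)]
)


def parse_log(text):
    """Parse JSON-lines audit text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def per_agent_stats(events):
    """Distinct customers touched and ticketless sensitive views, per agent."""
    customers = defaultdict(set)
    ticketless_sensitive = defaultdict(int)
    for e in events:
        customers[e["agent"]].add(e["customer"])
        if e["action"] in SENSITIVE_ACTIONS and not e.get("ticket"):
            ticketless_sensitive[e["agent"]] += 1
    return {
        agent: {"distinct_customers": len(custs),
                "ticketless_sensitive": ticketless_sensitive[agent]}
        for agent, custs in customers.items()
    }


def find_suspicious_agents(events, volume_ratio=3.0, min_distinct=5,
                           ticketless_limit=2):
    """Return [{'agent': ..., 'reasons': [...]}] for agents worth reviewing.

    Volume is judged against the peer median so a busy day across the whole
    team does not fire; the absolute floor min_distinct avoids flagging noise
    when the median itself is tiny. Thresholds are assumed, not tuned on real data.
    """
    stats = per_agent_stats(events)
    if not stats:
        return []
    baseline = median(s["distinct_customers"] for s in stats.values())
    findings = []
    for agent, s in sorted(stats.items()):
        reasons = []
        if (s["distinct_customers"] >= min_distinct
                and s["distinct_customers"] > volume_ratio * baseline):
            reasons.append(f"{s['distinct_customers']} distinct customers "
                           f"vs peer median {baseline:g}")
        if s["ticketless_sensitive"] >= ticketless_limit:
            reasons.append(f"{s['ticketless_sensitive']} sensitive-record "
                           f"views with no ticket")
        if reasons:
            findings.append({"agent": agent, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_agents(parse_log(SAMPLE_LOG)):
        print(finding["agent"], "->", "; ".join(finding["reasons"]))
```

Both signals here are cheap to compute from audit logs the support tooling should already emit; the harder engineering problem is making sure every customer-record view is logged with the ticket that justified it, because without that join the second signal cannot exist.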
According to the notification letter Coinbase sent to affected customers, the attackers wanted this information in order to run social engineering attacks: it would let them appear credible to victims and perhaps persuade them to move their funds. Coinbase spelled out what the threat actors had and had not obtained. They gained access to names, addresses, phone numbers, emails, government-ID images, masked Social Security numbers, account data, masked bank account numbers and some bank account identifiers, as well as limited corporate data. They did not obtain login credentials or 2FA codes, private keys, access to Coinbase Prime accounts, any ability to move or access customer funds, or access to any Coinbase or Coinbase-customer hot or cold wallets.
In response to the breach, Coinbase implemented a broad strategy to limit the damage, support affected users and strengthen its security controls. It refused to pay the $20 million ransom and instead set up a $20 million reward fund for information leading to the arrest and conviction of those responsible. It committed to reimbursing customers who were tricked into sending funds as a result of the breach, with estimated remediation and reimbursement costs of between $180 million and $400 million. Coinbase is providing all affected individuals with one year of complimentary credit monitoring and identity protection, including a $1 million insurance reimbursement policy, identity restoration services and dark web monitoring. Affected accounts are subject to additional ID verification for large withdrawals and to mandatory scam-awareness prompts intended to interrupt further social engineering. Coinbase is opening a new support hub in the US, rolling out stronger security controls and monitoring across all locations to counter insider threats, and working closely with US and international law enforcement. The insiders involved were terminated and referred for criminal prosecution. Coinbase notified affected customers as soon as the breach was recognized and is providing ongoing updates on the incident and the steps being taken to address it.
In the wake of large-scale data breaches at crypto platforms, it is crucial to take proactive steps to protect yourself from social engineering. Never share sensitive information with impersonators: after a breach, scammers often pose as support staff or security agents, and they may push you to move funds to a wallet they supply or to reveal sensitive information under various pretexts. Never share your password, two-factor authentication (2FA) codes or recovery phrase with anyone who contacts you. No crypto exchange will ask you to transfer crypto to a "new" or "safe" wallet. Turn on allow-listing of withdrawal addresses where your exchange offers it; this restricts withdrawals to pre-approved addresses you control and blocks unauthorized transfers even if your account is compromised, provided that adding a new address is itself protected by fresh authentication and a waiting period before the address becomes usable. Enable strong 2FA with a hardware security key or a trusted authenticator app, and avoid SMS-based 2FA, which is vulnerable to SIM-swapping. Be cautious with unsolicited communication: if someone calls claiming to be from a crypto platform and asks for security credentials or an asset transfer, hang up immediately. Do not reply to unknown texts or emails with personal information. If anything feels suspicious, lock your account through the app or platform and report the incident to customer support via official channels. Stay informed by regularly reviewing security tips and updates from your crypto services so you can recognize evolving scam tactics.
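To make the allow-listing advice and the large-withdrawal step-up described above concrete, here is an added example of a withdrawal gate as an exchange might implement it. This is illustrative code, not Coinbase's or any exchange's actual policy engine. It assumes a 24-hour activation delay for newly allow-listed addresses (the property that makes allow-listing useful against account takeover: an attacker who adds their own address still cannot withdraw to it immediately) and a $10,000 threshold above which accounts flagged after the breach must re-verify ID and acknowledge a scam-awareness prompt. Both figures are assumptions for the example.

```python
"""Withdrawal gate: address allow-list with activation delay, plus step-up
verification for large withdrawals from flagged accounts.

Added illustrative example; the delay, the threshold and the decision labels
are assumptions, not any exchange's real rules.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ALLOWLIST_ACTIVATION_DELAY = timedelta(hours=24)  # assumed cooling-off period
LARGE_WITHDRAWAL_USD = 10_000.0                   # assumed step-up threshold


@dataclass
class Account:
    allowlist_enabled: bool
    # destination address -> UTC time the user added it to the allow-list
    allowlist: dict = field(default_factory=dict)
    # set for accounts exposed in a breach; triggers step-up on large withdrawals
    flagged_for_extra_verification: bool = False


@dataclass
class Withdrawal:
    destination: str
    amount_usd: float
    requested_at: datetime


def add_allowlist_address(account, address, added_at):
    """Record a new allow-listed address; it only becomes usable after the delay.

    In a real system this call would itself sit behind fresh 2FA, because the
    allow-list is only as strong as the control on changing it.
    """
    account.allowlist[address] = added_at


def evaluate_withdrawal(account, w):
    """Return (decision, reason); decision is 'deny', 'step_up' or 'allow'.

    The allow-list is checked first so a compromised session cannot drain funds
    to a fresh address, then the step-up rule runs for large amounts.
    """
    if account.allowlist_enabled:
        added_at = account.allowlist.get(w.destination)
        if added_at is None:
            return "deny", "destination address is not on the allow-list"
        if w.requested_at - added_at < ALLOWLIST_ACTIVATION_DELAY:
            remaining = ALLOWLIST_ACTIVATION_DELAY - (w.requested_at - added_at)
            return "deny", f"address allow-listed too recently; usable in {remaining}"
    if account.flagged_for_extra_verification and w.amount_usd >= LARGE_WITHDRAWAL_USD:
        return "step_up", ("large withdrawal from flagged account: "
                           "ID re-verification and scam-awareness prompt required")
    return "allow", "policy satisfied"


if __name__ == "__main__":
    # Constructed scenario: an account exposed in the breach, with one
    # long-standing address and one the user (or an attacker) just added.
    now = datetime(2025, 5, 20, 12, 0, tzinfo=timezone.utc)
    acct = Account(allowlist_enabled=True, flagged_for_extra_verification=True)
    add_allowlist_address(acct, "bc1q-old-cold-wallet", now - timedelta(days=30))
    add_allowlist_address(acct, "bc1q-just-added", now - timedelta(hours=2))
    for dest, amount in [("bc1q-attacker", 500.0), ("bc1q-just-added", 500.0),
                         ("bc1q-old-cold-wallet", 500.0), ("bc1q-old-cold-wallet", 50_000.0)]:
        print(dest, amount, evaluate_withdrawal(acct, Withdrawal(dest, amount, now)))
```

The ordering matters: the allow-list check runs before any amount-based logic, so a "safe wallet" address supplied by a scammer is refused outright rather than merely slowed down, and the step-up applies only to destinations the user had already approved at least a day earlier.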
