Coinbase Confirms Data Breach Affecting 69,461 Users, Offers $20 Million Reward

Generated by AI Agent Coin World
Wednesday, May 28, 2025 12:54 pm ET

On May 11, 2025, Coinbase, America’s largest cryptocurrency exchange, received an unsolicited email from an unknown threat actor claiming to possess sensitive information about its customers and demanding a ransom of $20 million. This incident marked a significant breach in the company's cybersecurity, despite its substantial monthly investments in this area. The breach was preceded by reports from blockchain investigator ZachXBT in February, who highlighted increased thefts involving Coinbase users. ZachXBT attributed these thefts to aggressive risk models and Coinbase’s failure to prevent $300 million in yearly losses from social engineering scams. According to ZachXBT, $65 million was stolen from users between December 2024 and January 2025, with the actual losses potentially being higher due to limited access to data.

The breach was confirmed by Coinbase in a blog post on May 11, revealing that account balances, ID images, phone numbers, home addresses, and partially hidden bank details were stolen. The threat actor later swapped about $42.5 million from Bitcoin (BTC) to Ether (ETH) via THORChain, using Ethereum transaction input data to write “L bozo,” followed by a meme video of NBA player James Worthy smoking a cigar, seemingly mocking ZachXBT.

The 2025 Coinbase breach was not a typical crypto hack involving smart contracts or blockchain vulnerabilities but rather a traditional IT security failure marked by insider manipulation, corporate espionage, and an extortion attempt. The incident unfolded as follows: unknown cyber attackers began recruiting overseas customer service agents working for Coinbase, paying them to leak sensitive customer data and internal documentation. Coinbase’s internal security team eventually detected suspicious activity, leading to the termination of the involved staff and notification of affected users. Although only 69,461 accounts were impacted, the depth of stolen personal data made the breach significant. On May 11, 2025, Coinbase received an unsolicited email claiming to possess internal system details and personally identifiable information (PII), which was later confirmed as credible in an 8-K SEC filing. Instead of paying the $20 million ransom, Coinbase reported the breach to law enforcement, disclosed it publicly, and offered a $20 million reward for information leading to the attackers’ arrest. Shortly after the SEC filing, Coinbase publicly confirmed the breach, clarifying the scope and nature of the attack and filing a data breach notification with the Maine Attorney General’s office, officially stating 69,461 users were affected.

According to a notification letter issued by Coinbase, the attackers sought the stolen information to launch social engineering attacks. The information they accessed included names, addresses, phone numbers, emails, government-ID images, masked Social Security numbers, account data, masked bank account numbers, and some bank account identifiers. However, the attackers did not obtain login credentials, 2FA codes, or private keys, and they gained no access to Coinbase Prime accounts or any ability to move or access customer funds. Coinbase’s response to the breach included refusing to pay the ransom, establishing a $20 million reward fund, committing to reimbursing customers who were deceived into sending funds, providing complimentary credit monitoring and identity protection services, enhancing customer safeguards, strengthening support operations, collaborating with law enforcement, and maintaining transparency and communication with affected customers. The estimated costs for remediation and reimbursements ranged between $180 million and $400 million.

In the wake of large-scale data breaches of crypto platforms, it is crucial to take proactive steps to protect oneself from social engineering attacks. Users should never share sensitive information with impersonators, turn on allow-listing of wallet addresses, enable strong 2FA, be cautious with unsolicited communication, lock accounts immediately if anything feels suspicious, and stay informed about security tips and updates from crypto services. These measures can help prevent unauthorized access and protect personal information in the event of a data breach.
