An insider-led breach at Coinbase has sparked a costly scam targeting the exchange's users. The incident involved a sophisticated social engineering scheme where attackers impersonated Coinbase staff using personal data obtained through an internal breach. The attackers contacted users, claiming to represent Coinbase and warning of a supposed compromise on their accounts. They then conducted identity verification steps and requested details about account balances to prioritize high-value targets.
Victims were instructed to transfer assets to a Coinbase Wallet, with attackers providing a pre-generated seed phrase under the guise of assisting with wallet setup. This gave the attackers full control over the assets once they were moved.
DAO contributor Qiao Wang detailed the scam on social media, revealing that the attackers had made $7 million in a single day.
Coinbase disclosed the data breach on May 15, stating that it affected less than 1% of its monthly active users. The breach did not compromise login credentials or private keys but involved the bribing of overseas customer support agents to leak sensitive data. The leaked information included names, contact details, identity documents, and masked banking and social security data.
Coinbase terminated the involved insiders and is cooperating with law enforcement to investigate the breach. CEO Brian Armstrong confirmed that the attackers attempted to extort $20 million in Bitcoin from the company, a demand that Coinbase rejected. Instead, the firm is offering a $20 million reward for information leading to the perpetrators’ arrest and has stated it will reimburse affected users.
Despite the reimbursement promises, Wang called for Coinbase to treat the potential exposure of users’ home addresses and government-issued IDs as a personal safety issue, which is worth “way more than loss of funds.”
In recent months, similar social engineering operations have been blamed for more than $300 million in annualized Coinbase user losses. These operations often involve impersonation, seed phrase extraction, and fund redirection.
Coinbase disclosed in a Form 8-K filing with the US Securities and Exchange Commission (SEC) on May 15 that it is still assessing the total financial ramifications of the security lapse. Based on current data, the company’s preliminary estimates place remediation costs and voluntary customer reimbursements between $180 million and $400 million.
Coinbase reiterated in the document that it would not pay the ransom demanded by the attackers. The company stated it intends to pursue all legal avenues against the individuals responsible for the attack and is continuing its investigation into the full scope of the incident.