Coinbase has reportedly terminated the employment of a group of customer support agents based in India following their alleged involvement in social engineering attacks targeting users of the cryptocurrency exchange. The disclosure follows a data breach in which cybercriminals allegedly bribed these agents to gain unauthorized access to user data.
According to a May 15 interview with Fortune, Coinbase's Chief Security Officer (CSO), Philip Martin, stated that the company had identified customer support contractors who had granted scammers access to user data, suggesting that these individuals were likely Indian nationals. These revelations surfaced after numerous crypto users reported attempted phishing attacks utilizing their Coinbase data. The exchange estimates that the potential costs associated with remediation and reimbursement could range from $180 million to $400 million.
The breach, as detailed in Coinbase's May 15 blog post, stemmed from the bribing of offshore support contractors and staff who leaked customer contact details and limited account information, including identity data such as passport details. Threat actors then exploited this data to launch targeted phishing campaigns, successfully deceiving some customers into divulging their account access credentials.
Coinbase detected the unauthorized activities in recent months and promptly dismissed the implicated staff and contractors. The company has also issued warnings to clients whose data was compromised. While Coinbase maintains that its core systems remained secure, it acknowledged the substantial impact on customers resulting from these secondary attacks. The exchange has initiated the process of reimbursing affected customers and is implementing additional security measures to prevent similar incidents in the future. The estimated compensation costs are preliminary and reflect Coinbase's commitment to fully compensate its customers.
The company said it received an email on May 11 from an "unknown threat actor". The threat actor claimed to have obtained information about certain Coinbase customer accounts and internal Coinbase documentation. The company said that "the threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access".
Coinbase refused to pay a $20 million ransom demand and is offering a $20 million reward for information leading to the arrest and conviction of those responsible.
According to Coinbase, the data stolen included names, addresses, phone numbers, email addresses, the last four digits of Social Security numbers, masked bank account numbers, and Coinbase account data, such as balance snapshots and transaction history. The company emphasized that no passwords, private keys, or funds were exposed and Coinbase Prime accounts were untouched.
In response to the attack, Coinbase is reinforcing its internal data management processes and relocating some customer support operations to prevent similar incidents.
This incident comes after Coinbase secured approval to re-enter the Indian market in March 2025, having previously faced regulatory hurdles.