A major security incident at cryptocurrency exchange Coinbase has exposed the sensitive data of nearly 70,000 users, potentially costing the company up to $400 million in remediation and customer reimbursement. The breach, which began in December 2024 but wasn't detected until May 2025, involved the bribery of overseas customer service agents, allegedly located in India, who then leaked sensitive customer data to cybercriminals. These criminals then leveraged the stolen information to launch sophisticated social engineering attacks, tricking users into transferring their cryptocurrency.
The timeline of events reveals a concerning lapse in security protocols. Cyber attackers initiated the scheme by recruiting overseas customer service agents, offering them cash payments in exchange for sensitive customer data and internal documentation. This stolen information, particularly details related to customer service and account management systems, was then used to impersonate Coinbase representatives and deceive users. Coinbase's internal security team eventually detected the suspicious activity and terminated the employment of the involved staff.
The compromised data included a range of sensitive information, such as names, addresses, phone numbers, email addresses, the last four digits of Social Security numbers, masked bank account numbers, and images of government-issued IDs like driver's licenses and passports. This information is highly valuable to cybercriminals as it allows them to create convincing phishing scams and other social engineering attacks.
On May 11, 2025, Coinbase received an unsolicited email from the threat actors, who claimed to possess internal system details and personally identifiable information. They demanded a ransom of $20 million to keep the breach confidential. Coinbase refused to pay the ransom and instead reported the incident to law enforcement, disclosed it publicly, and offered a $20 million reward for information leading to the attackers' arrest.
In response to the breach, Coinbase has taken several steps to mitigate the damage and prevent future incidents. The company is reimbursing customers who were tricked into sending funds to the attackers and is providing affected individuals with one year of complimentary credit monitoring and identity protection services. Coinbase is also opening a new support hub in the US and implementing stronger security controls and monitoring across all locations to prevent insider threats. Furthermore, the company is cooperating closely with US and international law enforcement agencies and has terminated the employment of the insiders involved in the breach.
The incident has also triggered a probe by the U.S. Department of Justice (DOJ) into Coinbase's contracted customer service representatives in India. The DOJ is investigating allegations that some agents accepted bribes to grant criminals unauthorized access to user data.
This data breach highlights the increasing sophistication of cyberattacks targeting the cryptocurrency industry. Chainalysis reports that funds stolen through crypto hacks increased by approximately 21% year-over-year in 2024, reaching $2.2 billion. Centralized exchanges like Coinbase have become prime targets for cybercriminals due to the large amounts of cryptocurrency they hold and the sensitive user data they possess.
To protect themselves from similar incidents, cryptocurrency users should take proactive steps to secure their accounts. These steps include enabling strong two-factor authentication, using hardware security keys or trusted authentication apps, being cautious with unsolicited communication, and never sharing sensitive information with anyone who may be impersonating the exchange. Coinbase also advises users to turn on allow-listing of wallet addresses, which restricts withdrawals to pre-approved wallet addresses.