Coinbase user data was stolen and blackmailed for $20 million. Social attacks have become the norm

  • Coinbase faced a cyber attack involving theft of internal and customer data, potentially costing $180M–$400M, while the SEC investigates alleged falsified user data during its 2021 listing, causing a 7.2% stock drop.
  • Attackers bribed overseas customer service staff to steal data from 80K–100K users, including names, addresses, partial SSNs, bank details, government IDs, and transaction history, but no login credentials or private keys were compromised.
  • The hackers demanded a $20M Bitcoin ransom, threatening to leak stolen data, but Coinbase refused to pay and instead offered a $20M bounty for clues leading to arrests.
  • Coinbase responded by firing the insider, collaborating with law enforcement, tracking stolen funds, compensating affected users, and opening a U.S. support center with enhanced security.
  • Social engineering scams targeting Coinbase users are rampant, with over $65M lost in a two-month period earlier this year, prompting calls for stronger safeguards like KYC-linked phone numbers and withdrawal limits.
  • Despite measures, recurring security incidents suggest user attacks may now be a "norm" for Coinbase, highlighting urgent need for systemic improvements.
Summary

Compiled by: Felix, PANews

On May 15, two pieces of negative news about Coinbase were released, causing Coinbase's stock price to suffer a "Waterloo."

One is that Coinbase disclosed a cyber attack involving the theft of internal data and customer information, with a potential financial impact of between $180 million and $400 million.

In addition, sources said that the US SEC is still investigating whether Coinbase falsified user data before its listing in 2021.

Under the influence of two pieces of negative news, Coinbase's stock price fell 7.2% during the day.

Coinbase user data was stolen and blackmailed for $20 million. Social attacks have become the norm

Customer service leaked user data and demanded $ 20 million in ransom

Coinbase said in the report that cyber criminals bribed and recruited a group of malicious customer service staff overseas, who abused their access to the customer support system and stole data from less than 1% of monthly trading users (about 80,000 to 100,000) in the customer support tool. Although no funds, passwords or private keys were stolen, and Coinbase Prime accounts were "unaffected", the attackers used this data to launch targeted social engineering scams against customers.

Regarding this attack method, some crypto experts commented that this type of targeted social engineering attack (using overseas customer support teams) is not uncommon in the crypto industry. Because the information of active users of crypto exchanges is far more valuable than imagined. The average cost of attracting new users for the top exchanges is $5-50 per valid user, while the average cost of attracting new users for small and medium-sized exchanges is $50-300.

After launching a social engineering scam, the Coinbase attackers sent a ransom note demanding $20 million worth of Bitcoin from Coinbase and threatening to release stolen customer data if Coinbase did not pay.

The report states that the attackers obtained:

  • Name, address, phone number and email
  • Masked Social Security Number (last 4 digits only)
  • Blocked bank account numbers and some bank account identifiers
  • Image of government ID (e.g. driver's license, passport)
  • Account data (balance snapshots and transaction history)
  • Limited company data (including documents, training materials, and communications available to customer service personnel)

However, data such as login credentials or two-factor authentication codes, private keys, any ability to transfer or access customer funds, access to Coinbase Prime accounts, and access to any Coinbase or Coinbase customer hot or cold wallets “was not stolen.”

Multiple measures to deal with attacks, refuse to pay ransom and issue bounties

Coinbase took a series of countermeasures after the incident.

First, work closely with law enforcement. The insider who leaked the data was fired on the spot and handed over to US and international law enforcement, and Coinbase said it would file a criminal lawsuit.

Secondly, track the stolen funds. Coinbase worked with industry partners to mark the attacker's address so that authorities can track and recover the assets. And promised to compensate customers who were tricked into sending money to the attacker due to social engineering attacks. To further ensure the security of support operations, Coinbase will open a new support center in the United States and strengthen security controls and monitoring at all locations.

In response to the $20 million ransom demanded by the attacker, Coinbase said it would not pay it. At the same time, Coinbase will set up a $20 million reward fund to reward those who provide clues and help arrest and convict the criminals of this attack.

Coinbase users may be subject to social engineering attacks or have become " normal "

Despite the seemingly positive response measures, security incidents involving Coinbase seem to occur frequently, and the amount of money stolen is also quite large, especially the social engineering scams encountered by users.

In February of this year, on-chain detective ZachXBT disclosed on the X platform that Coinbase users lost more than $65 million due to social engineering scams between December 2024 and January 2025. He said that the estimated $65 million may be "far lower" than the actual amount because it does not take into account the cases submitted to Coinbase support and the police.

ZachXBT cited multiple security incidents and denounced Coinbase for failing to properly handle such scams. “Coinbase needs to make changes urgently because more and more users are being defrauded of tens of millions of dollars every month. Other large exchanges are not experiencing similar situations.”

ZachXBT also urged Coinbase leadership to consider strengthening measures against social engineering attacks, including giving KYC-verified users the option to enter their phone number on the platform, adding a new user account type that limits withdrawals, and increasing community outreach.

These proposals may not have been adopted by Coinbase, but this extortion incident may serve as a wake-up call for Coinbase.

Related reading: Coinbase Q1 financial report explained: Net profit plummeted 94% due to portfolio losses, and the company acquired Deribit to develop derivatives

Share to:

Author: Felix

This article represents the views of PANews columnist and does not represent PANews' position or legal liability.

The article and opinions do not constitute investment advice

Image source: Felix. Please contact the author for removal if there is infringement.

Follow PANews official accounts, navigate bull and bear markets together
Telegram Discussion Group
Telegram News Channel
@PANews
Recommended Reading
3 minute ago
2 hour ago
2 hour ago
3 hour ago
3 hour ago
4 hour ago

Popular Articles

Industry News
Market Trends
Curated Readings
Subscribe

Curated Series

App内阅读