Cryptocurrency Exchange Coinbase revealed that an unknown cyber actor had infiltrated the system and stole account data for a small subset of customers.
“The criminals targeted overseas customer support agents,” the company said in a statement. “They used cash offers to convince a small group of insiders to copy data into customer support tools with less than 1% of Coinbase’s monthly trading users.”
The ultimate goal of the campaign was to compile a list of customers they would contact by spoofing Coinbase and deceiving them to hand over crypto assets.
Coinbase said threat actors failed to attempt to force the company for $20 million on May 11, 2025 by claiming they have information about specific customer accounts and internal documents. In a statement shared with Fortune, Coinbase said that compromised customer agents were working in India and all of them were fired.
“The password, private key, or funds have not been disclosed and the Coinbase Prime account has not been mentioned,” Coinbase said. The attackers escaped are listed below –
- Name, address, phone, email
- Masked Social Security (last 4 digits only)
- Masked bank account numbers and some bank account identifiers
- Government ID images (e.g. driver’s license, passport)
- Account Data (Balanced Snapshots and Transaction History)
- Limited corporate data such as documentation, training materials, and communications available to support agents
Crypto Giant said it is taking steps to reimburse customers who have been deceived to transfer funds to attackers due to social engineering attacks. It’s not entirely clear how many customers fell due to the scam, but the company told TechCrunch that less than 1% of its 9.7 million customers each month were affected.
The company also performs additional ID checks for certain flagged accounts when performing large withdrawals, and is bolstering its defenses to combat such insider threats. Finally, Coinbase has established a $20 million reward fund for information that leads to the arrest and conviction of the attacker.
As a mitigation, users are encouraged to allow only addresses in their address book, enable two-factor authentication (2FA) and to be aware of scammers trying to move their funds to their secure wallets.
