Coinbase hackers demand $20 million ransom after insider-driven data breach

Leading cryptocurrency exchange Coinbase has revealed that it could face up to $400 million in financial losses following a cyber attack involving bribed support personnel.

The hack resulted in the theft of sensitive customer data, which was then used to carry out social engineering-based scams. The attackers demanded the payment of a $20 million ransom, an offer that Coinbase refused.

In a blog post, Coinbase confirmed that "less than 1%" of its users were compromised. The hackers gained access to their systems by bribing foreign contractors and system administrators with high-level system access. They then used the stolen data to impersonate Coinbase and steal customers' crypto assets.

While the firm stated that no money, private keys, or passwords were ever accessed during the hack, the stolen information comprised names, email addresses, phone numbers, obscured bank account details, and Social Security number last four digits. Photos of government-issued IDs and account balances were also part of the breached data. Coinbase has assured to refund customers in full who were tricked into transferring money to the attackers.

The incident lowered Coinbase's share price by 4.1% on Thursday morning. The firm has filed an incident report with the U.S. Securities and Exchange Commission (SEC), estimating remediation expenses between $180 million and $400 million. These consist of customer refunds, fraud protection enhancements, and counsel assistance—though they could vary depending on subsequent claims and recoveries.

Coinbase stated that it already reported suspicious activity in the previous months and took initial steps before receiving an email from the attackers on May 11.

The warning note released by the attackers vowed to release internal files and customer data if Coinbase would provide a ransom fee of $20 million. Rather, the company reached out to law enforcement and set up a $20 million reward fund for tips that would lead to the arrest and conviction of the attackers.

The assault is poorly timed for Coinbase, which is soon to be officially added to the S&P 500 index just days from now.

Coinbase has laid off the staff and contractors who participated in the hack. It has also improved its fraud detecting algorithms and published new safety guidelines for customers. Customers are being urged to be careful and report any potential threats.

"Coinbase will never ask for your password, two-factor codes, or request crypto transfers to unknown accounts," the firm said. It also suggested customers lock their account if they notice something is fishy. "To the customers affected, we're sorry for the worry and inconvenience this incident caused. We'll keep owning issues when they arise."