Coinbase Refuses $20M Ransom After Insider Hack Exposes Customer Data

Hackers infiltrated Nasdaq-listed cryptocurrency exchange Coinbase by paying off a small group of overseas support contractors, the company disclosed, leading to a breach that exposed sensitive customer data and triggered a $20 million extortion attempt.

According to a regulatory filing and accompanying blog post, the attackers stole information tied to fewer than 1% of Coinbase’s monthly active users.

The compromised data includes full names, phone numbers, partial social security numbers, masked bank account details, and images of government-issued IDs. The exchange said that passwords, private keys, and access to wallets were not taken.

The attack unfolded through an internal betrayal: cybercriminals allegedly offered bribes to outsourced support agents in exchange for access to the company’s customer service systems.

Once inside, the attackers gathered data that was later used to impersonate Coinbase in phishing and other social engineering attempts targeting customers.

Coinbase first detected the breach through its internal systems and fired the involved employees.

Coinbase Attackers Issue Ransom Demand

On May 11, the attackers escalated, sending an email to the company claiming they had the stolen information and demanding payment to keep it under wraps.

The exchange said it rejected the ransom and instead launched a $20 million reward fund to aid law enforcement efforts.

“We’re cooperating closely with law enforcement to pursue the harshest penalties possible,” the company wrote. “[We] will not pay the $20 million ransom demand we received.”

To reduce future risk, Coinbase is moving to open a U.S.-based support hub, adding new withdrawal safeguards, and increasing investment in insider threat detection. The company also pledged to reimburse affected users who were tricked into transferring funds as a result of the breach. The exchange estimated this could cost it $180 to $400 million, although it’s still assessing the extent of the damage.

The incident comes roughly one month after blockchain sleuth ZachXBT warned that some users on Coinbase were somehow getting hacked.