- Attackers bribed support staff to access internal tools.
- $20M ransom demand redirected into reward fund.
- New protections live ahead of S&P 500 entry.
Coinbase has disclosed a targeted cyberattack involving bribed overseas contractors, resulting in a significant data breach that impacted less than 1% of its monthly active users.
While no funds, passwords, or private keys were exposed, the attackers accessed internal systems and extracted sensitive customer information.
The incident highlights growing concerns over insider threats in centralised crypto platforms and comes at a crucial moment, with Coinbase preparing for its inclusion in the S&P 500 index.
The company has launched new user protections and is expecting up to $400 million in related expenses.
Bribed contractors enabled access
The breach occurred through a coordinated social engineering effort in which a group of overseas contractors were bribed to grant attackers access to internal tools.
Although Coinbase did not specify the country involved, it confirmed that Coinbase Prime accounts used by institutions were not affected.
Attackers obtained partial bank information, addresses, phone numbers, and masked Social Security digits, aiming to impersonate the platform and extract further assets through phishing.
Coinbase warned that the information was intended to target users in follow-up scams by posing as legitimate support agents.
$20M ransom rejected
After the breach was discovered, the attackers demanded a $20 million payment to stay silent.
Coinbase rejected the demand and instead diverted the amount into a reward fund to help track down those responsible.
The company is now offering up to $20 million for information leading to the arrest and conviction of the attackers.
Coinbase has also engaged blockchain analytics firms to flag addresses connected to the attackers, freeze potential stolen assets, and monitor the flow of funds.
Law enforcement agencies in the US and abroad have been alerted to pursue criminal charges.
New protections deployed
To limit future attacks and mitigate risks from the breach, Coinbase has implemented several new security protocols.
These include additional ID verification during withdrawals, real-time scam alerts, and enhanced scrutiny for accounts flagged as high risk.
A new customer support hub has been launched in the US to reduce third-party outsourcing.
Internally, Coinbase has strengthened its insider threat detection and now runs continuous red-team testing.
It has pledged to make impacted customers “whole” if any further scams succeed using the stolen data, and is reviewing potential indemnification claims.
S&P 500 listing under spotlight
The disclosure comes just days before Coinbase’s entry into the S&P 500, making it the first crypto-native company to achieve the distinction.
With estimated costs from the breach ranging between $180 million and $400 million, analysts expect scrutiny to rise over the exchange’s security infrastructure and operational resilience.
Coinbase said a full assessment of losses, legal claims, and potential recoveries is underway, but the incident underscores the challenges centralised exchanges face in guarding user data against both external and internal threats.
