Coinbase publicly disclosed that cybercriminals had orchestrated a major insider-mediated extortion attempt. These attackers had bribed overseas customer support agents to access and steal sensitive customer data—including names, addresses, phone numbers, emails, images of government-issued IDs, masked Social Security and bank account details, account balances, transaction histories, and certain internal corporate documents.
Coinbase estimated that less than 1% of its monthly transacting user base was affected, which translates to roughly 69,000 users.
Crucially, the breach did not expose login credentials, two-factor authentication codes, private keys, or funds—neither individual customer wallets nor Coinbase Prime accounts were compromised.
The cybercriminals demanded a $20 million ransom in Bitcoin in exchange for not releasing the stolen data publicly. Coinbase refused to pay, stating, “We will not fund criminal activity.”
Rather than capitulate, Coinbase launched a $20 million reward fund for information leading to the arrest and conviction of those involved. The financial fallout was substantial: preliminary estimates placed the total remediation and reimbursement costs between $180 million and $400 million. The company also faced legal consequences: numerous lawsuits were filed alleging negligence and insufficient incident response, while regulatory scrutiny followed through SEC disclosures and filings.