Coinbase Rejects $20M Ransom After Insider Data Leak, Faces Up to $400M in Fallout

Crypto giant Coinbase is grappling with one of its most serious security challenges to date: An insider-led data breach that has shaken customer trust and could cost the company as much as $400 million.

In a statement released Thursday, Coinbase revealed that cybercriminals bribed overseas customer support agents to leak sensitive customer data. The stolen information was then used in social engineering scams that tricked users into giving away their crypto.

“These insiders abused their access to customer support systems to steal the account data for a small subset of customers,” Coinbase said in a blog post.

What was stolen?

According to Coinbase’s filings and public statement, the stolen information includes:

• Names, addresses, phone numbers, and emails.
• Masked Social Security numbers (last four digits).
• Masked bank account details and identifiers.
• Government-issued ID images.
• Account data, including balance snapshots and transaction history.
• Limited internal corporate documentation.

No passwords, private keys, or customer funds were accessed. Prime accounts and Coinbase’s hot or cold wallets were also untouched.

A $20M demand and a flat refusal

On May 11, Coinbase received an email from an unknown sender claiming to possess internal data and demanding $20 million to keep the breach quiet. Coinbase refused.

“We’re cooperating closely with law enforcement to pursue the harshest penalties possible and will not pay the $20 million ransom demand we received,” the company stated. “Instead, we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack.”

Anyone with credible information is asked to email security@coinbase.com with “[BOUNTY]” in the subject line.

The financial impact could hit $400M

Coinbase disclosed in a U.S. Securities and Exchange Commission (SEC) 8-K filing that the breach could cost the company between $180 million and $400 million in remediation and “voluntary customer reimbursements.”

The company emphasized that this estimate could change, depending on future findings, legal outcomes, and potential asset recovery. Coinbase is pledging to reimburse retail customers who were tricked into sending funds to the scammers, so long as the transfers were directly linked to this incident and occurred before May 15. Coinbase says affected customers have already been notified. 

To prevent future incidents, the company has announced a series of measures:

• A new support hub to be opened in the U.S.
• Stronger security controls and monitoring.
• Extra ID checks and scam-awareness prompts for suspicious accounts.
• Increased investment in insider threat detection.

CEO and industry reactions

Coinbase CEO Brian Armstrong addressed the issue on X (formerly Twitter) on May 15. He stated that attackers have been approaching customer support agents for months, attempting to bribe them for access. He emphasized that security upgrades are already underway.

Meanwhile, blockchain investigator ZachXBT estimated that social engineering scams cost Coinbase users $300M+ annually. According to previous reports by Cointelegraph, Coinbase was the most impersonated crypto brand in 2024.

“Crypto adoption depends on trust,” Coinbase said. “To the customers affected, we’re sorry for the worry and inconvenience this incident caused.”

The company promised to “keep owning issues when they arise and investing in world-class defenses—because that’s how we protect our customers and keep the crypto economy safe for everyone.”