Coinbase Launches $20M Bounty After Insider Breach Leaks User Data

Coinbase has disclosed a targeted data breach involving insider assistance, as criminals bribed overseas customer service agents to obtain sensitive user data. 

This attack affected fewer than 1% of the company’s monthly transacting users, Coinbase says. The compromised information included personal details such as names, addresses, phone numbers, and partial banking data.

Importantly, login credentials, private keys, and access to user funds remained secure. The attackers attempted to extort $20 million from the platform in exchange for not disclosing the incident.

Coinbase confirmed that it rejected the demand and instead launched an investigation with the introduction of a $20 million bounty, taking steps to secure its systems and notify impacted users. The company also promised to pursue the harshest punishment on the party involved in the breach.

We will pursue the harshest penalties possible and will not pay the $20 million ransom demand we received. Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack.

— Coinbase 🛡️ (@coinbase) May 15, 2025

Scope of the Data Breach and What Was Accessed

Criminals targeted Coinbase’s overseas support operations by offering cash bribes to a limited number of customer service agents. These insiders accessed internal tools to extract data belonging to a small portion of transacting users. 

Per a press release by Coinbase, the data included government ID images, masked Social Security numbers, masked bank account identifiers, account balances, and limited internal corporate documents. However, the attackers did not gain access to login credentials, authentication codes, or any capability to move or access crypto assets.

To prevent further exploitation, Coinbase flagged affected accounts and implemented stricter identity verification for large withdrawals. Scam-awareness prompts are now mandatory for flagged users. Additionally, Coinbase is relocating some of its support functions to a newly established U.S. hub and has introduced enhanced monitoring across all operational sites.

Company Response and Additional Platform Announcements

Coinbase has responded by terminating the involved insiders and referring them to both U.S. and international law enforcement. It has pledged to reimburse customers who lost funds through deception. The company has also created a $20 million reward fund for information leading to the identification and prosecution of the attackers. 

These reports come on a day when the exchange announced upcoming ERC-20 versions of several cryptocurrencies—including XRP, Litecoin, Dogecoin, and Cardano—on its Ethereum Layer-2 network, Base. These tokens are not yet live or tradable. 

Coinbase will also be added to the S&P 500 index on May 19, 2025, following the removal of Discover Financial Services after its acquisition by Capital One.

Ongoing Threats Highlighted by Analysts and Investigators

The breach has exposed a broader issue with persistent social engineering scams targeting Coinbase users. On-chain analyst ZachXBT reported that users lost $45 million to such scams in just the past week. 

He further revealed that these attacks have continued for several weeks, with another $46 million stolen earlier. These scams often involve phishing links, impersonation, and baiting tactics aimed at convincing users to surrender sensitive information.

According to ZachXBT and fellow blockchain investigator “Tanuki42,” the attacks appear to uniquely affect Coinbase users. They identified root causes linked to internal system vulnerabilities. Their analysis estimates total losses at over $330 million annually. 

Ripple CTO David Schwartz previously warned about similar attempts, sharing a phishing email he received from an impersonated Coinbase representative.