
Coinbase user data stolen in $20 million ransom attempt, social engineering attacks now commonplace
Coinbase users suffering from social engineering attacks may have become "the norm."
Compiled by: Felix, PANews
On May 15, two negative developments concerning Coinbase caused its stock price to suffer a "Waterloo."
One was Coinbase's disclosure of a cyberattack involving the theft of internal data and customer information, with potential financial impact ranging between $180 million and $400 million.
In addition, sources said the U.S. SEC is still investigating whether Coinbase misrepresented user data prior to its 2021 public listing.
Under the impact of these two negative news items, Coinbase's stock dropped 7.2% during the day.

Customer Service Leaks User Data and Demands $20 Million Ransom
In its report, Coinbase stated that cybercriminals bribed and recruited a group of malicious overseas customer service staff who abused their access to the customer support system, stealing data of less than 1% of monthly transacting users (approximately 80,000–100,000) from customer support tools. While no funds, passwords, or private keys were stolen and Coinbase Prime accounts were "unaffected," attackers used this data to launch targeted social engineering scams against customers.
Regarding this attack method, a crypto insider commented that such targeted social engineering attacks (using overseas customer support teams) are not uncommon in the crypto industry. The information of active users at crypto exchanges is far more valuable than imagined. Top-tier exchanges spend an average of $5–$50 to acquire each effective user, while smaller and mid-sized exchanges spend $50–$300 on average.
After launching the social engineering scam, the attackers sent a ransom letter demanding that Coinbase pay $20 million worth of Bitcoin, threatening to release the stolen customer data if Coinbase refused to pay.
The report stated that the attackers obtained:
- Names, addresses, phone numbers, and email addresses
- Partially redacted Social Security numbers (last four digits only)
- Partially redacted bank account numbers and some bank account identifiers
- Images of government-issued ID documents (e.g., driver’s licenses, passports)
- Account data (balance snapshots and transaction history)
- Limited company data (including documents, training materials, and communications available to customer service personnel)
However, login credentials or two-factor authentication codes, private keys, any ability to transfer or access customer funds, access to Coinbase Prime accounts, or access to any Coinbase or Coinbase customer hot or cold wallets were "not compromised."
Multifaceted Response Measures: Refusal to Pay Ransom and Bounty Announcement
Following the incident, Coinbase implemented a series of response measures.
First, it closely cooperated with law enforcement. The internal personnel responsible for the data leak were immediately fired and handed over to U.S. and international law enforcement authorities; Coinbase stated it will pursue criminal charges.
Second, it began tracking stolen funds. Coinbase collaborated with industry partners to flag the attackers’ addresses to assist authorities in tracing and recovering assets. It also pledged to compensate customers who were tricked into sending money to the attackers due to social engineering. To further strengthen operational security, Coinbase will open a new support center in the United States and enhance security controls and monitoring across all locations.
In response to the attackers' demand for a $20 million ransom, Coinbase stated it would not pay. At the same time, Coinbase will establish a $20 million reward fund for information leading to the arrest and conviction of those responsible for this attack.
Social Engineering Attacks on Coinbase Users May Have Become "Normal"
Although the series of response measures appears proactive, security incidents involving Coinbase seem to occur frequently, and the amounts stolen are substantial, particularly in social engineering scams targeting users.
In February this year, on-chain investigator ZachXBT disclosed on X that between December 2024 and January 2025, Coinbase users lost over $65 million due to social engineering scams. He indicated the estimated $65 million figure might be "far below" the actual amount, as it did not include cases reported to Coinbase support and police.
ZachXBT listed multiple security incidents and issued a strong condemnation of Coinbase's failure to properly handle such scams. "Coinbase needs to make urgent changes, as increasing numbers of users are being defrauded of tens of millions of dollars each month. Other major exchanges aren't experiencing similar issues."
ZachXBT also urged Coinbase leadership to consider strengthening measures against social engineering attacks, including allowing KYC-verified users to optionally enter phone numbers on the platform, introducing new account types with withdrawal restrictions for novice users, and enhancing community outreach.
These proposals may not have been adopted by Coinbase, but this latest ransom incident might serve as a wake-up call.