Coinbase user data stolen and $20 million ransom demanded; social engineering attacks have become the norm

Reprinted from panewslab

05/16/2025·1M

Compiled by: Felix, PANews

On May 15, two pieces of negative news about Coinbase broke, causing Coinbase's stock price to suffer a "Waterloo".

One is that Coinbase disclosed a cyber attack involving the theft of internal data and customer information, with potential financial impacts ranging from $180 million to $400 million.

In addition, some sources said that the US SEC is still investigating whether Coinbase falsely reported user data before it went public in 2021.

Under the weight of these two pieces of negative news, Coinbase's stock price fell 7.2% intraday.

Customer service leaks user data and extorts $20 million

Coinbase said in the report that cybercriminals bribed and recruited a group of malicious overseas customer service personnel, who abused their access to the customer support system and stole the data of less than 1% of monthly transacting users (about 80,000-100,000) from customer support tools. While no funds, passwords or private keys were stolen and Coinbase Prime accounts were “unaffected”, the attackers used this data to launch targeted social engineering scams on customers.

Regarding this attack, some cryptographers commented that this kind of targeted social engineering attack (using overseas customer support teams) is not uncommon in the crypto industry, because the information of active users on crypto exchanges is much more valuable than expected. The average cost of acquiring a new user on top exchanges is $5-50 per active user, while on small and medium exchanges it is $50-300.

After launching the social engineering scams, the attackers sent Coinbase a ransom note demanding $20 million worth of Bitcoin and threatening to publish the stolen customer data if Coinbase did not pay.

The report said that the attacker obtained:

  • Name, address, phone number and email
  • Masked Social Security numbers (last 4 digits only)
  • Masked bank account numbers and some bank account identifiers
  • Pictures of government ID documents (such as driver's license, passport)
  • Account data (balance snapshot and transaction history)
  • Limited company data (including documentation, training materials and communication information available for customer service staff)

However, login credentials or two-factor authentication codes, private keys, any ability to transfer or access customer funds, access to Coinbase Prime accounts, and access to any Coinbase or Coinbase customer’s hot or cold wallets were “not stolen.”

Multiple measures to deal with the attack: refusing to pay the ransom and issuing a bounty

After the incident, Coinbase took a series of response measures.

First, it is working closely with law enforcement agencies. Insiders who leaked data were fired on the spot and handed over to U.S. and international law enforcement, and Coinbase said it would file a criminal lawsuit.

Secondly, it is tracking the stolen funds. Coinbase worked with industry partners to mark the attacker’s address so that authorities could track and recover assets, and promised to compensate customers who were tricked into sending money to the attacker through social engineering attacks. To further secure its support operations, Coinbase will open a new support center in the United States and strengthen security controls and monitoring at all locations.

Coinbase responded that it would not pay the $20 million ransom demanded by the attacker. Meanwhile, Coinbase will set up a $20 million reward fund for information that provides clues and helps arrest and convict the offenders.

Social engineering attacks on Coinbase users may become the "norm"

Although this series of responses seems positive, security incidents involving Coinbase seem to occur frequently and the amounts stolen are quite large, especially in the social engineering scams encountered by users.

In February this year, on-chain detective ZachXBT disclosed on the X platform that between December 2024 and January 2025, Coinbase users suffered losses of more than US$65 million due to social engineering fraud. ZachXBT said the estimated $65 million could be "much lower than" the actual amount, as cases filed with Coinbase support and police were not taken into account.

ZachXBT cited several security incidents and called out Coinbase’s failure to properly handle such frauds. “Coinbase needs to make an urgent change as more and more users are being cheated of tens of millions of dollars a month. And other large exchanges have not seen similar situations.”

ZachXBT also urged Coinbase leadership to consider strengthening measures against social engineering attacks, including giving KYC-verified users the option to enter their phone numbers on the platform, adding account types for restricted withdrawals, and strengthening community promotion.

These proposals may not have been adopted by Coinbase, but the extortion may have sounded a wake-up call for Coinbase.
