Although Coinbase has taken a number of measures to respond, user attacks may have become the "norm."

Coinbase user data was stolen and blackmailed for $20 million. Social attacks have become the norm

2025/05/16 15:53

Compiled by: Felix, PANews

On May 15, two pieces of negative news about Coinbase were released, sending Coinbase's stock price sharply lower.

One is that Coinbase disclosed a cyber attack involving the theft of internal data and customer information, with a potential financial impact of between $180 million and $400 million.

In addition, sources said that the US SEC is still investigating whether Coinbase falsified user data before its listing in 2021.

Under the influence of two pieces of negative news, Coinbase's stock price fell 7.2% during the day.


Customer service staff leaked user data; attackers demanded a $20 million ransom

Coinbase said in the report that cyber criminals bribed and recruited a group of malicious customer service staff overseas, who abused their access to the customer support system and stole data from less than 1% of monthly trading users (about 80,000 to 100,000) in the customer support tool. Although no funds, passwords or private keys were stolen, and Coinbase Prime accounts were "unaffected", the attackers used this data to launch targeted social engineering scams against customers.
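The insider pattern described above (support agents pulling far more customer records, and more ID images, than their job requires) is something a support-tool owner can detect from access logs. The following is an added example, not code from the article or from Coinbase; the log format, field names, agent IDs and thresholds are constructed assumptions.

```python
"""Flag support agents whose customer-record access volume is anomalous.
Added example; log layout, field names and thresholds are assumptions."""
from collections import defaultdict
from statistics import median

SENSITIVE_FIELDS = {"id_image", "bank_account"}  # assumed field names

def parse_log(text):
    """Parse constructed 'timestamp agent customer_id field' lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, agent, cust, field = line.split()
        events.append({"ts": ts, "agent": agent, "cust": cust, "field": field})
    return events

def agent_stats(events):
    """Per agent: set of distinct customers touched and count of sensitive-field views."""
    stats = defaultdict(lambda: {"custs": set(), "sensitive": 0})
    for e in events:
        stats[e["agent"]]["custs"].add(e["cust"])
        if e["field"] in SENSITIVE_FIELDS:
            stats[e["agent"]]["sensitive"] += 1
    return stats

def flag_agents(events, ratio=5.0, sensitive_cap=10):
    """Return {agent: [reasons]} for agents whose distinct-customer count exceeds
    `ratio` times the team median, or whose sensitive views exceed `sensitive_cap`."""
    stats = agent_stats(events)
    baseline = median(len(s["custs"]) for s in stats.values())
    flagged = {}
    for agent, s in stats.items():
        reasons = []
        if len(s["custs"]) > ratio * baseline:
            reasons.append(f"{len(s['custs'])} distinct customers vs median {baseline:g}")
        if s["sensitive"] > sensitive_cap:
            reasons.append(f"{s['sensitive']} sensitive-field views")
        if reasons:
            flagged[agent] = reasons
    return flagged

# Constructed sample: agents a and b behave normally; agent c bulk-views ID images.
SAMPLE_LINES = [
    "2025-05-01T09:01:00Z agent_a cust_1001 profile",
    "2025-05-01T09:05:00Z agent_a cust_1002 balance",
    "2025-05-01T09:40:00Z agent_a cust_1003 id_image",
    "2025-05-01T09:02:00Z agent_b cust_2001 profile",
    "2025-05-01T09:30:00Z agent_b cust_2002 profile",
    "2025-05-01T09:45:00Z agent_b cust_2003 bank_account",
] + [f"2025-05-01T10:{i:02d}:00Z agent_c cust_{3000 + i} id_image" for i in range(40)]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

if __name__ == "__main__":
    for agent, why in flag_agents(parse_log(SAMPLE_LOG)).items():
        print(agent, "->", "; ".join(why))
```

The median baseline is only meaningful with a realistically sized team; in production the comparison would also be windowed by time, since the volume that matters is records per hour, not per career.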

Regarding this attack method, some crypto experts commented that this type of targeted social engineering attack (abusing overseas customer support teams) is not uncommon in the crypto industry, because the information of active users of crypto exchanges is far more valuable than it might appear. The average cost of acquiring a new user is $5-50 per valid user for the top exchanges and $50-300 for small and medium-sized exchanges.

After launching a social engineering scam, the Coinbase attackers sent a ransom note demanding $20 million worth of Bitcoin from Coinbase and threatening to release stolen customer data if Coinbase did not pay.

The report states that the attackers obtained:

  • Name, address, phone number and email
  • Masked Social Security Number (last 4 digits only)
  • Masked bank account numbers and some bank account identifiers
  • Images of government ID (e.g. driver's license, passport)
  • Account data (balance snapshots and transaction history)
  • Limited company data (including documents, training materials, and communications available to customer service personnel)

However, Coinbase said that login credentials and two-factor authentication codes, private keys, any ability to transfer or access customer funds, access to Coinbase Prime accounts, and access to any Coinbase or Coinbase customer hot or cold wallets "were not stolen."

Multiple measures to deal with attacks, refuse to pay ransom and issue bounties

Coinbase took a series of countermeasures after the incident.

First, it worked closely with law enforcement. The insiders who leaked the data were fired on the spot and referred to US and international law enforcement, and Coinbase said it would pursue criminal charges.

Second, it tracked the stolen funds. Coinbase worked with industry partners to flag the attacker's addresses so that authorities can trace and recover the assets, and promised to reimburse customers who were tricked into sending money to the attacker through social engineering. To further secure its support operations, Coinbase will open a new support center in the United States and strengthen security controls and monitoring at all locations.

In response to the $20 million ransom demanded by the attacker, Coinbase said it would not pay it. At the same time, Coinbase will set up a $20 million reward fund to reward those who provide clues and help arrest and convict the criminals of this attack.

Social engineering attacks on Coinbase users may have become the "norm"

Despite these seemingly positive response measures, security incidents involving Coinbase occur frequently and the sums stolen are large, especially in the social engineering scams encountered by users.

In February of this year, on-chain detective ZachXBT disclosed on the X platform that Coinbase users lost more than $65 million due to social engineering scams between December 2024 and January 2025. He said that the estimated $65 million may be "far lower" than the actual amount because it does not take into account the cases submitted to Coinbase support and the police.

ZachXBT cited multiple security incidents and denounced Coinbase for failing to properly handle such scams. “Coinbase needs to make changes urgently because more and more users are being defrauded of tens of millions of dollars every month. Other large exchanges are not experiencing similar situations.”

ZachXBT also urged Coinbase leadership to consider strengthening measures against social engineering attacks, including giving KYC-verified users the option to enter their phone number on the platform, adding a new user account type that limits withdrawals, and increasing community outreach.

These proposals may not have been adopted by Coinbase, but this extortion incident may serve as a wake-up call for Coinbase.

Related reading: Coinbase Q1 financial report explained: Net profit plummeted 94% due to portfolio losses, and the company acquired Deribit to develop derivatives
