$20 million ransom demand flipped into a matching bounty when Coinbase disclosed this week that bribed overseas support staff leaked partial data on less than 1% of its users, reigniting fears of insider threats across crypto exchanges.
The crypto exchange says a group of rogue agents were bribed by cybercriminals to copy sensitive data, which was then used in a social engineering campaign to impersonate Coinbase and defraud users.
Although no customer funds, passwords, or private keys were accessed, the attackers obtained partial personal information, including names, contact details, masked Social Security and bank account numbers, and in some cases, images of government-issued IDs.
Coinbase emphasized that Coinbase Prime users were not impacted and that no direct access to hot or cold wallets was ever at risk.
“We’re committed to full transparency,” Coinbase said in a public statement, “and instead of giving in to the $20 million ransom demand, we’re establishing a $20 million reward fund to bring the criminals to justice.”
The Anatomy of the Attack
According to Coinbase, the breach occurred when criminals targeted overseas support agents and offered them financial incentives to participate in the scheme. A small number of insiders accepted the bribes and abused their privileged access to copy data stored in customer support tools.
The attackers then attempted to extort the company, threatening to release the stolen information unless Coinbase paid a $20 million ransom. The exchange declined the demand, opting instead to notify affected users and bolster its internal and external security infrastructure.
The stolen data included transaction histories, account balances, and some internal documentation accessible to support agents. However, the attackers did not obtain passwords, two-factor authentication codes, private keys, or access to any wallets, thus preventing direct theft of funds.
Coinbase’s Response and Customer Support
In response to the breach, Coinbase has pledged to reimburse retail customers who were tricked into sending funds to scammers through social engineering tactics.
These reimbursements will be made after a thorough review process. Affected accounts are now subject to increased withdrawal security protocols, including additional ID checks and scam-awareness prompts.
Coinbase said it is also taking steps to reinforce its global support operations. For example, a new customer support hub is being established in the United States, and enhanced insider-threat detection systems are being rolled out across all service locations.
The company has intensified internal simulations to stress-test its security infrastructure and isolate potential vulnerabilities.
All impacted users have received direct communication, and Coinbase is working closely with law enforcement agencies both in the U.S. and internationally. The rogue employees involved were immediately terminated and referred for criminal prosecution.
A Call for Accountability
Rather than succumbing to extortion, Coinbase said it is offering a $20 million reward for information that leads to the arrest and conviction of those responsible for the breach.
Anyone with credible information is encouraged to contact the company at security@coinbase.com. In parallel, Coinbase and its partners have tagged crypto wallet addresses associated with the attackers to aid in asset recovery.
Coinbase is also reminding users to stay vigilant against scams and impersonators. Customers are urged to never share passwords or 2FA codes, and to lock their accounts immediately if something seems suspicious.
“Trust is foundational to crypto adoption,” Coinbase said in its closing statement. “We’re sorry for the concern this incident caused and remain committed to transparency and protecting our users at every step.”
Huge Blow for the Company
Commenting on the cyber attack on Coinbase, Nick Jones, founder and CEO at Zumo, said: “Unfortunately, as our nascent industry grows rapidly, it draws the eye of bad actors, who are becoming increasingly sophisticated in the scope of their attacks and harnessing new AI tools and techniques to bypass fraud prevention measures.”
“This is understandably a huge blow for a company that has had a pivotal few weeks, announcing the acquisition of Deribit in the digital market’s largest deal to date, and then joining the S&P 500.”
“This attack underlines the critical importance of robust cybersecurity measures. The European Union (EU) introduced its Digital Operational Resilience Act (DORA) earlier this year with an emphasis on financial institutions ensuring the resilience of their supply chain, promoting better data hygiene, and sharing usable insights on attacks they have experienced to strengthen the industry’s perimeter. This seems particularly pertinent as it emerges that the hack occurred when attackers bribed overseas support staff,” Jones added.
The post Coinbase Rejects $20M Ransom, Pledges Same Bounty After Insider Leak Hits 1% of Users appeared first on Cryptonews.
