Coinbase Exchange $20 Million Extortion Attempt Thwarted, Bounty Set Up to Catch Attackers

Coinbase, a leading crypto exchange, has taken a firm stand against a sophisticated cybercriminal operation that targeted its customer support systems. The company disclosed that a group of rogue overseas support agents, swayed by social engineering and bribes, illicitly accessed personal data belonging to less than 1% of its monthly transacting users. This breach, while limited in scope, underscores the persistent threats facing crypto exchange and wallet platforms. Coinbase has responded decisively, refusing to pay a $20 million ransom demand and instead establishing a $20 million reward fund to aid in capturing the perpetrators.

According to the company, the cybercriminals behind the attack exploited vulnerabilities in Coinbase’s overseas customer support operations. By offering cash incentives, they persuaded a small group of insiders to extract data from customer support tools. The stolen information included names, addresses, phone numbers, email addresses, masked Social Security numbers (showing only the last four digits), masked bank account details, government-issued ID images, account balance snapshots, transaction histories, and limited corporate data such as training materials and internal communications.

Importantly, the attackers did not gain access to critical assets such as login credentials, two-factor authentication codes, Bitcoin and crypto private keys, or the ability to move customer funds. Coinbase Prime accounts and the company’s hot and cold wallets remained entirely secure.

Coinbase’s Comprehensive Response

In response to the breach, Coinbase has implemented a multi-faceted strategy to protect its customers and strengthen its defenses. The company is reimbursing retail customers who were deceived into sending funds to the attackers through social engineering tactics, provided the incidents occurred before the public disclosure and meet specific review criteria. To prevent future vulnerabilities, Coinbase has introduced enhanced security measures, including additional identity verification for large withdrawals and mandatory scam-awareness prompts for flagged accounts. These safeguards may cause minor transaction delays as the company monitors high-risk activities.

Coinbase is also fortifying its support operations by opening a new U.S.-based support hub and implementing stricter security controls and monitoring across all locations. The company has increased its investment in insider-threat detection, automated response systems, and simulated security threat exercises to identify and address potential weaknesses. Transparency remains a priority, with Coinbase promptly notifying affected users and committing to ongoing updates as the investigation progresses.

Coinbase has rejected the criminals’ $20 million extortion demand, opting instead to establish a $20 million reward fund for information leading to the arrest and conviction of those responsible. The company is collaborating with industry partners to trace stolen funds by tagging the attackers’ addresses, aiding law enforcement in tracking and recovering assets. The rogue insiders involved have been terminated and referred to U.S. and international authorities, with Coinbase pursuing criminal charges to the fullest extent of the law.

To empower its users, Coinbase is emphasizing best practices for staying safe in the crypto space. The company advises customers to enable withdrawal allow-listing to restrict transfers to verified wallets, use strong two-factor authentication (preferably with hardware keys), and remain vigilant against imposters posing as Coinbase representatives. Coinbase will never request passwords, two-factor authentication codes, or instruct users to transfer funds to unfamiliar wallets. If something seems suspicious, users are urged to lock their accounts via the app and reach out to Coinbase’s security team.