Coinbase Says Breach May Cost $400 Million, Issues $20 Million Bounty
A major data breach of Coinbase continues to roil the cryptocurrency exchange, with executives saying it could cost the company as much as $400 million, while they also put a $20 million bounty on the attackers.
In a filing with the U.S. Securities and Exchange Commission, Coinbase said that remediation and reimbursement efforts resulting from the hack, which executives learned about May 11 when contacted by the attackers, could cost between $180 million and $400 million. That estimate could go up or down as the company further reviews the incident, deals with indemnification claims, and possibly recovers some of the stolen money.
The bounty equals the amount the attackers reportedly demanded from Coinbase to keep the attack quiet.
“Instead of paying the $20 million ransom, we’re establishing a $20 million reward fund for information leading to the arrest and conviction of the attackers,” the company wrote in a blog post.
According to Coinbase, the cybercriminals bribed some overseas support agents to copy and hand over data found in support tools with the goal of using the information to contact customers and, pretending to be Coinbase, convince people to hand over their crypto. Those who took the bribes were fired and referred to both U.S. and international law enforcement agencies. The company said it will press charges.
Lots of Data, Relatively Few Users
The breach affected less than 1% of the users who transact monthly through the company. The stolen data includes names, addresses, phone numbers, and email addresses, the last four digits of Social Security numbers, masked bank account numbers, and account data. Some corporate data was also stolen, such as documents, training material, and communications to support agents.
Information the attackers did not obtain includes login credentials, two-factor authentication codes, private keys, access to Coinbase Prime accounts, access to customer hot or cold wallets, and the ability to move or access user funds.
Coinbase said it is reimbursing customers tricked into handing over crypto, requiring additional ID checks on large withdrawals from flagged accounts and putting out mandatory scam-awareness prompts. It is also opening a new support hub in the United States, adding stronger security controls and monitoring operations, and investing more in insider-threat detection, automated responses, and security threat simulations to find weaknesses in its systems.
Strengthening Defenses
There is more that can be done, according to Ishpreet Singh, CIO at application security firm Black Duck.
“While it’s promising to see that Coinbase isn’t currently planning to pay the $20 million ransom, I’d recommend implementing just-in-time access controls such as device fingerprinting and session auditing,” Singh said. “Additionally, conducting regular risk reviews and strengthening vendor risk management and oversight can reduce third-party access to personally identifiable information.”
He also suggested moving to a zero-trust network architecture that includes micro-segmentation and running advanced security risk training that includes social engineering. In addition, sensitive user data should be heavily segmented and encrypted with keys inaccessible to support agents.
Phil Mataras, founder of Arweave-based cloud network AR.IO, said the data breach shows how much the crypto industry still relies on infrastructure that is centralized, opaque, and vulnerable.
“When access and trust are concentrated in one organization, a single error or insider threat can compromise millions,” Mataras said. “Security at scale isn’t just about better vetting or faster incident response. It’s about architecture. Systems need to minimize dependency on trust-based mechanisms by distributing control as a default, making operations transparent, and ensuring critical data can’t be silently altered or lost.”
The modern world “can’t keep building on infrastructure that forgets, hides, or breaks under pressure,” he said. “The future depends on verifiable, durable systems designed to survive beyond the institutions that run them.”
Sensitive Information at Risk
Chris Jones, managing director at payments consultancy PSE Consulting, said the data breach also raises concerns about the sensitive information that is being used by businesses for such steps as know-your-customer (KYC) verification, such as passports and driver’s licenses.
“The payments card industry has matured through repeated large-scale data breaches over the past decade, which is why consumer card details are now rarely the source of leaked data,” Jones said. “Unfortunately, the same level of protection isn’t consistently applied to other sensitive personal information. Details such as bank account numbers, home addresses, dates of birth … remain vulnerable.”
A compromise of this type of data can have long-term consequences for people, ones more serious than simply cancelling a credit card.
“While regulations like GDPR [the EU’s General Data Protection Regulation] were introduced to enhance data privacy, this incident is yet another indication that there’s still a long way to go in safeguarding consumer identity in the digital age,” he said.
Another SEC Investigation
In an unrelated case that came to light this week, the SEC is investigating how the crypto giant reported user numbers in past securities disclosures and marketing material, according to The New York Times. The company reported more than 100 million users, though it reportedly had stopped using that number two years ago.
Coinbase Chief Legal Officer Paul Grewal told the newspaper that the SEC investigation was a “holdover” from the Biden Administration which involved a metric that the company has since stopped using. Grewal said the company believes the case should be closed, but added it’s cooperating with the SEC.
Federal oversight of the crypto industry has changed drastically since the Trump Administration took over, with the SEC dropping more than a dozen lawsuits against Coinbase and disbanding the unit that conducted such probes. The New York Times noted that the new SEC chair, Paul Atkins, is seen as being pro-crypto and that Trump himself is involved in crypto ventures.