Background of Coinbase’s May 2025 breach

Coinbase, America’s largest cryptocurrency exchange, received an unsolicited email from an unknown threat actor on May 11, 2025. They claimed to possess sensitive information about its customers and demanded a ransom of $20 million. 

Before examining the breach, it is worth understanding how it happened at a public company that spends millions monthly on cybersecurity. In February, blockchain investigator ZachXBT reported increased thefts involving Coinbase users. He blamed aggressive risk models and pointed out Coinbase’s failure to prevent $300 million in yearly losses from social engineering scams.

A table ZachXBT shared on X showed $65 million stolen from users between December 2024 and January 2025. He also said the real losses could be higher, as his data only came from his direct messages about onchain thefts, and excluded Coinbase support tickets and police reports he couldn’t access. 

A table shared by ZachXBT showed $65M were stolen from Coinbase users in Dec. 2024 - Jan. 2025

The fear of cybercriminals stealing valuable information came true on May 11 when Coinbase published a blog post confirming that account balances, ID images, phone numbers, home addresses and partially hidden bank details were stolen during the data breach.

On May 21, the same threat actor swapped about $42.5 million from Bitcoin (BTC) to Ether (ETH) via THORChain. They used Ethereum transaction input data to write “L bozo,” following it with a meme video of NBA player James Worthy smoking a cigar, seemingly mocking ZachXBT, who later flagged the message on his Telegram channel.

Coinbase data hacker trolling ZachXBT

What happened: Timeline of the Coinbase breach

The 2025 Coinbase breach wasn’t a typical crypto hack involving smart contracts or blockchain vulnerabilities. Instead, it resembled a traditional IT security failure, marked by insider manipulation, corporate espionage and an extortion attempt.

Below is a breakdown of how the incident unfolded:

  • Insider recruitment and information theft began: To steal information from Coinbase, unknown cyber attackers began recruiting some overseas customer service agents (based in India) working for Coinbase. These insiders were paid to leak sensitive customer data and internal documentation, particularly documentation relating to customer service and account management systems. The stolen information was intended for future impersonation scams targeting users.
  • Security detection and employee termination: Coinbase’s internal security team eventually detected suspicious activity linked to these employees. The involved staff were swiftly terminated, and the company alerted affected users. Though just 69,461 accounts were impacted, a fraction of Coinbase’s user base, the depth of stolen personal data made the breach significant.
  • Extortion attempt via email (May 11, 2025): Coinbase received an unsolicited email claiming to possess internal system details and personally identifiable information (PII). This was later confirmed as credible in an 8-K SEC filing. 
  • Coinbase refuses to pay $20M ransom (May 14, 2025): Rather than accepting extortion, Coinbase flipped the script. The company reported the breach to law enforcement, disclosed it publicly and offered a $20 million reward for information leading to the attackers’ arrest, turning defense into offense. 
  • Breach disclosure and public notification: Shortly after the SEC filing, Coinbase publicly confirmed the breach, clarifying the scope and nature of the attack. A data breach notification was filed with the Maine Attorney General’s office, officially stating 69,461 users were affected. 

This timeline reflects how a crypto company responded differently to an attempted cyber-extortion, with transparency, resistance and bold countermeasures. This may change the way companies respond to threats from cyber criminals.

Michael Rubin, an attorney for Coinbase, filed a data breach notification with Maine Attorney General

Did you know? North Korea’s Lazarus Group has stolen over $6 billion in crypto since 2017, including a record-breaking $1.46 billion from Bybit in 2025. 

What data was compromised in the Coinbase data breach in 2025?

According to a notification letter issued by Coinbase, attackers sought this information because they planned to launch social engineering attacks. The information they stole could help them appear credible to victims and possibly convince them to move their funds.

Coinbase detailed the information the threat actors had gained access to and what they could not.

What attackers got

  • Name, address, phone, and email
  • Government‑ID images (e.g., driver’s license, passport)
  • Masked Social Security numbers (last four digits only)
  • Account data (balance snapshots and transaction history)
  • Masked bank account numbers and some bank account identifiers
  • Limited corporate data (including documents, training material, and communications available to support agents)

What attackers couldn’t get

  • Login credentials or 2FA codes
  • Private keys
  • Access to Coinbase Prime accounts
  • Any ability to move or access customer funds
  • Access to any Coinbase or Coinbase customer hot or cold wallets

Did you know? In 2022, Crypto.com lost $30 million from 483 accounts. Initially, they claimed no funds were stolen, but later admitted the breach and refunded victims, highlighting the importance of transparency in crypto hacks.

How Coinbase responded to the 2025 criminal data breach

In response to the 2025 data breach, Coinbase implemented a comprehensive strategy to mitigate damage, support affected users and strengthen its security infrastructure.

Key actions taken by Coinbase included:

  • Refusal to pay ransom: Coinbase declined the $20 million ransom demanded by the attackers. Instead, the company established a $20 million reward fund for information leading to the arrest and conviction of those responsible.
  • Customer reimbursements: The company committed to reimbursing customers who were deceived into sending funds due to the breach. Estimated costs for remediation and reimbursements range between $180 million and $400 million.
  • Theft protection services: The company is providing all affected individuals with one year of complimentary credit monitoring and identity protection services. This includes credit monitoring, a $1 million insurance reimbursement policy, identity restoration services, and dark web monitoring to detect if any personal information appears on illicit online platforms.
  • Enhanced customer safeguards: Affected accounts will require additional ID verification for large withdrawals, including mandatory scam-awareness prompts to prevent further social engineering attacks.
  • Strengthened support operations: Coinbase is opening a new support hub in the US. It has implemented stronger security controls and monitoring across all locations to prevent insider threats.
  • Collaboration with law enforcement: The company is cooperating closely with US and international law enforcement agencies. Insiders involved in the breach were terminated and referred for criminal prosecution.
  • Transparency and communication: Coinbase immediately notified affected customers once the breach was recognized. It is providing ongoing updates about the breach and the steps being taken to address it.

These measures reflected Coinbase's commitment to customer protection and its proactive approach to cybersecurity challenges.
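The monitoring mentioned above can be made concrete. What follows is an added example, not Coinbase’s code and not a description of its systems: a small Python script that parses a constructed support-agent access log and flags agents whose record-access breadth is far above their peers’ or who view customer records with no ticket attached. The log format, field names, action names and thresholds are all assumptions.

```python
"""
Added example: flag support agents whose customer-record access pattern
deviates from their peers. All data below is constructed; the log format,
action names and thresholds are assumptions, not any real system's.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log. Fields: timestamp agent action customer ticket ("-" = none)
SAMPLE_LOG = """\
2025-01-10T09:01:12Z agent_a view_profile  cust_1001 T-5001
2025-01-10T09:05:40Z agent_a view_profile  cust_1002 T-5002
2025-01-10T09:12:03Z agent_b view_profile  cust_1003 T-5003
2025-01-10T09:14:55Z agent_b view_balance  cust_1003 T-5003
2025-01-10T09:20:10Z agent_c view_profile  cust_1004 -
2025-01-10T09:20:14Z agent_c view_id_image cust_1005 -
2025-01-10T09:20:19Z agent_c view_id_image cust_1006 -
2025-01-10T09:20:23Z agent_c view_profile  cust_1007 -
2025-01-10T09:20:27Z agent_c view_id_image cust_1008 -
2025-01-10T09:20:31Z agent_c view_profile  cust_1009 -
2025-01-10T09:30:00Z agent_d view_profile  cust_1010 T-5004
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, agent, action, customer, ticket = line.split()
        records.append({
            "ts": ts,
            "agent": agent,
            "action": action,
            "customer": customer,
            "ticket": None if ticket == "-" else ticket,
        })
    return records


def summarize(records):
    """Per-agent counters: distinct customers touched, ticket-less views, ID-image views."""
    per_agent = defaultdict(lambda: {"customers": set(), "no_ticket": 0, "id_images": 0})
    for r in records:
        s = per_agent[r["agent"]]
        s["customers"].add(r["customer"])
        if r["ticket"] is None:
            s["no_ticket"] += 1
        if r["action"] == "view_id_image":
            s["id_images"] += 1
    return per_agent


def find_outliers(records, breadth_factor=3.0, max_no_ticket=0):
    """
    Return [(agent, [reasons])] for agents that either touched more than
    breadth_factor x the median number of distinct customers, or viewed
    records without a ticket more than max_no_ticket times.
    Thresholds are assumed values for this example.
    """
    stats = summarize(records)
    breadth = {a: len(s["customers"]) for a, s in stats.items()}
    baseline = median(breadth.values())  # peer baseline for this batch
    findings = []
    for agent, s in stats.items():
        reasons = []
        if breadth[agent] > breadth_factor * baseline:
            reasons.append(
                f"distinct customers {breadth[agent]} > {breadth_factor}x median {baseline}")
        if s["no_ticket"] > max_no_ticket:
            reasons.append(f"{s['no_ticket']} record views without a ticket")
        if reasons:
            findings.append((agent, reasons))
    return findings


if __name__ == "__main__":
    for agent, reasons in find_outliers(parse_log(SAMPLE_LOG)):
        print(agent, "->", "; ".join(reasons))
```

In the sample batch only agent_c is flagged, on both rules: six distinct customers against a peer median of 1.5, and every view made without a ticket. A real deployment would compute the baseline over a longer window and per role, but the two signals (breadth of access and access without a business justification) are the ones that matter for the insider pattern this breach involved.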

Did you know? Crosschain bridges, like Nomad Bridge, lost $190 million in 2022 due to complex smart contract vulnerabilities. These bridges are hacker favorites because they store massive crypto assets, making them lucrative targets.

How to stay safe in the event of Coinbase-like data breaches

In the wake of large-scale data breaches of crypto platforms, you should take proactive steps to protect yourself from social engineering attacks. 

Here is how you could stay safe in such an event:

  • Never share sensitive information with impersonators: Scammers often pose as support staff or security agents after a breach. They may push you toward moving funds to crypto wallets they share with you or revealing sensitive information under various pretexts. Never share your password, two-factor authentication (2FA) codes, or recovery phrases with such impersonators. No crypto exchange will ask you to transfer crypto to a “new” or “safe” wallet.
  • Turn on allow-listing of wallet addresses: Some exchanges provide this feature, which restricts withdrawals to pre-approved wallet addresses you fully control. This prevents unauthorized transfers even if your account is compromised. 
  • Enable strong 2FA: For 2FA, use a hardware security key or a trusted authentication app. Avoid relying on SMS-based 2FA, which is vulnerable to SIM-swapping attacks. 
  • Be cautious with unsolicited communication: Hang up immediately if someone calls claiming to be from a crypto platform and asks for security credentials or requests asset transfers. Do not respond to unknown texts or emails with your personal information. 
  • Lock first, investigate later: If anything feels suspicious, lock your account immediately through the app or platform and report the incident to customer support via official channels. 
  • Stay informed: Regularly review security tips and updates from your crypto services to recognize and avoid evolving scam tactics.
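As an added illustration of the allow-listing and additional-verification safeguards described above (this is not Coinbase’s implementation; the address normalization rule, the USD threshold, the field names and the sample addresses are assumptions), here is a withdrawal policy check in Python. It denies destinations outside the account’s allow-list and holds large withdrawals until identity verification and the scam-awareness prompt have both been completed.

```python
"""
Added example: a withdrawal policy that enforces a destination allow-list
and requires step-up verification for large withdrawals. All names, the
threshold and the sample addresses are constructed for this example.
"""
from dataclasses import dataclass
from enum import Enum

LARGE_WITHDRAWAL_USD = 5000.0  # assumed threshold for "large"


class Decision(Enum):
    ALLOW = "allow"
    DENY_NOT_ALLOWLISTED = "deny: destination not on allow-list"
    STEP_UP = "hold: ID verification and scam-awareness acknowledgment required"


def normalize_address(address):
    """EVM-style hex addresses are case-insensitive, so compare them lowercased.
    Other formats are left untouched (many are case-sensitive)."""
    a = address.strip()
    if a.lower().startswith("0x") and len(a) == 42:
        return a.lower()
    return a


@dataclass
class Account:
    allow_list: frozenset          # normalized destination addresses
    allow_listing_enabled: bool    # feature is opt-in on the exchanges that offer it


@dataclass
class Withdrawal:
    destination: str
    usd_value: float
    id_verified: bool = False             # additional ID check completed
    scam_prompt_acknowledged: bool = False  # user confirmed the scam-awareness prompt


def add_to_allow_list(account, address):
    """Return a new Account with the (normalized) address added."""
    return Account(account.allow_list | {normalize_address(address)},
                   account.allow_listing_enabled)


def evaluate(account, w):
    """Apply the two controls in order: allow-list first, then large-amount step-up."""
    dest = normalize_address(w.destination)
    if account.allow_listing_enabled and dest not in account.allow_list:
        return Decision.DENY_NOT_ALLOWLISTED
    if w.usd_value >= LARGE_WITHDRAWAL_USD and not (w.id_verified and w.scam_prompt_acknowledged):
        return Decision.STEP_UP
    return Decision.ALLOW


# Constructed sample addresses (not real wallets)
SAMPLE_ALLOWED = "0x" + "AB" * 20
SAMPLE_UNKNOWN = "0x" + "CD" * 20


def demo():
    acct = add_to_allow_list(Account(frozenset(), True), SAMPLE_ALLOWED)
    return [
        evaluate(acct, Withdrawal(SAMPLE_ALLOWED.lower(), 100.0)),          # ALLOW
        evaluate(acct, Withdrawal(SAMPLE_UNKNOWN, 100.0)),                  # DENY
        evaluate(acct, Withdrawal(SAMPLE_ALLOWED, 10000.0)),                # STEP_UP
        evaluate(acct, Withdrawal(SAMPLE_ALLOWED, 10000.0, True, True)),    # ALLOW
    ]


if __name__ == "__main__":
    for d in demo():
        print(d.value)
```

The ordering matters: the allow-list is checked before the amount, so an attacker who has talked a victim through the verification steps still cannot send funds to an address the victim never pre-approved. Normalizing addresses before comparison avoids the failure mode where a mixed-case copy of an approved address is wrongly rejected, or a lowercase one wrongly accepted by a case-sensitive check.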