Coinbase Hit With $400M Liability After Insider Phishing Breach

Coinbase Declines $20M Ransom After Insider-Driven Phishing Breach, Faces Up to $400M in Recovery Costs

Cryptocurrency exchange Coinbase has revealed that it refused to pay a $20 million ransom demanded by attackers who orchestrated a phishing attack by enlisting rogue customer support agents overseas. The breach exposed limited user data and is expected to cost the company between $180 million and $400 million in reimbursement and remediation.

In a blog post dated May 15, Coinbase disclosed that external threat actors successfully bribed several third-party support contractors, granting them access to internal systems. These insiders misused their privileges to steal partial account data affecting less than 1% of Coinbase’s monthly active users. No funds, private keys, or Coinbase Prime accounts were compromised.

Following the theft, the cybercriminals attempted to extort $20 million in Bitcoin from Coinbase in exchange for keeping the incident quiet. Coinbase rejected the demand and instead announced a $20 million bounty for information leading to the perpetrators’ arrest and conviction.

Coinbase noted that it would cover losses for users deceived by phishing attacks, projecting recovery costs as high as $400 million. These figures were disclosed in an 8-K filing with the SEC, categorized under “voluntary customer reimbursements” and internal remediation actions.

CEO Brian Armstrong confirmed on X that attackers had spent months targeting Coinbase’s overseas support agents with bribes. In response, the exchange is revamping its internal security protocols and plans to relocate parts of its support operations to prevent future breaches.

Phishing remains a serious risk for Coinbase users. Blockchain analyst ZachXBT recently estimated that over $45 million was lost to such schemes in just the first week of May. He also reported that annual user losses from social engineering scams on Coinbase exceed $300 million.