Compiled by: Felix, PANews
On May 15, two pieces of negative news about Coinbase led to a "Waterloo" for its stock price.
First, Coinbase disclosed a cyber attack incident involving stolen internal data and customer information, with potential financial impact between $180 million and $400 million.
Additionally, sources claim that the US SEC is still investigating whether Coinbase misreported user data before its 2021 listing.
Following these two pieces of negative news, Coinbase's stock price dropped 7.2% during the day.
Customer support staff leaked user data; attackers demanded $20 million ransom
Coinbase reported that cybercriminals bribed and recruited rogue overseas customer support personnel, who abused their access to customer support systems to steal data belonging to less than 1% of monthly trading users (about 80,000-100,000). Although no funds, passwords, or private keys were stolen, and Coinbase Prime accounts were "unaffected", the attackers used this data to launch targeted social engineering scams.
Regarding this attack method, some crypto professionals commented that such targeted social engineering attacks (using overseas customer support teams) are not uncommon in the crypto industry, because active user information from crypto exchanges is far more valuable than imagined. Top exchanges have an average user acquisition cost of $5-50 per effective user, while small and medium exchanges have an average cost of $50-300.
After launching the social engineering scam, the Coinbase attackers sent a ransom letter demanding $20 million worth of bitcoin and threatening to publish the stolen customer data if Coinbase did not pay.
The report stated that attackers obtained:
- Names, addresses, phone numbers, and email addresses
- Masked social security numbers (last 4 digits only)
- Masked bank account numbers and some bank account identifiers
- Government ID document images (such as driver's licenses, passports)
- Account data (balance snapshots and transaction histories)
- Limited company data (including documents, training materials, and communication information available to support staff)
However, the following were "not stolen": login credentials, two-factor authentication codes, private keys, the ability to transfer or access customer funds, access to Coinbase Prime accounts, and access to any Coinbase or Coinbase customer's hot or cold wallets.
Multiple measures to address the attack, refusing to pay ransom and issuing bounty
After the incident, Coinbase took a series of response measures.
First, it cooperated closely with law enforcement. The internal personnel who leaked data were immediately fired and handed over to US and international law enforcement, with Coinbase stating it will file criminal charges.
Second, it tracked stolen funds. Coinbase worked with industry partners to tag the attackers' addresses to help authorities track and recover assets. It also promised to compensate customers who were tricked into sending money to the attackers. To further secure its support operations, Coinbase will open new support centers in the US and strengthen security controls and monitoring at all locations.
Regarding the $20 million ransom demanded by the attackers, Coinbase responded that it will not pay. Meanwhile, Coinbase will establish a $20 million reward fund for those who provide clues that help arrest and convict the attackers.
Coinbase users falling victim to social engineering attacks may have become the "norm"
Despite these seemingly proactive response measures, security incidents at Coinbase seem to occur frequently and involve significant losses, especially social engineering scams targeting users.
In February this year, on-chain detective ZachXBT disclosed on X that Coinbase users lost over $65 million to social engineering scams between December 2024 and January 2025. He stated that the estimated $65 million is likely "far below" the actual amount, as it does not consider cases submitted to Coinbase support and law enforcement.
ZachXBT listed multiple security incidents and "criticized" Coinbase for not properly handling such scams. "Coinbase needs to make urgent changes because more and more users are being scammed out of millions of dollars monthly. Other major exchanges have not experienced similar situations."
ZachXBT also urged Coinbase leadership to consider strengthening measures against social engineering attacks, including allowing KYC-verified users to optionally enter phone numbers on the platform, adding withdrawal-restricted account types for new users, and enhancing community outreach.
These proposals may not have been adopted by Coinbase, but this ransom incident might serve as a wake-up call.