Coinbase 100,000 user data leaked, hacker demands $20 million for silence
On May 15th, two pieces of negative news about Coinbase caused its stock price to suffer a "Waterloo". First, Coinbase disclosed a cyber attack involving stolen internal data and customer information, with a potential financial impact of between $180 million and $400 million. Additionally, sources claimed that the US SEC is still investigating whether Coinbase misreported user data before its 2021 listing. Under the influence of these two news items, Coinbase's stock price dropped 7.2% during the day.
Customer Support Leaked User Data and Demanded $20 Million Ransom
In the report, Coinbase stated that cybercriminals bribed and recruited malicious overseas customer support personnel, who abused their access to customer support systems to steal data belonging to less than 1% of monthly trading users (approximately 8-10,000). Although no funds, passwords, or private keys were stolen, and Coinbase Prime accounts were "unaffected", the attackers used this data to launch targeted social engineering scams.
Regarding this attack method, some crypto professionals commented that such targeted social engineering attacks (using overseas customer support teams) are not uncommon in the crypto industry. Active user information from crypto trading platforms is far more valuable than imagined. The average user acquisition cost for top trading platforms is $5-50 per effective user, while for small and medium platforms it ranges from $50-300. After launching the social engineering scam, the Coinbase attackers sent a ransom letter demanding $20 million worth of Bitcoin and threatening to publish the stolen customer data if Coinbase did not pay.
The report indicated that attackers obtained:
· Names, addresses, phone numbers, and email addresses
· Masked social security numbers (only last 4 digits)
· Masked bank account numbers and some bank account identifiers
· Government ID document images (such as driver's licenses, passports)
· Account data (balance snapshots and transaction histories)
· Limited company data (including documents, training materials, and communication information available to customer support personnel)
However, login credentials, two-factor authentication codes, and private keys were "not stolen", and the attackers did not gain the ability to transfer or access customer funds, access to Coinbase Prime accounts, or access to Coinbase or Coinbase customer hot or cold wallets.
Multiple Measures to Counter Attack, Refuse Ransom and Issue Bounty
After the incident, Coinbase took a series of response measures. First, it cooperated closely with law enforcement. The internal personnel who leaked data were immediately fired and handed over to US and international law enforcement, with Coinbase stating it would file criminal charges.
Second, it tracked the stolen funds. Coinbase worked with industry partners to mark the attackers' addresses to help authorities track and recover assets. It also promised to compensate customers who were tricked into transferring money to the attackers. To further secure its support operations, Coinbase will open new support centers in the US and strengthen security controls and monitoring at all locations. Regarding the $20 million ransom, Coinbase responded that it would not pay. Meanwhile, it will establish a $20 million reward fund to incentivize those providing clues that help arrest and convict the attackers.
Social Engineering Attacks on Coinbase Users May Have Become the "Norm"
Despite these seemingly proactive response measures, security incidents at Coinbase appear to occur frequently and involve substantial theft amounts, especially social engineering scams targeting users. In February this year, on-chain detective ZachXBT disclosed on X that Coinbase users lost over $65 million to social engineering scams between December 2024 and January 2025. He stated that the estimated $65 million might be "far below" the actual amount, as it did not consider cases submitted to Coinbase support and police.
ZachXBT listed multiple security incidents and "criticized" Coinbase for not properly handling such scams. "Coinbase urgently needs to change, as more users are being scammed millions of dollars monthly. Other large trading platforms have not experienced similar situations."
ZachXBT also urged Coinbase's leadership to consider strengthening measures against social engineering attacks, including allowing KYC-verified users to optionally input phone numbers on the platform, adding withdrawal-restricted account types for new users, and enhancing community outreach. Coinbase might not have adopted these proposals, but this ransom incident might serve as a wake-up call.