Coinbase has revealed a data breach involving bribed overseas support agents who leaked customer information. This incident resulted in an unsuccessful $20 million extortion attempt and led the company to implement stricter security measures.
Coinbase, one of the world’s leading cryptocurrency exchanges, has disclosed a data breach involving a small group of its overseas customer support agents. According to the company, unknown cybercriminals bribed these agents to gain unauthorized access to sensitive customer data, affecting less than 1% of its 9.7 million monthly transacting users.
The attackers then used the stolen data to contact users while impersonating Coinxzbase, tricking some into transferring their cryptocurrency assets. No funds were stolen directly from Coinbase accounts, but several customers were duped into handing over assets through social engineering scams.
On May 11, 2025, the attackers attempted to extort Coinbase for $20 million, claiming to possess internal documents and customer information. The extortion attempt failed.
The breach targeted outsourced support agents based in India, who were offered cash in exchange for access to Coinbase’s customer support tools. This insider manipulation began as early as January 2025, with attackers allegedly gaining "effectively on-demand access" to customer information for nearly five months. Coinbase disputes the claim that persistent access was maintained throughout.
Compromised data includes:
Crucially, no passwords, private keys, or customer funds stored in Coinbase accounts were compromised, and Coinbase Prime users remain unaffected.
See also: What is personally identifiable information (PII)
“Criminals targeted our customer support agents overseas,” Coinbase said in a statement, adding, “They used cash offers to convince a small group of insiders to copy data in our customer support tools.”
“There were a number of specific bribery incidents… but [attackers] did not have persistent access,” said Philip Martin, Coinbase’s Chief Security Officer, in comments to Bloomberg.
“The compromised agents have all been terminated,” Coinbase confirmed to Fortune.
The company is now reimbursing users who lost funds due to the phishing scam and is enforcing stricter security protocols, including additional ID verification on flagged accounts and withdrawal restrictions.
Insider threats are one of the most difficult cybersecurity challenges to detect and prevent. According to the 2024 Insider Threat Report by Cybersecurity Insiders, 90% of organizations find insider attacks as difficult or more difficult to detect than external ones, yet only 16% consider themselves extremely effective at managing them. This difficulty arises because, unlike external attackers, insiders, such as employees, contractors, or third-party vendors, already have legitimate access to systems and data, which can be exploited intentionally (through sabotage or theft) or unintentionally (via negligence or manipulation).
Bribery, social engineering, and weak access controls can turn trusted individuals into vulnerabilities.
Read also: The danger of unintentional insiders
Insider threats are a growing concern, especially as companies increasingly rely on outsourced support teams with access to sensitive data. The Coinbase breach shows how even a small group of compromised insiders can be leveraged by attackers to bypass traditional security measures. It highlights the urgent need for tighter access controls, better oversight, and stronger deterrents against internal misuse.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
They can happen through intentional misconduct (like theft or sabotage) or unintentional actions (like falling for phishing scams or mishandling data). In some cases, insiders are bribed or coerced by external attackers.
Read also: Mitigating the threat of insider data breaches in healthcare organizations
Personal data such as names, email addresses, phone numbers, identification documents, financial information, and login credentials are commonly targeted.