
Coinbase shows bribery can lead to breaches

In May 2025, cryptocurrency giant Coinbase revealed a data breach with an unusual root cause: bribery. In this case, employees were bribed into handing over access to sensitive customer data.

While a relatively small breach, affecting less than 1% of Coinbase’s 9.7 million monthly transacting users, the incident shows that bribery can still lead to damaging breaches.

The data breach

Coinbase has confirmed that it suffered a data breach after cybercriminals successfully bribed outsourced customer support agents to gain access to internal systems. The company disclosed that a few overseas support agents, specifically those based in India, were paid off by threat actors in exchange for copying customer data from Coinbase’s support tools. According to Coinbase, less than 1% of its 9.7 million monthly transacting users were affected.

“Criminals targeted our customer support agents overseas,” Coinbase said in a public statement. “They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than 1% of Coinbase monthly transacting users.”

The attackers used the stolen information to impersonate Coinbase and deceive customers into transferring their cryptocurrency assets. On May 11, 2025, the same threat actors attempted to extort $20 million from the company, claiming to have access to sensitive internal documents and customer information. The extortion attempt was unsuccessful.

The data stolen includes:

  • Names, addresses, phone numbers, and email addresses
  • Masked Social Security numbers (last four digits only)
  • Masked bank account details and some identifiers
  • Government-issued ID images
  • Account data like transaction history and balance snapshots
  • Limited internal support documentation and communications

Notably, no passwords, private keys, or Coinbase Prime accounts were compromised. The agents involved have since been terminated, and Coinbase has begun reimbursing affected customers who were tricked into transferring their funds.

What makes this breach different

Unlike typical cyberattacks that exploit software vulnerabilities or rely on phishing campaigns, this breach was enabled by human cooperation, specifically through bribery.

Coinbase’s Chief Security Officer, Philip Martin, explained the attackers had spent months identifying and approaching individuals with system access: “What these attackers were doing was finding Coinbase employees and contractors based in India who were associated with our business process outsourcing or support operations... and bribing them in order to obtain customer data.”

Although Coinbase disputes the attackers' claim of "on-demand access" over several months, the company acknowledges that suspicious behavior from certain agents was detected as early as January 2025.

This breach reminds organizations that internal threats, particularly from outsourced or poorly monitored teams, can be just as damaging as external hacking attempts. It also shows that threat actors who cannot penetrate a system may try to buy their way in instead.

The problem

At the core of this breach is a growing cybersecurity concern: the human element. Cybersecurity Insiders notes, “From 2019 to 2024, the number of organizations reporting insider attacks increased from 66% of organizations to 76%, indicating a substantial increase in detected insider threats.” This trend reflects the rise in insider threats and the need for improved detection capabilities, demonstrating the persistent challenge of managing insider risks in increasingly complex digital environments.

Organizations must note that digital security tools like encryption and firewalls can’t prevent a support agent from copying data when paid off by a malicious actor. In this case, the attackers bypassed Coinbase’s digital defenses by targeting underpaid or under-supervised workers with access to sensitive data.

This incident raises a red flag for businesses worldwide: even the most advanced digital infrastructure can be compromised by a simple cash transaction.

Key questions for businesses

As attackers increasingly resort to social engineering and bribery, companies must ask themselves:

  • How secure are our people?
  • Are we monitoring access effectively?
  • Are our employees incentivized to protect user data?

If the answers to these questions are unclear or uncomfortable, it may be time to re-evaluate internal security practices.

The solution

Coinbase has taken immediate steps to strengthen its defenses:

  • Fired compromised agents
  • Reimbursed customers tricked through impersonation scams
  • Enforced additional identity verification for large withdrawals
  • Created a $20 million reward fund for information leading to the attackers’ arrest and conviction

But broader, long-term solutions are needed. These may include:

Stronger access controls and monitoring

Companies must adopt strict access control policies. Only employees who need specific data to perform their roles should be granted access to it. Additionally, real-time monitoring and behavior analytics can help flag unusual access patterns or data exfiltration attempts before damage occurs.
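As an added illustration of the behavior analytics this section calls for, the following Python (written for this page, not Coinbase’s own monitoring tooling) flags a support agent whose daily count of distinct customer records viewed jumps far above that agent’s own history. The log format, agent ids and customer ids are constructed assumptions.

```python
# Added example for this article (not Coinbase's monitoring tooling): flag a
# support agent whose daily volume of distinct customer-record lookups jumps
# far above that agent's own baseline. Log format and ids are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def build_sample_log():
    """Constructed support-tool access log: agent_a views 5 customers a day
    for five days and then 40 on day six; agent_b is steady at 6 a day."""
    lines = []
    for day in range(1, 7):
        lookups_a = 40 if day == 6 else 5
        for i in range(lookups_a):
            lines.append(f"2025-01-{day:02d}T10:{i:02d}:00Z agent_a VIEW_CUSTOMER cust_{day * 100 + i}")
        for i in range(6):
            lines.append(f"2025-01-{day:02d}T11:{i:02d}:00Z agent_b VIEW_CUSTOMER cust_{day * 100 + 50 + i}")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'timestamp agent action customer_id' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, agent, action, customer = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), agent, action, customer))
    return events


def daily_distinct_customers(events):
    """Return {agent: {date: number of distinct customers viewed that day}}."""
    seen = defaultdict(set)
    for ts, agent, action, customer in events:
        if action == "VIEW_CUSTOMER":
            seen[(agent, ts.date())].add(customer)
    per_agent = defaultdict(dict)
    for (agent, day), customers in seen.items():
        per_agent[agent][day] = len(customers)
    return per_agent


def flag_anomalies(per_agent, z=3.0, min_sigma=1.0, floor=20.0, min_history=3):
    """Alert when a day's count exceeds the agent's own prior-days mean plus
    z standard deviations. min_sigma stops a perfectly flat history from
    producing a zero-width band; floor suppresses alerts on tiny volumes."""
    alerts = []
    for agent, days in per_agent.items():
        for day, count in sorted(days.items()):
            history = [c for d, c in days.items() if d < day]
            if len(history) < min_history:
                continue  # not enough of this agent's own history yet
            mu, sigma = mean(history), pstdev(history)
            threshold = max(floor, mu + z * max(sigma, min_sigma))
            if count > threshold:
                alerts.append((agent, day.isoformat(), count, round(threshold, 1)))
    return alerts


def run_demo():
    """Run the whole pipeline over the constructed log and return the alerts."""
    return flag_anomalies(daily_distinct_customers(parse_log(build_sample_log())))


if __name__ == "__main__":
    for agent, day, count, threshold in run_demo():
        print(f"ALERT {agent} on {day}: {count} distinct customers viewed (threshold {threshold})")
```

The baseline is per agent, so a steady high-volume agent is not penalized for being busy; the absolute floor keeps a jump from 2 to 9 lookups from paging anyone. A production version would also compare each agent against peers in the same queue, since a colluding agent can grow their baseline slowly over weeks before copying data in bulk.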

Employee vetting and ethics training

Comprehensive background checks and continuous ethics training can make employees more aware of the risks and responsibilities that come with data access. This includes both internal employees and third-party vendors and contractors.

Competitive compensation and incentives

One of the biggest motivators for accepting a bribe is financial strain. Ensuring fair compensation and offering bonuses tied to security compliance can reduce the temptation to sell access.

Anonymous reporting mechanisms

Organizations should implement secure, anonymous channels for reporting suspicious behavior or bribery attempts. This creates a culture of accountability and vigilance among employees.

Minimize data exposure

Segment data across systems and restrict access to the minimum necessary for each role. This limits the amount of information any one employee can access and reduces the fallout in the event of a breach.
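An added example of minimum-necessary access, not code from Coinbase: a role-to-field policy that gives each role a view containing only the fields it needs, masking identifiers the way the article describes (last four digits of an SSN, partial bank account), and records each view for the monitoring side. The roles, field names, masking rules and sample record are assumptions constructed for illustration.

```python
# Added example (not Coinbase's code): a role-to-field policy that hands each
# role only the customer fields it needs, masking identifiers the way the
# article describes. Roles, field names and the sample record are constructed.

# role -> {field: "full" | "masked"}; any field not listed is withheld entirely.
FIELD_POLICY = {
    "tier1_support": {"name": "full", "email": "masked", "phone": "masked", "ssn": "masked"},
    "fraud_analyst": {"name": "full", "email": "full", "phone": "full", "ssn": "masked",
                      "bank_account": "masked", "balance": "full"},
    "compliance": {"name": "full", "ssn": "full", "bank_account": "full",
                   "government_id_image": "full"},
}

# How each sensitive field is masked when a role receives it in "masked" mode.
MASKERS = {
    "ssn": lambda v: "***-**-" + v[-4:],
    "bank_account": lambda v: "*" * (len(v) - 4) + v[-4:],
    "phone": lambda v: "***-***-" + v[-4:],
    "email": lambda v: v[0] + "***@" + v.split("@", 1)[1],
}

# Constructed sample record; no real person or account.
SAMPLE_RECORD = {
    "customer_id": "cust_1001",
    "name": "Example Customer",
    "email": "customer@example.com",
    "phone": "555-010-1234",
    "ssn": "123-45-6789",
    "bank_account": "000123456789",
    "government_id_image": "<constructed placeholder for an ID image>",
    "balance": "0.42 BTC",
}


def view_for_role(record, role, audit=None, agent="unknown"):
    """Return the subset of record that a role may see, masked per policy.
    Unknown roles get nothing; when an audit list is supplied, every view is
    appended to it so access monitoring has something to analyse."""
    policy = FIELD_POLICY.get(role)
    if policy is None:
        raise PermissionError(f"no field policy for role {role!r}")
    view = {}
    for field, mode in policy.items():
        if field not in record:
            continue
        if mode == "full":
            view[field] = record[field]
        elif mode == "masked":
            masker = MASKERS.get(field)
            if masker is None:
                raise ValueError(f"field {field!r} has no masker but policy says 'masked'")
            view[field] = masker(record[field])
        else:
            raise ValueError(f"unknown mode {mode!r} for field {field!r}")
    if audit is not None:
        audit.append({"agent": agent, "role": role, "customer_id": record.get("customer_id"),
                      "fields": sorted(view)})
    return view


if __name__ == "__main__":
    audit_log = []
    for role in FIELD_POLICY:
        print(role, view_for_role(SAMPLE_RECORD, role, audit_log, agent="agent_a"))
    print(audit_log)
```

The point of the design is that a tier-1 agent never holds the full SSN, bank account or ID image in the first place, so a bribed agent in that role can only copy what the policy already exposes; the audit entries are the raw material for the volume-based monitoring described under access controls.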

FAQs

What is the long-term impact of such breaches?

Beyond financial loss, insider breaches can damage customer trust, tarnish brand reputation, and lead to regulatory scrutiny or legal consequences.

What can businesses do to prevent insider threats?

Best practices include enforcing access controls, monitoring employee activity, offering fair compensation, implementing ethics training, and using behavioral analytics to detect anomalies.

Are outsourced teams more vulnerable to insider threats?

Yes, outsourced or third-party teams may have less oversight, making them more susceptible to bribery or coercion if not properly vetted and monitored.