On May 11, 2025, the CEO of America’s biggest crypto exchange opened an email from criminals claiming to hold the personal data of tens of thousands of Coinbase customers: names, home addresses, photos of government IDs, partial bank details. The price for silence: $20 million in Bitcoin. The most alarming part wasn’t the demand. It was how the data got out.

Key Takeaways

  • $20 million ransom demanded on May 11, 2025: Coinbase refused, and instead put the same $20 million up as a bounty on the attackers.
  • 69,461 customers had personal data stolen, according to a filing with the Maine Attorney General’s office.
  • No software was hacked: criminals simply bribed outsourced support agents who already had legitimate access to customer data.
  • Total cost: $180 million to $400 million, with roughly $355 million already spent by Coinbase’s Q3 2025 earnings report.
  • The leak ran for months, from late 2024 until the extortion email finally exposed its full scale.
  • First arrest: December 27, 2025, when police in Hyderabad, India detained an ex-support agent.

How Did the Coinbase Data Breach Happen?

The Coinbase breach happened because criminals bribed outsourced customer support agents (many working overseas, mainly in India) to copy customer data straight out of the company’s internal tools. Nobody broke through a firewall. Nobody found a zero-day exploit or wrote custom malware. The attackers went after the people who answer the phone when you’re locked out of your account, and offered them cash. Some said yes.

Once bribed, those agents didn’t need to hack anything. They already had access. The internal tools they used every day to help customers displayed names, email addresses, phone numbers, home addresses, dates of birth, the last four digits of Social Security numbers, masked bank account numbers, and photos of government-issued IDs. They couldn’t see passwords or private keys, and they couldn’t move anyone’s crypto. It didn’t matter.

Reporting later traced the leak to staff at an outsourcing firm’s operations in India. Reuters reported the scheme surfaced at a TaskUs site in Indore after an employee was allegedly caught photographing her screen, and that hundreds of workers there were subsequently let go. Coinbase has said the insiders involved were fired and referred to law enforcement.

The stolen data became the weapon for the next stage: impersonation. Criminals called customers pretending to be Coinbase support, already armed with the victim’s address, bank, and partial SSN. When someone who knows everything about you says they’ve detected suspicious activity on your account, the “security steps” they walk you through, which quietly move your crypto to a wallet they control, sound completely believable. It’s the same playbook covered across our hacks archive: humans, not software, are the way in.

How Much Did the Coinbase Breach Cost?

Coinbase estimated the total cost of the breach at $180 million to $400 million, covering customer reimbursements, security upgrades, and legal fees. By its Q3 2025 earnings report it had already spent roughly $355 million. That makes a few thousand dollars in bribes one of the highest-leverage crimes in corporate history.

The leaking had reportedly been going on since late 2024, and Coinbase’s security team noticed something was off as early as January 2025. But the full scale only landed with that May email. When Coinbase dug in, a filing with the Maine Attorney General’s office put the count at 69,461 customers: under 1% of its roughly 9.7 million monthly transacting users, and cold comfort to anyone whose passport photo was in a criminal’s hands.

DateEvent
Late 2024Bribed support agents begin leaking customer data
January 2025Coinbase security flags unusual access patterns
May 11, 2025$20 million extortion email arrives
May 2025Public disclosure, the same week Coinbase joins the S&P 500
Q3 2025Remediation costs hit roughly $355 million
December 27, 2025Ex-support agent arrested in Hyderabad, India

The timing was brutal: Coinbase disclosed the breach in an SEC filing on May 15, 2025 (the same week it was added to the S&P 500), and the stock fell more than 6% the morning the news broke. Within days, customers had filed multiple class-action lawsuits. And the stolen data carried dangers beyond fraud: home addresses of known crypto holders are kidnapping targets, a threat underscored by a string of abductions of crypto figures in France that same year.

Flipping the Ransom Into a Bounty

Most companies facing a $20 million extortion demand quietly negotiate. Coinbase did the opposite. CEO Brian Armstrong posted a video to X and drew the line in five words:

“We will not fund criminals,” Brian Armstrong said in response to the extortion demand.

Then came the power move. Instead of paying the $20 million, Coinbase offered the exact same amount as a bounty for information leading to the attackers’ arrest and conviction. Every associate who knew what the criminals had done suddenly had 20 million reasons to talk. The bribed agents were fired the same day and referred to US and international law enforcement, and Coinbase pledged to reimburse every customer tricked by the impersonation scams. Chief security officer Philip Martin skipped the corporate boilerplate entirely, telling Fortune, in effect: this sucks, we own it, we’re making it right.

The contrast with the industry norm is stark. Caesars Entertainment reportedly paid its extortionists around $15 million in 2023 to keep stolen data quiet. Coinbase also said it would stand up new US-based support operations and tighten insider-threat monitoring, an admission that the cheap-support model itself was the vulnerability.

Why This Should Scare Everyone

The Coinbase breach isn’t really a crypto story. It’s an insider story, and insiders are now an industry. Security researchers tracked over 91,000 attempts by criminals to recruit company insiders on platforms like Telegram in 2025 alone. Verizon’s 2025 breach report found third-party involvement in breaches doubled to 30% in a single year.

The recent record reads like one long lesson in the same exploit:

  • Twitter, July 2020: attackers phone-phished employees and hijacked about 130 high-profile accounts (Obama, Musk, Apple) for a Bitcoin scam.
  • MGM Resorts, September 2023: one convincing call to an IT help desk shut down casino floors and hotel systems, at a reported cost of roughly $100 million.
  • Coinbase, 2024-25: no call needed. The insiders were simply paid to open the door themselves.

The math is simple: why spend months attacking a hardened network when a few thousand dollars handed to someone in customer support opens the door? It’s the same logic the Lapsus$ gang used when a teenager hacked GTA 6 from a hotel room after the group openly offered telecom employees weekly payments for access. And it’s the same logic the Medusa ransomware gang followed when it tried to buy a BBC journalist with a cut of a future ransom. Your bank, your phone carrier, your clinic: all of them have support staff staring at your data on a screen, and every one of them can, in theory, be bribed.

The Critical Choice

The decision that made this breach inevitable was made years before the ransom email: giving thousands of outsourced support agents a full view of customers’ most sensitive data without monitoring intense enough to catch one of them going rogue. Coinbase saved money on support the way nearly every large company does. And for roughly five months, nobody noticed the screenshots leaving the building. The world’s most expensive security stack cannot protect you from a person who already has the password.

But a second choice defined how the story ended. When the email arrived, Coinbase chose confrontation over quiet payment: refusing the ransom, publishing the details, and putting a $20 million price on the attackers’ heads. One choice created the disaster; the other turned it into a manhunt.

Where Things Stand Now

On December 27, 2025, Armstrong posted again: thanks to police in Hyderabad, an ex-Coinbase customer service agent had been arrested: “another one down and more still to come.” Coinbase confirmed it is working with the Brooklyn District Attorney’s office and the US Department of Justice, which opened its own investigation in 2025. The extortionists never saw a penny. The $20 million bounty remains active, and Coinbase says anyone with information can email security@coinbase.com with “bounty” in the subject line.