On May 15th, 2025, Coinbase notified over 69,000 customers that their
personal data had been compromised in a data breach. If you are one of
these 69,000+ customers, you have already received an email from
Coinbase alerting you to this fact.
But even if you are not part of the thousands of Coinbase platform
users who are now susceptible to identity fraud, you may be wondering
just what happened to cause the cryptocurrency market mogul to leak
data. We’ve got everything you need to know here, so keep reading.
What Was the Coinbase Data Breach?
On May 11th, 2025, Coinbase received a ransom note from a malicious
hacker who claimed to have the personal details of over 69,000 Coinbase
users. The hacker then demanded $20 million in the BTC equivalent to
delete the data. Coinbase declined.
Coinbase investigated the breach itself and discovered that the
malicious hacker had indeed obtained information about its customers,
and had done so by bribing some non-US Coinbase employees for their
agent access. The hacker was then able to download this information
over a period of 6 months.
These employees have all since been found and fired, and Coinbase is
offering a $20 million equivalent BTC reward to anyone who can give
information leading to the arrest of the hacker.
What Information Was Stolen?
Before you panic, know that the hacker did not steal quite as much
information as he thought he stole. Much of what he was given access to
was partially masked—meaning he isn’t able to completely take over your
social security number and claim benefits in your name.
That being said, he did collect enough to give him leverage to carry
out social engineering scams, meaning that if someone contacts you
claiming to be a Coinbase agent and to have certain information about
you, this could be him. Do not transfer any money at the direction of a
Coinbase agent.
The information stolen was as follows:
Client names
Client addresses
Client phone numbers
Client emails
Partially masked social security numbers (only the last 4 digits)
Masked bank account numbers
Government ID images (submitted to Coinbase for KYC)
Account data (balances and transaction history)
Information about Coinbase corporate
While this may sound scary, know that they did not get login
credentials, private keys, or the ability to access any accounts. This
means your money is not currently in danger of being stolen, but
someone might have enough information about you to convince you to move
your funds to their account. Stay vigilant, and do not believe any calls
or emails you receive from anyone claiming to work for Coinbase.
What Should You Do?
If you are a current customer of Coinbase, check your email for a
notification that your account has been compromised. These
emails went out on May 15th, 2025, to everyone affected. If you did not
get an email, you were NOT affected.
If you were affected, Coinbase recommends taking the following steps:
Turn on withdrawal allow listing (only allows withdrawals to trusted accounts)
Enable 2FA if you haven’t already
Don’t answer the phone from numbers you don’t recognize.
If you receive a call from someone claiming to work at Coinbase, hang up.
Lock your account if you feel threatened. Then contact security@coinbase.com
Do not click any links in any emails from Coinbase, even if they look
legit. Instead, sign directly into your account via a web browser and
make any changes there.
Use a cold wallet to store cryptocurrency funds whenever possible.
Note that Coinbase has already flagged your account, and you will be
required to present extra identification the next time you log in.
What If You Have Already Been Scammed?
Unfortunately, because this scheme has been carried out by the
malicious actor since December 2024, some individuals have already been
scammed. If you or someone you know has already been convinced to move
funds off the Coinbase platform maliciously, contact Coinbase customer
support immediately.
Remember, only those who received an email on May 15th, 2025, were
affected by the breach. If that was you, and you sent money to someone
who later turned out to be a scammer (between December 2024 and May
2025), email security@coinbase.com to start the investigation into the
transfer. If it is found to be connected to the data breach, you will be
reimbursed.
Why Didn’t Coinbase Pay the Ransom?
Many online are asking why Coinbase didn’t pay the ransom, and
honestly, we agree with their decision. This is because paying the $20
million ransom would not guarantee that the illegally farmed data would
be deleted. Rather, the criminal would receive $20 million, and could
continue to carry out social engineering scams.
Coinbase made the right decision, instead offering the $20 million
equivalent in BTC as a reward for information that leads to the
criminal’s capture. They
are also putting funds into ensuring a breach like this doesn’t happen
again.
Who is Behind the Coinbase Breach?
Currently, there is no conclusive information as to who is behind the
Coinbase breach, though many cryptocurrency investigators are working
to find out (also so they can receive the reward!).
Coinbase is tracking the stolen funds wherever possible, and they do
know that the hacker has already used THORChain to launder the stolen
money, switching stolen ETH for DAI, a US dollar-pegged stablecoin. The
hacker has also been mocking known cryptocurrency detectives.
We believe that eventually this thief will be caught, as Coinbase is a
powerhouse in the cryptocurrency exchange world, and they have several
employees who were part of the heist. While it might take some time,
they do have money and well-known investigators at their disposal, so we
do have confidence they will find the malicious actor.
Just make sure to brush up on your social engineering scam prevention
skills and question anything that comes from Coinbase. Remember,
Coinbase will never ask you to transfer money—EVER. They will also not
ask for your login information.
This article was brought to you by the Crypto Dice game on MintDice. Originally posted to the MintDice Blog.