Crypto-News

Coinbase 2025 Data Breach: What Was Stolen and How to Protect Yourself

In May 2025, Coinbase—the largest U.S.-based crypto exchange—faced a troubling security incident that rattled confidence in its customer safety protocols. What started as a mysterious email evolved into a full-fledged data breach with potentially long-lasting implications for the platform’s users.

A Ransom Demand Sparks Investigation

On May 11, Coinbase received an unsolicited email from an anonymous source claiming to have obtained sensitive user data. The threat actor demanded $20 million in exchange for not leaking the information. While the message set off alarm bells, it wasn’t completely out of the blue. Earlier in the year, blockchain sleuth ZachXBT had already warned of suspicious activity involving Coinbase accounts, citing social engineering attacks and internal security gaps.

According to his findings, roughly $65 million had been siphoned from Coinbase users between December 2024 and January 2025. That figure, drawn from user-submitted incidents on-chain, suggested the actual total could be significantly higher once support tickets and law enforcement reports were counted.

What the Hackers Actually Got

Coinbase later confirmed that the breach compromised a range of personally identifiable information (PII). This included full names, email addresses, phone numbers, home addresses, images of government-issued IDs, and even the last four digits of Social Security numbers. Also affected were account balance snapshots, transaction histories, and partially masked bank account details.

Fortunately, the attackers were unable to access more sensitive assets: login credentials, private keys, 2FA codes, and crypto wallets remained untouched. Prime accounts were also unaffected, and the attackers gained no direct access to customer funds.

An Unusual Hack with Insider Ties

Unlike the typical DeFi exploits involving smart contract vulnerabilities, this breach resembled a traditional corporate espionage event. Cybercriminals reportedly recruited a small group of overseas Coinbase support agents—primarily from India—and paid them to leak internal documents and user data.

Once Coinbase’s internal security team detected anomalies, the implicated employees were swiftly terminated. Only 69,461 accounts were affected, a small slice of Coinbase’s user base, but the nature of the stolen data elevated the seriousness of the breach.

Turning the Tables on Hackers

When the attackers demanded a $20 million ransom, Coinbase refused to pay. Instead, it filed an official disclosure with the SEC and offered a $20 million reward for information that could lead to the perpetrators’ arrest. The exchange also notified affected users, filed a formal breach notice with the Maine Attorney General, and launched a range of support and security upgrades.

In a bold twist, on May 21, the hackers exchanged roughly $42.5 million worth of Bitcoin for Ether using THORChain, inscribing a mocking message to ZachXBT in the Ethereum transaction, complete with a meme video. The hackers’ trolling underscored just how emboldened cybercriminals have become.

Coinbase’s Response: From Remediation to Reinforcement

To reassure customers and bolster defenses, Coinbase deployed a comprehensive post-breach strategy:

  • Customer Protection Measures: Affected users were offered one year of complimentary credit monitoring, identity restoration services, and dark web monitoring.
  • Extra ID Verification: Additional verification steps, including scam-awareness prompts, are now mandatory for large withdrawals from compromised accounts.
  • Support Expansion: Coinbase is establishing a U.S.-based customer support hub with enhanced monitoring to prevent future insider leaks.
  • Cooperation With Authorities: The company is working closely with law enforcement to pursue those behind the attack.
  • Transparency: Users were promptly informed about the breach, and ongoing updates are being provided to maintain trust.

Estimated costs to cover reimbursements and damage control are expected to range between $180 million and $400 million.

Staying Safe After a Breach

Events like this are a reminder that even the most secure platforms are vulnerable. To minimize risk:

  • Never share passwords or 2FA codes, even with someone claiming to be support.
  • Whitelist withdrawal addresses so funds can only go to trusted wallets.
  • Use strong 2FA, either app-based or a hardware key, and avoid SMS when possible.
  • Report any suspicious activity immediately and freeze your account if needed.
  • Stay updated on new scams and protective measures through official exchange channels.

The Coinbase breach of 2025 may end up being remembered not only for its scale but also for the company’s no-compromise response. In an industry where silence and cover-ups often prevail, Coinbase’s decision to confront the situation head-on may set a new precedent in how crypto companies deal with cyber extortion and insider threats.