The crypto giant said the unauthorized access to customer data dates back to late December 2024.
# Incident Report: Coinbase Customer Data Exfiltration via Insider Bribery
## Executive Summary
Coinbase experienced a sustained data breach that began in late December 2024 and was discovered when the threat actor issued a ransom demand in early May 2025. The attackers successfully compromised customer data, affecting at least 69,461 individuals, by bribing Coinbase customer support employees to gain unauthorized access. Coinbase refused to pay the $20 million ransom demand and notified relevant authorities.
## Incident Details
- **Discovery Date:** Early May 2025 (upon receipt of a credible ransom note)
- **Incident Date:** Began December 26, 2024, and continued until May 2025
- **Affected Organization:** Coinbase
- **Sector:** Cryptocurrency / Fintech
- **Geography:** Berkeley, California (implied headquarters/reporting location)
## Timeline of Events
### Initial Access
- **Date/Time:** December 26, 2024
- **Vector:** Bribery of internal employees (customer support agents)
- **Details:** The threat actor bribed Coinbase customer support workers to gain access to customer data over several months.
### Lateral Movement
- **Details:** Not explicitly specified in the source. Access was maintained over months, which suggests repeated authenticated access via the compromised employees' credentials or sessions.
### Data Exfiltration/Impact
- **Duration:** Months following access starting December 26, 2024.
- **Data Stolen:** Customer names, email and postal addresses, phone numbers, government-issued identity documents, account balances, and transaction histories.
### Detection & Response
- **Detection:** Early May 2025, when the attacker sent a credible ransom note demanding $20 million.
- **Response Actions:** Coinbase refused to pay the ransom and subsequently reported the breach via a filing with the Maine Attorney General and a public blog post.
## Attack Methodology
- **Initial Access:** Social engineering/Bribery targeting Customer Support staff (Insider Threat vector leveraged by external actor).
- **Persistence:** Sustained access over several months through compromised legitimate support channels.
- **Privilege Escalation:** N/A (Access appears to have been granted through compromised/bribed support roles).
- **Defense Evasion:** Bribed employees likely allowed the activity to blend with normal support operations.
- **Credential Access:** Direct access granted by bribed employees; external credential theft methods are not specified.
- **Discovery:** No external reconnaissance or scanning is mentioned in the source.
- **Lateral Movement:** Not detailed, but implied movement to specific customer records via authorized access paths.
- **Collection:** Gathering of extensive customer PII, financial data, and government ID information.
- **Exfiltration:** Not detailed, but data was successfully stolen.
- **Impact:** Unauthorized disclosure and theft of sensitive customer records.
## Impact Assessment
- **Financial:** A $20 million ransom demand was issued, which Coinbase refused to pay. (Direct cost of remediation and potential fines not detailed).
- **Data Breach:** At least 69,461 customers affected. Data includes PII, government IDs, account balances, and transaction histories.
- **Operational:** Operational disruption related to internal investigation and communication efforts.
- **Reputational:** Public disclosure via TechCrunch and SEC filings, significant reputational damage for a major crypto exchange.
## Indicators of Compromise
- *No specific defanged IPs, URLs, or file hashes were provided in the source material.*
- **Behavioral Indicators:** Unusual access patterns or large-scale data extraction by customer support accounts between December 2024 and May 2025.
## Response Actions
- **Containment:** Not explicitly detailed in the source; containment would be expected to involve immediately revoking the access of, and auditing, the compromised support accounts.
- **Eradication:** Not detailed in the source; the expected actions are terminating the relationships with the bribed employees and hardening access controls for support teams.
- **Recovery:** Not detailed in the source; the reported response focused on customer notification as required by breach-notification laws.
## Lessons Learned
- **Insider Threat Vulnerability:** The attacker's reliance on bribing customer support staff points to a serious gap in vetting, monitoring, or insider-threat controls within a highly privileged support organization.
- **Data Exposure Scope:** Access granted to support staff allows for deep exposure to sensitive customer data, including government IDs and financial details.
## Recommendations
- Implement mandatory rigorous background checks and continuous monitoring for all employees with access to sensitive customer data systems.
- Enforce strict Principle of Least Privilege (PoLP) for support staff, ensuring they only access the minimum data necessary for their immediate function.
- Enhance logging and alerting for bulk data lookups executed by support accounts, triggering immediate alerts for unusual data retrieval volumes.
- Review and strengthen controls around employee incentive structures to mitigate external bribery attempts.
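The behavioral indicator above (bulk record retrieval by support accounts) and the recommendation to alert on unusual lookup volumes can be turned into a concrete detection. The following is an added example, not code from Coinbase or from the source report; it assumes a hypothetical support-console audit log with the columns `timestamp,agent_id,customer_id,action`, and the sample rows are constructed.

```python
import csv
from collections import defaultdict
from io import StringIO
from statistics import median


def _constructed_log():
    """Constructed sample audit log (hypothetical format, not real data):
    two agents working normal tickets and one agent sweeping 40 records."""
    rows = ["timestamp,agent_id,customer_id,action"]
    for i in range(3):
        rows.append(f"2025-01-14T09:{i:02d}:00Z,agent_a,cust_10{i},view_profile")
    for i in range(2):
        rows.append(f"2025-01-14T09:{30 + i:02d}:00Z,agent_b,cust_20{i},view_balance")
    for i in range(40):  # one agent touching 40 distinct customers in an hour
        rows.append(f"2025-01-14T09:{i:02d}:30Z,agent_c,cust_3{i:03d},view_profile")
    return "\n".join(rows)


def parse_events(text):
    return list(csv.DictReader(StringIO(text)))


def lookups_per_agent_hour(events):
    """Count distinct customer records each agent touched per UTC hour."""
    seen = defaultdict(set)
    for e in events:
        hour = e["timestamp"][:13]  # "YYYY-MM-DDTHH"
        seen[(e["agent_id"], hour)].add(e["customer_id"])
    return {key: len(customers) for key, customers in seen.items()}


def flag_bulk_lookups(events, hard_limit=25, peer_multiplier=5):
    """Return (agent, hour, count) for agents exceeding an absolute cap or
    peer_multiplier times the median of the other agents active that hour.
    The peer baseline catches sweeps that stay under the hard limit; the hard
    limit catches an agent working alone, where no peer baseline exists."""
    by_hour = defaultdict(dict)
    for (agent, hour), n in lookups_per_agent_hour(events).items():
        by_hour[hour][agent] = n
    alerts = []
    for hour, agents in by_hour.items():
        for agent, n in agents.items():
            peers = [m for a, m in agents.items() if a != agent]
            over_peers = bool(peers) and n > peer_multiplier * median(peers)
            if n > hard_limit or over_peers:
                alerts.append((agent, hour, n))
    return sorted(alerts)


if __name__ == "__main__":
    for agent, hour, n in flag_bulk_lookups(parse_events(_constructed_log())):
        print(f"ALERT {agent} retrieved {n} distinct customer records in hour {hour}")
```

In production the thresholds would be tuned per support tier, and the alert should carry the list of customer IDs touched so responders can scope notification.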