In documents filed with regulators in Maine on Tuesday, Coinbase said the information leaked included details like photos of passports and government IDs, as well as account information such as balances and transaction history.
# Incident Report: Coinbase Customer Data Theft and Extortion Attempt
## Executive Summary
Beginning in December 2024, cybercriminals bribed overseas customer-support agents working for cryptocurrency platform Coinbase, reportedly in India, to pull sensitive customer records out of the company's support tooling. Data on 69,461 individuals was exposed and then used in social engineering scams against customers; the attackers also attempted to extort $20 million from Coinbase. Coinbase refused the demand, terminated the personnel involved, added new controls, disclosed the incident to regulators, and began remediation.
## Incident Details
- **Discovery Date:** Identified internally before the May 2025 regulatory filings (the page gives no exact date); extortion demand received May 11, 2025
- **Incident Date:** Began in December 2024
- **Affected Organization:** Coinbase
- **Sector:** Cryptocurrency Exchange / Financial Technology
- **Geography:** Customer data compromised via overseas support agents (allegedly India)
## Timeline of Events
### Initial Access
- **Date/Time:** Started December 2024
- **Vector:** Insider recruitment (bribery of overseas support agents who already held legitimate access)
- **Details:** Cybercriminals paid cash to support agents, reportedly in India, to retrieve customer records through their normal support access.
### Lateral Movement
- The page gives no detail on movement between internal systems; the agents' legitimate support access was sufficient to compile the customer records that were later exfiltrated.
### Data Exfiltration/Impact
- **Details:** Data belonging to 69,461 customers was stolen. Information included photos of passports, government IDs, names, dates of birth, last four digits of SSNs, bank account numbers, balances, and transaction history.
- **Extortion Attempt:** After the theft, a third party claiming to hold the data demanded a $20 million payment from Coinbase on May 11, 2025, shortly before the May regulatory filings.
### Detection & Response
- **How it was discovered:** Coinbase identified the insider activity internally (the page does not give the date) and then received the extortion demand on May 11, 2025.
- **Response actions taken:** Coinbase terminated the individuals involved, tightened controls on support access, refused the $20 million demand, filed disclosures with the SEC and state regulators, and disclosed the breach publicly. The U.S. Justice Department is investigating.
## Attack Methodology
- **Initial Access:** Insider threat via bribery of external support agents (Social Engineering/Corruption).
- **Persistence:** No technical persistence was needed; the agents' own credentials gave continued access from December 2024 until they were terminated. The page does not say whether one agent or several were paid.
- **Privilege Escalation:** Not applicable; the agents already held the support-role access that exposed the data.
- **Defense Evasion:** Paying insiders bypasses perimeter and authentication controls entirely, and the record access looked like ordinary support activity.
- **Credential Access:** None reported; passwords were not compromised, and the agents reached PII and account details through their legitimate support roles.
- **Discovery:** The agents used the support tooling's customer lookup to locate and compile records; the attackers then used the stolen data to select and profile targets for follow-on social engineering.
- **Lateral Movement:** Not detailed beyond the initial access points affecting customer service infrastructure.
- **Collection:** Stolen data included highly sensitive PII (Passports, IDs, SSN fragments) and financial details.
- **Exfiltration:** Data was compiled and presumably transferred out of Coinbase's accessible systems by the compromised agents.
- **Impact:** Financial extortion attempt against Coinbase and high risk of subsequent identity theft and fraud against affected customers.
## Impact Assessment
- **Financial:** Coinbase expects $180 million to $400 million in remediation and response costs. They pledged to reimburse retail customers scammed into sending funds.
- **Data Breach:** PII (Names, DOBs, ID photos, partial SSNs) and financial data (Bank Account details, balances, transaction history) of 69,461 customers. *Note: Passwords were NOT compromised.*
- **Operational:** Limited direct disruption to the platform; the operational load falls on the internal investigation, personnel terminations, customer reimbursement and regulatory notification.
- **Reputational:** Significant reputational risk, amplified by concurrent high-profile physical attacks against crypto industry figures globally.
## Indicators of Compromise
- **Network indicators:** None disclosed; the only external contact reported is the post-theft extortion demand.
- **File indicators:** None disclosed.
- **Behavioral indicators:** Support agents viewing or exporting customer records (ID images, bank details, SSN fragments) in volumes or patterns unrelated to their ticket workload, for example lookups with no ticket reference or many distinct customers in a short window.
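The behavioral indicator is the one that can actually be hunted for. The following is an added example, not Coinbase's own tooling: a small detector that aggregates support-agent customer-record views from an audit log and flags agents whose pattern looks like collection rather than ticket handling. The log line format, field names, thresholds and the sample log are all constructed assumptions.

```python
"""Added example (not Coinbase's code): flag support agents whose customer-record
lookups look like bulk collection. Log format, field names, thresholds and the
sample log below are hypothetical assumptions."""
from collections import defaultdict
import re
import statistics

# Fields whose bulk retrieval matters most (the kinds of data stolen in this incident).
SENSITIVE_FIELDS = {"id_document", "bank_account", "ssn_last4", "dob"}

# Assumed audit-log line shape (hypothetical):
#   2024-12-03T10:15:02 agent=a07 action=view_customer customer=c1042 ticket=none fields=id_document,balance
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+agent=(?P<agent>\S+)\s+action=(?P<action>\S+)\s+"
    r"customer=(?P<customer>\S+)\s+ticket=(?P<ticket>\S+)\s+fields=(?P<fields>\S*)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {f for f in rec["fields"].split(",") if f}
    return rec


def analyze(lines, peer_factor=3.0, min_distinct=20, no_ticket_limit=5, sensitive_ratio=0.5):
    """Aggregate view_customer events per agent; return {agent: [reasons]} for agents
    whose access pattern is out of line with ticket work and with their peers."""
    stats = defaultdict(lambda: {"customers": set(), "views": 0, "no_ticket": 0, "sensitive": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "view_customer":
            continue
        s = stats[rec["agent"]]
        s["views"] += 1
        s["customers"].add(rec["customer"])
        if rec["ticket"] == "none":
            s["no_ticket"] += 1
        if rec["fields"] & SENSITIVE_FIELDS:
            s["sensitive"] += 1

    # Peer baseline: median number of distinct customers an agent touched in this window.
    distinct_counts = [len(s["customers"]) for s in stats.values()]
    baseline = statistics.median(distinct_counts) if distinct_counts else 0

    findings = {}
    for agent, s in stats.items():
        reasons = []
        n = len(s["customers"])
        if n >= min_distinct and n > peer_factor * max(baseline, 1):
            reasons.append(f"bulk_lookup: {n} distinct customers vs peer median {baseline}")
        if s["no_ticket"] > no_ticket_limit:
            reasons.append(f"no_ticket: {s['no_ticket']} lookups with no ticket reference")
        if n >= min_distinct and s["views"] and s["sensitive"] / s["views"] >= sensitive_ratio:
            reasons.append(f"sensitive_fields: {s['sensitive']}/{s['views']} views touched ID/bank/SSN data")
        if reasons:
            findings[agent] = reasons
    return findings


def build_sample_log():
    """Constructed sample: two agents doing ticket work, one harvesting records."""
    lines = []
    for i in range(4):   # a01: four customers, each tied to a ticket, ordinary fields
        lines.append(f"2024-12-03T09:{i:02d}:00 agent=a01 action=view_customer "
                     f"customer=c{100 + i} ticket=T{500 + i} fields=email,balance")
    for i in range(5):   # a02: five customers; one legitimate ID check on a ticket
        fields = "id_document" if i == 0 else "email,transactions"
        lines.append(f"2024-12-03T09:{i:02d}:30 agent=a02 action=view_customer "
                     f"customer=c{200 + i} ticket=T{600 + i} fields={fields}")
    for i in range(30):  # a07: thirty customers, mostly without a ticket, pulling ID images
        ticket = f"T{700 + i}" if i < 5 else "none"
        lines.append(f"2024-12-03T13:{i:02d}:00 agent=a07 action=view_customer "
                     f"customer=c{300 + i} ticket={ticket} fields=id_document,bank_account,dob")
    lines.append("malformed line that the parser should skip")
    return lines


if __name__ == "__main__":
    for agent, reasons in analyze(build_sample_log()).items():
        print(agent, *reasons, sep="\n  ")
```

The peer-median baseline is deliberately computed from the same window, so a single harvester cannot drag the baseline up much; with a larger team use a trailing baseline per agent as well. Denied lookups should also be logged, since an agent probing for records outside their tickets is a signal in its own right.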
## Response Actions
- **Containment measures:** Terminated the employment of the individuals involved in the breach.
- **Eradication steps:** Tightened controls on support-agent access to customer data (specifics undisclosed).
- **Recovery actions:** Tracing stolen funds, flagging accounts making large withdrawals, and offering a $20 million reward for information on the hackers. Pledging reimbursement for direct financial losses to customers.
## Lessons Learned
- **Key takeaways:** Outsourced and overseas support staff with broad access to customer records are an insider-threat vector that a well-funded attacker can buy into directly. What a support role can view and export, and how much PII is held in operational support tooling at all, must be reviewed as rigorously as technical access paths.
- **What could have been done better:** The theft ran from December 2024 and was not disclosed until the May 2025 filings, after the extortion attempt on May 11; the page does not say when the first insider activity was detected, so the gap between start and detection is the key open question. Tighter limits on what a support agent can see and export would have reduced or prevented the exfiltration.
## Recommendations
- Audit all outsourced and overseas support operations, focusing on access scope, data-handling controls, personnel vetting and anti-bribery/corruption training.
- Monitor support-agent record access against ticket workload and peer baselines, and alert on bulk retrieval of ID images, bank details and SSN fragments.
- Apply least privilege in support tooling: ticket-scoped lookups, masked fields by default and step-up approval for ID documents, so that a bribed agent's reach is bounded and every sensitive fetch is attributable.
- Treat encryption at rest as necessary but insufficient: it does not stop an authorised agent reading records through the application. Pair it with data minimisation (do not retain ID images in operational stores longer than needed) and field-level masking so that full account numbers and passport images are not routinely displayable.
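One concrete shape for the least-privilege and masking recommendations above. This is an added example, not Coinbase's code: a ticket-scoped lookup gate for support tooling that returns a masked view by default, requires a named second approver for ID images, rate-limits lookups per agent and writes an audit trail. The ticket model, field names, limits and customer records are hypothetical.

```python
"""Added example (not Coinbase's code): ticket-scoped, field-masked customer lookup
for support tooling. Ticket model, field names, limits, the second-approver rule
and the customer records are hypothetical assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Ticket:
    ticket_id: str
    customer_id: str
    assigned_agent: str
    is_open: bool = True


@dataclass
class Customer:
    customer_id: str
    name: str
    email: str
    dob: str
    ssn: str
    bank_account: str
    balance: float
    id_document_ref: str   # pointer to the passport/ID image held in a separate store


class AccessDenied(Exception):
    pass


def mask_account(acct):
    """Keep only the last four characters: enough to confirm a customer's own account."""
    return "*" * (len(acct) - 4) + acct[-4:]


class SupportLookupGate:
    def __init__(self, tickets, customers, approvers, hourly_limit=25):
        self.tickets = {t.ticket_id: t for t in tickets}
        self.customers = {c.customer_id: c for c in customers}
        self.approvers = set(approvers)
        self.hourly_limit = hourly_limit
        self.counts = defaultdict(int)   # (agent, hour) -> successful lookups in that hour
        self.audit = []                  # append-only trail, the input for detection

    def _authorize(self, agent, customer_id, ticket_id, hour):
        t = self.tickets.get(ticket_id)
        if t is None or not t.is_open or t.assigned_agent != agent or t.customer_id != customer_id:
            self.audit.append(("deny", agent, customer_id, ticket_id))
            raise AccessDenied("no open ticket binds this agent to this customer")
        self.counts[(agent, hour)] += 1
        if self.counts[(agent, hour)] > self.hourly_limit:
            self.audit.append(("rate_limit", agent, customer_id, ticket_id))
            raise AccessDenied("hourly lookup limit exceeded")

    def lookup(self, agent, customer_id, ticket_id, hour):
        """Default view: what a ticket needs; DOB, full SSN and ID images are left out."""
        self._authorize(agent, customer_id, ticket_id, hour)
        c = self.customers[customer_id]
        view = {"customer_id": c.customer_id, "name": c.name, "email": c.email,
                "ssn_last4": c.ssn[-4:], "bank_account": mask_account(c.bank_account),
                "balance": c.balance}
        self.audit.append(("view", agent, customer_id, ticket_id, tuple(sorted(view))))
        return view

    def fetch_id_document(self, agent, customer_id, ticket_id, approver, hour):
        """ID images are the highest-value item: require a different, authorised approver."""
        if approver == agent or approver not in self.approvers:
            self.audit.append(("deny_id_document", agent, approver, customer_id, ticket_id))
            raise AccessDenied("ID image fetch needs approval from a different authorised person")
        self._authorize(agent, customer_id, ticket_id, hour)
        self.audit.append(("id_document", agent, approver, customer_id, ticket_id))
        return self.customers[customer_id].id_document_ref


def denied(call):
    """True if the callable raises AccessDenied, False if it succeeds."""
    try:
        call()
        return False
    except AccessDenied:
        return True


def run_demo():
    """Constructed scenario; returns outcomes so they can be checked rather than printed."""
    gate = SupportLookupGate(
        tickets=[Ticket("T500", "c100", "a01"), Ticket("T501", "c101", "a02")],
        customers=[Customer("c100", "A. Example", "a@example.invalid", "1990-01-01",
                            "123456789", "GB00EXAMPLE0001234", 12.5, "kyc/c100.jpg"),
                   Customer("c101", "B. Example", "b@example.invalid", "1985-06-30",
                            "987654321", "GB00EXAMPLE0005678", 800.0, "kyc/c101.jpg")],
        approvers={"mgr1"}, hourly_limit=3)
    masked = gate.lookup("a01", "c100", "T500", hour=10)                         # legitimate
    cross = denied(lambda: gate.lookup("a01", "c101", "T500", hour=10))          # ticket is for c100
    other = denied(lambda: gate.lookup("a02", "c100", "T500", hour=10))          # not a02's ticket
    gate.lookup("a01", "c100", "T500", hour=10)
    gate.lookup("a01", "c100", "T500", hour=10)
    limited = denied(lambda: gate.lookup("a01", "c100", "T500", hour=10))        # 4th in the hour
    self_ok = denied(lambda: gate.fetch_id_document("a01", "c100", "T500", approver="a01", hour=11))
    ref = gate.fetch_id_document("a01", "c100", "T500", approver="mgr1", hour=11)
    return {"masked_view": masked, "cross_customer_denied": cross, "wrong_agent_denied": other,
            "rate_limited": limited, "self_approval_denied": self_ok,
            "id_document_ref": ref, "audit_events": len(gate.audit)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point of binding every lookup to an open ticket assigned to the requesting agent is that a bribed agent cannot browse arbitrary customers, and the audit trail records the denials as well as the views. Rate limits are crude on their own; they are there to turn a bulk pull into a slow, visible one.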