Coinbase Breach: Hackers Lurked in Customer Data for 5 Months Before Detection

Security fails silently as exchange giant discovers January intrusion—only after spring cleaning their logs. Classic ’trust us with your crypto’ moment.

How it happened: Attackers exploited a yet-undisclosed vulnerability, turning ’not your keys, not your coins’ into ’not your data, not your privacy.’

The fallout: While Coinbase claims no funds were stolen, the breach exposes the ugly truth about centralized exchanges—they’re honeypots with customer service departments.

Culprits Bribed Foreign-Based Support Staff

According to a Bloomberg report, the perpetrators targeted employees and contractors based outside the United States who were part of Coinbase’s business process outsourcing operations.

By paying off a small group of insiders, they were able to get sensitive user information. The stolen data included names, birth dates, addresses, government-issued ID numbers, banking details, account balances, and creation dates. This information could be used to impersonate either Coinbase or its customers and potentially access other financial accounts.

“It’s a major breach, the amount of personal information shared is staggering,” said Mike Dudas, managing partner at web3 firm 6MV and a victim of the attack.

The source claimed that the hackers had access to user data since January, but Coinbase Chief Security Officer Philip Martin disputed this. He explained that once the firm was aware of the information sharing, permission was revoked, hence the culprits did not have constant access throughout the period.

However, he acknowledged that there were multiple bribery incidents, with Coinbase first detecting signs of suspicious activity from the support agents months before the May 11 ransom demand. Following this, the implicated agents were immediately quarantined and fired.

Details From the Breach

The exchange disclosed the situation to the public in a Thursday announcement. In a blog post, it revealed that less than 1% of monthly transacting users were affected by the incident. The attackers aimed to build a list of customers to impersonate Coinbase and trick users into handing over their crypto assets. When the $20 million ransom demand was rejected, the bad actors increased their extortion attempts.

The company clarified that login credentials, private keys, and Prime accounts were not compromised, and no customer wallets were accessed. In response to the breach, Coinbase has said it will reimburse any users who lost money and boost its internal security systems. It also announced plans to open a new U.S.-based customer support hub.

In addition, the firm launched a $20 million bounty for information leading to the attackers’ arrest, tagged stolen funds for recovery, and is working with authorities to pursue criminal charges against the involved insiders.

The incident adds to a growing list of cyberattacks targeting the industry. A recent report by Immunefi highlighted that crypto projects lost $92.5 million in April 2025 alone across 15 separate attacks. This figure is a 27.3% increase from the $72.6 million lost in April 2024, and more than double the $41.4 million recorded in March 2025.