MW Coinbase suffers cyber attack as oversees employees were bribed to steal customer data

By Steve Gelsi

Crypto trading firm said clients were already informed of the breach, which may cost it up to $400 million based on current estimates.

Coinbase Global Inc. said Thursday it's working with law enforcement to track down an unknown "threat actor" that paid its contractors working in support roles for the company outside the U.S. to obtain personal information about its customer base.

Coinbase $(COIN)$ did not say how many of its clients were affected, but it had already informed them about the breach after it detected it months ago and fired the contractors involved.

Coinbase said customer passwords and private keys were protected by its systems, and "at no time were any of the targeted contractors or employees able to access customer funds."

However, the affected data included names, home and email addresses, phone numbers, the last four digits of Social Security numbers, masked bank-account numbers and some bank-account identifiers.

The breach also included government-ID images such as passports and driver's licenses, account data such as balance snapshots and transaction history and limited Coinbase corporate data such as documents, training materials and communications to support agents.

Coinbase said it plans to open a new support hub in the U.S. as well as take other prevention measures.

It estimated expenses of $180 million to $400 million for remediation costs and voluntary customer reimbursements related to the problem, and said the dollar figure could change as it assesses the impact. It did not provide a figure for the cost of opening a U.S. service center.

"The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities," the company said.

The cryptocurrency trading company said it refused an email request to be paid by "an unknown threat actor claiming to have obtained information about certain Coinbase customer accounts."

Coinbase said it has already terminated the personnel involved and also "implemented heightened fraud-monitoring protections" in previous months after its security monitoring detected the trouble.

"These prior instances of improper data access were part of a single campaign that succeeded in taking data from internal systems," Coinbase said. "The company has not paid the threat actor's demand and is cooperating with law enforcement in the investigation of this incident."

Coinbase said it plans to open a new support hub in the U.S. as well as take other prevention measures.

Coinbase's stock was down by 2.4% in pre-market trading. The stock has risen 6.1% in 2025 and is set to join the S&P 500 SPX on Monday. The S&P 500 has risen 0.2% in 2025 after dropping sharply in early April.

-Steve Gelsi

This content was created by MarketWatch, which is operated by Dow Jones & Co. MarketWatch is published independently from Dow Jones Newswires and The Wall Street Journal.

(END) Dow Jones Newswires

May 15, 2025 08:17 ET (12:17 GMT)

Copyright (c) 2025 Dow Jones & Company, Inc.