By Colin Kellaher and Vicky Ge Huang

Coinbase Global said Thursday that it has refused to pay a $20 million ransom demand from cybercriminals who bribed the company's overseas customer support agents to steal sensitive user data.

The cryptocurrency exchange estimated that the incident could cost from $180 million to $400 million, between fixing the underlying issues and reimbursing customers, according to a regulatory filing.

The disclosure sent the company's stock down more than 7% on Thursday morning. The data breach is a setback for the largest U.S. crypto exchange, which has cultivated a reputation for safety and largely avoided the type of attacks and thefts that have crippled many overseas exchanges.

The company said it received an email on Sunday from an unknown party who claimed to have obtained information about certain customer accounts, adding that the threat actor appears to have obtained the information by paying multiple contractors or employees working in support roles outside the U.S.

Coinbase said it determined that the email was credible, and that while customer funds weren't accessed, the stolen data included personal information such as names, addresses, phone numbers and email addresses; masked Social Security and bank-account numbers; government--ID images such as driver's licenses and passports; and account data such as balance snapshots and transaction histories.

Tens of thousands of users were potentially affected. The company said less than 1% of Coinbase's monthly transacting users had their data pulled. That could be as many as 97,000 customers, based on Coinbase's latest usage disclosures.

Coinbase said it is working with law enforcement to investigate the incident, adding that it is opening a new support hub in the U.S. and taking other measures to harden its defenses. It pledged to reimburse users who were tricked into sending funds to the attackers. The company also said it fired the insiders who cooperated with the hackers and will press criminal charges against them.

In a video, Coinbase CEO Brian Armstrong said the company was refusing to pay the $20 million bitcoin ransom demand and setting up a $20 million reward fund for information that could lead to the arrest and conviction of the attackers.

"For these would-be extortionists or anyone seeking to harm Coinbase customers, know that we will prosecute you and bring you to justice," Armstrong said in the video.

The breach came as Coinbase is slated to join the S&P 500 next week, a development celebrated by crypto proponents as a key step toward the mainstream adoption of digital assets. Coinbase stock surged 24% on Tuesday after news of the coming index inclusion.

Write to Colin Kellaher at colin.kellaher@wsj.com and Vicky Ge Huang at vicky.huang@wsj.com

(END) Dow Jones Newswires

May 15, 2025 11:09 ET (15:09 GMT)

Copyright (c) 2025 Dow Jones & Company, Inc.