Coinbase has disclosed a significant data breach involving insider threats, as revealed in a recent SEC filing. The breach did not stem from a direct compromise of Coinbase’s systems, but rather from external attackers bribing a group of customer support agents to extract customer data.

The attackers intended to impersonate Coinbase and trick users into handing over their crypto assets, eventually demanding a $20 million ransom to suppress the incident. Coinbase refused to pay and instead announced a $20 million reward for information leading to the attackers’ arrest.

The compromised information includes a range of personal and financial data, such as names, addresses, phone numbers, email addresses, partial Social Security numbers, masked bank details, ID images, and transaction histories. Fortunately, login credentials, two-factor authentication codes, and access to wallets or funds were not exposed. Coinbase acted swiftly by terminating the involved agents, notifying affected users—estimated to be less than 1% of monthly transacting users—and implementing enhanced monitoring and access controls.

In response to the breach, Coinbase has taken several steps to protect its customers and pursue justice. These include launching a global investigation, increasing security across its operations, and instituting stricter identity verification protocols for affected accounts. The company also pledged to reimburse retail customers who lost funds due to scam activity resulting from this breach. Coinbase continues to warn users about impersonation attempts and has reaffirmed that its support agents will never request passwords, 2FA codes, or seed phrases. Criminal charges are being pursued against the responsible former employees.