Coinbase Warns of $400M Cyberattack Loss, Fires Staff Involved in Breach

Key Points:

  • Coinbase expects a financial hit of up to $400 million due to a cyberattack that exposed limited customer data.

  • Hackers bribed external contractors and employees to access sensitive information.

  • The company refused a $20 million ransom demand and is working with law enforcement.

Cryptocurrency giant Coinbase disclosed on Thursday that it may face losses of up to $400 million following a sophisticated cyberattack that compromised customer data and targeted users with social engineering scams.

In a regulatory filing, the company stated it had received a threatening email on May 11 from an unidentified actor claiming to have obtained internal documents and data linked to a “small subset” of Coinbase customers. Although login credentials and passwords were not accessed, some personal data — including names, email addresses, and physical addresses — was stolen.

Coinbase traced the breach to paid contractors and overseas employees working in support roles who were bribed to leak the information. Those involved have since been terminated, according to the company. Affected users who were deceived into transferring funds will be reimbursed.

“The attackers exploited human vulnerabilities,” Coinbase said in a statement. “We’ve since taken swift action to address the breach, including establishing a $20 million reward for information leading to the arrest and conviction of those responsible.”

The company declined to meet the hackers’ $20 million ransom demand and is actively cooperating with law enforcement. It plans to open a new U.S.-based support hub to enhance internal security practices.

Regulatory Scrutiny Intensifies

In a separate development, Coinbase is under investigation by the U.S. Securities and Exchange Commission (SEC) regarding whether the company inaccurately reported user data in previous financial disclosures. Two sources confirmed that the agency is examining Coinbase’s “verified user” metric, even though it was discontinued over two years ago.

Coinbase’s chief legal officer Paul Grewal pushed back, labeling the inquiry a “holdover” from the prior administration. “We disclosed this metric publicly and stopped reporting it long ago,” he said. “We believe this investigation should not proceed.”

Coinbase has denied that the SEC is probing its compliance with know-your-customer or Bank Secrecy Act rules. The SEC declined to comment.

Market Impact and Industry Risks

The cyberattack and news of regulatory scrutiny weighed on investor sentiment. Coinbase shares fell by over 6% following the announcements, just days ahead of its anticipated inclusion in the S&P 500 index — a milestone for the crypto industry.

Security concerns remain a persistent challenge for digital asset platforms. According to blockchain analytics firm Chainalysis, hackers stole $2.2 billion from crypto firms in 2024 alone. Analysts warn that rising sophistication among cybercriminals may prompt stricter vetting of global employees and greater regulatory oversight.

“The incident underscores growing vulnerabilities in the crypto sector,” said Bo Pei, an analyst at U.S. Tiger Securities. “As mainstream adoption rises, so too does the need for heightened cybersecurity.”

Coinbase says it remains committed to protecting customer assets and rebuilding trust following the breach.