Cryptocurrency exchange Coinbase has reported a significant cyber attack that could result in financial damages of up to $400 million. The breach, revealed in a regulatory filing, involved the theft of user data and funds from a limited number of customers. The development comes just days before Coinbase is set to be added to the S&P 500 index.
The attackers reportedly compromised internal data by paying off multiple employees and contractors in support roles outside the United States. While login credentials and passwords were not accessed, stolen data included names, addresses, and email IDs of affected users.
The company confirmed that all individuals involved in leaking the data have been terminated. According to Coinbase, the attackers contacted the firm via email on May 11, claiming possession of sensitive internal documents and customer account details.
Also read: Polish Ruling Party Hit by Cyberattack Before Vote
Customers to be reimbursed; $20M bounty offered for leads
Although only a “small subset” of users was impacted, the attackers were able to deceive some customers into voluntarily transferring funds. Coinbase has pledged to reimburse all users who were defrauded in this manner, with total estimated losses ranging between $180 million and $400 million.
The company declined to meet the attackers’ $20 million ransom demand. Instead, it has offered a matching $20 million reward for actionable information that could lead to identifying the perpetrators. Law enforcement agencies have been engaged, and investigations are ongoing.
New US support hub and tighter security measures announced
In response to the breach, Coinbase has announced plans to establish a new U.S.-based customer support hub and implement additional safeguards to prevent future attacks. The move is aimed at reinforcing trust as the platform gains mainstream acceptance through its S&P 500 inclusion.
The incident underlines the persistent vulnerabilities in the crypto industry’s infrastructure. It follows another high-profile breach in February, where Dubai-based exchange Bybit reported a loss of approximately $1.5 billion in what is considered the largest crypto heist to date.
