Tl;dr: Cyber criminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks. These insiders abused their access to customer support systems to steal the account data for a small subset of customers. No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched. We will reimburse customers who were tricked into sending funds to the attacker. We’re cooperating closely with law enforcement to pursue the harshest penalties possible and will not pay the $20 million ransom demand we received. Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack.
Security and transparency are core to Coinbase. Consistent with that commitment, we’re publicly detailing an extortion attempt against us and our customers. Instead of funding criminal activity, we have investigated the incident, reinforced our controls, and will reimburse customers impacted by this incident.
What happened
Criminals targeted our customer support agents overseas. They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than 1% of Coinbase monthly transacting users. Their aim was to gather a customer list they could contact while pretending to be Coinbase—tricking people into handing over their crypto. They then tried to extort Coinbase for $20 million to cover this up. We said no.
What they got
Name, address, phone, and email
Masked Social Security (last 4 digits only)
Masked bank‑account numbers and some bank account identifiers
Government‑ID images (e.g., driver’s license, passport)
Account data (balance snapshots and transaction history)
Limited corporate data (including documents, training material, and communications available to support agents)
What they didn’t get
Login credentials or 2FA codes
Private keys
Any ability to move or access customer funds
Access to Coinbase Prime accounts
Access to any Coinbase or Coinbase customer hot or cold wallets
What we are doing about it
Making customers whole — We will reimburse customers who were tricked into sending funds to the attacker due to social engineering attacks. If your data was accessed, you have already received an email from no-reply@info.coinbase.com; all notifications went out at 7:20 a.m. ET on 5/15 to affected customers.
Extra customer safeguards — Flagged accounts now require additional ID checks on large withdrawals and include mandatory scam‑awareness prompts. As we monitor high risk transactions, you may experience delays.
Further securing support operations — Opening a new support hub in the U.S. and adding stronger security controls and monitoring across all locations.
Hardening defenses — We have increased our investment in insider‑threat detection, automated response, and simulating similar security threats to find failure points in any internal system.
Staying transparent — Impact notices have gone out to affected users, and we’ll keep the community updated as the investigation progresses.
How we’re responding to the criminals
$20 million reward fund — Instead of paying the $20 million ransom, we’re establishing a $20 million reward fund for information leading to the arrest and conviction of the attackers. Email security@coinbase.com along with the word "[BOUNTY]" in subject if you have information on these bad actors.
Tracing stolen funds — Working with industry partners, we’ve tagged the attackers’ addresses so the authorities can track and work to recover assets.
Working with Law Enforcement — Insiders were fired on the spot and referred to U.S. and international law enforcement. We will press criminal charges.
How you can stay safe
Expect imposters. Scammers—related to this incident or not—may pose as Coinbase employees and try to pressure you into moving your funds. Remember, Coinbase will never ask for your password, 2FA codes, or for you to transfer assets to a specific or new address, account, vault or wallet. We will never call or text you to give you a new seed phrase or wallet address to move your funds to. If you receive this call, hang up the phone. Coinbase will never ask you to contact an unknown number to reach us.
In addition, here is a set of best practices:
Turn on withdrawal allow‑listing — Only permit transfers to wallets that you are confident you fully control and where the seed phrase is secure and was not provided to you or shared with anyone.
Enable strong 2FA — Hardware keys are best.
Hang up on imposters — Coinbase will never ask for your password, 2FA codes, or to move funds to a “safe” wallet.
Lock first, ask later — If something feels off, lock your account in‑app and email security@coinbase.com.
Review our security tips on avoiding social engineering scams.
Conclusion
Crypto adoption depends on trust. To the customers affected, we’re sorry for the worry and inconvenience this incident caused. We’ll keep owning issues when they arise and investing in world‑class defenses—because that’s how we protect our customers and keep the crypto economy safe for everyone.
Reimbursement criteria
Coinbase will voluntarily reimburse retail customers who mistakenly sent funds to the scammer as a direct result of this incident prior to the date of this post, following a review to confirm the facts.
Forward-looking statements
This blog post contains forward-looking statements, including, but not limited to, statements regarding our current beliefs, understanding and expectations regarding this incident. Factors that could cause actual results to differ from those expressed in these forward-looking statements include the ongoing assessment of the incident; legal, reputational and financial risks resulting from the incident or additional cybersecurity incidents; and the risks described in our Annual Report on Form 10-K for the year ended December 31, 2024 and subsequent Quarterly Reports on Form 10-Q. All forward-looking statements are based on information and estimates available to us as of the date hereof. Unless required by law, we expressly disclaim any obligation to update publicly any forward-looking statements, whether as a result of new information, future events or otherwise. For more information, please see the Current Report on Form 8-K we will file on May 15, 2025.