QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$180 000 000 USD
DECEMBER 2024
UNITED STATES
COINBASE
DESCRIPTION OF EVENTS
Coinbase is a secure and user-friendly platform that facilitates the buying, selling, and storage of cryptocurrencies like Bitcoin and Ethereum. Designed to serve both beginners and experienced investors, it has become one of the most widely used cryptocurrency exchanges in the United States.
Since its founding in 2012, Coinbase has grown into a leading platform in the crypto space. It supports a wide range of services, including basic crypto investing, advanced trading tools, institutional custodial accounts, and a standalone wallet for individual users. It also launched its own U.S. dollar-backed stablecoin to enhance crypto transactions.
Trusted by approximately 73 million verified users, 10,000 institutions, and 185,000 partners across more than 100 countries, Coinbase plays a key role in the global crypto ecosystem. Fully regulated and licensed (except in Hawaii), Coinbase began with Bitcoin trading but has since expanded to support a variety of cryptocurrencies that meet its decentralized standards.
Coinbase users should understand that their personal information has been exposed and they are likely to become subject to targeted attacks.
Coinbase’s recent cybersecurity incident revealed a disturbing evolution in phishing tactics, with scammers leveraging sophisticated social engineering methods rather than direct system breaches. According to an investigative report by blockchain security firm SlowMist, attackers exploited insider access to user data, then launched highly targeted campaigns designed to deceive users into self-compromising their accounts. The hallmark of these attacks is a shift from broad, generic phishing to a “tailor-made” approach using pre-stolen data.
The scam typically begins with the impersonation of Coinbase customer support using spoofed PBX systems and fake email domains. Attackers contact users with convincing messages—such as alerts about “suspicious activity” or “unauthorized access”—to create a false sense of urgency. These communications are coordinated across channels (voice, SMS, and email) and often include spoofed ticket numbers or links to cloned Coinbase login pages. Victims are then guided to install Coinbase Wallet and are told to move funds into a “safe” wallet. However, this wallet’s seed phrase is generated and controlled by the attacker, who quickly drains the assets once the user completes the transfer.
The infrastructure behind these campaigns is alarmingly professional. Scammers use tools like FreePBX and Bitrix24 to spoof calls, bots on Telegram (e.g., @spoofmailer_bot) to send phishing emails, and even large datasets of user information purchased from dark web markets to select and target victims. In some instances, attackers used generative AI tools such as ChatGPT to segment data and automate phishing messages. These campaigns have also spread disinformation—claiming Coinbase was migrating users to self-custody wallets due to legal settlements—adding another layer of manipulation.
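As an added illustration (not code from SlowMist, Coinbase or this site), the indicators described above can be turned into a small triage rule set for inbound e-mail and SMS. The trusted domain, rule names, verdict labels and sample messages are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

OFFICIAL = "coinbase.com"  # assumption: only this domain and its subdomains are trusted
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
RULES = {  # indicator name -> pattern, wording taken from the campaign described above
    "urgency-wording": re.compile(r"suspicious activity|unauthorized access", re.I),
    "move-funds-instruction": re.compile(
        r"\b(move|transfer|send)\b.{0,60}\b(funds|assets|crypto)\b.{0,80}\bwallet", re.I | re.S),
    "self-custody-migration-claim": re.compile(
        r"\bmigrat\w*\b.{0,80}\bself-custod", re.I | re.S),
    # a recovery phrase chosen by the sender: 12 to 24 short words after the label
    "pre-supplied-seed-phrase": re.compile(
        r"(?:seed|recovery) phrase\W+(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}\b", re.I),
}
HIGH = {"move-funds-instruction", "pre-supplied-seed-phrase"}  # assumption: either one means "scam"

def is_official(host):
    """True only for coinbase.com itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == OFFICIAL or host.endswith("." + OFFICIAL)

def triage(sender, body):
    """Return (verdict, sorted indicator list) for one inbound e-mail or SMS."""
    hits = {name for name, rx in RULES.items() if rx.search(body)}
    if "@" in sender and not is_official(sender.rsplit("@", 1)[1]):
        hits.add("sender-off-domain")
    if any(not is_official(urlparse(u).hostname) for u in URL.findall(body)):
        hits.add("link-off-domain")
    verdict = "scam" if hits & HIGH else "suspicious" if hits else "no-indicators"
    return verdict, sorted(hits)

# Constructed sample messages (not real traffic; .example hosts are placeholders)
SAMPLES = [
    ("support@coinbase-help.example",
     "Case #48213: we detected suspicious activity on your account. Due to a legal "
     "settlement we are migrating users to self-custody wallets. Verify at "
     "https://login.coinbase.com.secure-check.example/verify then install Coinbase Wallet. "
     "Your recovery phrase: maple river stone cloud ember frost candle orbit willow "
     "anchor meadow lantern. Move your funds to this safe wallet today."),
    ("+15555550100",
     "Coinbase: unauthorized access attempt on your account. Call support and quote ticket 77120."),
    ("no-reply@coinbase.com",
     "Your monthly statement is ready: https://www.coinbase.com/statements"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, *triage(sender, body))
```

A "no-indicators" result is not proof of legitimacy, since the sender address itself can be spoofed. The seed-phrase rule is the strongest signal: a wallet whose recovery phrase arrives in a message is controlled by whoever sent it.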
Once funds are stolen, scammers often use decentralized exchanges and bridging protocols such as Uniswap, THORChain, and Chainflip to convert and launder assets through DAI or USDT, further complicating recovery efforts. According to MistTrack analysis, some attacker-controlled wallets have received hundreds of BTC and remain partially dormant, highlighting the scale and persistence of this ongoing campaign.
While Coinbase continues to assess the full scope of the breach, the company estimates that remediation and customer reimbursements could cost between $180 million and $400 million.
Coinbase disclosed in its Form 8-K filing that it had been aware of the breached information prior to receiving the extortion email on May 11, 2025. In its documentation to the Maine Attorney General, the company disclosed the actual date of the breach as December 26th, 2024.
The company reported that it had independently detected instances of unauthorized data access by overseas contractors or employees in support roles months before the email was received. Upon discovery, Coinbase terminated the involved personnel, removed access, and implemented heightened fraud-monitoring protections.
In May 2025, Coinbase notified affected customers, enhanced fraud monitoring and established a $20 million reward fund for information leading to the arrest and conviction of the attackers, who had demanded the same amount in ransom. Coinbase also pledged to reimburse customers who were tricked into sending funds to the attackers, with estimated costs ranging from $180 million to $400 million for remediation and customer refunds.
Coinbase released a Form 8-K to the Securities and Exchange Commission, describing the event as a material cybersecurity incident that occurred on May 11, 2025. The company reported receiving a credible extortion email from a threat actor who claimed to possess sensitive data relating to Coinbase customer accounts and internal documents. The information was allegedly acquired through the cooperation of overseas contractors or employees in support roles, who were paid by the threat actor to access internal systems without a legitimate business reason. Coinbase had previously identified and terminated these individuals after detecting unauthorized activity through its own security monitoring systems.
The breach did not involve customer passwords, private keys, or any access to customer funds. However, the compromised data included personal details such as names, addresses, masked Social Security numbers and bank account information, government ID images, transaction history, and internal training materials. Coinbase emphasized that it has not paid the extortion demand and is working with law enforcement authorities to investigate the incident. The company is also implementing additional fraud-prevention measures and launching a new U.S.-based support hub to strengthen internal security protocols.
While no immediate operational disruptions have occurred, Coinbase has committed to voluntarily reimbursing retail customers who were tricked into sending funds to scammers as a direct result of the incident, pending a review to verify each case.
Coinbase estimates that it may incur between $180 million and $400 million in expenses related to remediation and voluntary reimbursements to affected retail customers. This estimate is preliminary and could change significantly depending on further investigation, potential recoveries, or legal developments.
Coinbase, a leading U.S. cryptocurrency exchange, disclosed a major cybersecurity incident involving insider data leaks used in sophisticated phishing scams. Attackers impersonated Coinbase support to trick users into transferring funds to fraudulent wallets. Although customer funds and passwords weren’t directly accessed, personal data was compromised. Coinbase is cooperating with law enforcement, enhancing security measures, and expects to spend $180–$400 million on remediation and voluntary reimbursements.
SlowMist - "In recent years, Coinbase users have repeatedly become targets of social engineering attacks — and on May 15, Coinbase confirmed insider involvement." - Twitter/X (May 30)
“Customer Support” in the Dark Forest: Social Engineering Scams Target Coinbase Users - SlowMist (Jun 2)
Steve - "Is anyone else getting the fake @coinbase emails and texts? They’re getting increasingly sophisticated. One is a fake verification text to get you to call a fake support number and the other is an email getting you to set up a real wallet they can drain. Stay safe out there." - Twitter/X (May 30)
Protecting Our Customers - Standing Up to Extortionists - Coinbase Blog (May 30)
Coinbase says recent data breach impacts 69,461 customers - BleepingComputer (May 30)
Data Breach Notifications - Maine Attorney General (May 30)
Coinbase discloses over 69,000 users affected by insider-linked data leak - CryptoBriefing (May 30)
Coinbase says cyberattack cost up to $400 million after bribed overseas employees stole customer data - MarketWatch (May 30)
Coinbase says scammers bribed insiders to steal customer data — and it could cost the crypto exchange $400 million - Business Insider (May 30)
Coinbase Global, Inc. - FORM 8-K - United States Securities and Exchange Commission (Jun 2)
Coinbase - "Cyber criminals bribed and recruited rogue overseas support agents to pull personal data on <1% of Coinbase MTUs. No passwords, private keys, or funds were exposed. Prime accounts are untouched. We will reimburse impacted customers." - Twitter/X (Jun 2)
Brian Armstrong - Video Response To Incident - Twitter/X (Jun 2)
Gustl - "gotta hand it to these criminals that they were able to get ahold of coinbase customer support in the first place" - Twitter/X (Jun 2)
Coinbase data breach exposes customer info and government IDs - BleepingComputer (Jun 2)
Nano Baiter - "This scammer is using leaked Coinbase customer data to spam out fake SMS text messages to users. I could dox the scammer right now but I'd rather conceal his identity until he is brought to justice! Let's give you an inside look into the scammer's perspective and workflow." - Twitter/X (Jun 2)
ZachXBT - "Myself and @tanuki42_ spent time reviewing Coinbase withdrawals and gathering data from my DMs for high confidence thefts on various chains. Below is a table we created which shows $65M stolen from Coinbase users in Dec 2024 - Jan 2025." - Twitter/X (Jun 2)
Coinbase hack shows the law probably won’t protect you: Here’s why - CoinTelegraph (Jun 20)
Coinbase Homepage (Jun 20)
https://x.com/zachxbt/status/1886411891213230114 (Jul 2)
