Coinbase Support Data Breach Sophisticated Phishing

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 16:02, 5 June 2025 by Azoundria (talk | contribs). Imported case study; source: https://www.quadrigainitiative.com/casestudy/coinbasesupportdatabreachsophisticatedphishing.php


Coinbase Building/Logo

Coinbase, a leading U.S. cryptocurrency exchange, disclosed a major cybersecurity incident involving insider data leaks used in sophisticated phishing scams. Attackers impersonated Coinbase support to trick users into transferring funds to fraudulent wallets. Although customer funds and passwords weren’t directly accessed, personal data was compromised. Coinbase is cooperating with law enforcement, enhancing security measures, and expects to spend $180–$400 million on remediation and voluntary reimbursements.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16]

About Coinbase

Coinbase is a secure and user-friendly platform that facilitates the buying, selling, and storage of cryptocurrencies like Bitcoin and Ethereum. Designed to serve both beginners and experienced investors, it has become one of the most widely used cryptocurrency exchanges in the United States.

Since its founding in 2012, Coinbase has grown into a leading platform in the crypto space. It supports a wide range of services, including basic crypto investing, advanced trading tools, institutional custodial accounts, and a standalone wallet for individual users. It also launched its own U.S. dollar-backed stablecoin to enhance crypto transactions.

Trusted by approximately 73 million verified users, 10,000 institutions, and 185,000 partners across more than 100 countries, Coinbase plays a key role in the global crypto ecosystem. Fully regulated and licensed (except in Hawaii), Coinbase began with Bitcoin trading but has since expanded to support a variety of cryptocurrencies that meet its decentralized standards.

The Reality

Coinbase users should understand that their personal information has been exposed and that they are likely to be targeted with tailored attacks.

What Happened

Organized scammers, using insider-leaked data and advanced social engineering tactics, impersonated Coinbase support to trick users into migrating funds to attacker-controlled wallets, resulting in massive crypto thefts.

Key Event Timeline - Coinbase Support Data Breach Sophisticated Phishing
Date | Event | Description
April 14th, 2024 7:51:28 PM MDT | Coinbase Starts Drafting Post | Date found in the source code metadata for some elements of the blog post. This may have been when the public response template started being drafted by Coinbase internally. However, Coinbase has publicly declared that they did not know of the data breach prior to May 11th.
December 26th, 2024 | Date The Breach Occurred | The date of the breach, according to information provided to the Maine attorney general.
March 14th, 2025 9:03:00 AM MDT | Steve Reports Phishing | Twitter/X user SteveKBark reports that they received text messages with fake verification codes and emails falsely claiming that Coinbase is transitioning to self-custodial wallets. These increasingly sophisticated phishing attempts include fake support numbers and deceptive wallet setup prompts designed to steal users' funds. He warns others to stay vigilant against these scams.
May 11th, 2025 | Hackers Disclose The Breach | According to Coinbase, hackers disclosed the breach and attempted to extort them for $20m to not release the data.
May 15th, 2025 4:49:00 AM MDT | Coinbase Announces Breach | Coinbase announces the breach of customer personal information.
May 15th, 2025 4:50:00 AM MDT | Brian Armstrong Video Posted | Brian Armstrong shares a video with high level details about the extortion attempt and promises to reimburse customers. The $20m will be used as a reward for information leading to the arrests of the extortionists.
May 15th, 2025 4:53:54 AM MDT | Coinbase Public Disclosure | Coinbase publicly discloses that a group of overseas support agents was bribed by cybercriminals to leak customer data used in targeted social engineering attacks, affecting less than 1% of users. While no passwords, private keys, or funds were directly compromised, Coinbase is reimbursing victims and launching a $20 million reward fund for information leading to the attackers' arrest, refusing to pay a ransom. The company is reinforcing internal security, enhancing fraud detection, and cooperating with law enforcement to hold the perpetrators accountable.
May 21st, 2025 3:33:06 AM MDT | BleepingComputer Article Published | BleepingComputer publishes an article revealing that Coinbase’s recent data breach impacted 69,461 customers after overseas support contractors improperly accessed sensitive customer data. The article includes details on insider misconduct, the exposure of sensitive customer information, potential social engineering risks, a ransom demand, and Coinbase’s commitment to customer reimbursements and enhanced security measures.
May 21st, 2025 7:43:25 AM MDT | CryptoBriefing Article Published | CryptoBriefing publishes an article on the incident.
May 21st, 2025 10:09:00 PM MDT | SlowMist Shares Report | SlowMist publishes a report about the advanced phishing tactics targeting Coinbase users, revealing a coordinated and highly sophisticated social engineering campaign. The scams, which have stolen hundreds of millions of dollars, involve impersonating Coinbase support through spoofed calls, emails, and texts, pressuring users into migrating their funds into attacker-controlled wallets. The report emphasizes that Coinbase’s infrastructure wasn't breached; rather, human vulnerabilities were exploited. SlowMist recommends that platforms enhance user education, implement behavioral risk detection, and address insider threats, while advising users to remain skeptical, compartmentalize their identities, and verify all communications through official channels.

Technical Details

Coinbase’s recent cybersecurity incident revealed a disturbing evolution in phishing tactics, with scammers leveraging sophisticated social engineering methods rather than direct system breaches. According to an investigative report by blockchain security firm SlowMist, attackers exploited insider access to user data, then launched highly targeted campaigns designed to deceive users into self-compromising their accounts. The hallmark of these attacks is a shift from broad, generic phishing to a “tailor-made” approach using pre-stolen data.

The scam typically begins with the impersonation of Coinbase customer support using spoofed PBX systems and fake email domains. Attackers contact users with convincing messages—such as alerts about “suspicious activity” or “unauthorized access”—to create a false sense of urgency. These communications are coordinated across channels (voice, SMS, and email) and often include spoofed ticket numbers or links to cloned Coinbase login pages. Victims are then guided to install Coinbase Wallet and are told to move funds into a “safe” wallet. However, this wallet’s seed phrase is generated and controlled by the attacker, who quickly drains the assets once the user completes the transfer.

The infrastructure behind these campaigns is alarmingly professional. Scammers use tools like FreePBX and Bitrix24 to spoof calls, bots on Telegram (e.g., @spoofmailer_bot) to send phishing emails, and even large datasets of user information purchased from dark web markets to select and target victims. In some instances, attackers used generative AI tools such as ChatGPT to segment data and automate phishing messages. These campaigns have also spread disinformation—claiming Coinbase was migrating users to self-custody wallets due to legal settlements—adding another layer of manipulation.
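The two paragraphs above describe a recognisable message pattern: a sender that imitates Coinbase, urgency language, a number to call back, a push to "migrate" funds to a new or self-custody wallet, and eventually a request involving a seed phrase. The following is an added example of triage logic for such messages, written here to illustrate the pattern; it is not code from the case study, from Coinbase or from SlowMist. The legitimate-domain allowlist, the indicator weights, the alert threshold and the three sample messages are all constructed assumptions.

```python
"""Heuristic triage of messages that claim to come from Coinbase support.

Added example; not code from the case study, Coinbase or SlowMist. A message is
scored on the social-engineering indicators described in the text: a sender
domain that imitates the real one, urgency language, a call-back number, a push
to move funds to a "safe" or self-custody wallet, and mention of a seed phrase.
The allowlist, weights, threshold and samples are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: domains a genuine support contact would use. Take this from the
# provider's published security page, never from the message under review.
LEGIT_DOMAINS = {"coinbase.com"}
BRAND = "coinbase"
THRESHOLD = 4  # assumed cut-off: score >= THRESHOLD is treated as impersonation

INDICATORS: List[Tuple[str, int, "re.Pattern[str]"]] = [
    # (name, weight, pattern); each indicator counts at most once per message
    ("urgency", 1, re.compile(
        r"\b(suspicious activity|unauthori[sz]ed access|immediately|"
        r"within \d+ (minutes|hours)|will be (locked|suspended))\b", re.I)),
    ("callback_number", 2, re.compile(
        r"\b(call|dial)\b[^.\n]{0,40}?\+?\d[\d\s()-]{7,}\d", re.I)),
    ("wallet_migration", 2, re.compile(
        r"\b(self[- ]custod(y|ial)|migrat(e|ing|ion)|(move|transfer) (your )?(funds|assets)|"
        r"(safe|new) wallet)\b", re.I)),
    ("seed_phrase", 3, re.compile(
        r"\b(seed|recovery|secret) phrase\b|\b(12|24)[- ]word\b|\bprivate key\b", re.I)),
    ("verification_code", 1, re.compile(
        r"\b(verification|security|one[- ]time) code\b", re.I)),
]


@dataclass
class Message:
    channel: str   # "email" or "sms"
    sender: str    # email address or phone number
    body: str


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    suspicious: bool = False


def sender_domain(sender: str) -> Optional[str]:
    return sender.rsplit("@", 1)[1].lower() if "@" in sender else None


def domain_indicator(dom: Optional[str]) -> Optional[Tuple[str, int]]:
    """Lookalike domains (brand name, not allowlisted) weigh more than plain external ones."""
    if dom is None:
        return None
    if dom in LEGIT_DOMAINS or any(dom.endswith("." + d) for d in LEGIT_DOMAINS):
        return None
    return ("lookalike_domain", 3) if BRAND in dom else ("external_domain", 2)


def classify(msg: Message) -> Verdict:
    v = Verdict()
    dom = domain_indicator(sender_domain(msg.sender))  # SMS senders have no domain
    if dom:
        v.reasons.append(dom[0])
        v.score += dom[1]
    for name, weight, pattern in INDICATORS:
        if pattern.search(msg.body):
            v.reasons.append(name)
            v.score += weight
    v.suspicious = v.score >= THRESHOLD
    return v


# Constructed sample messages (not real captures).
SAMPLES = [
    Message("email", "help@coinbase-support.net",
            "We detected suspicious activity on your account. Coinbase is migrating all users "
            "to self-custodial wallets under a legal settlement. Install Coinbase Wallet and "
            "move your funds to the safe wallet below. Ticket #CB-771203."),
    Message("sms", "+15550100199",
            "Your Coinbase verification code is 483920. If you did not request this, "
            "call +1 555 010 0177 immediately."),
    Message("email", "no-reply@coinbase.com",
            "Your monthly statement is ready. Sign in to your account to view it."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = classify(m)
        print(f"{m.channel:5} {m.sender:28} score={v.score} suspicious={v.suspicious} {v.reasons}")
```

The first sample scores on the lookalike domain, the urgency language and the wallet-migration pitch; the second, a fake verification text with a call-back number, scores on the call-back, the code and the urgency; the genuine-looking statement notice scores nothing. Weighting the call-back number and the wallet-migration language above generic urgency matches the text's point that the dangerous step is the one that moves the user off-platform.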

Once funds are stolen, scammers often use decentralized exchanges and bridging protocols such as Uniswap, THORChain, and Chainflip to convert and launder assets through DAI or USDT, further complicating recovery efforts. According to MistTrack analysis, some attacker-controlled wallets have received hundreds of BTC and remain partially dormant, highlighting the scale and persistence of this ongoing campaign.

Total Amount Lost

While Coinbase continues to assess the full scope of the breach, the company estimates that remediation and customer reimbursements could cost between $180 million and $400 million.

The total amount at risk has been estimated at $400,000,000 USD. The total amount lost has been estimated at $180,000,000 USD.

Immediate Reactions

Coinbase disclosed in its Form 8-K filing that it had been aware of the breached information prior to receiving the extortion email on May 11, 2025. In its documentation to the Maine Attorney General, the company disclosed the actual date of the breach as December 26th, 2024.

The company reported that it had independently detected instances of unauthorized data access by overseas contractors or employees in support roles months before the email was received. Upon discovery, Coinbase terminated the involved personnel, removed access, and implemented heightened fraud-monitoring protections.
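Coinbase's statement that it detected the unauthorized access through its own monitoring, and SlowMist's recommendation (in the timeline above) that platforms implement behavioral risk detection and address insider threats, both come down to analytics over support-tool audit logs. The block below is an added example of that kind of detection, written for this page; it is not Coinbase's monitoring system or any vendor's product. The audit-line format, the agent, customer and ticket identifiers, the thresholds and every log line are constructed assumptions.

```python
"""Insider-access anomaly detection over a support-tool audit log.

Added example, not Coinbase's monitoring or any vendor's product. It assumes a
constructed one-line-per-event audit format in which every customer-record
view by a support agent records the agent, the action, the customer, and the
ticket the lookup was performed for ("-" when none). Two rules run over the
events in time order: an agent touching more distinct customer records inside
a sliding one-hour window than a baseline allows, and repeated record views
that are not tied to any support ticket. Thresholds and log lines are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, NamedTuple, Set, Tuple

LINE = re.compile(
    r"^(?P<ts>\S+) agent=(?P<agent>\S+) action=(?P<action>\S+) "
    r"customer=(?P<customer>\S+) ticket=(?P<ticket>\S+)$"
)


class Event(NamedTuple):
    ts: datetime
    agent: str
    action: str
    customer: str
    ticket: str  # "-" means the lookup was not linked to any ticket


class Alert(NamedTuple):
    rule: str
    agent: str
    detail: str


def parse(lines: Iterable[str]) -> List[Event]:
    """Parse audit lines; malformed lines are skipped and events are time-sorted."""
    events: List[Event] = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, m["agent"], m["action"], m["customer"], m["ticket"]))
    return sorted(events, key=lambda e: e.ts)


def detect(events: List[Event], max_distinct: int = 5,
           window: timedelta = timedelta(hours=1), max_unticketed: int = 3) -> List[Alert]:
    """Return at most one alert per (agent, rule), in the order they first fire."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    unticketed: Dict[str, int] = defaultdict(int)
    fired: Set[Tuple[str, str]] = set()
    alerts: List[Alert] = []
    for e in events:
        q = recent[e.agent]
        q.append((e.ts, e.customer))
        while q and e.ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        distinct = {c for _, c in q}
        if len(distinct) > max_distinct and (e.agent, "bulk_lookup") not in fired:
            fired.add((e.agent, "bulk_lookup"))
            alerts.append(Alert("bulk_lookup", e.agent,
                                f"{len(distinct)} distinct customers in the hour ending {e.ts.isoformat()}"))
        if e.ticket == "-":
            unticketed[e.agent] += 1
            if unticketed[e.agent] >= max_unticketed and (e.agent, "no_ticket") not in fired:
                fired.add((e.agent, "no_ticket"))
                alerts.append(Alert("no_ticket", e.agent,
                                    f"{unticketed[e.agent]} record views with no linked ticket"))
    return alerts


def run(lines: Iterable[str]) -> List[Alert]:
    return detect(parse(lines))


# Constructed sample log: ag-2207 works three ticketed cases over two hours;
# ag-1042 walks through six unrelated customer records in four minutes with
# no ticket attached. One line is deliberately malformed.
SAMPLE_LOG = """
2024-12-26T03:00:12Z agent=ag-2207 action=view_profile customer=c-10001 ticket=T-5501
2024-12-26T03:14:40Z agent=ag-1042 action=view_profile customer=c-88213 ticket=-
2024-12-26T03:15:03Z agent=ag-1042 action=view_profile customer=c-88219 ticket=-
2024-12-26T03:15:41Z agent=ag-1042 action=view_profile customer=c-88244 ticket=-
2024-12-26T03:16:09Z agent=ag-1042 action=view_documents customer=c-88244 ticket=-
2024-12-26T03:16:55Z agent=ag-1042 action=view_profile customer=c-88301 ticket=-
2024-12-26T03:17:30Z agent=ag-1042 action=view_profile customer=c-88377 ticket=-
2024-12-26T03:18:02Z agent=ag-1042 action=view_profile customer=c-88390 ticket=-
2024-12-26T03:40:00Z agent=ag-2207 action=view_profile customer=c-10002 ticket=T-5502
this line is malformed and is skipped by the parser
2024-12-26T04:55:00Z agent=ag-2207 action=view_profile customer=c-10003 ticket=T-5503
""".strip().splitlines()

if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(f"[{a.rule}] agent={a.agent}: {a.detail}")
```

On the sample log the ticketed agent produces nothing, while the agent paging through unrelated records triggers the no-ticket rule first (at the third untagged view) and the bulk-lookup rule when the sixth distinct customer appears inside the hour. The distinct-customer count, rather than a raw event count, is what separates a legitimate back-and-forth on one case from the wide, shallow reads that bulk data exfiltration by an insider produces.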

Ultimate Outcome

In May 2025, Coinbase notified affected customers, enhanced fraud monitoring and established a $20 million reward fund for information leading to the arrest and conviction of the attackers, who had demanded the same amount in ransom. Coinbase also pledged to reimburse customers who were tricked into sending funds to the attackers, with estimated costs ranging from $180 million to $400 million for remediation and customer refunds.

Coinbase released a Form 8-K to the Securities and Exchange Commission, describing the event as a material cybersecurity incident that occurred on May 11, 2025. The company reported receiving a credible extortion email from a threat actor who claimed to possess sensitive data relating to Coinbase customer accounts and internal documents. The information was allegedly acquired through the cooperation of overseas contractors or employees in support roles, who were paid by the threat actor to access internal systems without a legitimate business reason. Coinbase had previously identified and terminated these individuals after detecting unauthorized activity through its own security monitoring systems.

The breach did not involve customer passwords, private keys, or any access to customer funds. However, the compromised data included personal details such as names, addresses, masked Social Security numbers and bank account information, government ID images, transaction history, and internal training materials. Coinbase emphasized that it has not paid the extortion demand and is working with law enforcement authorities to investigate the incident. The company is also implementing additional fraud-prevention measures and launching a new U.S.-based support hub to strengthen internal security protocols.

While no immediate operational disruptions have occurred,

Total Amount Recovered

Coinbase has committed to voluntarily reimbursing retail customers who were tricked into sending funds to scammers as a direct result of the incident, pending a review to verify each case.

The total amount recovered has been estimated at $180,000,000 USD.

Ongoing Developments

Coinbase estimates that it may incur between $180 million and $400 million in expenses related to remediation and voluntary reimbursements to affected retail customers. This estimate is preliminary and could change significantly depending on further investigation, potential recoveries, or legal developments.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. SlowMist - "In recent years, Coinbase users have repeatedly become targets of social engineering attacks — and on May 15, Coinbase confirmed insider involvement." - Twitter/X (Accessed May 30, 2025)
  2. “Customer Support” in the Dark Forest: Social Engineering Scams Target Coinbase Users - SlowMist (Accessed Jun 2, 2025)
  3. Steve - "Is anyone else getting the fake @coinbase emails and texts? They’re getting increasingly sophisticated. One is a fake verification text to get you to call a fake support number and the other is an email getting you to set up a real wallet they can drain. Stay safe out there." - Twitter/X (Accessed May 30, 2025)
  4. Protecting Our Customers - Standing Up to Extortionists - Coinbase Blog (Accessed May 30, 2025)
  5. Coinbase says recent data breach impacts 69,461 customers - BleepingComputer (Accessed May 30, 2025)
  6. Data Breach Notifications - Maine Attorney General (Accessed May 30, 2025)
  7. Coinbase discloses over 69,000 users affected by insider-linked data leak - CryptoBriefing (Accessed May 30, 2025)
  8. Coinbase says cyberattack cost up to $400 million after bribed overseas employees stole customer data - MarketWatch (Accessed May 30, 2025)
  9. Coinbase says scammers bribed insiders to steal customer data — and it could cost the crypto exchange $400 million - Business Insider (Accessed May 30, 2025)
  10. Coinbase Global, Inc. - FORM 8-K - United States Securities and Exchange Commission (Accessed Jun 2, 2025)
  11. Coinbase - "Cyber criminals bribed and recruited rogue overseas support agents to pull personal data on <1% of Coinbase MTUs. No passwords, private keys, or funds were exposed. Prime accounts are untouched. We will reimburse impacted customers." - Twitter/X (Accessed Jun 2, 2025)
  12. Brian Armstrong - Video Response To Incident - Twitter/X (Accessed Jun 2, 2025)
  13. Gustl - "gotta hand it to these criminals that they were able to get ahold of coinbase customer support in the first place" - Twitter/X (Accessed Jun 2, 2025)
  14. Coinbase data breach exposes customer info and government IDs - BleepingComputer (Accessed Jun 2, 2025)
  15. Nano Baiter - "This scammer is using leaked Coinbase customer data to spam out fake SMS text messages to users. I could dox the scammer right now but I'd rather conceal his identity until he is brought to justice! Let's give you an inside look into the scammers perspective and workflow." - Twitter/X (Accessed Jun 2, 2025)
  16. ZachXBT - "Myself and @tanuki42_ spent time reviewing Coinbase withdrawals and gathering data from my DMs for high confidence thefts on various chains. Below is a table we created which shows $65M stolen from Coinbase users in Dec 2024 - Jan 2025." - Twitter/X (Accessed Jun 2, 2025)