Coinbase data breach 2025: What was stolen and what you need to know

2 weeks ago

Background of Coinbase’s May 2025 breach

Coinbase, America’s largest cryptocurrency exchange, received an unsolicited email from an unknown threat actor on May 11, 2025. They claimed to have sensitive information about its customers and demanded a ransom of $20 million.

Before examining the breach, it is interesting to understand how it happened at a public company that spends millions monthly on cybersecurity. In February, blockchain researcher ZachXBT reported increased thefts involving Coinbase users. He blamed aggressive risk models and pointed out Coinbase’s failure to prevent $300 million in annual losses from social engineering scams.

A table ZachXBT shared on X showed $65 million stolen from users between December 2024 and January 2025. He also said the actual losses could be higher, as his data only came from his direct messages about onchain thefts, and excluded Coinbase support tickets and police reports he couldn’t access.

A table shared by ZachXBT showed $65M were stolen from Coinbase users in Dec. 2024 - Jan. 2025

The fear of cybercriminals stealing valuable information came true on May 11 when Coinbase published a blog post confirming that account balances, ID images, phone numbers, home addresses and partially hidden bank details were stolen during the data breach.

On May 21, the same threat actor swapped about $42.5 million from Bitcoin (BTC) to Ether (ETH) via THORChain. They used Ethereum transaction input data to write “L bozo,” following it with a meme video of NBA player James Worthy smoking a cigar, seemingly mocking ZachXBT, who later flagged the message on his Telegram channel.

Coinbase data hacker trolling ZachXBT

What happened: Timeline of the Coinbase breach

The 2025 Coinbase breach wasn’t a typical crypto hack involving smart contracts or blockchain vulnerabilities. Instead, it was like a traditional IT security failure, marked by insider manipulation, corporate espionage and an extortion attempt.

Below is a breakdown of how the incident unfolded:

  • Insider recruitment and information theft began: To steal information from Coinbase, unknown cyber attackers began recruiting some overseas customer service agents (based in India) working for Coinbase. These insiders were paid to leak sensitive customer data and internal documentation, particularly that about customer service and account management systems. The stolen information was intended for later impersonation scams targeting users.
  • Security detection and employee termination: Coinbase’s internal security team eventually detected suspicious activity linked to these employees. The involved staff were swiftly terminated, and the company alerted affected users. Though just 69,461 accounts were impacted, a fraction of Coinbase’s user base, the extent of stolen personal data made the breach significant.
  • Extortion attempt via email (May 11, 2025): Coinbase received an unsolicited email claiming to have internal system details and personally identifiable information (PII). This was later confirmed as credible in an 8-K SEC filing.
  • Coinbase refuses to pay $20M ransom (May 14, 2025): Rather than accepting extortion, Coinbase flipped the script. The company reported the breach to law enforcement, disclosed it publicly and offered a $20 million reward for information leading to the attackers’ arrest, turning defense into offense.
  • Breach disclosure and public notification: Shortly after the SEC filing, Coinbase publicly confirmed the breach, clarifying the scope and nature of the attack. A data breach notification was filed with the Maine Attorney General’s office, officially stating 69,461 users were affected.

This timeline reflects how a crypto company responded differently to an attempted cyber-extortion, with transparency, resistance and bold countermeasures. This may bring in a change in the way companies respond to threats from cyber criminals.

Michael Rubin, an attorney for Coinbase, filed a data breach notification with Maine Attorney General

Did you know? North Korea’s Lazarus Group has stolen over $6 billion in crypto since 2017, including a record-breaking $1.46 billion from Bybit in 2025.

What data was compromised in the Coinbase data breach in 2025?

According to a notification letter issued by Coinbase, attackers sought this information because they planned to launch social engineering attacks. The information they stole could help them appear credible to victims and possibly convince them to move their funds.

Coinbase detailed the information the threat actors had got access to and what they could not.

What attackers got

  • Name, address, phone, and email
  • Government‑ID images (e.g., driver’s license, passport)
  • Masked Social Security (last 4 digits only)
  • Account information (balance snapshots and transaction history)
  • Masked bank account numbers and some bank account identifiers
  • Limited corporate data (including documents, training material, and communications available to support agents)

What attackers couldn’t get

  • Login credentials or 2FA codes
  • Private keys
  • Access to Coinbase Prime accounts
  • Any ability to move or access customer funds
  • Access to any Coinbase or Coinbase customer hot or cold wallets

Did you know? In 2022, Crypto.com lost $30 million from 483 accounts. Initially, they claimed no funds were stolen, but later admitted the breach and refunded victims, highlighting the importance of transparency in crypto hacks.

How Coinbase responded to the 2025 criminal data breach

In response to the 2025 data breach, Coinbase implemented a comprehensive strategy to mitigate damage, support affected users and strengthen its security infrastructure.

Key actions taken by Coinbase included:

  • Refusal to pay ransom: Coinbase declined the $20 million ransom demanded by the attackers. Instead, the company established a $20 million reward fund for information leading to the arrest and conviction of those responsible.
  • Customer reimbursements: The company committed to reimbursing customers who were deceived into sending funds due to the breach. Estimated costs for remediation and reimbursements range between $180 million and $400 million.
  • Theft protection services: The company is providing all affected individuals with 1 year of complimentary credit monitoring and identity protection services. This includes credit monitoring, a $1 million insurance reimbursement policy, identity restoration services, and dark web monitoring to detect if any personal information appears on illicit online platforms.
  • Enhanced customer safeguards: Affected accounts will require additional ID verification for large withdrawals, including mandatory scam-awareness prompts to prevent further social engineering attacks.
  • Strengthened support operations: Coinbase is opening a new support hub in the US. It has implemented stronger security controls and monitoring across all locations to prevent insider threats.
  • Collaboration with law enforcement: The company is cooperating closely with US and international law enforcement agencies. Insiders involved in the breach were terminated and referred for criminal prosecution.
  • Transparency and communication: Coinbase immediately notified affected customers once the breach was recognized. It is providing ongoing updates about the breach and the steps being taken to address it.

These measures reflected Coinbase’s commitment to customer protection and its proactive approach to cybersecurity challenges.

Did you know? Crosschain bridges, like Nomad Bridge, lost $190 million in 2022 due to complex smart contract vulnerabilities. These bridges are hacker favorites because they store massive crypto assets, making them lucrative targets.

How to stay safe in the case of Coinbase-like data breaches

In the aftermath of large-scale data breaches of crypto platforms, you should take proactive steps to protect yourself from social engineering attacks.

Here is how you could stay safe in such an event:

  • Never share sensitive information with impersonators: Scammers often pose as support staff or security agents after a breach. They may push you toward moving funds to crypto wallets they share with you or revealing sensitive information under various pretexts. Never share your password, two-factor authentication (2FA) codes, or recovery phrases with such impersonators. No crypto exchange will ask you to transfer crypto to a “new” or “safe” wallet.
  • Turn on allow-listing of wallet addresses: Some exchanges provide this feature, which restricts withdrawals to pre-approved wallet addresses you fully control. This prevents unauthorized transfers even if your account is compromised.
  • Enable strong 2FA: For 2FA, use a hardware security key or a trusted authentication app. Avoid relying on SMS-based 2FA, which is vulnerable to SIM-swapping attacks.
  • Be cautious with unsolicited communication: Hang up immediately if someone calls claiming to be from a crypto platform and asks for security credentials or requests asset transfers. Do not respond to unknown texts or emails with your personal information.
  • Lock first, investigate later: If something feels suspicious, lock your account immediately through the app or platform and report the incident to customer support via official channels.
  • Stay informed: Regularly review security tips and updates from your crypto services to recognize and avoid evolving scam tactics.