Everything You Need to Know About the Coinbase Breach
On May 15th, 2025, Coinbase notified over 69,000 customers that their personal data had been compromised in a data breach. If you are one of these 69,000+ customers, you have already received an email from Coinbase alerting you to this fact.
But even if you are not one of the thousands of Coinbase users who are now susceptible to identity fraud, you may be wondering what caused the cryptocurrency giant to leak data. We’ve got everything you need to know here, so keep reading.
What Was the Coinbase Data Breach?
On May 11th, 2025, Coinbase received a ransom note from a malicious hacker who claimed to have the personal details of over 69,000 Coinbase users. The hacker then demanded the equivalent of $20 million in BTC to delete the data. Coinbase declined.
Coinbase investigated the breach itself and discovered that the hacker had indeed obtained information about its customers, and had done so by bribing some non-US Coinbase employees for their agent access. The hacker was then able to download this information over a period of 6 months.
These employees have all since been found and fired, and Coinbase is offering a reward of $20 million equivalent in BTC to anyone who can give information leading to the arrest of the hacker.
What Information Was Stolen?
Before you panic, know that the hacker did not steal quite as much information as he thought he stole. Much of what he was given access to was partially masked—meaning he isn’t able to completely take over your social security number and claim benefits in your name.
That being said, he did collect enough to give him leverage to carry out social engineering scams—meaning if someone contacts you claiming to have certain information about you as a Coinbase agent, this could be him. Do not transfer any money at the direction of a Coinbase agent.
The information stolen was as follows:
· Client names
· Client addresses
· Client phone numbers
· Client emails
· Partially masked social security numbers (only the last 4 digits)
· Masked bank account numbers
· Government ID images (submitted to Coinbase for KYC)
· Account data (balances and transaction history)
· Information about Coinbase corporate
While this may sound scary, know that the hacker did not get login credentials, private keys, or the ability to access any accounts. This means your money is not currently in danger of being stolen, but someone might have enough information about you to convince you to move your funds to their account. Stay vigilant, and do not believe any calls or emails you receive from anyone claiming to work for Coinbase.
What Should You Do?
If you are a current customer of Coinbase, ensure you check your email for notification that your account has been compromised. These emails went out on May 15th, 2025, to everyone affected. If you did not get an email, you were NOT affected.
If you were affected, Coinbase recommends taking the following steps:
· Turn on withdrawal allow listing (only allows withdrawals to trusted accounts)
· Enable 2FA if you haven’t already
· Don’t answer the phone from numbers you don’t recognize.
· If you receive a call from someone claiming to work at Coinbase, hang up.
· Lock your account if you feel threatened. Then contact security@coinbase.com
· Do not click any links in any emails from Coinbase, even if they look legit. Instead, sign directly into your account via a web browser and make any changes there.
· Use a cold wallet to store cryptocurrency funds whenever possible.
Note that Coinbase has already flagged your account, and you will be required to present extra identification the next time you log in.
What If You Have Already Been Scammed?
Unfortunately, because the malicious actor has been carrying out this scheme since December 2024, some individuals have already been scammed. If you or someone you know has already been maliciously convinced to move funds off the Coinbase platform, contact Coinbase customer support immediately.
Remember, only those who received an email on May 15th, 2025, were affected by the breach. If that was you, and you sent money to someone who later turned out to be a scammer (between December 2024 and May 2025), email security@coinbase.com to start the investigation into the transfer. If it is found to be connected to the data breach, you will be reimbursed.
Why Didn’t Coinbase Pay the Ransom?
Many online are asking why Coinbase didn’t pay the ransom, and honestly, we agree with their decision. This is because paying the $20 million ransom would not guarantee that the illegally farmed data would be deleted. Rather, the criminal would receive $20 million, and could continue to carry out social engineering scams.
Coinbase made the right decision, instead placing the $20 million equivalent in BTC as a reward for information that leads to the criminal’s capture. They are also putting funds into ensuring a breach like this doesn’t happen again.
Who is Behind the Coinbase Breach?
Currently, there is no conclusive information as to who is behind the Coinbase breach, though many cryptocurrency investigators are working to find out (also so they can receive the reward!).
Coinbase is tracking the stolen funds wherever possible, and they do know that the hacker has already used THORChain to launder the stolen money, switching stolen ETH for DAI, a US dollar-pegged stablecoin. The hacker has also been mocking known cryptocurrency detectives.
We believe that eventually this thief will be caught, as Coinbase is a powerhouse in the cryptocurrency exchange world, and they have already identified several employees who were part of the heist. While it might take some time, they do have money and well-known investigators at their disposal, so we do have confidence they will find the malicious actor.
Just make sure to brush up on your social engineering scam prevention skills and question anything that comes from Coinbase. Remember, Coinbase will never ask you to transfer money—EVER. They will also not ask for your login information.