What should worry users more: the data leaked during the Coinbase hack, or the fact that it may have started months ago?
On May 15, Coinbase, one of the largest crypto exchanges, confirmed a major data breach that has raised concerns across crypto circles. The breach was not caused by a technical failure but by a human vulnerability involving social engineering.
Criminal actors reportedly bribed third-party contractors working in overseas customer support roles to extract sensitive user data from Coinbase's internal systems.
These insiders then bypassed standard cybersecurity protections, granting attackers direct access to restricted databases.
Coinbase detected the intrusion through internal monitoring, but evidence suggests the breach may have begun months earlier. The company publicly disclosed the incident on May 15, only after confirming unauthorized access, a delay that has contributed to user frustration.
Less than 1% of Coinbase's 9 million monthly transacting user accounts were affected. Coinbase estimates that addressing the breach could cost up to $400 million, including expenses for remediation, user reimbursements, and potential revenue losses.
No crypto assets, private keys, API credentials, or transaction histories were compromised. However, the exposed data includes names, email addresses, phone numbers, physical addresses, and in some U.S. cases, partial Social Security numbers.
Some users have also reported on social media that their Know Your Customer documents, such as passports or driver's licenses, may have been accessed, although Coinbase has not confirmed this.
While the breach does not give attackers direct access to user funds, the stolen information increases the risk of targeted phishing campaigns, identity theft, or harassment, especially for users whose residential addresses were exposed.
The market reaction was swift. Coinbase stock (COIN) dropped 7.2% on the day of the announcement, closing at $244.44 after reaching an intraday low of $241.
The timing amplified the fallout, as the company had only recently been added to the S&P 500 index, a milestone typically viewed as a marker of institutional credibility and operational maturity.
Following the discovery of the breach, Coinbase outlined a detailed response plan aimed at limiting damage, reinforcing internal safeguards, and helping affected customers recover.
Coinbase believes the attackers were not attempting to drain accounts directly but were instead building a list of users they could deceive into giving up control.
In parallel, the criminals demanded $20 million from Coinbase in exchange for withholding the leaked information. Coinbase refused and instead launched its own $20 million bounty, offered to anyone who helps bring the attackers to justice.
Meanwhile, Coinbase has committed to reimbursing users who were tricked into sending their crypto to scammers as a direct result of this incident. These reimbursements will be made following a case-by-case assessment to confirm that the losses were specifically tied to the fallout from the breach.
In addition to reimbursements, Coinbase has introduced new security measures for affected users. These include additional identity verification for large withdrawals and scam-awareness prompts that now appear during certain transactions.
Users flagged as high-risk may also experience intentional delays in transaction processing as part of ongoing risk monitoring.
Internally, Coinbase is working to reduce future exposure by increasing security oversight at its global support centers. A new support hub is being set up in the U.S. with enhanced monitoring and restrictions.
The company has also increased its investment in automated insider threat detection and is now stress-testing internal systems using simulated attacks to identify weak points.
Users have been advised to enable wallet withdrawal allow-listing, use hardware keys for two-factor authentication wherever possible, and lock their account via the app if anything feels suspicious.
Long before Coinbase acknowledged the breach, independent blockchain investigator ZachXBT had been raising concerns about a growing pattern of user-targeted scams tied to the platform.
In early February 2025, he published a detailed thread documenting multi-million-dollar thefts from Coinbase users across just two months: December 2024 and January 2025.
Working alongside analyst Tanuki42, ZachXBT gathered case data from blockchain flows and victim messages, identifying a recurring pattern in which users were tricked through sophisticated impersonation tactics.
"This is the result of aggressive risk models and Coinbase's failure to stop its users losing $300M+ per year to social engineering scams," he wrote on Feb. 3.
His findings suggested a much larger underlying issue. One case involved a user who lost approximately $850,000 after being contacted by someone pretending to be Coinbase support.
The attacker had access to personal details, mimicked Coinbase's phone number, and followed up with spoofed emails carrying fake support tickets. The victim was then instructed to whitelist a malicious address and transfer funds to a so-called verification wallet.
ZachXBT traced this theft to a wallet address labeled "coinbase-hold.eth", which had received funds from more than 25 other victims.
He also highlighted the existence of cloned Coinbase websites and admin panels shared across Telegram groups, which scammers used to automate phishing attacks in real time.
Beyond user deception, ZachXBT pointed to operational lapses on Coinbase's side. He outlined examples of previously unreported security failures, including misconfigured API keys used for tax software and bugs that allowed verification codes to be sent to non-existent accounts.
He also identified gaps in internal systems that may have contributed to losses through Coinbase Commerce and the laundering of funds from external exchange hacks.
"Coinbase has quietly had related security incidents they did not publicly address," he noted, estimating that some of these lapses led to tens of millions in user losses without formal acknowledgment.
What made these scams more dangerous, he argued, was the company's apparent delay in flagging suspicious addresses and the difficulties victims faced in reaching effective support.
Many users who contacted him reported minimal response and unresolved cases, especially outside U.S. time zones.
"The threats in this space are always evolving, and you may only have minutes to react," ZachXBT said, adding that major competitors like Kraken and Binance have demonstrated faster responses and fewer such issues.
Even as he criticized Coinbase's handling of risk and transparency, ZachXBT acknowledged that not all fault lay with the company's broader workforce.
"Most of the fault lies on leadership for these decisions," he wrote, pointing out that the platform still delivers useful features such as stablecoin ramps, passive yield tools, and Base ecosystem development.
However, he urged the leadership team to introduce structural safeguards, such as optional phone number removal for advanced users, special withdrawal restrictions for elderly or beginner accounts, and stronger legal action against domestic threat actors.
During early April, ZachXBT had become increasingly critical of the platform's direction. "You had customer data leaked you have yet to transparently disclose," he tweeted, while recounting being locked out of his account twice in a single month without a clear explanation.
Following Coinbase's public admission of the breach in May, his earlier warnings began to receive broader recognition. He estimated that between $200 million and $400 million may have been stolen from high-net-worth Coinbase users since late 2024, with attackers specifically targeting accounts holding seven to eight figures.
The public response to Coinbase's breach has been swift and largely critical, with concerns extending far beyond the exposure of funds.
Prominent figures in the crypto and cybersecurity space have questioned not just the breach itself, but the internal policies that allowed such sensitive information to be accessible to third-party support teams in the first place.
Adam Cochran, a partner at Cinneamhain Ventures, raised serious concerns about how a firm as large and well-resourced as Coinbase failed to maintain proper data security protocols.
"No element of KYC/AML policy requires this kind of stuff to be accessible to your customer support agents... They got physical addresses, and government IDs. Things you can't change, and things that put customers at physical risk," he stated.
Cochran's concerns were amplified by attorney Ariel Givner, who pointed to the timing of the disclosure. According to her, the extortion email demanding $20 million was sent on May 11, but users were only notified after Coinbase chose not to comply.
"It appears they knew of this a few days ago... yet are only now telling customers because they didn't pay the bribe," she wrote, citing the SEC filing as the moment the company was compelled to make it public.
Others have highlighted how widespread the fallout may be. One X user shared that "every person I know who uses Coinbase [has] been getting phishing calls and text messages," suggesting that the impact may be broader than the reported 1%.
Meanwhile, Mike Alfred, a well-known investor, shared that even "tech savvy people" were affected, including a Stanford graduate friend who lost 3 Bitcoins.
"The person on the phone knew literally everything about him and his account," he explained, pointing directly to insider knowledge and calling it an "inside job."
There is also growing concern over the long-term consequences for those whose data is now in circulation.
Alex Valaitis, a founder and crypto strategist, commented, "They just put lifelong targets on these users' backs." With names, home addresses, and government ID scans now in the hands of attackers, the fear is no longer limited to digital risk.
"Even if those users transfer their funds out of Coinbase, they need to look over their shoulder the rest of their lives," he warned.
This sense of physical exposure has parallels to recent incidents in France, where known crypto holders have been targeted in a string of kidnappings and extortion attempts.
In those cases, attackers used previously leaked data to track down individuals, in some cases entering homes or physically threatening family members.
While no such incidents have been linked to this breach yet, the concern now is that the release of residential and identity data could increase the risk of similar events in the future.