Coinbase — overseas-contractor breach

Attackers bribed overseas Coinbase customer-support contractors to extract internal data on a subset of customers; Coinbase refused a $20M ransom and offered a counter-bounty.

Target: Coinbase — overseas-contractor breach
Date public: 15 May 2025
Sector: Financial Services
Attack type: Insider
Threat actor: Bribed overseas customer-support contractors
Severity: High
Region: Global

In May 2025 Coinbase disclosed that attackers had recruited and bribed customer-support contractors employed by Coinbase’s overseas business-process-outsourcing partners to extract internal customer data on a subset of high-net-worth users. The data taken included names, addresses, dates of birth, masked Social Security numbers, masked bank-account numbers, government-ID images and account balances, but did not include passwords, two-factor authentication codes, or wallet seed phrases. Coinbase confirmed in its 8-K filing that no customer funds had been stolen.

The attackers attempted to extort Coinbase for $20 million, threatening public disclosure. Coinbase publicly refused to pay, fired the implicated contractors, terminated relationships with the affected outsourcers, and offered a parallel $20 million bounty for information leading to the attackers’ arrest. The company disclosed estimated remediation and reimbursement costs of $180-400 million in the same filing. The incident is studied as a textbook example of the insider-recruitment threat against the customer-support tier of large financial-services platforms — the same channel exploited at Robinhood (2021), Twilio (2022), and many others.

Controls that would have helped

Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
