Thursday, June 4, 2026
Cointelegraph Bitcoin & Ethereum Blockchain News

Background of Coinbase’s May 2025 breach

Coinbase, America’s largest cryptocurrency exchange, received an unsolicited email from an unknown threat actor on May 11, 2025. The sender claimed to possess sensitive information about its customers and demanded a ransom of $20 million.

Before examining the breach, it is worth understanding how it happened at a public company that spends millions monthly on cybersecurity. In February, blockchain investigator ZachXBT reported increased thefts involving Coinbase users. He blamed aggressive risk models and pointed out Coinbase’s failure to prevent $300 million in yearly losses from social engineering scams.

A table ZachXBT shared on X showed $65 million stolen from users between December 2024 and January 2025. He also said the real losses could be higher, as his data only came from his direct messages about onchain thefts, and excluded Coinbase support tickets and police reports he couldn’t access. 

A table shared by ZachXBT showed $65M was stolen from Coinbase users in Dec. 2024 - Jan. 2025

The fear of cybercriminals stealing valuable information came true on May 11 when Coinbase published a blog post confirming that account balances, ID images, phone numbers, home addresses and partially hidden bank details were stolen during the data breach.

On May 21, the same threat actor swapped about $42.5 million from Bitcoin (BTC) to Ether (ETH) via THORChain. They used Ethereum transaction input data to write “L bozo,” following it with a meme video of NBA player James Worthy smoking a cigar, seemingly mocking ZachXBT, who later flagged the message on his Telegram channel.

Coinbase data hacker trolling ZachXBT

What happened: Timeline of the Coinbase breach

The 2025 Coinbase breach wasn’t a typical crypto hack involving smart contracts or blockchain vulnerabilities. Instead, it resembled a traditional IT security failure, marked by insider manipulation, corporate espionage and an extortion attempt.

Below is a breakdown of how the incident unfolded:

  • Insider recruitment and information theft began: To steal information from Coinbase, unknown attackers began recruiting overseas customer service agents (based in India) working for Coinbase. These insiders were paid to leak sensitive customer data and internal documentation, particularly material related to customer service and account management systems. The stolen information was intended for future impersonation scams targeting users.
  • Security detection and employee termination: Coinbase’s internal security team eventually detected suspicious activity linked to these employees. The involved staff were swiftly terminated, and the company alerted affected users. Though just 69,461 accounts were impacted, a fraction of Coinbase’s user base, the depth of stolen personal data made the breach significant.
  • Extortion attempt via email (May 11, 2025): Coinbase received an unsolicited email claiming to possess internal system details and personally identifiable information (PII). This was later confirmed as credible in an 8-K SEC filing. 
  • Coinbase refuses to pay $20M ransom (May 14, 2025): Rather than accepting extortion, Coinbase flipped the script. The company reported the breach to law enforcement, disclosed it publicly and offered a $20 million reward for information leading to the attackers’ arrest, turning defense into offense. 
  • Breach disclosure and public notification: Shortly after the SEC filing, Coinbase publicly confirmed the breach, clarifying the scope and nature of the attack. A data breach notification was filed with the Maine Attorney General’s office, officially stating 69,461 users were affected. 

This timeline reflects how a crypto company responded differently to an attempted cyber-extortion, with transparency, resistance and bold countermeasures. This may change the way companies respond to threats from cybercriminals.

Michael Rubin, an attorney for Coinbase, filed a data breach notification with the Maine Attorney General

Did you know? North Korea’s Lazarus Group has stolen over $6 billion in crypto since 2017, including a record-breaking $1.46 billion from Bybit in 2025. 

What data was compromised in the Coinbase data breach in 2025?

According to a notification letter issued by Coinbase, attackers sought this information because they planned to launch social engineering attacks. The information they stole could help them appear credible to victims and possibly convince them to move their funds.

Coinbase detailed what information the threat actors had accessed and what they could not.

What attackers got

  • Name, address, phone, and email
  • Government‑ID images (e.g., driver’s license, passport)
  • Masked Social Security (last four digits only)
  • Account data (balance snapshots and transaction history)
  • Masked bank account numbers and some bank account identifiers
  • Limited corporate data (including documents, training material, and communications available to support agents)

What attackers…

cointelegraph.com
