Explained: The Coinbase Extortion Attack (May 2025)

POSTED BY: Rob Behnke

05.20.2025

In May 2025, Coinbase discovered and revealed an insider attack on its organization and customers. Some of the organization’s employees collected and exfiltrated sensitive information about some of the company’s customers to use in social engineering attacks. The attackers demanded a $20 million ransom from the company.

Inside the Attack

Social engineering attacks have become increasingly common in the Web3 space, and many of these attacks require personal information about the target to be convincing and effective. One cybercrime group bribed some of Coinbase’s overseas support agents to collect sensitive information about the company’s customers.

In this attack, the rogue agents collected account data for the targets from the internal customer support system. The data was sensitive and included names, the last four digits of Social Security Numbers (SSNs), masked bank account information, images used for identity verification, and more. However, the attackers did not have access to passwords, private keys, or funds entrusted to Coinbase’s care.

The attackers demanded a $20 million ransom from Coinbase to cover up the incident. Instead, Coinbase has established a $20 million reward for information regarding the group behind the attack. Additionally, the company has reimbursed customers who fell for phishing attacks that were performed using the stolen data and has implemented additional security controls to help prevent similar social engineering attacks in the future.

Lessons Learned from the Attack

The Coinbase data theft and extortion incident demonstrates the lengths to which cybercriminals are willing to go to carry out an effective social engineering attack. While some phishing attacks send generic emails to many people, the Coinbase hackers collected sensitive information about less than 1% of Coinbase’s user base. This allowed them to craft more targeted attacks with a much higher chance of success than a generic pretext, which is more easily identified as phishing.

This incident is one of many attacks in which sophisticated social engineering and off-chain techniques have been used to great effect. Unlike exploits of smart contract vulnerabilities, these threats can’t be identified and prevented via a smart contract security audit.

A comprehensive Web3 security program includes protection for on-chain and off-chain assets and resources alike, considering the full range of potential risks to a company and its customers. Halborn’s advisory services provide teams with the knowledge and resources needed to build robust internal security processes to protect against similar threats. To learn more, get in touch.

© Halborn 2025. All rights reserved.