Coinbase Global is scrambling to contain the damage after disclosing a serious cyberattack that may cost the company up to $400 million and has exposed major weaknesses in its outsourced support structure.
Shares in the cryptocurrency giant plummeted over 7% on Thursday after the company admitted that personal customer data had been compromised.
The breach, which Coinbase described as affecting a “small subset” of users, involved the theft of names, addresses, phone numbers, email accounts, and government-issued ID images.
Passwords and private keys were reportedly not accessed, but the loss of such identifying details poses significant risks for phishing and identity fraud.
According to a regulatory filing, the company received a chilling email on May 11 from an unidentified threat actor who claimed to have obtained internal company documents and customer data. The hackers demanded a $20 million ransom in exchange for not leaking the information.
But what stands out is how the attackers gained access: Coinbase says the hackers paid several contractors and employees working in support roles outside the United States to help them acquire sensitive customer data.
The individuals, hired to assist with customer service, used their access to pull private account details—marking a stark breakdown in internal access controls.
According to Coinbase, those involved have since been terminated and referred to law enforcement. The company says it has not paid the ransom and is working closely with authorities.
In a blog post, the company admitted:
“Cybercriminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks.”
“These agents abused their access to customer support systems to steal the account data for a small subset of customers.”
“We’re cooperating closely with law enforcement to pursue the harshest penalties possible and will not pay the $20 million ransom demand we received.”
Instead, Coinbase is offering a $20 million reward for information that leads to the arrest and conviction of those behind the attack.
It is also moving to “harden” its systems and has announced the creation of a new U.S.-based support hub to improve oversight and reduce exposure from third-party staffing.
The company says it will reimburse any affected customers who were duped into sending funds to the attackers. Its current estimate for remediation and reimbursement costs ranges from $180 million to $400 million.
But the timing couldn’t be worse. The U.S. Securities and Exchange Commission has launched a separate investigation into whether Coinbase has inflated its user numbers, putting the exchange under dual fire—from regulators and cybercriminals.
The revelations raise serious questions about Coinbase’s operational model, particularly its dependence on international contractors for sensitive customer support functions.
While Coinbase insists only a small portion of customers were affected, the damage to user trust may be far more widespread.
For a company managing more than $328 billion in assets, the real cost of the breach may go beyond dollars—it may lie in the confidence lost among investors and customers now left wondering who really has access to their personal data.
