The cryptocurrency exchange Coinbase has confirmed a data leak affecting less than 1% of its users. The attackers bribed support staff to gain access to confidential information. The exchange assured users that it would cover all financial losses and has established a $20 million fund to apprehend the culprits.
Reported by Business • Media.
Data Leak and Its Consequences
The leak involved critical personal data of users, including KYC information, addresses, and phone numbers. Coinbase estimated the cost of mitigating the incident at between $180 million and $400 million. According to documents submitted to the U.S. Securities and Exchange Commission (SEC), on May 11, 2025, the company received an email from a suspected attacker who claimed to have access to user data and demanded money in exchange for not disclosing it.
Coinbase believes that access to the data was obtained by bribing support staff. Following the discovery of the leak, the company terminated all employees involved in the incident. The leaked data included:
- first and last names;
- physical addresses;
- KYC verification data;
- email addresses;
- copies of identification documents;
- corporate documentation;
- encrypted banking information and some identifiers.
Response and Security Measures
The incident did not lead to operational losses; however, it drew significant criticism from users. The CEO of Wintermute, Yevhen Haievoy, noted:
“Despite the fact that Coinbase did not disclose this (much, much) earlier, this is the dark side of the absurd KYC/AML regime we live in. By making it easier for law enforcement and geopolitical games, we simultaneously sacrifice our privacy, imposing a huge tax on virtually all businesses and facilitating robberies, kidnappings, and crimes for criminals.”
The attackers aimed to build a customer database for future phishing attacks. Previously, crypto detective ZachXBT stated that no centralized cryptocurrency exchange is subjected to as much fraud as Coinbase. The attackers demanded $20 million for non-disclosure of the data; however, the exchange refused to pay and instead created a $20 million fund to reward those who assist in apprehending the criminals.