The large-scale extortion scheme targeting Coinbase customers has affected close to 70,000 individuals, according to a new official document from the US-based cryptocurrency exchange.
Following its disclosure of the breach on May 15, Coinbase filed a data breach notification to the Office of Maine’s Attorney General on May 21.
In the notification, the crypto exchange stated insider wrongdoing as the description of the break.
“A small number of individuals, performing services for Coinbase at our overseas retail support locations, improperly accessed customer information,” the document read.
It also confirmed that the breach occurred on December 26, 2024, and affected 69,461 customers.
The document shows that Coinbase didn’t discover the breach until May 11, 2025.
This was the day the attackers sent an email attempting to extort a $20m ransom payment in exchange for not releasing the stolen information online, according to a US Securities and Exchange Commission filing.
However, the crypto exchange refused to pay the ransom and instead established a $20m reward fund for tips that could help find the attackers who coordinated this attack and bring them to justice.
Coinbase’s Data Breach Timeline Challenged
According to Taylor Monahan, a prominent figure in the cryptocurrency community, currently responsible for security at MetaMask, the data breach occurred far earlier than the date given by Coinbase in its breach notification.
“Threat actors had ongoing access via multiple insiders over a prolonged period of time,” Monahan claimed on X.
As evidence, here’s a very small cutout of one high value customer’s Coinbase account.
This wasn’t pulled on Dec 26, 2024 honey. pic.twitter.com/UiDbS0iqdV
— Tay 💖 (@tayvano_) May 21, 2025
She also referred to an article published on the Cryptoforensic Investigators website on May 16, stating that “the $20m ransom may be quite recent (May 11), but what has not been made so clear in Coinbase’s disclosure is that the data breach is not nearly as recent.”
The article claimed that select attackers had been targeting higher net worth users “for quite a few months using info gleaned in the data breach” and had achieved significant success in their phishing campaigns, stealing tens of millions of dollars.
The authors added that at least $46m had been identified as stolen in March 2025 through Coinbase phishing and social engineering campaigns, with one user losing 400 bitcoins.
Cryptoforensic Investigators said they had noticed a considerable uptick in a specific type of theft from Coinbase users, with a modus operandi combining phishing, social engineering and vishing.
The article continued: “It has been clear to us that given a major uptick in Coinbase phishing thefts for many months now, along with the information the attackers mention on calls with victims while pretending to be ‘Coinbase support’… There was an underlying data breach that happened months ago.”
The authors estimated that the breach may have occurred “as many as eight to 10 months ago” and that many victims had been targeted since.
“While phishing attacks on Coinbase users have been ongoing for many years, it is abundantly clear that many of the successful phishing attacks in recent months would not have happened if not for the Coinbase data breach,” Cryptoforensic Investigators concluded.
Cryptocurrency Under Cyber-Threat
Many Coinbase stakeholders, including TechCrunch founder Michael Arrington, have voiced concerns over potential repercussions from this incident.
The Coinbase breach occurred against a challenging backdrop for cryptocurrency firms, which are facing a surge in extortion attempts, both online and offline, as evidenced by the recent high-profile heist at Bybit on February 21 and the attempted kidnapping of an undisclosed cryptocurrency entrepreneur’s family members in Paris on May 13.
It has also recently been revealed that a Coinbase-related open-source project was the ultimate target of a malicious scheme that exposed data in hundreds of GitHub repositories.
Photo credits: Nadezda Murmakova/bangoland/Shutterstock