Crypto exchange giant Coinbase has confirmed a significant data breach involving bribed support contractors, compromised customer information, and a $20 million extortion demand. The attack is expected to cost the company up to $400 million in remediation and reimbursements—and it didn’t involve a single line of malware.
Here’s everything we know so far.
How did the Coinbase breach occur?
According to a regulatory filing and accompanying blog post, the attackers paid overseas support contractors to abuse their legitimate access to Coinbase’s internal systems. These insiders quietly pulled sensitive customer data, including names, addresses, phone numbers, emails, masked bank account numbers, partial social security digits, government-issued IDs, and account balances.
The company said passwords, private keys, and funds were not accessed. But that wasn’t the point. The attackers specifically wanted data that could be used to build highly targeted phishing campaigns and identity theft scams (more on that below).
The breach was first detected internally in the months prior, prompting Coinbase to cut ties with the individuals involved and warn potentially affected users. But on May 11, the attack went public when the company received a ransom note: pay $20 million in crypto, or the stolen data will be exposed.
Coinbase refused. Instead, it publicly disclosed the breach, announcing a $20 million reward for information that leads to the attackers’ arrest.
Ramifications
Financially, Coinbase expects the breach to cost between $180 million and $400 million. Much of that will go toward reimbursing customers tricked into sending crypto to attackers posing as Coinbase representatives. In recent weeks alone, an estimated $45 million has been lost to phishing scams targeting crypto users.
The reputational cost may be harder to quantify. The company is fresh off an announcement that it’s joining the S&P 500 and acquiring international assets to expand its global footprint. CEO Brian Armstrong recently declared Coinbase’s ambition to become “the number one financial services app in the world.” But a data breach rooted in an insider threat raises uncomfortable questions about the company’s cybersecurity posture.
Lessons learned
This wasn’t a sophisticated cyberattack in the traditional sense. There was no code injection or zero-day exploit. Cybercriminals exploited the human factor—paying insiders to steal sensitive data on their behalf.
It’s a huge lesson for organizations of all sizes. Contractors and third parties with access to sensitive systems are a massive—and often underestimated—attack surface. Insiders shouldn’t be trusted by default, and credentials alone aren’t enough to keep your data safe. Companies need specialized tools that can detect when legitimate access turns into suspicious activity.
Enter data security posture management (DSPM). DSPM tools provide deep visibility into how sensitive data is accessed, moved, and exposed—regardless of who holds the credentials. They can detect patterns that traditional monitoring misses: abnormal queries, excessive data exports, or unusual access by support roles.
Had DSPM been properly deployed, the signs would have been spotted (and mitigated) much earlier. Actions like support agents pulling high-value data, access at unusual times, or record requests that didn’t match job functions would have raised the alarm—and been blocked.
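To make the detection patterns above concrete, here is an added example (not Coinbase’s or Polymer’s code) that scores a constructed support-console access log against three of the signals named in this post: sensitive reads with no linked support ticket, reads outside business hours, and one agent touching many customer accounts within a single hour. The log format, the field names treated as sensitive, the shift window and the bulk threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Fields an insider would harvest for targeted phishing; mirrors the data
# types named in the disclosure. Treating exactly these as sensitive is an assumption.
SENSITIVE_FIELDS = {"gov_id", "ssn_last4", "balance", "bank_acct_masked", "address"}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 UTC, assumed support shift window
BULK_THRESHOLD = 5              # distinct accounts with sensitive reads per agent per hour

# Constructed sample log (not real data). One record per customer lookup by a
# support agent in the admin console. agent-01 works tickets in daytime;
# agent-07 pulls ID documents and balances for six accounts at 03:00 with no ticket.
SAMPLE_LOG = [
    {"ts": "2025-05-03T10:04:00+00:00", "agent": "agent-01", "account": "acc-0001",
     "ticket": "T-4411", "fields": ["email", "balance"]},
    {"ts": "2025-05-03T10:31:00+00:00", "agent": "agent-01", "account": "acc-0002",
     "ticket": "T-4412", "fields": ["email"]},
    {"ts": "2025-05-03T11:15:00+00:00", "agent": "agent-01", "account": "acc-0003",
     "ticket": "T-4415", "fields": ["address", "phone"]},
] + [
    {"ts": f"2025-05-03T03:{5 * i:02d}:00+00:00", "agent": "agent-07",
     "account": f"acc-01{i:02d}", "ticket": None, "fields": ["gov_id", "balance", "address"]}
    for i in range(1, 7)
]


def _hour_bucket(ts: datetime) -> datetime:
    """Truncate a timestamp to the hour so reads can be counted per agent per hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def detect(log, bulk_threshold=BULK_THRESHOLD):
    """Return a list of (rule, agent, detail) alerts for sensitive-data reads."""
    alerts = []
    accounts_per_agent_hour = defaultdict(set)
    for rec in log:
        touched = SENSITIVE_FIELDS.intersection(rec["fields"])
        if not touched:
            continue  # only reads of sensitive fields are scored
        ts = datetime.fromisoformat(rec["ts"])
        agent = rec["agent"]
        # Rule 1: sensitive read not tied to a support ticket (request does not match job function)
        if not rec.get("ticket"):
            alerts.append(("no_ticket", agent, rec["account"]))
        # Rule 2: access outside the assumed shift window
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", agent, rec["ts"]))
        accounts_per_agent_hour[(agent, _hour_bucket(ts))].add(rec["account"])
    # Rule 3: one agent touching many distinct accounts in one hour (bulk export pattern)
    for (agent, hour), accounts in accounts_per_agent_hour.items():
        if len(accounts) >= bulk_threshold:
            alerts.append(("bulk_export", agent,
                           f"{len(accounts)} accounts in hour starting {hour.isoformat()}"))
    return alerts


def flagged_agents(log, bulk_threshold=BULK_THRESHOLD):
    """Collapse alerts to {agent: set of rule names} so a reviewer sees one row per agent."""
    summary = defaultdict(set)
    for rule, agent, _ in detect(log, bulk_threshold):
        summary[agent].add(rule)
    return dict(summary)


if __name__ == "__main__":
    for rule, agent, detail in detect(SAMPLE_LOG):
        print(f"{rule:12s} {agent:9s} {detail}")
    print(flagged_agents(SAMPLE_LOG))
```

Each rule on its own is noisy (a night shift exists, tickets get opened late), which is why the summary groups rules per agent: an agent that trips all three in the same hour is the kind of signal worth an automatic block and a human review, while a single off-hours read is not. In a real deployment the thresholds would come from each role’s own baseline rather than fixed constants.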
Polymer’s DSPM platform is built for exactly this kind of risk. We surface insider threats in real time, automatically block high-risk behaviors, and make sure sensitive data stays where it belongs—regardless of employee intentions.
Request a demo to see how we can help you mitigate insider threat risks.