SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Coinbase offers USD $20 million bounty after insider data breach

Coinbase, one of the world's largest cryptocurrency exchanges, has confirmed it suffered a significant data breach orchestrated by cybercriminals who leveraged the access of overseas employees and contractors. The company disclosed that around 1% of its customer base, an estimated one million individuals according to cybersecurity experts, had sensitive personal information stolen. The attackers have since demanded USD $20 million in ransom for the stolen data, a demand Coinbase has firmly rejected, choosing instead to offer a bounty of equal value for information leading to the identification and apprehension of those responsible.

The breach exposed a wide array of customer details, including contact information, masked social security and bank account numbers, account data, images of government-issued IDs, and limited corporate information. Although the company has stated that passwords and user funds were not directly stolen, cybersecurity analysts warn that the information now in the hands of criminals could facilitate convincing phishing attacks and further unauthorised access. Estimates from Coinbase put the potential fallout from the breach at up to USD $400 million.

Nick Tausek, Lead Security Automation Architect at Swimlane, noted the magnitude of the incident: "While passwords and funds weren't directly stolen, the attackers are now armed with enough personally identifiable information to convincingly impersonate Coinbase and siphon off crypto from unsuspecting users." Tausek underscored the importance of robust insider threat detection, particularly as companies increasingly rely on outsourced and globalised workforces. "A single insider with the right access, or in this case, the wrong incentives, can punch a hole in even the most fortified security posture," he said.

The breach reportedly involved workers based outside the United States, paid to extract customer information from internal Coinbase systems. Randolph Barr, Chief Information Security Officer at Cequence, reflected on the broader implications of the attack: "This breach highlights the enduring risk of insider threats—especially when elevated access is given to third-party contractors. While it's easy to blame humans, it's more important to ask: What controls were (or weren't) in place to prevent this? If access control, alerting, and separation of duties were more rigorously enforced, this breach may have been preventable." Barr also supported Coinbase's decision to reject the ransom and offer a bounty instead, describing it as a "bold and strategic move that flips the narrative."

Gabrielle Hempel, a Security Operations Strategist at Exabeam, stressed that the incident exposes deeper vulnerabilities within the cryptocurrency sector. "The fact that contractors could be bribed to access and leak sensitive data indicates a huge lapse in access controls and monitoring mechanisms. As the cryptocurrency sector keeps maturing, security lapses like this aren't just technical failures but massive vulnerabilities that can have far-reaching consequences," Hempel said.

Andrew Costis, Engineering Manager for the Adversary Research Team at AttackIQ, also advised that organisations must "implement effective breach detection and prevention security measures," and called insider threats "harder to detect than traditional threats." He recommended all affected users enable multi-factor authentication as a precaution.

Aditya Sood, Vice President of Security Engineering and AI Strategy at Aryaka, emphasised the sophisticated tactics attackers used: "Attackers strategically exploited the human and organisational vulnerabilities in Coinbase's support ecosystem by targeting third-party contractors or employees. The attackers could infiltrate internal systems under the radar, as this reflects a sophisticated insider-threat tactic where access is not forcibly taken but subtly acquired through manipulation of human elements." Sood recommended the adoption of identity-aware access controls, real-time threat detection, and continuous behavioural analytics monitoring to mitigate such risks in the future.

Coinbase CEO Brian Armstrong has stated that the company will be enhancing its security measures. The firm is currently offering a USD $20 million reward for information that helps identify and apprehend the criminals, underscoring its stance against negotiating with extortionists. The breach serves as a stark reminder of the persistent risk posed by insider threats, especially as companies expand their reliance on external and offshore personnel to scale their operations.

The incident has placed additional scrutiny on Coinbase as it continues to expand its services and faces increasing expectations regarding its corporate governance and risk management practices within the broader financial sector.
