Coinbase confirmed a costly data breach where bribed overseas support agents stole personal details of nearly 70,000 users, prompting a multi-million dollar remediation effort after the company refused a $20 million ransom.

• The insider angle: Cybercriminals compromised customer names, addresses, phone numbers, government IDs, account balances, and transaction histories by recruiting rogue support agents. However, Coinbase emphasized that customer passwords, private keys, and Coinbase Prime accounts were not directly accessed.

• Paying the piper, or not: Attackers demanded $20 million, which Coinbase declined, instead offering a matching $20 million reward for the hackers' capture. The exchange now faces estimated costs between $180 million and $400 million for security fixes and reimbursing affected users.

• Cleaning house: Coinbase stated the breach began around December 26, 2024, with the company receiving a ransom email on May 11, 2025—a date also noted in its Maine Attorney General filing. In response, the exchange says it dismissed implicated staff, is boosting fraud detection, and plans a new U.S. support hub.

This breach exposes the persistent threat of insider collusion and the high financial and reputational stakes for crypto platforms, even as they invest heavily in security.

Elsewhere in the threat ecosystem, the Fog ransomware group emerged as a major global threat, while May saw PureRAT malware driving a surge in attacks on Russian organizations. North American companies also faced a sharp rise in ransomware incidents early in the year, as groups like Black Basta continue their double extortion tactics across industries.