‘Would rather pay bounty than ransom’: Coinbase on $20M extortion attempt

Coinbase (Nasdaq:COIN), the largest crypto exchange in the US, is offering a $20 million bounty for information leading to those behind a May 2025 breach that compromised customer data.

In a Wednesday evening filing with the Securities and Exchange Commission (SEC), the company said it was informed, on May 11, of a breach affecting its customers’ data and internal processes documentation.

Details of the breach arrived in extortion emails from the hackers themselves, which Coinbase said it found to be credible. Stolen documents include customers’ personal details, such as name, address, masked SSN and bank account numbers, and government ID images, as well as account information such as balance and transaction details.

“We are publicly detailing an extortion attempt against us and our customers,” Coinbase said in a blog post. “Instead of funding criminal activity, we have investigated the incident, reinforced our controls, and will reimburse customers impacted by this incident.”

Contractors and employees outside the US are suspected

Coinbase was able to confirm the breach through a preliminary investigation and consequently traced it to employees outside of the US.

“The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities,” the company said in the filing.

Instances of such personnel accessing data without business need were independently detected by the Company’s security monitoring in the previous months, Coinbase said, adding that all such instances were part of a single campaign leading to the theft of data in May from internal systems.

Speaking on the attack vector used, Ishpreet Singh, chief information officer at Black Duck, said, “Regarding security architecture, moving to a zero-trust network model will help them to enforce micro-segmentation. It’s important to carry out advanced security risk training, including social engineering defense training. Sensitive user data should be heavily segmented and encrypted with keys inaccessible to support agents.”

Following the discovery, Coinbase promptly terminated the individuals involved, ramped up its fraud-monitoring measures, and notified affected customers as a precaution against misuse of exposed information.

Hackers are demanding a ransom of the same amount

According to the filing, the email communication by the threat actor demanded $20 million in exchange for not publicly disclosing the information. It remains to be seen how threat actors respond to Coinbase refusing to pay the ransom.

“Coinbase’s decision to publicly counter-extort with a $20 million bounty is an interesting reversal of the usual playbook, transforming breach response into what could turn into a global manhunt,” said Jason Soroko, senior fellow at Sectigo. “This move shifts the narrative from victimhood to proactive offense, weaponizing transparency and financial incentive against cybercriminals.”

Coinbase said while it has not faced major operational disruptions from the incident so far, it estimates potential costs between $180 million and $400 million for remediation and customer reimbursements, with the final impact still under review and subject to change.

The original article was found on CSO Online: ‘Would rather pay bounty than ransom’: Coinbase on $20M extortion attempt