Cyber-Attack Timeline: Coinbase

Educational & easy-to consume visual guides to understanding attacks & enhancing resilience

Coinbase Cyber Attack Timeline Coinbase Summary

Download Our  Timeline Document & Summary Image on the Coinbase Attack


The Coinbase Cyber Heist: Insider Collusion Meets Ransom Demands

In early 2025, Coinbase began detecting suspicious activity linked to its customer support reps—what followed was a shocking revelation of insider collusion. Cybercriminals allegedly bribed overseas contractors to access internal systems and steal user data. Though only a small fraction of users were directly affected, the threat was serious enough for attackers to demand a $20 million ransom in Bitcoin, threatening to leak the data if their demands weren’t met.

Coinbase CEO Brian Armstrong took a bold public stance: “We will not fund criminal activity,” refusing to bow to the ransom threat. Instead, the company offered a $20 million reward for tips leading to the attackers. 

Our detailed Coinbase Cyber Attack Timeline breaks down every critical moment—from the first signs of insider manipulation to the public ransom standoff and beyond. Understand how the breach unfolded, how leadership responded, and what it means for cybersecurity in 2025.

Download the full timeline now and gain actionable insights to strengthen your own incident response strategy.

Don't forget to read our blog on the Coinbase Cyber Attack.

 

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.

  • ** GDPR ** We wholeheartedly believe your and our rights to privacy and in the GDPR. The bottom of the page explains how we use your data. 
  • Align with the GDPR requirements.
  • Increase your Breach Readiness.
  • Reduce your time to detect and respond.

Complete the form below to receive a copy of the detailed Coinbase Cyber Attack Timeline and Visual Summary.

cyber-essentials-certification
NCSC Certified Training B&W 300px
CSC

FAQs on the Coinbase Cyber Attack

  • 1. What happened in the Coinbase cyber attack?

    In May 2025, Coinbase — the largest cryptocurrency exchange in the United States — disclosed that cyber criminals had bribed and recruited rogue overseas customer-support agents and contractors to steal personal data belonging to less than 1% of its monthly transacting users. Rather than breaching Coinbase's systems technically, the attackers used insiders to obtain the data, then attempted to extort the company. No passwords, private keys or customer funds were exposed, and Coinbase Prime accounts were untouched. Coinbase refused the ransom demand and instead offered a $20 million reward for information leading to the attackers' arrest, while estimating remediation and reimbursement costs at $180 million to $400 million.

  • 2. When did the Coinbase cyber attack take place?

    The insider-led data theft is reported to have begun around January 2025 and continued for several months before detection — by one industry executive's account, for nearly five months undetected. Coinbase received an extortion email from the threat actor on 11 May 2025, disclosed the incident in an 8-K filing with the US Securities and Exchange Commission (SEC) on 14 May 2025, and CEO Brian Armstrong went public via a video on X on 15 May 2025. The US Department of Justice confirmed it had opened a probe on 19 May 2025.

  • 3. Who was behind the Coinbase cyber attack?

    The threat actor was not publicly identified. Rather than exploiting a technical vulnerability, criminals bribed overseas contractors and customer-support agents — Coinbase's own outsourced support staff — to hand over customer data in exchange for cash. An unknown actor then emailed Coinbase on 11 May 2025 claiming to hold the stolen customer information and internal documentation, and demanded payment. No named individual or group had been formally attributed at the time of reporting.

  • 4. How did the attackers gain access to Coinbase data?

    The attackers did not hack Coinbase's infrastructure. Instead, they bribed and recruited rogue overseas support agents and contractors who had legitimate access to internal customer-service and account-management systems, paying them cash for sensitive user information. This makes it an insider-threat and social-engineering attack rather than a technical intrusion — a reminder that people and outsourced third-party functions are a primary attack surface.

  • 5. What data was stolen in the Coinbase breach?

    The stolen data included customers' names, home and email addresses, phone numbers, dates of birth, partial Social Security numbers, masked bank-account numbers, images of government IDs such as driver's licenses and passports, and Coinbase account balances and transaction histories. The attackers also took internal company documentation relating to customer-service and account-management systems. Login credentials, passwords, blockchain private keys and customer funds were not compromised.

  • 6. How many Coinbase customers were affected?

    Coinbase reported that less than 1% of its monthly transacting users were affected. While the proportion was small, the information stolen about those customers was significant and well-suited to targeted impersonation and social-engineering scams.

  • 7. Was a ransom demanded, and did Coinbase pay it?

    Yes, a ransom was demanded but Coinbase refused to pay. The threat actor demanded $20 million to suppress the stolen data. Rather than pay, CEO Brian Armstrong publicly declined, stating the company would not fund criminal activity, and Coinbase turned the figure around by offering a $20 million reward for information leading to the arrest and conviction of those responsible.

  • 8. How much did the Coinbase cyber attack cost?

    In its filing with the SEC, Coinbase estimated the cost at between $180 million and $400 million, covering remediation costs and voluntary customer reimbursements. The company cautioned that this figure could change as a result of potential losses, indemnification claims and potential recoveries. These are company estimates rather than final, confirmed totals.

  • 9. How did the attack affect Coinbase's share price?

    Financial press reported that news of the disclosure pushed Coinbase shares down by around 4.1%, and that the stock fell roughly 6% in trading around midday on 15 May 2025, the day the incident was made public. The movements were attributed to investor reaction to the breach disclosure and the estimated remediation costs.

  • 10. What was the attackers' goal in the Coinbase breach?

    Rather than directly draining accounts, the attackers aimed to harvest victims for follow-on social-engineering and business-impersonation scams. The stolen personal data allowed them to contact customers while posing as Coinbase support and attempt to trick them into transferring their funds to attacker-controlled accounts. The theft of internal customer-service documentation supported making those impersonation attempts more convincing.

  • 11. How did Coinbase respond to the cyber attack?

    Coinbase had independently detected the suspicious activity in the months before disclosure, immediately terminated the employees and contractors involved, and warned affected customers. It enhanced its fraud-monitoring protections, disclosed the incident in an 8-K filing with the SEC, refused the ransom demand and offered a $20 million reward. Coinbase notified and worked with the US Department of Justice and other US and international law enforcement agencies, and issued a public apology to affected customers.

  • 12. What can organisations learn from the Coinbase cyber attack?

    The Coinbase incident shows that attackers do not always need to break in technically — they can simply bribe insiders. The key lessons are that outsourced and third-party support staff need strict least-privilege access, monitoring and segregation of duties; insider-threat detection matters as much as perimeter security; sensitive customer data should be minimised and tightly governed; and both staff and customers need awareness training to resist social-engineering and impersonation scams. A tested incident response plan and a clear ransom-decision position also help leaders respond with confidence. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning.

We are industry experienced practitioners when it comes to cyber security training & cyber security consultancy services

1487652208_graduationcap

Training

We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.

1487652701_like

Virtual CISO Services

Hands On, full-support 'Security As a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.

1487652784_calendar-3

Virtual Cyber Assistant

A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.

1487652846_microphone

Cyber Crisis Tabletop Exercises

Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.

1487652632_search

Ransomware Tabletop Exercise

Measure your organisation’s Ransomware Readiness with a unique blend of verbal and visual simulations and ransomware scenario walkthroughs.

1487652567_line-chart

Executive Cyber Awareness Sessions

Specially designed for executive management, CEOs and boards of directors, engaging them in a business context to help explain the threats and risks from cyber-attacks.

How we use your data:

  • The form above collects personal information so we may email you the requested information and pressing the "Get your free copy now"  button acts as informed consent for this processing purpose. Consequently we may be in touch to:

    • Update you when we host our ground-breaking Wisdom of Crowds events in your country or region.
    • Keep you posted on free resources and documents around Wisdom of Crowds events and its outputs. (For example, we tend to create insightful mind maps and we also are the creators of free to view Insights with Cyber Leaders Video Interviews. )
    • Ping you a note about upcoming FREE educational webinars on GDPR and Cybersecurity.
    • Inform you of any upcoming Data Breach Response or Cyber Incident Response training.  
  • Using the information from this page we will NOT sell or market to you any of our consultancy or trusted advisory services.  
  • In its purest interpretation, this act of us communicating with you is direct marketing and is processed on the basis of our legitimate interest and your engaging in our services. All marketing communication will include an unsubscribe button or other method of ending communication.