Cryptocurrency is riddled with fraud and cybersecurity issues that must be addressed before mainstream adoption can be achieved. Coinbase, the largest cryptocurrency exchange based in the United States, carries a significant responsibility to protect its customers’ funds and data.
Unfortunately, on May 14th, 2025, Coinbase filed an 8-K with the SEC disclosing a breach involving loss of customer data. Let’s dive in and analyze the filing and read between the lines.
On May 11, 2025, Coinbase, Inc., a subsidiary of Coinbase Global, Inc. (“Coinbase” or the “Company”), received an email communication from an unknown threat actor claiming to have obtained information about certain Coinbase customer accounts, as well as internal Coinbase documentation, including materials relating to customer-service and account-management systems.
In the first sentence, I’m immediately intrigued by some vague language. Disclosures often contain ambiguous wording for various reasons: the company may not yet know the full extent of the compromise, or it may be intentionally limiting specificity to reduce potential legal exposure from customers. It could, of course, be a combination of both.
The use of the word “certain” to describe the customer accounts accessed suggests that the threat actor’s actions were targeted. If the breach had been more random or indiscriminate, I would have expected language like “limited” or “partial.”
Additionally, the mention that the threat actor had information regarding internal Coinbase documentation and materials related to customer-service and account-management systems raises questions about the depth of the breach. If Coinbase’s systems had been fully compromised, I would have expected all customer accounts to be affected. Based on this phrasing, I infer that the attacker did not gain full control of internal systems but rather leveraged limited access to extract as much valuable data as possible.
Let’s move on to the next sentence.
The communication demanded money in exchange for not publicly disclosing the information. The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities.
Interesting. It’s very common for companies to have offshore support representatives. What I find less common is that a threat actor was able to bribe multiple customer support representatives to participate in a single campaign. I would find it more plausible that the threat actors themselves were hired directly by Coinbase to participate in the same campaign. There are numerous examples of North Korean citizens obtaining employment under false pretenses with the intent to extract information or money.
Moving on…
These instances of such personnel accessing data without business need were independently detected by the Company’s security monitoring in the previous months. Upon discovery, the Company had immediately terminated the personnel involved and also implemented heightened fraud-monitoring protections and warned customers whose information was potentially accessed in order to prevent misuse of any compromised information. Since receipt of the email, the Company has assessed the email to be credible, and has concluded that these prior instances of improper data access were part of a single campaign (the “Incident”) that succeeded in taking data from internal systems. The Company has not paid the threat actor’s demand and is cooperating with law enforcement in the investigation of this Incident.
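The filing credits the Company's security monitoring with detecting "personnel accessing data without business need". Below is an added example of what such a detection can look like in practice; it is not Coinbase's monitoring and the log format, ticket model, thresholds and sensitive-action names are all assumptions constructed for illustration. It joins a constructed CRM access log against a constructed ticket queue, flags any record access that no ticket assigned to that agent for that customer justifies, flags agents who touch unusually many distinct customers in a day, and escalates when an unjustified access was a sensitive action such as exporting an ID image.

```python
# Added example: flag support-agent access to customer records that has no
# business justification. Not Coinbase's monitoring; the log format, ticket
# model, thresholds and action names are assumptions constructed for this demo.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. A real deployment would pull these from the CRM
# audit log and the ticketing system.
ACCESS_LOG = [
    # (timestamp, agent_id, customer_id, action)
    ("2025-03-01T09:02:00", "agent-7", "cust-1001", "view_profile"),
    ("2025-03-01T09:10:00", "agent-7", "cust-1002", "view_profile"),
    ("2025-03-01T09:11:00", "agent-7", "cust-1003", "export_id_image"),
    ("2025-03-01T09:12:00", "agent-7", "cust-1004", "view_profile"),
    ("2025-03-01T09:13:00", "agent-7", "cust-1005", "view_profile"),
    ("2025-03-01T10:00:00", "agent-3", "cust-2001", "view_profile"),
    ("2025-03-01T10:05:00", "agent-3", "cust-2002", "view_balance"),
]

TICKETS = [
    # (ticket_id, agent_id, customer_id, opened_at)
    ("T-500", "agent-7", "cust-1001", "2025-03-01T08:55:00"),
    ("T-501", "agent-3", "cust-2001", "2025-03-01T09:50:00"),
    ("T-502", "agent-3", "cust-2002", "2025-03-01T09:58:00"),
]

TICKET_WINDOW = timedelta(hours=4)   # assumed: access must fall within 4h of an assigned ticket
DAILY_DISTINCT_LIMIT = 3             # assumed: more distinct customers per day than this is anomalous
SENSITIVE_ACTIONS = {"export_id_image", "view_ssn", "view_bank_account"}  # assumed action names


def _ts(s):
    return datetime.fromisoformat(s)


def accesses_without_ticket(access_log=ACCESS_LOG, tickets=TICKETS, window=TICKET_WINDOW):
    """Return accesses that no ticket assigned to the same agent for the same
    customer justifies within `window` before the access."""
    opened_by_pair = defaultdict(list)
    for _, agent, cust, opened in tickets:
        opened_by_pair[(agent, cust)].append(_ts(opened))
    flagged = []
    for when, agent, cust, action in access_log:
        t = _ts(when)
        justified = any(timedelta(0) <= (t - opened) <= window
                        for opened in opened_by_pair[(agent, cust)])
        if not justified:
            flagged.append((when, agent, cust, action))
    return flagged


def agents_over_daily_limit(access_log=ACCESS_LOG, limit=DAILY_DISTINCT_LIMIT):
    """Return {(agent, date): distinct_customer_count} for agents touching more
    distinct customers in one day than `limit`."""
    seen = defaultdict(set)
    for when, agent, cust, _ in access_log:
        seen[(agent, when[:10])].add(cust)
    return {key: len(custs) for key, custs in seen.items() if len(custs) > limit}


def triage(access_log=ACCESS_LOG, tickets=TICKETS):
    """Combine both signals into one finding per agent; an unjustified
    sensitive action, or unjustified access plus high volume, is 'high'."""
    findings = defaultdict(lambda: {"unjustified": 0, "sensitive": 0, "volume": 0})
    for _, agent, _, action in accesses_without_ticket(access_log, tickets):
        findings[agent]["unjustified"] += 1
        if action in SENSITIVE_ACTIONS:
            findings[agent]["sensitive"] += 1
    for (agent, _day), count in agents_over_daily_limit(access_log).items():
        findings[agent]["volume"] = max(findings[agent]["volume"], count)
    result = {}
    for agent, f in findings.items():
        if f["sensitive"] or (f["unjustified"] and f["volume"]):
            f["severity"] = "high"
        elif f["unjustified"] or f["volume"]:
            f["severity"] = "medium"
        else:
            continue
        result[agent] = dict(f)
    return result


if __name__ == "__main__":
    for agent, finding in triage().items():
        print(agent, finding)
```

On the constructed data, agent-3 is clean (every access has a matching ticket) while agent-7 is flagged "high": four accesses with no ticket, one of them an ID-image export, and five distinct customers in a day. The ticket join is the part that matters most: a support agent's legitimate work is almost always tied to a case, so "access with no case" is a far cleaner signal than raw access volume alone.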
Another interesting aspect of cybersecurity as it relates to 8-K disclosures is timing. Companies have four business days to file an 8-K after learning of a material event. In this case, the incident occurred several months earlier, and Coinbase was already aware of it. However, the company did not classify the event as material until it received the ransom demand on May 11.
This raises important questions: Were customers notified of the compromise months ago, with the 8-K filed only after the ransom demand? Or was nothing disclosed until the demand came through and Coinbase was effectively forced to act?
It does read as if the customers were informed months ago. But does it take a ransom demand to make the event material?
Now let’s see what was lost and why it matters:
The Incident did not involve the compromise of passwords or private keys, and at no time were any of the targeted contractors or employees able to access customer funds. While the Company is still investigating the affected data, it included:
• Name, address, phone, and email;
• Masked Social Security (last 4 digits only);
• Masked bank-account numbers and some bank account identifiers;
• Government‑ID images (e.g., driver’s license, passport);
• Account data (balance snapshots and transaction history); and
• Limited corporate data (including documents, training material, and communications available to support agents).
The Company is continuing to review and bolster its anti-fraud protections to mitigate the risk that the compromised information could be used in social-engineering attempts. To the extent any eligible retail customers previously sent funds to the threat actor as a direct result of this Incident, the Company intends to voluntarily reimburse them after it completes its review to confirm the facts. The Company is also in the process of opening a new support hub in the United States and taking other measures to harden its defenses to prevent this type of incident.
If passwords and keys were not compromised, then what exactly is being reimbursed? The extracted information allows the threat actor to target customers through phishing attempts using their phone numbers and email addresses, and there have been many cases where such attempts have succeeded.
Even more concerning are the physical threats that some crypto holders with high account balances have received. Remember earlier when Coinbase stated that “certain” accounts were accessed? My guess is that those accounts belonged to customers with significant balances.
While Coinbase has not experienced material operational impacts from these events as of the date hereof, the full financial impact of the Incident on the Company is still in the process of being assessed. Based on the information available to the Company on the date hereof and based on facts that continue to evolve, the Company has preliminarily estimated expenses to be within the range of approximately $180 million to $400 million relating to remediation costs and voluntary customer reimbursements relating to this Incident, prior to further review of potential losses, indemnification claims, and potential recoveries, which could meaningfully increase or decrease this estimate. The Company plans to aggressively pursue all remedies. As the Company’s investigation is ongoing, the full impact of these events is not yet known.
Even when cyberattacks do not result in immediate financial loss, the severity of the issue becomes evident through the cost of reimbursements and the potential for litigation.
Nearly every breach is preventable. So where did things go wrong in this case?
Coinbase is SOC 2 compliant and claims to align with NIST 800-53. These two security and operational frameworks provide sufficient controls to prevent incidents like this. The fact that Coinbase detected unauthorized access months earlier indicates that some controls were working as intended. But something was missed, and it was not something as straightforward as a zero-day exploit or common malware.
This points to gaps in hiring practices, especially when offshore teams or external contractors are involved. Background checks and employee vetting are typically managed by HR, but they are also subject to monitoring and auditing under IT and operational control frameworks. The boundaries between these functions often lead to disconnects that allow things to slip through. As any CISO will tell you, security is not just an IT issue; it is an organization-wide responsibility.
This article reflects my personal opinion. You should always refer to the company for official statements and the most up-to-date information.