Coinbase flips $20M extortion demand into bounty for info on attackers

Coinbase responded to a security incident with combative measures Thursday after the company said cybercriminals bribed some of the cryptocurrency exchange’s international support staff to steal data on customers. The unnamed threat group stole personally identifiable information and other sensitive data on less than 1% of Coinbase’s monthly users, the company said in a blog post.
The cybercriminals contacted customers under the guise of an employee at Coinbase in an attempt to dupe people into relinquishing their cryptocurrency. “They then tried to extort Coinbase for $20 million to cover this up. We said no,” the company said.
Coinbase flipped the script as part of its response. “Instead of paying this $20 million ransom, we’re turning it around and we’re putting out a $20 million award for any information leading to the arrest and conviction of these attackers,” Coinbase CEO Brian Armstrong said in a video posted on X.
“For these would-be extortionists, or anyone seeking to harm Coinbase customers, know that we will prosecute you and bring you to justice,” he added.
The move from the largest cryptocurrency exchange in the United States is rare, but not entirely unprecedented, especially in the crypto space.
When the North Korea-linked Lazarus Group stole $1.46 billion in Ethereum from cryptocurrency exchange Bybit in February, the company announced a $140 million bounty program for organizations that help trace or freeze the stolen funds.
Coinbase’s financial reward goes beyond that, however, by directly targeting the cybercriminals who gained access to customer data and initiated an extortion campaign. The company’s decision poses ethical and judicial challenges.
John Fokker, head of threat intelligence at Trellix, declined to speak about the Coinbase incident directly but said financial rewards for information about criminal activity belong under the purview of law enforcement.
When money is up for grabs, especially an amount as high as $20 million, some people will feel justified in sentencing or judging a suspected criminal when they want to get the reward, he said.
“There’s all these risks that could happen for individuals who are even acting up on it,” Fokker added.
Coinbase’s public counter-extortion effort marks a reversal of the usual playbook, transforming breach response into a potential global manhunt, said Jason Soroko, senior fellow at cybersecurity firm Sectigo.
“This move shifts the narrative from victimhood to proactive offense weaponizing transparency and financial incentive against cybercriminals,” he said in an email. “This gambit sets a precedent for the digital asset industry bounties. Seeking justice rather than being silent is a new tactic.”
Coinbase is also working with industry partners and law enforcement to track and recover the assets. Insiders involved in the attacks were immediately fired and referred to U.S. and international law enforcement. “We will press criminal charges,” the company said.
The crypto giant also said it will reimburse customers who sent funds to the attackers prior to its public disclosure Thursday.
Stolen data includes names, addresses, phone numbers, email addresses, the last four digits of Social Security numbers, masked bank account numbers and identifiers, government ID images and account data. Coinbase corporate data, including documents related to account-management systems and communications available to support agents, was also compromised.
Coinbase said it received an extortion demand from the threat group Sunday, but the company observed evidence of potentially malicious activity months prior, according to a filing with the Securities and Exchange Commission.
“These instances of such personnel accessing data without business need were independently detected by the company’s security monitoring in the previous months,” Coinbase CFO Alesia Haas said in the SEC filing. “Upon discovery, the company had immediately terminated the personnel involved and also implemented heightened fraud-monitoring protections and warned customers whose information was potentially accessed in order to prevent misuse of any compromised information.”
The company determined the prior instances of improper data access were part of a single campaign that resulted in data theft from internal systems.
Coinbase said it instituted additional safeguards to monitor high-risk transactions, increased investment in insider-threat detection and plans to open a new support hub in the United States.
The company did not detail the amount of funds or number of customers impacted, but said an investigation into the full financial impact is ongoing. “Any customers who have been impacted by this have been notified at this point,” Armstrong said.
Coinbase said its preliminary estimate puts costs related to remediation and customer reimbursements in the range of $180 million to $400 million. The company has a current market cap of $66.4 billion and was added to the S&P 500 earlier this week.
The company’s challenges don’t end there. Hours after Coinbase disclosed the cyberattack and detailed its response, The New York Times reported the SEC is investigating whether the company inflated its user numbers in previous regulatory filings.