TL;DR
- Coinbase confirmed the data theft of 69,461 users after external agents were bribed in December 2024.
- Hackers demanded $20 million to avoid selling the information on dark web markets.
- The SEC and the Department of Justice launched investigations. The exchange estimates losses of up to $400 million.
Coinbase confirmed that 69,461 users were affected in a data breach that took place in December 2024. The incident, which involved bribing external customer support agents to extract system information, was detailed in a filing sent to the Maine Attorney General’s Office.
The compromised data includes identity verification details such as names, addresses, and email addresses. The company assured that passwords, private keys, and user funds remained secure.
Hackers Demand $20 Million
The situation escalated after it was revealed that the attackers demanded a $20 million ransom to keep the stolen information off dark web markets. Coinbase had previously stated that the breach affected less than 1% of its active monthly users. However, the scale and nature of the leaked data triggered criticism over the company’s response and the reliability of its security protocols.
Following the attack, the U.S. Securities and Exchange Commission opened an investigation to determine whether Coinbase manipulated its user metrics ahead of its 2021 IPO. The company downplayed the inquiry, describing it as a leftover procedure from previous administrations. In parallel, the Department of Justice also launched an independent investigation, at the company’s own request, to identify those responsible and pursue criminal charges.
Coinbase Estimates Losses Could Reach $400 Million
The incident reignited debate over mandatory identity verification policies on financial service platforms. Michael Arrington, a well-known entrepreneur and investor in the industry, sharply criticized the company’s slow response to the breach and questioned the effectiveness of KYC regulations. He argued that the combination of rigid regulations, corporate self-interest, and weak legal consequences for data breaches leaves users exposed to risks that are almost entirely preventable.
Coinbase estimates that the financial impact of the attack could range between $180 million and $400 million, factoring in remediation costs and customer compensation. However, the monetary figure took a back seat to growing concerns about the human damage caused by the exposure of sensitive personal data.
