Key Takeaways
- In May 2025, Coinbase suffered a major insider breach where customer support agents in India were bribed to leak sensitive user data, affecting approximately 70,000 high-value clients (1% of users).
- The stolen information included personal details, account balances, and transaction histories, but did not compromise private keys or passwords.
- Scammers used the stolen data for sophisticated “Elite Support” impersonation scams, stealing over $2 million in cryptocurrency through targeted social engineering attacks.
- Coinbase refused to pay the $20 million ransom demand and instead established a bounty program of equal value to catch the perpetrators, while fully refunding affected victims.
- December 2025 saw multiple arrests connected to the breach, including a Canadian scammer exposed by blockchain investigator ZachXBT and a Brooklyn-based criminal who stole $16 million.
Coinbase’s Major Security Breach: What Every Crypto User Needs to Know
Cryptocurrency exchange users were rocked by one of the most sophisticated data breaches in crypto history. The May 2025 Coinbase insider breach exposed approximately 70,000 users to precision-targeted scams that continued throughout the year. Unlike typical phishing campaigns that cast wide nets, these attacks leveraged stolen internal support system data to create alarmingly convincing impersonation scams.
The breach marks a significant evolution in crypto security threats, moving from generic phishing attempts to highly personalized attacks against high-value accounts. By targeting just 1% of Coinbase’s user base—specifically those with substantial holdings—attackers maximized their return while minimizing detection. The precision of these attacks made them particularly dangerous, as scammers possessed legitimate user information typically only available to authentic support personnel.
Security experts note this breach demonstrates how insider threats can bypass even the most sophisticated technical defenses. “When someone with legitimate access becomes compromised, traditional security measures often prove insufficient,” explains cryptocurrency security researcher Maya Williams. “This incident highlights why exchanges need comprehensive insider threat programs alongside their technical safeguards.”
Inside the Coinbase Support Tool Leak: How It Happened
The breach originated from within Coinbase’s own customer support infrastructure. Cybercriminals employed a strategic bribery scheme targeting support personnel with access to sensitive customer data. Rather than attempting to hack through Coinbase’s robust external security systems, the attackers identified the human element as the weakest link in the security chain.
Internal investigations revealed that several support agents working at the Hyderabad, India support center had been approached and ultimately compromised. These employees were convinced to extract and sell confidential customer information from Coinbase’s internal support tools. Screenshots of these support interfaces, containing comprehensive user profiles, were systematically leaked to the criminal organization throughout May 2025.
Bribed Customer Support Agents in India
The bribing operation targeted multiple customer service representatives at Coinbase’s Hyderabad support center. According to sources close to the investigation, criminal organizations identified employees with financial difficulties and offered substantial payments for access to the support tool interface. The payments reportedly ranged from $5,000 to $25,000 per compromised employee, depending on their level of access and the quality of data they could extract.
These compromised agents would take screenshots of customer data while handling legitimate support tickets, creating an extensive database of high-value targets. The operation continued for approximately three weeks before unusual access patterns triggered internal security alerts. By then, data from approximately 70,000 customers had already been compromised.
The December 2025 arrest of a former Coinbase support agent in India confirmed the insider theory and provided investigators with critical insights into how the operation was structured. The agent reportedly confessed to being approached via encrypted messaging apps with promises of payment in untraceable cryptocurrency. The admission highlighted significant gaps in employee monitoring and background verification processes that Coinbase has since moved to address.
The $20 Million Ransom Demand
Following the data theft, attackers made a bold move by directly contacting Coinbase executives with a $20 million ransom demand. They threatened to sell the stolen data on dark web marketplaces if their demands weren’t met within 72 hours. The ransomers provided sample data packages containing verified customer information to demonstrate the legitimacy of their threat.
Coinbase leadership made the strategic decision not to negotiate with the attackers, citing both ethical concerns and the lack of guarantees that paying would prevent the data from being sold anyway. Instead, the company immediately notified law enforcement agencies across multiple jurisdictions and established their own $20 million bounty program targeting the identification and prosecution of those responsible for the breach.
Timeline of the May 2025 Breach
The attack unfolded in several distinct phases over approximately six weeks. Initial access began in early May when the first support agents were successfully compromised. For approximately three weeks, data extraction continued undetected as the attackers built their database of high-value targets. By late May, Coinbase’s security team had identified unusual patterns in support tool access and began an internal investigation.
On May 27, the investigation confirmed unauthorized data access, prompting Coinbase to lock down support systems and begin containment procedures. The ransom demand arrived on May 29, giving executives just three days to respond. By early June, Coinbase had publicly disclosed the breach, notified affected users, and implemented emergency security protocols across their entire support infrastructure.
What Information Was Stolen in the Breach?
The Coinbase insider breach exposed an alarming breadth of user data that gave scammers everything they needed to execute convincing impersonation attacks. Unlike many cryptocurrency breaches that primarily target login credentials or wallet keys, this attack focused on obtaining comprehensive user profiles from internal support systems. The stolen screenshots provided attackers with a complete picture of high-value targets, enabling unprecedented levels of personalization in their scams.
The company’s official breach notification revealed that approximately 1% of Coinbase users were affected, specifically targeting accounts with substantial holdings. This strategic approach allowed attackers to focus their efforts on fewer victims while maximizing potential returns. The selective nature of the targeting also helped the operation remain under the radar longer than mass-attack campaigns typically do.
Personal User Data Exposed
The compromised support tool screenshots contained extensive personal identifiers that would normally establish trust in legitimate support interactions. Names, email addresses, phone numbers, and home addresses were all clearly visible in the support interface. More concerning was the exposure of government ID images that users had submitted during the KYC (Know Your Customer) verification process, providing scammers with photographic identification to reference during social engineering attempts.
The combination of these data points created a perfect storm for impersonation attacks. When scammers called victims, they could immediately establish credibility by referencing multiple personal details that would typically only be known to legitimate Coinbase representatives. This immediate establishment of trust significantly increased the success rate of their subsequent social engineering tactics.
Account Balances and Transaction Details
Perhaps the most damaging aspect of the breach was the exposure of real-time account balances and detailed transaction histories. The support tool screenshots revealed exact cryptocurrency holdings down to the smallest fraction, allowing scammers to precisely target users with substantial assets. Transaction histories provided insights into user behavior patterns, including frequency of trades, preferred cryptocurrencies, and typical transaction sizes.
Armed with this financial data, attackers could tailor their approach to each victim’s specific situation. For instance, if a user regularly made large transfers to external wallets, scammers would reference similar-sized “suspicious transactions” in their impersonation calls to create urgency. This level of customization made the scams exceptionally difficult to identify, even for security-conscious users.
The depth of financial information exposed also allowed scammers to wait for optimal moments to strike. By monitoring balance fluctuations, they could time their attacks to coincide with large deposits or periods of high account activity when users might be less suspicious of additional transaction requests.
What Wasn’t Compromised: Private Keys and Passwords
Despite the severity of the breach, Coinbase confirmed that private keys and password hashes remained secure. The support tool interface did not provide access to these critical authentication elements, which prevented attackers from directly accessing accounts without user interaction. This security limitation forced scammers to rely on social engineering rather than direct account takeovers.
The distinction between exposed data and protected authentication credentials is crucial for understanding the nature of the subsequent attacks. Rather than simply draining accounts directly, attackers had to convince users to voluntarily transfer funds or provide additional security information. This requirement for user participation created a potential point of detection and prevention that some security-conscious users were able to leverage.
How Scammers Used the Stolen Data to Target Users
The sophistication of the attacks following the data breach represented a significant evolution in cryptocurrency scams. Armed with legitimate user information, scammers abandoned crude phishing attempts in favor of highly targeted social engineering campaigns. Their methodology combined psychological manipulation with technical convincers to create scenarios that even experienced cryptocurrency users found difficult to identify as fraudulent.
MEXC Exchange’s security team, which has been tracking these attack patterns across multiple exchanges, notes that these techniques represent a concerning trend in the cryptocurrency space. By focusing on human vulnerabilities rather than technical exploits, attackers are increasingly circumventing traditional security measures that exchanges have implemented.
Real-Time Social Engineering Calls
Scammers leveraged VoIP technology to spoof Coinbase support phone numbers, making incoming calls appear legitimate on caller ID systems. Using scripts refined through multiple attacks, they created a sense of urgency by claiming to detect unauthorized transactions in progress. The callers demonstrated intimate knowledge of account details, referencing exact balances and recent legitimate transactions to establish credibility. Most calls followed a pattern of escalating urgency, with scammers claiming they needed immediate action to prevent funds from being stolen.
Voice recordings obtained by investigators revealed sophisticated social engineering techniques, including strategic pauses to simulate checking systems and technical language borrowed directly from authentic Coinbase communications. The scammers would often keep victims on the line for extended periods, sometimes exceeding an hour, to prevent them from having time to verify the legitimacy of the call through official channels. This tactic, combined with the artificial time pressure of “ongoing unauthorized transactions,” created a perfect psychological trap.
Case Study: The $2 Million Canadian Scammer Operation
The most prolific operation linked to the Coinbase data breach was run by a Canadian scammer known online as “Haby” or “Harvi.” This individual orchestrated a sophisticated campaign that ultimately stole over $2 million in cryptocurrency from dozens of victims. Haby’s operation stood out for its meticulous approach and comprehensive documentation, which ultimately contributed to his exposure and identification by blockchain investigators.
Haby posed as a member of Coinbase’s fictional “Elite Support” team, targeting high-net-worth individuals with holdings exceeding $100,000. His approach involved alerting victims to supposedly suspicious transactions and then guiding them through a “security protocol” that required transferring assets to a “temporary secure vault”—actually a wallet he controlled. The operation maintained detailed records of each victim, including call recordings and transaction confirmations, which later became crucial evidence when blockchain investigators began tracking his activities.
ZachXBT’s Investigation and Blockchain Analysis
The breakthrough in the case came when prominent blockchain investigator ZachXBT began tracing a series of suspicious transactions linked to Coinbase user complaints. The investigation began after Haby made a critical operational security mistake—posting a screenshot on December 30, 2024, showing a 21,000 XRP theft worth approximately $44,000 from a Coinbase user. This single error provided ZachXBT with a wallet address that became the starting point for unraveling the entire operation.
Through meticulous blockchain analysis, ZachXBT matched the wallet address to multiple additional thefts from Coinbase users, eventually documenting over $500,000 in stolen assets from just a handful of victims. The investigation revealed that Haby had attempted to obfuscate the stolen funds by swapping XRP to Bitcoin through instant exchanges, but left sufficient on-chain evidence to establish clear connections between multiple fraudulent transactions. The blockchain’s immutable record allowed investigators to document a pattern of thefts that would have been nearly impossible to link through traditional financial systems.
The case broke wide open when ZachXBT discovered a leaked video showing Haby conducting an actual social engineering call with a target. The screen recording not only exposed his email address and Telegram account but also revealed his operational methods in detail. Additional Instagram screenshots displayed posts where Haby bragged about his social engineering successes, with one story post inadvertently revealing “From Harvi’s MacBook Air” in the device information—a critical clue that helped investigators confirm his identity.
Coinbase’s Response to the Security Crisis
Facing one of the most significant security challenges in its history, Coinbase implemented a comprehensive crisis response strategy that prioritized user protection while pursuing the perpetrators. The company’s approach combined immediate security measures with longer-term infrastructure improvements designed to prevent similar breaches in the future. Their response became a case study in cryptocurrency exchange crisis management, balancing transparent communication with decisive action.
Within 24 hours of confirming the breach, Coinbase had established a dedicated incident response team comprising security engineers, fraud specialists, and customer support leaders. This cross-functional team operated with direct reporting lines to the executive leadership, enabling rapid decision-making and resource allocation throughout the crisis. The company also engaged external security firms to provide independent assessment and validation of their response efforts.
3. Enable Advanced Security Features on Your Exchange Accounts
Two-factor authentication (2FA) is no longer optional in today’s cryptocurrency landscape. Configure app-based 2FA using tools like Authy or Google Authenticator rather than SMS-based verification, which remains vulnerable to SIM swapping attacks. The Coinbase breach demonstrated that attackers specifically targeted accounts with weaker security configurations, often avoiding those with hardware security keys enabled.
Consider investing in a hardware security key like YubiKey or Trezor for 2FA authentication. These physical devices must be present to complete sensitive account actions, making remote attacks virtually impossible even when scammers have extensive personal information. Many exchanges now support these advanced security options directly in their settings.
Implement IP address allowlisting when available, restricting account access to specific trusted networks. Review and adjust security settings quarterly, especially after exchange platform updates that might introduce new security features or change existing configurations.
4. Create a Separate Email for Crypto Activities
Using a dedicated email address exclusively for cryptocurrency activities creates an additional security layer against sophisticated phishing attempts. This segregation helps contain potential exposure if other accounts become compromised. Consider registering a domain-based email address rather than using free providers, as this provides additional verification options and typically offers enhanced security features.
When creating this dedicated email, implement the strongest password possible and ensure it has independent two-factor authentication separate from your exchange accounts. This email should never be used for social media, online shopping, or other standard online activities that might expose it to data breaches.
- Use a password manager to generate and store a unique, complex password
- Enable advanced security features like login alerts and suspicious activity monitoring
- Consider a private email service with enhanced encryption and privacy features
- Regularly scan for unauthorized forwarding rules or filters that might redirect communications
Conduct periodic security audits on this dedicated email account, checking for signs of unauthorized access attempts or suspicious activity in the login history. Many premium email providers offer detailed access logs that can help identify potential security breaches before they impact your cryptocurrency holdings.
5. Use Hardware Wallets for Long-Term Holdings
The most effective protection against exchange-based scams is reducing exchange exposure altogether. Hardware wallets like Ledger, Trezor, or KeepKey physically separate your private keys from internet-connected devices, making them immune to the type of social engineering attacks that succeeded following the Coinbase breach. For any cryptocurrency you don’t actively trade, transfer assets to cold storage and implement a proper key backup strategy using metal seed phrase storage in secure, geographically distributed locations.
The Wider Impact on Crypto Exchange Security
The Coinbase insider breach has catalyzed a fundamental reassessment of security models across the cryptocurrency exchange ecosystem. As the largest regulated exchange in many markets, Coinbase’s security practices often set industry standards, making this breach particularly influential in driving industry-wide reforms. Exchanges globally have been forced to confront the reality that technical security measures alone cannot protect against insider threats and sophisticated social engineering attacks that bypass traditional safeguards.
Industry-Wide Security Protocol Overhauls
In the months following the Coinbase breach, major exchanges including Binance, Kraken, and MEXC implemented enhanced internal controls specifically targeting potential insider threats. These measures include segregation of customer data access, requiring multiple employee authorizations for sensitive data viewing, and implementing sophisticated behavioral analytics that flag unusual employee system usage patterns. Many exchanges have also introduced “clean desk” policies in support environments, prohibiting personal devices and implementing strict controls on screen capturing capabilities.
The breach has accelerated adoption of zero-trust security models throughout the industry, where no user or employee is implicitly trusted regardless of position or credentials. This approach enforces verification for every system interaction, significantly reducing the potential damage from compromised insider accounts. Several exchanges have also implemented biometric verification layers for support staff accessing customer data, creating an auditable physical record of every data access event.
New Support Verification Standards
A direct response to the Coinbase impersonation scams has been the development of new verification standards for legitimate customer support interactions. Major exchanges now implement unique per-user support PINs generated at the beginning of each support session, complex callback verification procedures for account security discussions, and dedicated secure messaging channels within authenticated exchange apps. These measures create verification steps that cannot be replicated by scammers, even when they possess extensive user information from breached support systems.
Take Control of Your Crypto Security Today
The sophisticated nature of the attacks following the Coinbase support tool breach demonstrates that cryptocurrency security requires constant vigilance and a multi-layered approach. By implementing the protection strategies outlined above and staying informed about evolving security best practices, you can significantly reduce your vulnerability to even the most sophisticated scams. MEXC Exchange remains committed to leading industry security practices and educating users about emerging threats in the cryptocurrency landscape.
Frequently Asked Questions
The Coinbase insider breach has generated numerous questions from concerned cryptocurrency users. Below we address the most common concerns with practical, actionable information to help you protect your digital assets and navigate similar situations should they arise in the future.
How do I know if my Coinbase account was affected by the breach?
Coinbase directly notified all users whose information was compromised in the May 2025 breach. These notifications were sent via multiple channels including email, SMS, and in-app messaging to ensure delivery. The notifications contained specific details about what information was exposed and recommended security measures tailored to each user’s situation.
If you’re uncertain whether your account was affected, login to your Coinbase account and check the Security Notifications section in your account settings. Coinbase created a permanent record of all breach-related communications within this section to ensure users can verify legitimate notifications.
Even if you didn’t receive a notification, consider implementing additional security measures as a precaution. The breach specifically targeted high-value accounts, but security best practices benefit all cryptocurrency holders regardless of exposure in this specific incident.
Coinbase also established a dedicated support portal for breach-related inquiries where users can verify their breach status using their account email without revealing additional personal information. This portal includes a verification mechanism that prevents scammers from using it to identify potential targets.
- Check your email, SMS, and in-app notifications for official communications
- Review the Security Notifications section in your account settings
- Contact Coinbase through official channels only using contact information from their verified website
- Be suspicious of any unsolicited communications claiming to be related to the breach
- Enable the enhanced security features Coinbase deployed after the incident
What immediate steps should I take if I suspect I’m being targeted by scammers?
If you receive a suspicious call, email, or message claiming to be from Coinbase support, immediately disengage without providing any information or taking any actions. Do not click links, download attachments, or follow instructions, even if the communication references accurate personal details. End any ongoing calls and independently contact Coinbase through their official website by manually typing the URL rather than following any provided links.
Document the interaction with screenshots, call recordings if available, and notes about what information the potential scammer referenced. This documentation can help Coinbase security teams identify and counter emerging attack patterns. Report the incident through Coinbase’s official fraud reporting channel and consider filing reports with relevant law enforcement agencies, particularly if you’ve experienced financial losses.
Did Coinbase compensate users who lost funds in the scams?
Yes, Coinbase established a comprehensive victim compensation program following the breach. The company committed to fully reimbursing verified losses resulting from scams that leveraged data obtained in the May 2025 breach. This program required victims to file detailed reports documenting the fraud, including transaction details and any communications with scammers. While traditional financial institutions often limit fraud liability coverage, Coinbase’s decision to provide full compensation represented an unprecedented commitment to user protection in the cryptocurrency exchange industry.
How can I verify if a Coinbase support call is legitimate?
- Coinbase will never call you first without you requesting contact through the official support system
- Legitimate support will never ask you to transfer funds to another wallet for “security reasons”
- Support representatives cannot view your full password, recovery phrase, or private keys
- Official support will never request remote access to your device or ask you to install software
- Genuine representatives will be able to reference your support ticket number if you initiated the contact
When in doubt, politely end the call and independently contact Coinbase through their official website. Inform the caller that you’ll call back through official channels to continue the conversation. Legitimate Coinbase support will understand and encourage this security measure.
Following the breach, Coinbase implemented a verification callback system where users can request a unique verification code through the authenticated mobile app during support interactions. This code confirms you’re speaking with legitimate Coinbase personnel, as the code is delivered through systems that require authentication scammers cannot access.
Remember that Coinbase will never direct you to purchase cryptocurrency to send to another address as part of a support process, ask for your full password, or pressure you to make immediate decisions about your account security.
Should I continue using Coinbase after this security incident?
While the breach raised legitimate security concerns, Coinbase’s transparent response and comprehensive security overhaul have addressed many of the vulnerabilities exploited in the May 2025 incident. The company implemented enhanced employee monitoring systems, compartmentalized customer data access, and deployed advanced behavioral analytics to detect potential insider threats before they can access sensitive information.
The decision to continue using any exchange should be based on your personal risk assessment and security requirements. Consider Coinbase’s established regulatory compliance history, insurance policies for digital assets, and their demonstrated willingness to compensate users affected by security breaches. Compare these factors against alternative exchanges’ security track records and response protocols to security incidents.
Many security experts suggest diversifying exchange usage rather than concentrating all cryptocurrency activities on a single platform. This approach limits exposure to any single security failure while allowing you to maintain access to the specific features and trading pairs each exchange offers. Whatever platform you choose, implementing the security best practices outlined in this article significantly reduces your vulnerability to similar attacks in the future.
