When Coinbase said last week that it had refused to pay a $20 million ransom tied to an insider leak, the company estimated the data theft touched “less than one percent” of monthly transacting users. A mandatory filing to the Maine Attorney General now pins the number at 69,461 customers nationwide and dates the breach back to last December.
According to the new disclosure form, a group of unidentified overseas customer-support contractors began siphoning data on December 26, 2024, but the breach didn’t come to light until Coinbase’s security team spotted suspicious activity on May 11 this year, the same day Coinbase received the extortion demand.
In the filing, Coinbase described the incident simply as “insider wrongdoing.”
The company said rogue contractors were bribed to supply names, postal and email addresses, phone numbers and the last four digits of Social Security numbers. Some records also included masked bank details plus images of driver’s licenses or passports, more than enough to mount convincing phishing scams.
Coinbase maintains that no funds were touched and that its Prime, hot-wallet and cold-storage systems were never at risk.
Coinbase began mailing notification letters on May 30 and is offering affected users a year of IDX credit-monitoring and $1 million in identity-theft insurance.
The US cryptocurrency exchange said it will voluntarily reimburse retail customers who were duped into sending cryptocurrency to the scammers, once investigators verify each claim.
It is also opening a new U.S. support hub, adding stronger insider-threat monitoring, and placing additional identity checks and scam-awareness prompts on high-risk withdrawals.
In an SEC filing last week, the company pegged the preliminary cost of remediation and reimbursements at between $180 million and $400 million.
Related: Coinbase Rejects $20M Extortion Demand After Insider Breach
Related: Cryptocurrency Stolen From Thousands of Coinbase Accounts
Related: Coinbase Hack Linked to Group Behind Twilio, Cloudflare Attacks
Related: Coinbase Pays $250K for ‘Market-Nuking’ Security Flaw
