$20 Million Ransom Demand Hits Coinbase

In May 2025, the world of cryptocurrency was reminded that the most critical security vulnerabilities aren't always found in code. Sometimes, the weakest link is human. U.S.-based crypto giant Coinbase became the target of a breach that underscored the devastating potential of insider threats and social engineering attacks.

In this incident, the attackers bribed customer support staff located abroad—individuals with legitimate access—to leak internal information. This wasn't a breach through the firewall; it was a breach through trust.

As a result, the attackers accessed personal information belonging to approximately 97,000 users, including names, email addresses, phone numbers, and partial social security numbers. While users' passwords and crypto assets remained secure, the attackers demanded $20 million in ransom to keep the stolen data from being leaked.

Coinbase refused to comply. In a bold move, the company instead offered a $20 million reward for information leading to the identification of the attackers. In the aftermath, Coinbase announced plans to relocate its customer support operations to the U.S. and strengthen its internal security oversight.

Interestingly, just months earlier in March 2025, Coinbase had also been targeted by a supply chain attack involving GitHub Actions. That attack attempted to inject malicious code into one of Coinbase’s open-source projects, known as "agentkit," and was linked to CVE-2025-30066 and CVE-2025-30154. Fortunately, the attempt was detected and neutralized before causing damage.

Conclusion:

The Coinbase incident proved once again that technology alone isn't enough. While CVEs and patching vulnerabilities remain essential, organizations must also invest in employee training, ethical awareness, and internal security protocols. In cybersecurity, the human element remains both a powerful defense—and a dangerous liability.

StarHat

I write engaging articles for a wide audience based on real events in the cybersecurity industry.
