In a shocking development just days before its anticipated entry into the S&P 500, leading crypto exchange Coinbase has disclosed a cyberattack that could cost the company between $180 million and $400 million.
In a recent regulatory filing, Coinbase revealed it received an email on May 11 from an anonymous hacker claiming access to internal documents and customer information. Although login credentials and passwords were not breached, sensitive user data like names, emails, and addresses were compromised. The company has assured that affected customers—specifically those deceived into sending money—will be reimbursed.
The breach was reportedly orchestrated by hiring contractors and employees in non-U.S. support roles. These individuals, now terminated, were bribed to leak insider information, a tactic increasingly used by cybercriminals to bypass technological safeguards.
In an unexpected twist, the attackers demanded a $20 million ransom. However, Coinbase flatly refused to pay. Instead, the company has offered a $20 million bounty for credible tips leading to the identification and capture of the perpetrators. It has also engaged law enforcement and is ramping up its internal security measures, including setting up a new customer support hub in the U.S.
Meanwhile, the U.S. Securities and Exchange Commission (SEC) is reportedly looking into whether Coinbase may have misrepresented its user numbers in the past. According to sources familiar with the matter, the SEC is investigating if inaccuracies in the company’s “verified user” metrics point to deeper issues like poor know-your-customer (KYC) compliance—though the company firmly denies this.
A Coinbase spokesperson stated that the SEC is not currently investigating its compliance with KYC or the Bank Secrecy Act. This comes after the SEC dropped a separate lawsuit earlier this year that accused Coinbase of failing to register as a securities exchange.
Paul Grewal, Coinbase’s Chief Legal Officer, downplayed the investigation, saying, “This is a holdover from the previous administration, centered on a metric we stopped reporting more than two years ago. It was fully disclosed at the time.”
Despite Coinbase’s efforts to project confidence, its stock tumbled 6.5% following the news.
This incident puts a damper on what was supposed to be a celebratory moment for the crypto giant. Its inclusion in the S&P 500 was expected to mark a milestone for the industry’s credibility and growth. Instead, it highlights the persistent security vulnerabilities facing crypto platforms.
In February, another major player, Bybit, reported a record-breaking $1.5 billion crypto heist. A report by Chainalysis revealed that hackers stole a total of $2.2 billion from crypto platforms in 2024 alone.
Analyst Bo Pei from U.S. Tiger Securities noted, “This breach could push the industry to implement stricter employee screening processes and raises serious reputational concerns.”
Nick Jones, founder of crypto startup Zumo, added, “As the crypto industry matures, it also attracts increasingly sophisticated cybercriminals.”
Coinbase now finds itself battling on multiple fronts—financially, legally, and reputationally. Whether it can weather this storm and continue its rise remains to be seen.
