Crypto giant Coinbase has confirmed its systems have been breached and customer data, including government-issued identity documents, were stolen.
In a legally required filing with U.S. regulators, Coinbase said a hacker this week told the company that they had obtained information about customer accounts, and demanded money from the company in exchange for not publishing the stolen data.
Coinbase said the hacker “obtained this information by paying multiple contractors or employees working in support roles outside the United States to collect information from internal Coinbase systems to which they had access in order to perform their job responsibilities.” The support staff are no longer employed, the company said.
The filing said Coinbase’s systems detected the malicious activity “in the previous months,” and that it has “warned customers whose information was potentially accessed in order to prevent misuse of any compromised information.”
Coinbase said it will not pay the hacker’s ransom. According to a social post by CEO Brian Armstrong, the hackers demanded $20 million from the company.
The company said the hacker stole customer names, postal and email addresses, phone numbers, and the last four-digits of users’ Social Security numbers. The hacker also took masked bank account numbers and some banking identifiers, as well as customers’ government-issued identity documents, such as driver’s licenses and passports. The stolen data also includes account balance data and transaction histories.
The company said some corporate data, such as internal documentation, was also stolen during the breach.
In a blog post, Coinbase said it was opening a new U.S.-based support hub and will strengthen its security defenses.
When reached for comment, Coinbase spokesperson Natasha LaBranche told TechCrunch that the number of affected customers is less than 1% of its 9.7 million monthly customers, per the company’s latest annual report ending March 2025.
Coinbase said it expects to incur costs of around $180 million to $400 million relating to incident remediation and customer reimbursements.
Do you work at Coinbase and know more about the breach? Contact this reporter via Signal with the username: zackwhittaker.1337 or by email: zack.whittaker@techcrunch.com
Updated with more from Coinbase.
Zack Whittaker is the security editor at TechCrunch. He can be reached via encrypted message at zackwhittaker.1337 on Signal, or by email at zack.whittaker@techcrunch.com.
