Coinbase has been betrayed from within. The cryptocurrency exchange said that cyber criminals bribed some of its support agents to share personal information about Coinbase customers. Attackers acquired data such as names, addresses, emails, phone numbers, images of government IDs, masked bank account numbers and masked sections of social security numbers. The perpetrators tricked some Coinbase users into sending them money and also demanded $20 million from the company to not publicly disclose the ill-gotten information.

Coinbase has not paid the ransom and is cooperating with law enforcement to press charges. In the blog post, the company said it would offer a $20 million reward for information that could lead to arresting and convicting the remaining attackers.

A Maine Attorney General filing (via TechCrunch) says the breach affected 69,461 customers. The hack began on December 26, 2024, and ran until May 11.

Coinbase said that users’ login credentials, two-factor authentication codes and private keys are still secure. It will reimburse customers who sent funds to the extortionists and will place additional safeguards on vulnerable accounts. According to an SEC filing, the incident is projected to cost Coinbase $180 million to $400 million.

Update, May 21, 2025, 11:23 PM ET: This story has been updated with new info from the Maine Attorney General filing.