Coinbase faces up to $400 million in losses after a cyberattack exposed user data. Regulatory scrutiny adds pressure as the crypto firm boosts security defenses.
 |
| Coinbase confirms cyberattack affecting user data and faces SEC inquiry into user reporting. The company refuses ransom, offers $20M bounty for attacker info. Image: Coinbase/ CH |
New York, USA — May 16, 2025:
Coinbase, the largest publicly traded cryptocurrency exchange in the United States, disclosed Thursday that it may face losses of up to $400 million following a cyberattack that compromised personal data from a limited number of its customers.
In a regulatory filing, Coinbase revealed that on May 11, it received an email from an unknown hacker claiming to possess internal documents and sensitive account information. While attackers accessed names, addresses, and email addresses, the company stated that no passwords or login credentials were exposed.
The company committed to reimbursing customers who were manipulated into transferring funds to the attackers. Investigations revealed that several overseas contractors and support personnel had been paid by the attackers to leak internal information. All individuals implicated have since been dismissed.
Separately, the U.S. Securities and Exchange Commission (SEC) has launched an investigation into whether Coinbase misrepresented user data, particularly concerning its previously reported "verified user" metrics. The inquiry persists despite the SEC dropping a related case involving registration compliance.
Coinbase has denied any wrongdoing related to KYC (know-your-customer) or Bank Secrecy Act violations, asserting that the SEC has not formally raised those issues. The company maintains that the disputed metric was discontinued more than two years ago and publicly disclosed.
Following the revelations, Coinbase’s stock dropped 6.5% as investors reacted to both the cyber breach and the regulatory scrutiny.
The breach comes just days before Coinbase is set to be added to the S&P 500 index — a milestone for the cryptocurrency industry — now overshadowed by serious security and governance concerns.
The firm also faces a class-action lawsuit in New York, where plaintiffs allege Coinbase failed to protect the personally identifiable information of millions of users.
Coinbase has refused to meet the hackers' $20 million ransom demand. Instead, it has offered a $20 million reward for credible leads on the attackers' identity. The company is working with U.S. law enforcement agencies and is also launching a new support hub to strengthen customer protection.
The attack adds to a troubling trend in the crypto space. According to blockchain analytics firm Chainalysis, crypto-related hacks resulted in $2.2 billion in losses in 2024 alone.
Security experts warn that such incidents could prompt the industry to adopt stricter internal security protocols and enhance employee vetting. Nick Jones, CEO of Zumo, a crypto tech firm, noted, “As our industry matures, the sophistication of attacks grows — and so must our defenses.”
Despite the setbacks, Coinbase emphasized its ongoing cooperation with regulators and reaffirmed its commitment to user safety and platform integrity.