
Coinbase offers $20 million bounty after extortion attempt with stolen data

Cryptocurrency trading platform Coinbase said it was the victim of an extortion attempt involving stolen data and is offering $20 million for information leading to the arrest and conviction of the perpetrator.

The industry giant said in a regulatory filing with the Securities and Exchange Commission (SEC) that an “unknown threat actor” emailed a demand on May 11 for $20 million, threatening to publish stolen data about Coinbase customers and other company information. “We said no,” Coinbase said Thursday in a blog post explaining the incident.

“Criminals targeted our customer support agents overseas. They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than 1% of Coinbase monthly transacting users,” the blog post said. “Their aim was to gather a customer list they could contact while pretending to be Coinbase—tricking people into handing over their crypto.”

A company executive told Fortune that the compromised agents worked in India and have all been fired. Data published by cryptocurrency news site The Block says Coinbase had about 9.7 million monthly transacting users during the first quarter of this year, meaning that fewer than 100,000 were likely affected in the incident.

The 8-K filing said Coinbase estimates it will spend $180 million to $400 million on remediation and response costs, but those numbers could change as it continues to assess the situation.

The company said the stolen data included names, addresses, phone numbers and email addresses; “masked” versions of the last four digits of customer Social Security numbers and similarly encoded bank-account numbers; images of government IDs such as driver’s licenses; account data such as transaction histories; and “limited corporate data.”

The scheme did not capture login credentials or two-factor authentication codes, private keys, “the ability to move or access customer funds,” access to Coinbase Prime accounts or access to cryptocurrency wallets, the company said.

“Expect imposters,” the blog post said. “Scammers—related to this breach or not—may pose as Coinbase employees and try to pressure you into moving your funds. Remember, Coinbase will never ask for your password, 2FA codes, or for you to transfer assets to a specific or new address, account, vault or wallet.”

Coinbase said it will reimburse anyone tricked into sending funds to the attacker and is “cooperating closely with law enforcement to pursue the harshest penalties possible.” It did not specify how many people already might have fallen for related scams.

Coinbase is one of the world’s largest crypto exchanges and had a market capitalization of about $67 billion as of Thursday morning. Its stock, traded on the Nasdaq, was added to the S&P 500 index earlier this week.

Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. He previously helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.