Coinbase says cyberattack could cost it up to $400m

Bengaluru — Coinbase forecast a hit of between $180m and $400m from a cyberattack that breached account data of a “small subset” of its customers, the crypto exchange said in a regulatory filing on Thursday.

The company received an anonymous email on May 11, claiming to have information about certain customer accounts as well as internal documents.

While some data — including names, addresses and emails — was stolen, the hackers did not get access to login credentials or passwords, Coinbase said. Still, it will reimburse customers who were tricked into sending funds to the attackers.

Hackers had paid multiple contractors and employees working in support roles outside the US to collect information. The company has fired those involved, it said.

Separately, the New York Times reported that the US Securities and Exchange Commission (SEC) was investigating whether the company had misstated its user numbers.

Coinbase shares extended losses after the report and were last down 6.5%.

“This is a hold-over investigation from the prior administration about a metric we stopped reporting two-and-a-half years ago, which was fully disclosed to the public,” said Paul Grewal, Coinbase’s chief legal officer.

“While we strongly believe this investigation should not continue, we remain committed to working with the SEC to bring this matter to a close.”

The SEC declined to comment.

Crypto cracks

The latest developments come days before the company is set to join the benchmark S&P 500 index, casting a shadow over what was expected to be a landmark moment for the crypto industry.

Security remains a challenge for the crypto industry despite its growing mainstream acceptance. In February, Bybit disclosed a hack in which about $1.5bn worth of digital tokens were stolen — widely described the biggest crypto heist ever.

“The cyberattack may push the industry to adopt stricter employee vetting and introduce some reputational risks,” said Bo Pei, an analyst at US Tiger Securities.

Funds stolen by hacking crypto platforms amounted to $2.2bn in 2024, according to a report from Chainalysis, a US-based blockchain analysis firm.

“As our nascent industry grows rapidly, it draws the eye of bad actors, who are becoming increasingly sophisticated in the scope of their attacks,” said Nick Jones, founder of crypto firm Zumo.

Coinbase has refused to pay a ransom of $20m demanded by the attackers and is working with law enforcement agencies. Instead it has established a $20m reward for information on the hackers.

The company is also opening a new support hub in the US and taking other measures to prevent such cyberattacks, it said.

Reuters