Cyber-attack Timeline:

Educational guides to understanding attacks & enhancing resilience

Company: Coinbase

Created by CM-Alliance:
INCIDENT IMPACT RESPONSE World leaders in cyber incident planning, response and crisis management

MAY 15, 2025 MAY 15, 2025 MAY 15, 2025

Coinbase CEO releases video on X disclosing a cyber incident Coinbase 8-K Filing reveals that the crypto exchange received an email Coinbase shares
The CEO of Coinbase, Brian Armstrong released a video on from the threat actor on May 11 slide by 4.1%
his X account disclosing a cyber incident the Crypto platform On May 11, America’s largest cryptocurrency exchange received an The disclosure
has been suffering from. He said: unsolicited email. It came from an unknown threat actor, who claimed to prompted the
l “Cyber criminals bribed and recruited rogue overseas possess information about some of the company’s internal systems, plus firm’s share price
support agents to pull personal data sensitive personally identifying information (PII) belonging to a subset of to fall by 4.1%
on <1% of Coinbase MTUs.” its customers. The email was deemed credible, Coinbase admitted in an Source: BBC
l “No passwords, private keys, or funds were exposed. 8-K filing with the Securities and Exchange Commission (SEC) on May 14.
Prime accounts are untouched.” Source: Dark Reading

MAY 15, 2025 MAY 15, 2025 MAY 15, 2025 MAY 15, 2025
Coinbase estimates cost of attack between $180m and $400m Due to the impact Coinbase CEO Brian Armstrong said in his X post: “Criminals had Coinbase had detected the breach months earlier &
In a filing with the US Securities and Exchanges Commission, of the cyber bribed some of the company’s customer service agents who terminated employees involved
Coinbase estimated that the cost of the cyber-attack will attack, coinbase live outside the U.S. to hand over personal data on customers, Coinbase had detected the breach independently in previous
amount to anywhere between $180m and $400m. shares fell 6% in like names, dates of birth and partial social security numbers.” months, per the filing. It immediately terminated the
It said this figure came from “remediation costs and voluntary trading around “(The stolen data) allows them to conduct social engineering employees involved, warned customers whose information
customer reimbursements”, however, this figure could change midday. attacks where they can call our customers impersonating may have been accessed and enhanced its fraud monitoring
as a result of “potential losses, indemnification claims, and Source: AP News Coinbase customer support and try to trick them into sending protections. The threat actor paid overseas contractors and
potential recoveries”. their funds to the attackers,” Armstrong said. employees in support rolls to obtain the information, it said.
Source: BBC Source: X Source: CNBC

MAY 15, 2025 MAY 15, 2025 MAY 15, 2025

Coinbase explained in a new blog Coinbase says less than 1% of total users impact but information Coinbase announces $20m bounty for
post that the attackers’ goal was to stolen is significant information on its attackers
hoard potential victims for follow- Coinbase has said that reportedly, less than 1% of its total user base has been Coinbase took an unprecedented step in the
on business impersonation attacks. impacted, but the information that attackers stole about that small chunk of history of private sector cyber attacks.
They also went ahead and pilfered customers is significant. Login credentials and blockchain private keys were spared, It took the $20 million ransom demanded by
internal company documentation but customers’ names, home and email addresses, phone numbers, Social Security its cyber attackers and turned it around, now
relating to customer service and numbers (SSNs), masked bank account numbers, images of driver’s licenses and offering it as a reward for any information
account management systems. passports, and Coinbase account balances and transaction histories were all pilfered. leading to the threat actors’ arrest.
Source: Dark Reading Source: Dark Reading Source: Dark Reading

[email protected] cm-alliance.com +44 203 189 1422 @cm_alliance Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices.
Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely
© 2025 Cyber Management Alliance Ltd available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.
Cyber-attack Timeline:
Educational guides to understanding attacks & enhancing resilience
Company: Coinbase

Created by CM-Alliance:
INCIDENT IMPACT RESPONSE World leaders in cyber incident planning, response and crisis management

MAY 15, 2025 MAY 19, 2025 MAY 20, 2025

Coinbase said: US DoJ probes Coinbase attack with international The COO of SkySlope, Paul William Harmon
l “To the customers affected, we’re sorry law enforcement agencies said in an X post that hackers entered Coinbase
for the worry and inconvenience this The U.S. Department of Justice has opened a probe into a recent systems in January 2025: “In January, hackers
incident caused,” breach at the world’s largest cryptocurrency exchange Coinbase found a simple backdoor to Coinbase customer
l “We’ll keep owning issues when they Global, the company said. “We have notified and are working with data. The company’s own employees. They
arise.” The victim company also, expectedly, the DOJ and other US and international law enforcement agencies bribed contract workers in customer support,
fired the staff members who shared and welcome law enforcement’s pursuit of criminal charges against offering cash for sensitive user information.
customer information with the hackers. these bad actors,” said Paul Grewal, Chief Legal Officer, Coinbase. This continued for nearly 5 months undetected.”
Source: Dark Reading Source: Reuters Source: X

[email protected] cm-alliance.com +44 203 189 1422 @cm_alliance Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices.
Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely
© 2025 Cyber Management Alliance Ltd available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.