DOJ investigates Coinbase hack after $20M ransom attempt

Coinbase is under investigation by the US Department of Justice.

The US Department of Justice is investigating a data breach involving bribed third-party contractors linked to Coinbase, after attackers accessed and leaked user data.

According to a Bloomberg report, investigators from the DOJ’s criminal division in Washington are examining the circumstances that led to the breach. 

The department is reportedly working with international law enforcement partners as part of the inquiry.

Coinbase disclosed the incident to authorities and confirmed that it is cooperating with the DOJ.

“We have notified and are working with the DOJ and other US and international law enforcement agencies and welcome law enforcement’s pursuit of criminal charges against these bad actors,” Coinbase’s chief legal officer, Paul Grewal, was quoted as saying.

The Justice Department has not issued an official comment on the investigation.

However, the agency is said to be focused on how contractors outside the US exploited their access to Coinbase’s internal systems and whether the firm’s internal controls were sufficient.

Coinbase users at risk

The probe centres around a $20 million extortion attempt made by the attackers, who had gained access to user data after bribing third-party support agents.

Coinbase said it received a ransom demand via email on 11 May.

Coinbase initially confirmed the breach on 15 May, saying a small subset of users was affected.

While no passwords or funds were compromised, the attackers obtained personal data including names, email addresses, and, in some cases, partial Social Security numbers and ID documents.

Coinbase attributed the breach to social engineering tactics.

Those behind the attack reportedly bribed overseas contractors who were able to bypass standard security measures and access restricted internal systems.

While the breach was flagged by internal tools, external investigations suggest it had been ongoing for months.

Prior to Coinbase’s disclosure, independent blockchain analyst ZachXBT had been raising concerns regarding the issue. 

Back in February, ZachXBT highlighted a string of scams hitting Coinbase users, pointing to attackers using insider-level data to carry out thefts.

Working with Tanuki42, ZachXBT identified patterns in which scammers impersonated Coinbase support, accessed private data, and tricked users into transferring funds.

Some of the activity was linked to a wallet labeled “coinbase-hold.eth.”

He also criticised the platform for earlier security lapses, such as bugs in verification systems and the use of misconfigured API keys, claiming Coinbase failed to address or publicly disclose them. 

ZachXBT estimated user losses between late 2024 and early 2025 could total $300 million or more.

Coinbase responds

In the meantime, Coinbase launched an internal probe and started moving parts of its support team to the US for better oversight.

The support agents involved in the incident were reportedly fired.

Coinbase has also offered a $20 million bounty for information leading to the attackers, and has vowed to reimburse affected users on a case-by-case basis.

Further, it has bolstered its security by introducing enhanced identity verification for high-risk transactions, scam-awareness prompts during withdrawals, and intentional processing delays for flagged accounts.

The post DOJ investigates Coinbase hack after $20M ransom attempt appeared first on Invezz
