Coinbase Counteracts $20M Extortion Attempt with Bounty
The crypto exchange offered a bounty matching hackers' demands after India-based support staff leaked customer data in a breach that could cost up to $400 million.
Cybercriminals bribed Coinbase's overseas support agents to steal customer data and demanded a ransom of $20 million in Bitcoin. The exchange's response? A $20 million bounty on the attackers' heads.
Rogue agents were bribed to leak sensitive user data, including names, addresses, masked bank details, and ID documents. While no funds, passwords, or private keys were compromised, and Coinbase Prime accounts remained "untouched," the attackers used the data to launch targeted social engineering scams on customers.
All compromised agents were based in India and have been terminated, Coinbase's chief security officer, Philip Martin, confirmed in a Fortune interview.
The Damage
Less than 1% of Coinbase's monthly transacting users were affected by the breach, according to the exchange's disclosure.
In an SEC filing Thursday, Coinbase estimated the incident could cost between $180 million and $400 million in "remediation costs and voluntary customer reimbursements," a figure that could "meaningfully increase or decrease" as the situation evolves.
Coinbase shares dropped about 10% on Thursday following the disclosure.
Reactions have been mixed. While some praised Coinbase for its transparency, others criticized the delayed disclosure.
"Coinbase not disclosing this (much, much, much...) earlier notwithstanding, this is the dark side of the idiotic and nonsensical KYC/AML regime we live in," wrote Wintermute CEO Evgeny Gaevoy on X.
The exchange had previously launched similar bounty programs, including one in 2022 following another extortion attempt.
As crypto continues its integration with traditional finance (evidenced by Coinbase's entry into the S&P 500), security practices must evolve beyond the "move fast and break things" mentality that has characterised the industry's growth phase.
The question now becomes whether Coinbase's bounty approach will serve as a deterrent or simply raise the stakes for future attacks.