Cryptocurrency exchange Coinbase revealed it could face financial losses ranging from $180 million to $400 million following a cyberattack that compromised sensitive information of a limited number of its users. The disclosure came through a regulatory filing on Thursday, with the company confirming that certain customer account data was accessed by malicious actors.
The breach came to light after Coinbase received an email from an unidentified hacker on May 11. The threat actor claimed to possess both internal company documents and personal data from selected customer accounts. Although the attackers did not manage to obtain user passwords or login credentials, they did access names, email addresses, and physical addresses. Coinbase pledged to reimburse users who were deceived into transferring funds to the fraudsters.
Insider involvement and disciplinary action
Further investigations revealed that the perpetrators had paid contractors and staff operating in non-U.S. support roles to gain insider information. In response, Coinbase terminated the employment of individuals found to be complicit in the breach.
The company also stated it refused to meet a ransom demand of $20 million made by the attackers. Instead, Coinbase announced a $20 million bounty for credible information leading to the identification or capture of the hackers, and confirmed it was working closely with law enforcement.
To prevent similar incidents in the future, the firm plans to launch a new customer support hub in the United States and implement enhanced security protocols.
SEC investigates user metrics
While Coinbase deals with the fallout from the cyberattack, it also faces renewed attention from the U.S. Securities and Exchange Commission (SEC). According to sources familiar with the matter, the regulatory agency has resumed examining whether Coinbase inaccurately reported its verified user numbers.
This inquiry reportedly began under a previous SEC administration and has persisted even after the agency dropped an unrelated lawsuit accusing Coinbase of operating as an unregistered securities platform. The renewed focus centers on potential discrepancies in user statistics and whether such data could suggest lapses in regulatory compliance, especially regarding customer identity verification requirements.
Although two insiders confirmed the probe, a Coinbase spokesperson denied that the investigation involved know-your-customer (KYC) or Bank Secrecy Act compliance. Another source noted that the SEC had not specifically raised those issues, particularly given its decision to abandon the prior case.
Chief Legal Officer Paul Grewal responded to the reports by stating, “This investigation pertains to a metric we discontinued more than two years ago and which we transparently disclosed to the public. We strongly believe this inquiry should be concluded, but we remain open to cooperating with the SEC to resolve the matter.”
The SEC, when contacted, declined to offer any comments on the ongoing investigation.
Stock decline and industry repercussions
Following the announcement, shares of Coinbase (COIN.O) fell sharply, dropping 6.5% as investor concerns mounted. The news arrives just days before Coinbase is expected to be officially added to the S&P 500 Index—a significant milestone for the crypto sector.
However, the timing of the security breach threatens to overshadow what could have been a celebratory moment for both Coinbase and the broader digital asset industry. Analysts suggest that the incident may pose reputational risks and accelerate calls for stricter employee vetting procedures across crypto companies.
Bo Pei, an analyst at U.S. Tiger Securities, stated, “This breach could force the industry to adopt tougher standards around hiring and data access, particularly in offshore support functions.”
Crypto’s ongoing vulnerability
Despite the crypto industry’s push into the financial mainstream, security breaches remain a persistent threat. Earlier this year, crypto exchange Bybit suffered what is considered the largest digital heist in history, losing approximately $1.5 billion in digital assets to hackers.
According to a 2024 report by blockchain analytics firm Chainalysis, hackers stole a staggering $2.2 billion from crypto platforms last year alone. These figures reflect a growing trend of increasingly sophisticated cyberattacks targeting the digital asset ecosystem.
Nick Jones, founder of crypto infrastructure firm Zumo, acknowledged the persistent threat, saying, “As our young industry evolves rapidly, it continues to attract attention from highly capable cybercriminals who are adapting just as fast.”
Legal troubles mount
In addition to the cyberattack and regulatory concerns, Coinbase is now facing legal action. A newly filed lawsuit in the Southern District of New York accuses the company of failing to adequately protect the personally identifiable information of millions of its current and former users.
The legal complaint alleges that Coinbase did not take sufficient measures to safeguard sensitive data, placing its customers at risk. This lawsuit adds another layer of pressure as the company works to regain public trust and shore up its internal controls.