Coinbase
Analysis of the Coinbase insider threat exposing 30 individuals' KYC data and crypto wallet balances.
Published by the Scrutex.ai Research Team | February 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation: Coinbase. Cryptocurrency exchange platform publicly traded on Nasdaq (COIN), serving over 100 million verified users worldwide.
Sector: Fintech / Cryptocurrency
Region: Global
Date of Incident: 2024 (insider access identified December 2024)
Date Disclosed: February 2026 (ShinyHunters leak of support tool screenshots)
Estimated Impact: 30 individuals (initial); up to 70,000 customers in broader incident
Data Types Exposed: Names, email addresses, phone numbers, dates of birth, government-issued IDs (KYC), cryptocurrency wallet balances and transactions
Attack Type: Insider Threat
Attack Vector: Bribery and recruitment of overseas customer support agents at an external vendor
Threat Actor: Bribed insiders; data later leaked by ShinyHunters
Current Status: Insiders fired and referred to law enforcement. Coinbase refused $20M ransom and established $20M reward fund. Reimbursement policy for tricked customers. Broader incident affected up to 70,000 customers.
Severity Assessment: Critical despite small initial scope. KYC data combined with wallet balances creates physical safety risks for cryptocurrency holders. The broader incident affected up to 70,000 customers.
What Happened
In February 2026, Coinbase disclosed an insider incident affecting approximately 30 individuals. An employee accessed customer data without authorisation.
Despite the small number affected, the compromised data includes names, emails, phone numbers, KYC details, and wallet balances. Crypto wallet balances and KYC data could enable physical threats or extortion against high-value targets.
Timeline
2024: Overseas customer support agents at an external vendor are bribed to access customer data
December 2024: Insider access identified by Coinbase
February 2026: ShinyHunters leak support tool screenshots; Coinbase publicly discloses the incident
February 2026: Coinbase refuses $20M ransom demand and establishes $20M reward fund for information leading to attacker identification
Threat Actor Profile
The initial compromise involved bribery and social engineering of overseas customer support agents at an external vendor, rather than traditional hacking.
ShinyHunters later leaked screenshots from Coinbase's support tools, connecting the insider breach to the broader cybercrime ecosystem.
Impact and Risk Assessment
For Affected Individuals
KYC data combined with cryptocurrency wallet balances creates physical safety risks. Knowledge that an individual holds significant cryptocurrency, combined with their home address from KYC records, can enable physical robbery or extortion.
Up to 70,000 customers were affected in the broader incident. Coinbase has established a reimbursement policy for customers who were tricked into sending funds to attackers.
For Organisations
Coinbase refused a $20 million ransom and instead established a $20 million reward fund for information leading to the identification of the attackers.
The incident highlights the risk of outsourced customer support operations, particularly for companies holding high-value financial data.
Regulatory Context
As a publicly traded company, Coinbase faces SEC disclosure requirements. Financial services and money transmission regulations in multiple jurisdictions apply.
KYC data protection is a regulatory requirement under anti-money laundering laws in most jurisdictions.
What Should You Do?
If You Are a Potentially Affected Individual
If you are a Coinbase customer, be particularly cautious of unsolicited communications that reference your account or holdings.
Review your account security settings and enable all available security features including hardware security keys.
Be aware that knowledge of cryptocurrency holdings combined with personal address information creates physical safety risk.
If You Are a Security or Risk Professional
Organisations outsourcing customer support for high-value accounts should implement enhanced monitoring, access controls, and background screening for support agents.
Consider the unique physical safety risks that cryptocurrency holder data creates and apply proportionate security controls.
Insider threat programmes should explicitly address the risk of bribery and recruitment of support staff, particularly at external vendors.
Learnings and Recommendations
In cryptocurrency, even a small number of compromised accounts can represent enormous financial exposure. Wallet balance data combined with personal addresses creates physical safety risks.
Insider threat programmes should include enhanced monitoring for access to high-value customer accounts.
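An added example (not part of the Scrutex advisory or any Coinbase tooling) of the monitoring recommended above: it scans support-tool access events and flags agents who open high-value accounts with no linked support case, or who view more distinct high-value accounts than a set limit. The event fields, the USD threshold and the per-agent limit are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample of support-tool access events (not real data).
# Fields are assumptions: agent id, customer id, linked case id (None when the
# record was opened with no support case), and account balance in USD.
EVENTS = [
    {"agent": "a17", "customer": "c001", "case": "T-9001", "balance_usd": 1_200},
    {"agent": "a17", "customer": "c002", "case": "T-9002", "balance_usd": 310_000},
    {"agent": "a42", "customer": "c003", "case": None, "balance_usd": 540_000},
    {"agent": "a42", "customer": "c004", "case": None, "balance_usd": 975_000},
    {"agent": "a42", "customer": "c005", "case": "T-9003", "balance_usd": 260_000},
    {"agent": "a42", "customer": "c003", "case": None, "balance_usd": 540_000},
    {"agent": "a08", "customer": "c006", "case": None, "balance_usd": 900},
]

HIGH_VALUE_USD = 250_000   # assumed threshold for a "high-value" account
MAX_HIGH_VALUE_VIEWS = 2   # assumed per-agent, per-window limit on distinct accounts


def review_access(events, threshold=HIGH_VALUE_USD, limit=MAX_HIGH_VALUE_VIEWS):
    """Return {agent: [reasons]} for agents whose high-value access needs review."""
    high_value = defaultdict(set)   # agent -> distinct high-value customers viewed
    no_case = defaultdict(set)      # agent -> high-value customers viewed with no case
    for e in events:
        if e["balance_usd"] < threshold:
            continue                # low-balance views are out of scope here
        high_value[e["agent"]].add(e["customer"])
        if not e["case"]:
            no_case[e["agent"]].add(e["customer"])

    findings = {}
    for agent, customers in high_value.items():
        reasons = []
        if no_case[agent]:
            reasons.append(f"no linked case: {sorted(no_case[agent])}")
        if len(customers) > limit:
            reasons.append(f"{len(customers)} distinct high-value accounts viewed")
        if reasons:
            findings[agent] = reasons
    return findings


if __name__ == "__main__":
    for agent, reasons in review_access(EVENTS).items():
        print(agent, "->", "; ".join(reasons))
```

Repeat views of the same customer are counted once, so the limit measures breadth of access rather than how often an agent reopens one record.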
Sources