In May 2025 alone, nine crypto investors fell victim to kidnappers. The kidnappings took place all over the world.

A wave of kidnappings and a trend for bodyguards: the aftermath of the Coinbase leak

30.05.2025

In early May 2025, the Coinbase exchange reported the largest leak of user data in its history. Despite the platform’s assurances that all assets are safe, some of its customers have already been victimized by thieves and extortionists. GetBlock AML Research explains how Coinbase’s unprofessionalism has caused a wave of crypto investor kidnappings.

Backstory

On May 11, 2025, the Coinbase exchange received an email from an unknown sender who reported a massive leak of the exchange’s user data and demanded a $20 million ransom for its return. The company refused to pay the extortionist and three days later publicly disclosed the leak, contacting law enforcement agencies. According to Coinbase’s statement to the Maine attorney general’s office, the attackers obtained the data of 69 461 exchange users.

Coinbase’s statement to the Maine attorney general’s office

What data the extortionists obtained:

  • Name, home address, contact phone number, and email address;
  • Scans of government-issued identity documents (passports, driver’s licenses, etc.);
  • The last four digits of the social security number;
  • Full information about users’ assets: the amount of cryptocurrency stored on the exchange and transaction history;
  • Bank account and card numbers;
  • Other corporate data (internal documents and history of support calls).

How the leak happened

A little-known but important fact is that Coinbase, like many other companies, outsources employees from other countries (to save on labor costs). Coinbase’s customer support team employed a large number of Indian residents who were recruited by cybercriminals to collect data on the exchange’s customers. The recruited support agents were rewarded for handing over user information and internal exchange documents to the criminals.

It was known in advance

The fact that Coinbase customers’ user data was somehow falling into the hands of cybercriminals on a massive scale was known long before the exchange received the ransom demand. This was noticed by well-known crypto investigator ZachXBT, who published his own statistics on Coinbase customer losses. According to his data, more than $65 million was stolen from Coinbase users between December 2024 and January 2025. In the calculations, ZachXBT used only the data of those victims who contacted him personally, so the real number may be much higher.

Coinbase customer losses from December 2024 to January 2025. Data: ZachXBT

What’s happening now

After gaining access to residential addresses, contact numbers, and asset information, cybercriminals have begun tracking down Coinbase customers around the world for the purpose of kidnapping and extortion. News of new kidnappings of cryptocurrency owners comes from different parts of the world almost daily.

One of the kidnappers’ victims was Oksana Drugaleva, the ex-wife of the co-founder of the sanctioned Russian exchange Garantex. Two unknown assailants held her and a cohabitant for more than six hours in an apartment in Buenos Aires. The attackers took possession of 43 000 USDT and fled.

There is even a list on GitHub that tracks kidnappings of cryptocurrency holders. In May alone, there were nine such cases, whereas 32 kidnappings were reported in all of 2024. Kidnappings have been observed all over the world: in the US, UK, Uganda, South Korea, France, Argentina, Paraguay, Pakistan, Philippines, China, Brazil, and other countries. Against the background of mass kidnappings of cryptocurrency holders, the demand for security services has increased: bodyguards, rental of armored cars, and secure residences.

How to protect yourself

If you have a Coinbase account, we recommend that you take the following steps:

  • Withdraw assets from the exchange and suspend your Coinbase account;
  • Change your cell phone number, email address, and if possible, your place of residence;
  • Report security issues to your bank and reissue cards with different ID numbers;
  • Ignore calls from unknown numbers and avoid suspicious offers to meet strangers under any pretext;
  • Use secure cold wallets in safe locations with multiple backups to store crypto assets.
