Insider Threat · Fintech / Cryptocurrency · Global · February 2026

Coinbase

Analysis of the Coinbase insider threat exposing 30 individuals' KYC data and crypto wallet balances.

Records Affected

30 individuals (initial); up to 70,000 customers in broader incident

Attack Type

Insider Threat

Location

Global

Data types exposed

Names, email addresses, phone numbers, dates of birth, government-issued IDs (KYC), cryptocurrency wallet balances and transactions

What Happened

In February 2026, Coinbase disclosed an insider incident affecting approximately 30 individuals. An employee accessed customer data without authorisation.
Despite the small number affected, the compromised data includes names, emails, phone numbers, KYC details, and wallet balances. Crypto wallet balances and KYC data could enable physical threats or extortion against high-value targets.

Timeline

  • 2024 — Overseas customer support agents at an external vendor are bribed to access customer data
  • December 2024 — Insider access identified by Coinbase
  • February 2026 — ShinyHunters leak support tool screenshots; Coinbase publicly discloses the incident
  • February 2026 — Coinbase refuses $20M ransom demand and establishes $20M reward fund for information leading to attacker identification

Threat Actor Profile

The initial compromise involved bribery and social engineering of overseas customer support agents at an external vendor, rather than traditional hacking.
ShinyHunters later leaked screenshots from Coinbase's support tools, connecting the insider breach to the broader cybercrime ecosystem.

Impact and Risk Assessment

For Individuals

KYC data combined with cryptocurrency wallet balances creates physical safety risks. Knowledge that an individual holds significant cryptocurrency, combined with their home address from KYC records, can enable physical robbery or extortion.
Up to 70,000 customers were affected in the broader incident. Coinbase has established a reimbursement policy for customers who were tricked into sending funds to attackers.

For Organisations

Coinbase refused a $20 million ransom and instead established a $20 million reward fund for information leading to the identification of the attackers.
The incident highlights the risk of outsourced customer support operations, particularly for companies holding high-value financial data.

Regulatory Context

As a publicly traded company, Coinbase faces SEC disclosure requirements. Financial services and money transmission regulations in multiple jurisdictions apply.
KYC data protection is a regulatory requirement under anti-money laundering laws in most jurisdictions.

What Should You Do?

For Individuals

  • If you are a Coinbase customer, be particularly cautious of unsolicited communications that reference your account or holdings.
  • Review your account security settings and enable all available security features including hardware security keys.
  • Be aware that knowledge of cryptocurrency holdings combined with personal address information creates physical safety risk.

For Security Professionals

  • Organisations outsourcing customer support for high-value accounts should implement enhanced monitoring, access controls, and background screening for support agents.
  • Consider the unique physical safety risks that cryptocurrency holder data creates and apply proportionate security controls.
  • Insider threat programmes should explicitly address the risk of bribery and recruitment of support staff, particularly at external vendors.
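
One way the enhanced monitoring recommended above could look in practice, as an added example that is not Coinbase's tooling or part of the original advisory: it flags support agents who open sensitive fields on high-value accounts without a ticket assigned to them. The log schema, field names, identifiers and threshold are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data. Schema, identifiers and thresholds are assumptions.
HIGH_VALUE = {"c-104", "c-221", "c-350", "c-417"}   # customers above a balance threshold
SENSITIVE_FIELDS = {"kyc_document", "balance"}      # fields that need a ticket justification
TICKETS = {                                         # (assigned agent, customer) pairs
    ("agent-a", "c-001"), ("agent-a", "c-104"),
    ("agent-b", "c-002"), ("agent-b", "c-003"),
}
ACCESS_LOG = [                                      # (agent, customer viewed, fields opened)
    ("agent-a", "c-001", {"email"}),
    ("agent-a", "c-104", {"email", "balance"}),
    ("agent-b", "c-002", {"email"}),
    ("agent-b", "c-221", {"kyc_document", "balance"}),
    ("agent-b", "c-350", {"kyc_document", "balance"}),
    ("agent-b", "c-417", {"kyc_document", "balance"}),
    ("agent-b", "c-003", {"email"}),
]


def review_access(log, tickets, high_value, min_unjustified=2):
    """Return {agent: findings} for agents whose record views warrant review.

    A view is "unjustified" when it opens a sensitive field and no ticket
    links that agent to that customer. An agent is reported once the number
    of unjustified views of high-value customers reaches min_unjustified.
    """
    per_agent = defaultdict(
        lambda: {"views": 0, "unjustified": [], "high_value_unjustified": []}
    )
    for agent, customer, fields in log:
        stats = per_agent[agent]
        stats["views"] += 1
        if (agent, customer) in tickets:
            continue  # view is tied to a ticket assigned to this agent
        if fields & SENSITIVE_FIELDS:
            stats["unjustified"].append(customer)
            if customer in high_value:
                stats["high_value_unjustified"].append(customer)
    return {
        agent: stats
        for agent, stats in per_agent.items()
        if len(stats["high_value_unjustified"]) >= min_unjustified
    }


if __name__ == "__main__":
    for agent, stats in review_access(ACCESS_LOG, TICKETS, HIGH_VALUE).items():
        print(agent, stats)
```
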

Learnings and Recommendations

In cryptocurrency, even a small number of compromised accounts can represent enormous financial exposure. Wallet balance data combined with personal addresses creates physical safety risks.
Insider threat programmes should include enhanced monitoring for access to high-value customer accounts.
This advisory summarises a publicly reported cybersecurity incident for educational purposes. Information is sourced from publicly available reports and may include claims that are unverified or disputed. Inclusion does not imply fault or negligence by the affected organisation.