Coinbase Data Breach Leads to $2M Crypto Theft via Phishing Scam

Jimmy Aki
Last Updated:

Please note that we are not authorised to provide any investment advice. The content on this page is for information purposes only.

On May 17, a report emerged that scammers posing as Coinbase security staff drained 17.5 BTC and 225 ETH, valued at more than $2 million, from Los Angeles artist Ed Suman after exploiting customer data leaked in Coinbase’s recent support-desk breach.

The attack was precise, likely tied to the May 15 breach where bribed support contractors leaked data for under 1% of users. The criminals demanded $20 million to stay quiet. Coinbase refused.

https://twitter.com/blockz_hub/status/192425805571517282

How Was The Coinbase User Breached Despite Using a Cold Wallet?

Suman is a 67-year-old retired artist who turned to cryptocurrency investing, having spent nearly 20 years as a fabricator and working on iconic artworks such as Balloon Dog sculptures.

Prior to the attack, Suman stored his assets in a Trezor Model One hardware wallet due to their safety features.

The former Los Angeles artist explained that he first received a text mimicking Coinbase’s “suspicious activity” alert, which prompted him to call the number provided.

The caller, who introduced himself as “Brett Miller,” already knew Suman’s wallet type and approximate balance. He claimed the cold storage was “at risk” and directed Suman to a fake Coinbase website, tricking him into entering his 24-word recovery phrase.

Nine days later, a second imposter repeated the same ruse. By then, the wallet had been emptied.

Although Coinbase insists no private keys or exchange-held funds were exposed, it now faces an estimated $180 million to $400 million in remediation and reimbursement costs.

While the criminals continue to launch a “social-engineering scam” attack with the personal information they have obtained, Coinbase reveals that it has since fired the support contractor who sold the information and placed a bounty of $20 million on the perpetrators.

Other high-profile victims of related phishing attempts include Sequoia Capital partner Roelof Botha.

Despite the theft, Suman remains committed to crypto. He plans to switch to a multisig wallet for added security. He has filed a claim with Coinbase but has not yet received confirmation of repayment.

Are Exchanges Ready for the Next Wave of Insider Exploits?

Coinbase is not the only major crypto exchange that recently had its support contractors offer bribes.

Binance and Kraken reported that they had stopped social-engineering raids that mirrored the Coinbase approach.

The attackers made financial offerings to customer support contractors. They sent Telegram instructions, but each exchange’s AI filters and strict data-access rules shut the chats down before any account details leaked.

This shows that criminals are trying various approaches, moving from exploiting flaws in computer codes to bribing and fishing for human elements that can be criminally influenced.

Elliptic warns that the Coinbase incident could become the eighth most costly crypto hack when it is over.

Officials also expect the FBI’s 2025 IC3 report to show even higher numbers as fraudsters now automate phishing and ransom campaigns with generative AI.

About Jimmy Aki PRO INVESTOR

Based in the UK, Jimmy is an economic researcher with outstanding hands-on and heads-on experience in Macroeconomic finance analysis, forecasting and planning. He has honed his skills having worked cross-continental as a finance analyst, which gives him inter-cultural experience. He currently has a strong passion for regulation and macroeconomic trends as it allows him peek under the global bonnet to see how the world works.