Breakthrough in the Coinbase data breach case: Indian police arrest the first former employee involved, confirming that outsourced personnel became a security vulnerability and bringing social engineering risks to the forefront.
A key development has occurred in the Coinbase data breach incident. Indian police recently arrested a former employee who previously worked within Coinbase’s customer support system, becoming the first suspect detained in this major cybersecurity case. Coinbase CEO Brian Armstrong confirmed the news publicly and expressed gratitude for the proactive assistance from Hyderabad police in the cross-border investigation.
[Image: Coinbase CEO Brian Armstrong confirms that the former Indian employee involved in the earlier data leak has been detained by police. Source: X/@brian_armstrong]
Armstrong stated that Coinbase maintains a zero-tolerance policy toward any internal misconduct and will continue collaborating with law enforcement agencies worldwide to hold all involved parties accountable. It is understood that this arrest is not an isolated action but the beginning of a broader investigation, with more suspects potentially identified in the future.
This case originates from a large-scale data breach at Coinbase revealed in 2025. At the time, Coinbase explained that the attackers did not exploit any system vulnerability; instead they bribed outsourced customer-support staff located in India, who used their legitimate access to illegally obtain user data.
The leaked data included names, emails, addresses, and other personal information. While passwords and private keys were not compromised, the information was sufficient to facilitate subsequent social engineering scams. Coinbase noted that as early as January 2025 its internal security team detected abnormal activity and launched an investigation, ultimately confirming an organized internal infiltration in May.
Coinbase’s Chief Security Officer Philip Martin explained that the attackers’ main strategy was to precisely target personnel involved in customer service and business process outsourcing (BPO), using monetary incentives to gain access to internal systems through those employees’ existing privileges. The case highlights that “personnel risk” has become one of the most vulnerable links in the cybersecurity defenses of the crypto industry.
According to investigation data, after successfully obtaining the data, hackers demanded a ransom of 20 million USD from Coinbase, threatening to continue abusing the leaked information if not paid. Coinbase ultimately refused to pay the ransom and instead announced a reward of an equivalent amount, seeking key clues to help solve the case.
The company estimates that the total direct and indirect losses from the incident, including user compensation, cybersecurity upgrades, and legal expenses, could range from 180 million to 400 million USD. The arrest by Indian authorities is one result of Coinbase’s cooperation with law enforcement agencies across multiple countries.
It is noteworthy that this investigation also intersects with Coinbase’s recent efforts to re-enter the Indian market. After about two years of regulatory uncertainty, Coinbase has adjusted its operations and compliance strategies in India. The case is also seen as an important step in demonstrating its commitment to cybersecurity governance to regulators and the market.
In addition to the Indian case, the U.S. Department of Justice recently uncovered multiple scams in New York involving impersonation of Coinbase customer service. A 23-year-old suspect allegedly pretended to be an official representative, tricking users into revealing account access, resulting in approximately 16 million USD in losses and nearly 100 victims.
These cases indicate that the primary threats facing the crypto industry in 2025 are gradually shifting from traditional technical vulnerabilities to social engineering and identity impersonation combined with data leaks. For trading platforms, strengthening outsourced management, internal controls, and real-time risk detection has become as crucial as system security.
With the first suspect in custody, the Coinbase data breach case enters a new judicial phase. However, the overall incident also serves as a wake-up call for the global crypto industry: in environments heavily reliant on human support and cross-border operations, the weakest link in cybersecurity is often not in code but in human nature.