In a recent example of why managing insider risk is critical, cryptocurrency exchange Coinbase announced that it was the target of an extortion scheme enabled by insiders. Coinbase published a blog indicating that malicious actors recruited overseas contractors who were support agents for the firm to gain access. The cybercriminals then attempted to extort the company for $20 million to cover up the data breach.
Earlier this year in Forrester’s The Top Cybersecurity Threats In 2025 report, Forrester called out a higher risk of insider threats due to disgruntlement, financial distress, and geopolitical conflict.
According to a video from Coinbase CEO Brian Armstrong, cybercriminals were able to access personal information on less than 1% of the company’s monthly transacting users (MTUs). An 8-K filing indicates that cybercriminals accessed company and customer data, including:
Name, address, phone, and email
Masked Social Security numbers (last 4 digits only)
Masked bank account numbers and some bank account identifiers
Government‑ID images (e.g., driver’s license, passport)
Account data (balance snapshots and transaction history)
Limited corporate data (including documents, training material, and communications available to support)
The company said that the attackers weren’t able to access any user passwords, private keys, or funds. Instead, the cybercriminals used the data accessed to socially engineer Coinbase clients. Coinbase dismissed the insiders involved in the incident and is pursuing criminal charges against them through international law enforcement entities.
Estimating The Impact
Coinbase provided a preliminary estimate of expenses related to the incident that range from $180–$400 million, including remediation costs, customer reimbursements, and other potential costs. The actual total could be lower based on insurance claims. Breaches, however, do have a long tail, so once litigation begins, the number could just as easily increase in the years ahead.
Flipping The Coin (Script) On The Extortionists
In a bold and unexpected move, Coinbase has opted to throw the ransom request back in the face of the attackers — instead of paying up for the ransom demand, they are putting the $20 million toward a bounty for information leading to the arrest and conviction of the attackers. This seems to be a first — governments, such as the FBI and the US State Department through Rewards For Justice, have offered bounties before, but no private-sector companies seem to have taken this approach previously.
Rebuilding Customer Trust
The old adage “It’s not the crime; it’s the cover-up” applies to breaches. In this scenario, Coinbase provided remarkably clear, specific, and transparent details about the incident and its impact. This ranges from its public statements and the video from its CEO to the bounty leading to the arrest of the individuals/groups involved and its required 8-K filing.
The response was human and helpful. Coinbase directly addressed customer concerns (such as reimbursements for those tricked into sending funds to attackers), highlighted how customers can stay safe, and outlined actions that Coinbase is taking next.
In the blog post, Coinbase points out that “crypto adoption depends on trust.” The seven levers of trust in Forrester’s trust imperative research include accountability, competence, transparency, and empathy. Coinbase touched on each of these in its announcements and communications about the incident so far. Its behavior, in the short term, demonstrates its commitment to rebuilding customer trust.
Beware Of Low-Cost International Expansion
Coinbase’s announcement includes a warning of which every business needs to take note. Economic volatility puts pressure on businesses to cut costs in various ways, including offshoring. But international expansion brings with it cultural challenges, law enforcement differences, and stark contrasts in employee-to-employer loyalty. Coinbase experienced this firsthand. For those thinking that a combination of guardrails, agentic AI, and AI agents will solve this problem … well … generative AI is not immune to bribes either.
Thwarting Future Social Engineering Attempts
The Coinbase breach was a combination of multiple human-element breach types that resulted in the social engineering of its customers. In addition to the transparency around the breach itself, Coinbase provided all customers with best practices for keeping data and funds safe.
Coinbase clearly states that it will never ask for passwords or two-factor authentication codes and won’t call or text customers to provide information. It states, “If you receive this call, hang up the phone.” Encouraging customers, partners, and employees to pause and ask questions in the face of novelty, authority, and/or urgency is critical to disrupting social engineering attempts. It’s equally important to communicate exactly how you will and will not communicate with them — from the CEO to the HR department to the help desk. If you haven’t already, develop and socialize these messages throughout your organization and ecosystem.
Managing Insider Risk
Forrester data shows that approximately 23% of data breaches were the result of insider incidents. Half of those incidents were the result of malicious insiders. Cybercriminals and other malicious actors are also targeting insiders (like what happened in the Coinbase incident) to gain access to sensitive data and systems.
Managing insider risk requires dedicated focus that starts with the insiders themselves (employees, contractors, and partners) in addition to defined processes and technology. Part of managing insider risk is understanding insider motivations, which include financial distress, disgruntlement, outside influence (again, see the Coinbase example), and others.
Our report, Best Practices: Insider Risk Management, provides best practices for managing insider risk and 10 steps for establishing an insider risk management program.
Let’s Connect
Forrester clients can schedule an inquiry or guidance session with me to do a deeper dive on insider risk and learn how to start their own insider risk management program.
