Hacked Coinbase Wallets

🔴 High Risk

The hacked Coinbase wallets case reveals a critical vulnerability in the crypto exchange ecosystem, where insider bribery and sophisticated social engineering enabled the theft and laundering of over $300 million in digital assets. The hackers employed advanced laundering tactics including converting stolen funds between Ethereum, stablecoins, and other tokens across decentralized networks to obscure their trail. Despite Coinbase’s public refusal to pay ransom and commitment to customer reimbursements, the incident underscores recurring security lapses and the urgent need for robust AML enforcement. This case highlights how intertwined cybercrime and money laundering have become, signaling a formidable challenge for regulators and crypto platforms in safeguarding user assets and financial integrity.

In one of the largest cyber incidents impacting cryptocurrency exchanges, the Coinbase hack exploited insider bribery to compromise sensitive data of over 69,000 users starting late 2024 and uncovered by May 2025. The breach facilitated unprecedented theft and laundering of digital assets valued up to $400 million, using Ethereum and stablecoins to mask stolen funds via decentralized platforms and mixing services. Despite a $20 million ransom demand, Coinbase refused payment, opting to reimburse customers and bolster security. The case illustrates the vulnerabilities in exchange internal controls and the sophisticated laundering tactics criminal hackers employ, posing significant challenges to US AML and cyber enforcement authorities tasked with tracking illicit flows in the broadening crypto ecosystem. This incident has intensified regulatory focus on crypto money laundering risks tied to internal threats and cross-border laundering schemes in the United States.

Countries Involved

The United States is the primary jurisdiction, as the home of Coinbase and the affected customers, alongside the foreign countries where overseas Coinbase contractors and employees were bribed. The laundering transactions reach global decentralized exchange platforms and potentially involve multiple jurisdictions, because crypto asset flows cross borders and obscure the trail.

The incident was reported publicly in May 2025, but the hacking campaign has been traced back to as early as December 2024. The breach was disclosed after Coinbase’s filing on May 14, 2025, which revealed the data access and ransom demands; security researchers and law enforcement agencies continued to report on it throughout 2025.

Ethereum (ETH), DAI (stablecoin), Bitcoin (BTC)

The case involves multiple criminal activities including data breach, cyber fraud, theft of sensitive personal data and cryptocurrency funds, extortion attempts, and notably money laundering through cryptocurrency conversion and layering strategies. This is a hybrid crime combining cyber intrusion with traditional money laundering.

  • Coinbase (cryptocurrency exchange and victim)

  • Rogue overseas Coinbase employees/support agents who were bribed and facilitated the leak

  • Individual(s) or groups identified as the hackers behind the breach

  • Blockchain researchers and security firms like PeckShield tracking illicit movements

  • Law enforcement agencies in the US addressing investigations into money laundering and cybercrimes

No publicly available evidence currently links politically exposed persons (PEPs) to this hacking or laundering operation. The case primarily hinges on criminal actors exploiting employee access and blockchain mechanisms.

The main laundering methods included:

  • Bribery of internal staff to gain sensitive data, enabling social engineering against Coinbase users to illicitly withdraw or transfer crypto funds.

  • Conversion of stolen assets to Ethereum (ETH) given its liquidity and anonymity features.

  • Use of decentralized exchanges (DEXs) and mixers/tumblers to obscure fund origins and transfer through multiple wallets.

  • Transition from ETH to stablecoins like DAI to stabilize the value and further complicate tracking efforts.

  • On-chain techniques to create confusion, including taunting blockchain analysts with transaction message fields (e.g., meme insults).

These layered methods illustrate a sophisticated interplay of insider threat and crypto laundering tools challenging law enforcement traceability.

The total value stolen from Coinbase users is reported between $180 million and $400 million. Recent laundering activity isolated from this breach exceeds $40 million, including a reported $18.9 million additional laundered sum converted into 3,976 ETH, with further conversions to about $45 million in stablecoins documented by blockchain analysts. These represent confirmed illicit funds passed through laundering networks post-theft.

Blockchain analytics revealed sequential swapping of stolen tokens from compromised wallets, with immediate on-chain conversions from ETH to DAI, often via anonymous decentralized platforms like THORChain. The attacker split large sums into multiple transactions to evade detection, mixed them with legitimate transactions, and posted public taunts aimed at blockchain sleuths to distract investigators. The tracing revealed layered transfers across multiple wallets designed to sever direct links to the original theft, which is characteristic of laundering that aims to cash out in fiat or usable crypto.

Coinbase publicly refused to pay the $20 million ransom demanded by hackers, opted for customer reimbursements, and initiated internal probes leading to termination of involved personnel. US regulatory filings disclosed the incident to the SEC and cooperation with federal law enforcement continues. Coinbase also committed to enhanced internal controls and launched bounty programs to identify perpetrators. Government agencies strengthened cybercrime investigation units focusing on crypto laundering from this breach, underscoring rising regulatory scrutiny over crypto exchange security and AML compliance in the US financial ecosystem.

Hacked Coinbase Wallets
Case Title / Operation Name: Hacked Coinbase Wallets Money Laundering Case
Country(s) Involved: India, United States
Platform / Exchange Used: Coinbase, THORChain (for token swaps), decentralized exchanges (DEXs)
Cryptocurrency Involved: Ethereum (ETH), DAI (stablecoin), Bitcoin (BTC)
Volume Laundered (USD est.): $180 million to $400 million estimated stolen; recent laundering of $40+ million confirmed including $18.9 million ETH
Wallet Addresses / TxIDs: Multiple wallets involved in layered transfers; specific TxIDs not publicly disclosed
Method of Laundering: Insider data theft, social engineering, phishing, conversion of stolen funds into ETH and stablecoins, use of mixers and decentralized swaps
Source of Funds: Customer account data compromised via insider bribery, facilitating theft and social engineering to illicitly withdraw funds
Associated Shell Companies: N/A
PEPs or Individuals Involved: No PEPs reported; involvement of bribed Coinbase overseas staff and unidentified hacker group
Law Enforcement / Regulatory Action: Coinbase cooperating with US law enforcement, terminated involved staff, refused ransom, offered $20M bounty, reimbursed victims, and enhanced security
Year of Occurrence: December 2024 (breach start), publicly reported May 2025
Ongoing Case: Ongoing