Identifying and Preventing Insider Threats: Lessons Learned From the Coinbase Incident


Coinbase today reported that they had experienced a major cybersecurity incident, but not in the way you might have thought. This was not an external data breach like most of the incidents in Q1 of 2025; it was an internal threat in which employees willingly exfiltrated data from Coinbase’s environment.

On May 11, 2025, Coinbase received an email from someone claiming that they were in possession of information detailing Coinbase customer accounts as well as internal documentation regarding customer service and account management operations. This email, which more closely resembled a ransom note, demanded payment in exchange for not releasing this information to the public. Similar to the HipShipper data breach earlier this year, the Coinbase records have been reported to contain the following information:

  • Full names
  • Phone numbers
  • Email addresses
  • Physical addresses
  • Partially redacted bank account numbers
  • Partially redacted social security numbers
  • Government identification scans/images
  • Coinbase account balances

The primary risk of this leaked information is not that it could immediately be used to access Coinbase accounts at scale. Instead, it is primarily valuable to cyber actors and cybercriminals looking to run targeted social engineering schemes, including phishing campaigns, against the Coinbase customers whose information was leaked. With account balances known, attackers would likely target the account owners with the largest amount of cryptocurrency readily available to steal. With full names, email addresses (or phone numbers), and the last four digits of a social security number, a cybercriminal can boost their apparent credibility when impersonating a Coinbase employee on first contact with a target.

The cause of this incident? Cybercriminals bribed Coinbase’s overseas support agents to locate and exfiltrate this data. As of the time of this article’s publication, the cybercriminals are allegedly demanding a $20 million ransom to not distribute this information.

Identification and Remediation of Internal Threats

In 2025, the vast majority of organizations need large teams to manage their oftentimes massive corpus of IT tools.

The fact is that in many cases, permissions are not properly vetted or audited at an appropriate interval, leading to overprivileged access for a sizable portion of individual users. While we are not here to debate whether or not Coinbase’s overseas support agents should have had access to the more sensitive portions of the data (primarily bank account numbers, social security numbers, government ID scans, and account balances), the fact is that an overwhelming number of employees across the world have the ability to cause a similar incident if they wanted to, or were convinced to, take these actions. These are called internal threats, and while they are difficult to prevent, doing so is not impossible.

The key to preventing internal threats is appropriate identification and immediate remediation. Especially when sensitive data is involved, losing even a single record is unacceptable, and even in small organizations a single security person is unlikely to catch an insider threat before the damage becomes significant.

DataDefender by Cloud Storage Security has the capability to identify and prevent both internal and external threats before they cause severe monetary and reputational damage. Our activity monitoring system, which combines traditional anomaly detection, machine learning, and heuristic analysis, is able to detect exfiltration attempts, even from privileged internal users, alert on the threat, and remove the user’s permissions (if configured) before the breach has completed.

While it is currently unclear whether or not the Coinbase incident occurred in the cloud, DataDefender has the ability to monitor actions taken by internal users and determine whether those actions could result in a data breach or other cybersecurity incident. Some examples include:

  • mass sensitive data exfiltration by an internal administrator or user,
  • permission escalation after initial credential compromise,
  • unauthorized cryptocurrency mining after credential compromise,
  • tampering with or deleting logs or logging services,

and hundreds of other common (and uncommon) cybersecurity incidents.
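As an added illustration of the first scenario, the following is a minimal baseline detector that a defender could run over customer-record access logs to surface a support agent pulling far more records, and more sensitive fields, than the population norm. This is example code written for this post, not DataDefender's implementation, and the audit events, agent names and field names are all constructed.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# One audit event: (agent id, day, customer record id, fields viewed). Constructed format.
Event = Tuple[str, str, str, Tuple[str, ...]]

# Fields whose exposure would enable the targeted social engineering described above.
SENSITIVE_FIELDS = {"bank_account", "ssn_last4", "id_scan", "balance"}


def build_sample_events() -> List[Event]:
    """Constructed audit log: eight agents doing ordinary lookups for three days,
    plus one agent who pulls 60 extra distinct records with sensitive fields on one day."""
    events: List[Event] = []
    for a in range(1, 9):
        for day in ("2025-05-09", "2025-05-10", "2025-05-11"):
            for n in range(5 + a % 3):  # 5 to 7 routine lookups per agent-day
                events.append((f"agent-{a:02d}", day, f"C{1000 + a * 10 + n}", ("name", "email")))
    for n in range(60):  # the bulk pull, hypothetical agent-07
        events.append(("agent-07", "2025-05-11",
                       f"C{2000 + n}", ("name", "ssn_last4", "bank_account", "balance")))
    return events


def flag_bulk_access(events: List[Event], multiplier: float = 5.0,
                     min_records: int = 20) -> List[Dict]:
    """Flag agent-days whose distinct-record count exceeds multiplier x the median
    agent-day volume (and at least min_records), noting sensitive fields touched."""
    per_day: Dict[Tuple[str, str], set] = defaultdict(set)
    sensitive: Dict[Tuple[str, str], set] = defaultdict(set)
    for agent, day, record_id, fields in events:
        per_day[(agent, day)].add(record_id)
        sensitive[(agent, day)].update(SENSITIVE_FIELDS.intersection(fields))
    baseline = median(len(records) for records in per_day.values())
    alerts = []
    for (agent, day), records in per_day.items():
        if len(records) >= min_records and len(records) > multiplier * baseline:
            alerts.append({"agent": agent, "day": day, "records": len(records),
                           "baseline": baseline,
                           "sensitive_fields": sorted(sensitive[(agent, day)])})
    return alerts


def response_action(alert: Dict) -> str:
    """Policy hook: sensitive-field bulk access warrants revoking access, not just alerting."""
    return "revoke_access" if alert["sensitive_fields"] else "alert_only"
```

A real deployment would compute the baseline per role and per weekday rather than across all agents, but the shape of the check is the same.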

About DataDefender and Cloud Storage Security

DataDefender by Cloud Storage Security offers customers complete protection over the entirety of their cloud storage environment. Make sure your organization:

  • Knows where its sensitive data resides
  • Configures its storage resources in a secure manner
  • Prevents the ingestion and distribution of malware, including ransomware
  • Identifies and stops internal and external attacks against storage and the data within

The DataDefender beta program is available now. Sign up today and ensure that your organization’s data is protected according to its sensitivity.