Coinbase Confirms Insider Breach After Leaked Screenshots Expose Internal Support Tools

Cryptocurrency exchange Coinbase has publicly confirmed a fresh insider security breach tied to leaked screenshots from one of its internal support tools, underscoring growing concerns around insider threat risks in the crypto industry.

According to Coinbase, the incident occurred in December 2025 and involved a third-party contractor who improperly accessed sensitive customer information. While the overall scope of the breach was limited—affecting roughly 30 users—the nature of the data accessed raises important questions about internal controls and third-party access.

A spokesperson for Coinbase confirmed to BleepingComputer that the contractor “improperly accessed customer information,” impacting a “very small number of users (approximately 30).” The individual in question has since been terminated and no longer provides services for Coinbase.

Leaked Screenshots Stir Alarm

The breach was brought to wider attention after threat actors identifying themselves as the group “Scattered Lapsus Hunters (SLH)” briefly posted screenshots of an internal Coinbase support interface on Telegram before quickly deleting the content.

These screenshots allegedly showed a support dashboard with access to a range of sensitive customer details, including:

  • Customer email addresses and names
  • Dates of birth and phone numbers
  • Know Your Customer (KYC) documentation
  • Cryptocurrency wallet balances and transaction histories

While it’s not clear whether SLH was directly responsible for leaking the screenshots, the activity highlights how data obtained through internal access can circulate rapidly among threat actors, even when the individuals or groups involved aren’t officially linked.

Not the First Coinbase Insider Incident

Coinbase clarified that this newly disclosed breach is distinct from an earlier insider-related incident tied to its outsourcing partner, TaskUs, which was reported in January 2025. That earlier breach involved overseas support representatives and affected a broader set of users.

In that 2025 incident, threat actors allegedly bribed contract support agents to steal customer data, which then led to a failed $20 million extortion demand. Although less than 1% of Coinbase’s monthly users were implicated, the event drew sharp scrutiny from regulators and security observers worldwide. Coinbase responded by terminating employees involved and strengthening internal controls.

What This Means for Internal Security

Cybersecurity analysts view the Coinbase events as emblematic of a broader industry trend: insider threats and compromise of Business Process Outsourcing (BPO) employees are increasingly front-line attack vectors for sophisticated actors.

BPO firms, commonly used to perform customer support, identity verification, and other operational tasks, often hold access to peripheral systems that attackers find highly valuable. Because these employees aren’t full-time internal staff, some experts argue that access privileges, monitoring, and insider threat detection need tightening to prevent misuse or compromise.

Coinbase’s Response and Regulatory Actions

Coinbase says it notified impacted users last year, offering them identity theft protection services and other guidance. The company also disclosed the incident to relevant regulators, aligning with standard reporting practices for security incidents involving customer data.

While the December breach was relatively contained, it reinforces the critical cybersecurity challenge facing major digital asset platforms: even robust perimeter defenses can be undermined by improper internal access, particularly when third-party contractors are involved.