Today in crypto, Coinbase reportedly refused to pay a $20 million ransom after insiders leaked user data in a phishing scheme — the breach could cost the exchange up to $400 million. The company has since fired a group of contracted customer support agents, allegedly involved in the attacks. Meanwhile, Huione Guarantee — suspected of operating as the world’s largest darknet marketplace — has shut down after a Telegram account purge disrupted its network.
Coinbase fires compromised agents in India — Report
Coinbase has reportedly fired a group of customer support agents following their alleged involvement in social engineering attacks on users. The contracted agents were based in India.
According to a May 15 Fortune interview, Coinbase's chief security officer, Philip Martin, said the company flagged customer support contractors who allowed scammers access to user data, suggesting they could be Indian nationals. The CSO’s comments came after some crypto users reeled from attempted phishing attacks using their Coinbase data, which the exchange estimated could cost them between $180 million and $400 million in remediation and reimbursement.
Qiao Wang, a core contributor to Alliance DAO, said in a May 15 X post that he may have been a victim of one of these attacks. He said a scammer notified him his Coinbase account had been compromised, asked him to verify his personal information, to which the criminals likely had access through the compromised agents, and requested he withdraw all his funds to a “Coinbase self-custodial wallet.”
“I called them out at the end of the call telling them they need to step up their game [...],” said Wang on X. “They told me that had made $7m that day.”
Coinbase faces $400 million bill after insider phishing attack
Coinbase, the world’s third-largest cryptocurrency exchange, was hit by a $20 million extortion attempt after cybercriminals recruited overseas support agents to leak user data, the company said.
According to a May 15 blog post, Coinbase said a group of external actors bribed and coordinated with several customer support contractors to access internal systems and steal limited user account data.
“These insiders abused their access to customer support systems to steal the account data for a small subset of customers,” Coinbase said, adding that no passwords, private keys, funds or Coinbase Prime accounts were affected.
Less than 1% of Coinbase’s monthly transacting users’ data was affected by the attack, the company said.
After stealing the data, the attackers attempted to extort $20 million worth of Bitcoin from Coinbase in exchange for not disclosing the breach. Coinbase refused the demand.
Coinbase said it will reimburse users who were tricked into sending cryptocurrency to phishing scammers, with expected remediation and reimbursement expenses ranging from $180 million to $400 million.
The crypto exchange disclosed the estimate in an 8-K filing with the US Securities and Exchange Commission on May 15, noting the expenses relate to “voluntary customer reimbursements” and other remediation efforts.
Telegram shuts the “largest darknet marketplace to have ever existed”
A major Chinese darknet marketplace suspected of facilitating crypto scams and cybercrime says it is ceasing operations after being targeted in a ban wave by the Telegram messaging service, upon which it operated.
The internet’s largest illicit marketplace, Haowang Guarantee, formerly Huione Guarantee, saw Telegram’s ban thousands of its associated accounts on May 13.
“Since all our NFTs, channels and groups were blocked by Telegram on May 13, 2025, Haowang Guarantee will cease operations from now on,” read the notice on the marketplace website.
A report from Wired said that this involved banning thousands of accounts and usernames that served as the infrastructure for the crypto crime marketplace and its vendors.
Telegram spokesperson Remi Vaughn told the outlet, “communities previously reported to us by WIRED or included in reports published by Elliptic have all been taken down,” before adding that “criminal activities like scamming or money laundering are forbidden by Telegram’s terms of service and are always removed whenever discovered.”