Insider Threats 9 min read Dec 14, 2025

Insider Threats: When Your Biggest Risk Works for You

The Coinbase breach showed how internal actors can cause $400M in damages. Prevention strategies inside.

In May 2025, Coinbase disclosed one of the most significant insider threat incidents in recent history. Overseas customer support contractors colluded with external attackers, leading to a breach with potential costs estimated at $400 million. The enemy wasn't outside the walls—they were already inside.

Estimated Damages: $400M
Attack Vector: Internal
Contractor Involvement: Overseas

Types of Insider Threats

Malicious Insiders

Employees who intentionally steal data or sabotage systems for financial gain, revenge, or ideology.

Negligent Insiders

Employees who accidentally expose data through carelessness, poor security practices, or falling for phishing.

Compromised Insiders

Employees whose credentials have been stolen, allowing attackers to operate with legitimate access.

The Coinbase Breach: What Happened

Initial Recruitment: Attackers identify and recruit overseas contractors. Insider access established.
Data Access: Contractors abuse legitimate system access. Customer data exfiltrated.
Escalation: Attackers demand ransom to not release data. $400M potential exposure.
Discovery: Coinbase detects unusual access patterns. Investigation launched.
Response: Contractors terminated, customers notified. Ongoing legal and financial fallout.

Third-Party Risk

Contractors, vendors, and partners often have access to your systems but may not share your security standards. The Coinbase breach highlights the need to monitor and control third-party access.

Defending Against Insider Threats

Implement least-privilege access controls
Monitor for unusual access patterns and data transfers
Screen employees and contractors thoroughly
Monitor employee credentials for breach exposure
Conduct regular access reviews and audits
Create clear data handling policies with consequences
Implement data loss prevention (DLP) tools
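
One way to act on "monitor for unusual access patterns" for support-style accounts, as an added example (not from the original article and not any Coinbase tooling): it flags agents whose daily distinct-customer count far exceeds their peers' median, or whose lookups mostly lack a ticket reference. The log format, field names, thresholds and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed audit log: timestamp,agent,customer_id,ticket_id (all values made up)."""
    rows = [
        ("2025-01-06T09:02:11", "agent_a", "C1001", "T501"),
        ("2025-01-06T09:15:40", "agent_a", "C1002", "T502"),
        ("2025-01-06T09:40:02", "agent_a", "C1002", "T502"),  # repeat view, same ticket
        ("2025-01-06T10:01:05", "agent_b", "C1003", "T503"),
        ("2025-01-06T10:20:31", "agent_b", "C1004", "T504"),
        ("2025-01-06T10:45:00", "agent_b", "C1005", ""),      # one lookup without a ticket
    ]
    # agent_c views 12 distinct customers, none tied to a ticket
    rows += [(f"2025-01-06T11:{m:02d}:00", "agent_c", f"C2{m:03d}", "") for m in range(12)]
    return "\n".join(",".join(r) for r in rows)


def flag_agents(log_text, volume_factor=3.0, max_ticketless_ratio=0.5):
    """Return {(day, agent): [reasons]} for agents whose daily access looks unusual."""
    customers = defaultdict(set)   # (day, agent) -> distinct customers viewed
    total = defaultdict(int)       # (day, agent) -> all record views
    ticketless = defaultdict(int)  # (day, agent) -> views with no ticket reference
    for ts, agent, customer, ticket in csv.reader(io.StringIO(log_text)):
        key = (ts[:10], agent)
        customers[key].add(customer)
        total[key] += 1
        if not ticket.strip():
            ticketless[key] += 1
    findings = {}
    for key, seen in customers.items():
        # Compare each agent with the other agents active on the same day.
        peers = [len(v) for k, v in customers.items() if k[0] == key[0] and k != key]
        reasons = []
        if peers and len(seen) > volume_factor * median(peers):
            reasons.append(f"{len(seen)} distinct customers vs peer median {median(peers)}")
        if ticketless[key] / total[key] > max_ticketless_ratio:
            reasons.append(f"{ticketless[key]}/{total[key]} accesses without a ticket")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (day, agent), reasons in flag_agents(build_sample_log()).items():
        print(day, agent, "; ".join(reasons))
```

A flag here is a lead for an access review, not proof of misuse; thresholds need tuning against each team's normal workload.
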

Credential Monitoring Connection

Compromised credentials are a major insider threat vector. When an employee's password is exposed in a breach, attackers can impersonate that employee with legitimate access. Regular credential monitoring helps identify and mitigate this risk.

Ready to Protect Your Team?

Don't wait until a breach happens. Start monitoring your employee credentials today with LeakLoop.