Coinbase COIN on Thursday disclosed a material cybersecurity incident involving insider abuse and data theft, leading to a $20 million Bitcoin BTC/USD ransom demand from a threat actor.

The company has refused to pay, instead placing a $20 million bounty for information leading to the arrest and conviction of the perpetrators.

In a Form 8-K filed with the U.S. Securities and Exchange Commission on May 15, Coinbase revealed that attackers had bribed overseas support contractors to exfiltrate internal documentation and personal user data, including names, contact details, masked bank and SSN data and government IDs.

The breach affected less than 1% of monthly transacting users, according to the company.

Coinbase CEO Brian Armstrong addressed the incident publicly, saying, "We are not going to pay your ransom… Instead, we're putting out a $20 million award for any information leading to the arrest and conviction of these attackers."

Armstrong explained that the attackers sought out weak links by targeting third-party customer support agents overseas.

While no passwords, private keys, or funds were accessed, he acknowledged the real threat of social engineering attempts using leaked personal data.

"Unfortunately, they were able to find a few bad apples… this is still unacceptable," Armstrong said.

Coinbase’s security systems had previously flagged and terminated some of the compromised contractors.

Since receiving the ransom email on May 11, the company has launched a full investigation and is working with law enforcement.

Affected customers were notified, and Coinbase will reimburse any user who lost funds as a direct result of the breach, Armstrong confirmed.

Additional measures include relocating parts of the customer support operation to the U.S. and tightening internal access controls.

The company has not experienced any material operational disruption, but said it expects to incur between $180 million and $400 million in expenses related to remediation and reimbursements.

