Cryptocurrency trading platform Coinbase said it could pay up to $400 million (£300m) in charges after criminals obtained personal data on customers and used it to swindle them out of funds.
The attackers bribed overseas Coinbase staff and contractors to obtain company documents and information on “less than 1 percent” of customers, then used the data to trick users into handing over cryptocurrency holdings, Coinbase said.
The “unknown threat actor” then contacted Coinbase on 11 May and demanded a $20m ransom to keep the matter quiet.

Ransom demand
Instead of paying, Coinbase said it would offer a $20m reward fund for information leading to the arrest and conviction of the criminals involved.
“We’re cooperating closely with law enforcement to pursue the harshest penalties possible and will not pay the $20 million ransom demand we received,” the company stated.
It said it would reimburse customers who were tricked into sending funds to the attackers.
The attackers gained access to some customer information, including names, addresses and emails, but not login credentials or passwords.
The company estimated its costs at between $179m and $400m in a filing with the Securities and Exchange Commission.
The costs relate to remediation and voluntary customer reimbursements, but could rise as a result of “potential losses, indemnification claims, and potential recoveries”, the company said.
It said it had immediately fired the insiders involved.
It advised customers to remain vigilant for future scam attempts.
“Coinbase will never ask for your password, 2FA codes, or for you to transfer assets to a specific or new address, account, vault or wallet,” the company said.
The disclosure came days before Coinbase is set to join the S&P 500 index, in what is considered a significant moment for the crypto industry.

Lucrative target
The incident highlights how, as the industry has grown in prominence, it has also become a major target for criminals seeking valuable and difficult-to-trace crypto funds.
In February crypto firm Bybit said $1.5bn of digital tokens had been stolen, widely considered the biggest crypto heist to date.
Funds stolen from crypto platforms totalled $2.2bn last year, Chainalysis said.
In France, kidnappers have targeted a number of people connected with figures in the country’s crypto industry and demanded ransoms paid in digital coins.
Last week a woman identified as the daughter of Pierre Noizat, the chief executive and co-founder of French cryptocurrency firm Paymium, narrowly escaped being kidnapped from a Paris street along with her child.