A threat actor from a prior hack has resurfaced, demanding ransom in exchange for not diverting merchant funds or releasing secrets.
A threat actor who had previously exploited Coinbase Commerce’s payment infrastructure has resurfaced with new claims and a fresh ransom note, escalating a months‑long dispute over alleged design flaws in the crypto payments service.
The self‑described hacker has reiterated he can still abuse the merchant’s payment flow to misdirect funds, and is demanding payment in exchange for withholding technical details and not targeting major merchants that rely on the platform.
The dispute centers on Commerce’s move to a smart‑contract‑driven system that supports hundreds of tokens across Ethereum, Base and Polygon, and automatically converts customer payments into USDC for merchants at a guaranteed rate. The firm had already drawn criticism from parts of the Bitcoin community after it removed native Bitcoin and other UTXO support in early 2024, arguing that replicating its new on‑chain feature set on Bitcoin without smart contracts and stablecoins was too difficult. Since that change, the firm has promoted higher conversion rates and less manual effort for merchants on the revamped platform, but some users have complained publicly about confusing network behavior and unresolved payment issues.
Renewed ransom demands
The new ransom push comes less than a year after Coinbase disclosed a separate major cyber incident in which attackers bribed overseas support staff to siphon sensitive customer data and then demanded a US$20m payout for its deletion. The firm refused to pay, instead notifying law enforcement and warning investors that remediation and potential customer reimbursements could cost up to US$400m.
Subsequent reporting indicated that nearly 70,000 users were affected and that Coinbase had set up a US$20m reward fund for information leading to the attackers’ arrest, underscoring the exchange’s public stance against yielding to extortion. In March 2025 the firm was in the crosshairs of sophisticated supply‑chain attackers: security researchers revealed that a compromised GitHub Action initially targeted one of the exchange’s open‑source projects before expanding to hundreds of other repositories. Threat analysts noted that the attacker showed deep knowledge of CI/CD security and attempted to abuse the firm’s agentkit project, likely for financial gain, although Coinbase mitigated the attempt before secrets or packages could be compromised.
The latest Commerce‑focused extortion episode, even if technically distinct, adds to a growing string of incidents testing Coinbase’s security posture and crisis response as it positions Commerce as an on‑chain payments standard for mainstream merchants.



