Dark Web News Analysis
A threat actor on a known cybercrime forum is advertising the alleged sale of a database containing over 370,000 records of Coinbase users, specifically users in the USA. The seller is offering this data for sale or “collaboration.”
Brinztech Analysis:
- The “Combo” Portfolio: The actor claims to possess additional datasets from Volkswagen (Germany) and Northwell Health (New York). This grouping provides critical context:
  - Volkswagen: Likely relates to the known 8Base ransomware leak or the Cariad (VW subsidiary) breach reported earlier in 2025, which exposed customer and vehicle telemetry data.
  - Northwell Health: Likely a subset or re-sale of the massive Perry Johnson & Associates (PJ&A) breach that impacted Northwell in late 2023/2024.
  - Coinbase: The 370k figure doesn’t match a massive corporate breach, but likely represents a “combolist”—a curated list of high-value users scraped from other breaches who have been verified as Coinbase account holders.
The offer of “collaboration” suggests the actor is looking for a partner to execute SIM swapping, phishing, or extortion campaigns using this data, rather than just a one-off sale.
Key Cybersecurity Insights
This alleged data sale presents a multifaceted threat:
- High-Value Target Exploitation: Cryptocurrency exchanges like Coinbase are prime targets. A list of 370,000 verified US crypto users is a “kill list” for spear-phishing. Attackers can send fake “withdrawal confirmation” emails to harvest 2FA codes.
- Recycled but Dangerous Data: While the Volkswagen and Northwell data may be from known, older breaches, their re-emergence in a “filtered” format means criminals have refined the raw data into actionable targets (e.g., “Northwell patients with high credit scores” or “VW owners with expensive models”).
- Multi-Vector Threat Actor: The seller’s diverse portfolio (Automotive, Healthcare, Crypto) indicates a versatile data broker. They are likely aggregating data from multiple sources to create high-value profiles for identity theft.
- Ongoing Threat to User Trust: Public allegations of data breaches, even unconfirmed or recycled ones, can severely impact customer trust and confidence in the security of financial platforms.
Mitigation Strategies
In response to this claim, Coinbase users and organizations in the named sectors must take action:
- Enforce Phishing-Resistant MFA: Mandate the use of hardware security keys (such as YubiKey) or passkeys for all Coinbase and financial accounts. SMS-based 2FA is insufficient against the sophisticated threat actors buying this data.
- Proactive Dark Web Monitoring: Continuously monitor dark web forums for mentions of your organization. If you are a Northwell or VW customer, check if your data has resurfaced in these new “filtered” lists.
- Regular User Awareness: Conduct periodic training for employees and customers on recognizing phishing attempts. Specifically, warn users that Coinbase support will never call them to ask for passwords or 2FA codes—a common tactic used with leaked phone numbers.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com