Coinbase launched a $20 million bounty for information that leads to the identification and conviction of attackers who tried to extort the crypto exchange for the same amount by threatening to leak stolen customer data.

Hackers allegedly bribed offshore support staff to access personal user data — affecting roughly 1% of monthly transacting Coinbase users.

Coinbase said the rogue employees behind the breach were immediately fired upon discovery. However, the company did not disclose when the leak occurred or how many staffers were involved.

The attackers then demanded $20 million in bitcoin, threatening to leak names, addresses, and government IDs of customers online, which they potentially also used to trick Coinbase clients in rampant social engineering campaigns.

However, "no passwords, private keys, or funds were exposed, and Coinbase Prime accounts are untouched," the crypto exchange confirmed.

Coinbase refused to pay the ransom, reported the incident to law enforcement, turned the tables on the hackers by offering the bounty, and pledged to reimburse impacted users.

In a subsequent filing with the SEC on Thursday, Coinbase estimated the breach could cost between $180 million and $400 million in remediation and voluntary reimbursements.

The breach confirmation sparked mixed reactions in the crypto community, with some praising Coinbase's transparency and others criticizing its delayed disclosure.

Meanwhile, the SEC has been investigating whether Coinbase misstated its user numbers in past disclosures, The New York Times reported on Thursday