The hacking group ShinyHunters has posted screenshots on Telegram allegedly showing internal data from the crypto exchange Coinbase, resurfacing a major breach the company disclosed in 2025. Researchers believe the activity does not indicate a new leak but rather a deliberate show of access to previously stolen information.
According to analysts and journalists, members of the ShinyHunters group shared short-lived Telegram posts containing screenshots that appear to depict Coinbase’s internal tools and customer-related data. This so-called “flash posting” technique involves briefly publishing content and deleting it shortly after, often to signal possession of data or apply pressure without releasing full datasets.
Coinbase previously confirmed the breach and refused to pay a $20 million ransom, instead announcing a reward fund for information leading to the attackers’ arrest. The company stated that the compromise was facilitated by a customer support employee in India who assisted the attackers in accessing sensitive user information.
According to Coinbase, the stolen data included customer names, Social Security numbers, bank details, and transaction histories. The company said the attackers’ primary objective was social engineering — contacting users while impersonating Coinbase to trick them into transferring cryptocurrency.
The incident had significant financial and legal consequences. Coinbase reported approximately $307 million in breach-related costs and is currently facing a shareholder class action lawsuit alleging delayed disclosure of the incident.
ShinyHunters’ recent actions appear to be a form of psychological or reputational pressure rather than evidence of a fresh breach. The case highlights how stolen data can continue to be weaponized long after an incident becomes public, remaining a persistent threat to both companies and their users.
