Coinbase doesn’t plan on bending to a $20 million ransom demand from hackers who coaxed customer information out of international support agents, the company said Thursday.

Instead, Coinbase is offering a $20 million reward for information leading to the arrest and conviction of these hackers, who bribed “weak links” found on the cryptocurrency exchange company’s customer support team to access 1% of customers’ information, CEO Brian Armstrong said on social media site X.

“Our support tools have limited access to customer information. There [were] no passwords or private keys or funds accessed as part of this, but customer support agents do have access to personal information like name, date of birth, address, etc.,” Armstrong said. “Attackers still want access to this information because it allows them to conduct social engineering attacks, where they can call our customers, impersonating Coinbase customer support and try to trick them into sending their funds to the attacker.”

Social engineering attacks, which bypass technical defenses by manipulating people into giving up private information, account for 70% to 90% of cyberattacks, according to cybersecurity software firm Secureframe. Phishing and smishing – phishing’s SMS cousin – are common instances of social engineering attacks.

Through a few “bad apples,” Coinbase’s leaked information included names, addresses, phone numbers and email addresses; masked Social Security numbers; masked bank account numbers; driver’s license and passport photos; and balance and transaction histories, according to a company blog post.

The incident – which Coinbase learned of from an attacker email Sunday demanding ransom – could cost the exchange up to $400 million, according to a securities filing, between remediating security issues and reimbursing customers.

As a result, the company will move some of its customer support operations, including by opening a new support hub in the U.S. 

Coinbase terminated all personnel involved and implemented heightened fraud-monitoring protections, according to the filing, and notified customers whose information was potentially accessed.

“For these would-be extortionists or anyone seeking to harm Coinbase customers, know that we will prosecute you and bring you to justice,” Armstrong said in his video on X.

The cyber incident comes in what is otherwise a big week for Coinbase. It announced Wednesday that it will be joining the S&P 500 on May 19 – the first crypto exchange to do so – and The New York Times reported Thursday that the exchange is under investigation by the Securities and Exchange Commission for allegedly misstating verified users.

“This is a hold-over investigation from the prior administration about a metric we stopped reporting two and a half years ago, which was fully disclosed to the public,” Chief Legal Officer Paul Grewal said in an emailed statement to Banking Dive. “We explained that the verified users metric includes anyone who verified their email address or phone number with us, so it may overstate the number of unique customers.”

“We also disclosed – and continue to disclose – the more relevant metric of ‘monthly transacting users’ – the number of people who use our platform in a given month. While we strongly believe this investigation should not continue, we remain committed to working with the SEC to bring this matter to a close,” Grewal said.

Coinbase’s first-quarter filing indicates the company has 9.7 million MTUs. By that metric, Sunday’s cyber incident affected up to 97,000 people.