Coinbase Global doesn’t plan on bending to a $20 million ransom demand from hackers who bribed overseas customer support agents to hand over customer information, the company said Thursday.
Instead, Coinbase is offering a $20 million reward for information leading to the arrest and conviction of the attackers, who bribed what CEO Brian Armstrong called “weak links” on the cryptocurrency exchange’s customer support team to pull data on roughly 1% of customers, Armstrong said on the social media site X.
“Our support tools have limited access to customer information. There [were] no passwords or private keys or funds accessed as part of this, but customer support agents do have access to personal information like name, date of birth, address, etc.,” Armstrong said. “Attackers still want access to this information because it allows them to conduct social engineering attacks, where they can call our customers, impersonating Coinbase customer support and try to trick them into sending their funds to the attacker.”
The cyber incident comes amid other significant news for Coinbase. The New York Times reported Thursday that the exchange is under investigation by the Securities and Exchange Commission for allegedly misstating verified users. In addition, Coinbase announced Wednesday that it will join the S&P 500 on May 19 – the first crypto exchange to do so.
Social engineering attacks, which bypass technical defenses by manipulating people into giving up private information or taking an action that benefits the attacker, account for 70% to 90% of cyberattacks, according to cybersecurity software firm Secureframe. Phishing, delivered by email and through fake websites, and smishing, its SMS-based variant, are the most familiar forms. In the Coinbase case the stolen data is the raw material for that kind of attack: it lets a caller impersonating Coinbase support sound credible to the customer on the other end of the line.
The information leaked through a few “bad apples,” as the company put it in a blog post, included names, addresses, phone numbers and email addresses; masked Social Security numbers (last four digits only); masked bank account numbers; driver’s license and passport images; and account balances and transaction histories.
The incident – disclosed after Coinbase received an email from the attackers Sunday demanding a ransom – could cost the exchange between $180 million and $400 million, according to a filing the company made Thursday with the Securities and Exchange Commission. That estimate covers remediation of the security issues and reimbursement of affected customers.
As a result, the company will relocate some of its customer support operations, including by opening a new support hub in the U.S. Coinbase describes itself as “remote-first” and has no physical headquarters.
Coinbase terminated all personnel involved in the incident, implemented heightened fraud-monitoring protections and notified customers whose information may have been accessed, according to the filing.
“For these would-be extortionists or anyone seeking to harm Coinbase customers, know that we will prosecute you and bring you to justice,” Armstrong said in his video on X.
Regarding the SEC probe, Chief Legal Officer Paul Grewal offered this statement to Banking Dive in an email: “This is a hold-over investigation from the prior administration about a metric we stopped reporting two and a half years ago, which was fully disclosed to the public.”
“We explained that the verified users metric includes anyone who verified their email address or phone number with us, so it may overstate the number of unique customers,” the statement added.
“We also disclosed – and continue to disclose – the more relevant metric of ‘monthly transacting users’ – the number of people who use our platform in a given month,” Grewal said. “While we strongly believe this investigation should not continue, we remain committed to working with the SEC to bring this matter to a close.”
Coinbase’s first-quarter filing puts the company at 9.7 million MTUs. By that metric, Sunday’s cyber incident affected up to about 97,000 people.
In February, the SEC said it had agreed with Coinbase to drop a civil enforcement action against the company, following a regulatory shift under the Trump administration. That 2023 lawsuit, filed by the agency under the Biden administration, centered on whether Coinbase should have registered with the SEC as a securities exchange, broker and clearing agency.