Coinbase, the largest cryptocurrency exchange based in the U.S., said Thursday that criminals had improperly obtained personal data on the exchange’s customers for use in crypto-stealing scams and were demanding a $20 million payment not to publicly release the info.

Coinbase CEO Brian Armstrong said in a social media post that criminals had bribed some of the company’s customer service agents who live outside the U.S. to hand over personal data on customers, like names, dates of birth and partial Social Security numbers.

“(The stolen data) allows them to conduct social engineering attacks where they can call our customers impersonating Coinbase customer support and try to trick them into sending their funds to the attackers,” Armstrong said.

Social engineering is a popular hacking strategy, as humans tend to be the weakest link in any network. Many large companies have suffered hacks and data breaches as a result of such scams in recent years.

Coinbase did not specify how many customers saw their data stolen or fell prey to social engineering scams. But the company did pledge to reimburse any who did.

A filing with the Securities and Exchange Commission said that the company had, “in previous months,” detected some of its customer service agents “accessing data without business need.” Those employees had been fired, and the company said it stepped up its fraud prevention efforts.

Armstrong said the company was refusing to pay the ransom demand it received in an email and would instead offer a $20 million bounty for anyone who provided information that led to the attackers’ arrest.