The inside ghost and Coinbases deaf and dumb for 5 months

This article is approximately 2,556 words and takes about 4 minutes to read.
In the face of constant reminders and warnings from the community and security researchers, Coinbase strictly abided by the message from the Three-Body world: Don't answer, don't answer, don't answer.

Original author: Jaleel Jialiu , BlockBeats

Coinbase handled its recent user data leak as smartly as one would expect of the first crypto stock, and the first and only one of its kind to be included in the S&P 500.

Out of politeness, the author has already paid Coinbase his basic respects. Now it is time to nail this company to the pillar of shame.


On May 8, crypto detective ZachXBT posted a message on his personal channel stating plainly that another $45 million had been defrauded from Coinbase users through social engineering. The total in similar cases he has tracked over the past few months has reached nine figures. The scammers usually call or email users while pretending to be Coinbase customer service, then step by step induce them to click on phishing links disguised as the official website, and finally get them to transfer funds to the scammers' wallets.

Some will say: the users were deceived by social engineering, so what does this have to do with Coinbase? The platform is not a government regulator; how can it stop users from clicking on phishing emails?

First, other major trading platforms have not had similar fraud problems on such a large scale. Second, many victims have reported that the fraudsters not only accurately stated their account balances and transaction times, but were even able to produce photos of their ID cards, and everything seemed too real.

It all points to Coinbase leaking data.

Let's look at what Coinbase said. The 8-K filing submitted to the SEC on May 14 shows that in January 2025 Coinbase discovered, through its security systems, that some overseas customer service representatives had accessed users' complete identity information without any business need.

Looking at the report Coinbase submitted to the Maine Attorney General's Office on May 20, the data breach occurred even earlier, on December 26, 2024.


The Maine report shows that the breach occurred on December 26, 2024, and was discovered on May 11, 2025.

However, the incident was only announced on May 15. The announcement on Coinbase's official website said that criminals had targeted Coinbase's overseas customer service staff and bought user data from insiders for cash. The data included names, addresses, phone numbers, emails, government ID images (such as driver's licenses and passports), account balance snapshots and transaction records.

In other words, the data was stolen back in winter, yet only now, with spring over and at the critical moment of its inclusion in the S&P 500, was Coinbase forced to face this elephant in the room head-on, officially disclosing the incident in a notice that said it had received a blackmail email from a hacker.

According to Coinbase itself, it fired the personnel involved and strengthened security monitoring after discovering the abnormal access. Yet in those five months, Coinbase's only communication with users was a vague, innocuous email sent at the end of March, saying that an employee may have violated policy to view account records:

“We detected indications that a Coinbase employee may have accessed the account records of a small number of Coinbase customers, including your account, in a manner inconsistent with internal policy.”


The Block co-founder Mike Dudas previously revealed on X that he had received a disturbing email from Coinbase

Apart from this, we have never seen any more official public disclosure of information or further investigation into the incident.

The more exciting part comes next.

On May 15, the day the data leak was officially announced, a new Coinbase user agreement came into effect.

This agreement can fairly be called Coinbase's self-protection shield. Leaving aside the other lengthy, eye-catching content, it has two key clauses (9.9 and 9.10): users waive class actions in any form, and every user must file suit individually in the courts of New York.

Why New York? Because New York State has a rule that is extremely favorable to businesses: if the contract states that all disputes must be resolved in a New York court, and the amount involved exceeds $1 million, the court cannot decline the case on the grounds that a more convenient forum exists. At the same time, the Southern District of New York concentrates financial cases and has deep trial experience; the lawsuit between Coinbase and the SEC was also fought there.

In addition, according to public reports, although Coinbase has been a remote-first company since 2021, until the newly proposed San Francisco office opened this year, One Madison in New York was Coinbase's largest office space in the United States, with an 11-year lease and twice the floor area of the old site.

In this context, even if you are a victim like thousands of other users, you still have to go to New York alone and file the lawsuit at your own expense.

The agreement was updated on April 11 and took effect on May 15, almost seamlessly aligned with the disclosure of the data leak. Such a precisely timed contract change can only be described as mending the roof before the rain: Coinbase's foresight rivals that of Zhuge Kongming.

This also drew questions from technical security researcher Molly White, but Coinbase CEO Brian Armstrong responded that this was a conspiracy theory. When Molly White pressed further, asking "Why did Coinbase take more than a month to disclose this data breach to the SEC? When a listed company discovers a major cybersecurity incident, it should disclose it within four working days," Brian Armstrong stopped responding to her.

At the same time, Bloomberg quoted people familiar with the matter as saying that in the past five months, hackers have achieved on-demand access to user information by bribing enough Coinbase customer service representatives. Even on Wednesday, a few days before the announcement, hackers were still accessing the data. But this statement was refuted by Coinbase Chief Security Officer Philip Martin.

Coinbase’s current statement is: “We found that some employees had improperly accessed the data and fired the relevant personnel, but we did not know that the data had been leaked at the time. It was not until we received a ransom email from the hacker in May that we realized the seriousness of the problem.”

How much of this is self-exculpation? Let's take a look at how many reminders, questions and warnings from the community and security researchers were met with a blind eye during those five months, while Coinbase quietly modified the agreement and blocked the path to class action lawsuits.

Open the Coinbase forum on Reddit and a large number of users have reported account theft and frequent social engineering fraud since January, with overseas users bearing the brunt: "I suspected six months ago that customer service had a ghost inside. Five support tickets were all hastily closed. No one contacted me, and no one explained what happened." "I almost believed it because the amount I had just withdrawn was close to the amount they texted me." "They were able to verify my full name, account balance, and last login device. Everything was too natural and real..."

Faced with numerous reminders from the community, Coinbase strictly adhered to the message from the Three-Body world: Don't answer, don't answer, don't answer.

If you want to defend Coinbase by saying that it may not browse Reddit the way people in Asia do and so cannot see what the community is going through, then it must at least have been able to see the constant reminders from big KOLs and security researchers on Twitter.

ZachXBT, the most powerful detective in the cryptocurrency world with 860,000 followers on Twitter, pointed out in early February that more than $65 million was stolen from social engineering attacks between the end of last year and the beginning of this year. In late March, he said again that another $46 million was stolen in the past two weeks. He pointed out more than once that Coinbase did nothing.

There is also Taylor Monahan, head of security at MetaMask and a senior on-chain investigator, who publicly criticizes Coinbase on Twitter almost every week and constantly tries to hand over evidence to their security and support teams, while Coinbase’s “Senior Director of Investigations” blocked her as early as the end of 2024.

Taylor Monahan also directly revealed that Coinbase outsourced customer service work to TaskUs, a third-party service provider in India. As early as January 11, 2025, Coinbase laid off more than 300 Indian customer service staff on a large scale, citing theft and illegal operations. The office was then moved to Gurgaon, but internal data leaks still occurred frequently, so a new wave of layoffs occurred in March and April.

Regarding Coinbase's statement that "we didn't know until May 11," she said with merciless sarcasm: "This will be a very interesting show. Watch how they pretend to know nothing until the ransom email arrives." "The most likely excuse is: this is not a major leak and does not need to be disclosed."

It is somewhat ironic that while Coinbase executives were denying, shirking responsibility and giving the cold shoulder, some Reddit users and victims spontaneously organized themselves into a Jinyiwei (the Ming dynasty's imperial secret police) and found some clues about the scammers.

A user named Scammer-fight-back and his entire team fought against the scammers, calling them many times, recording and saving messages. Eventually they tracked down the scammers, who were mostly from Manchester, England, working in the same small office, using local accents to impersonate Coinbase customer service, extracting information while completing the fraud process.


Another netizen, dyfedavalon, shared the same view: "This is a large fraud gang from the UK, with a large scale and scope and strong capabilities. I called back to find those scammers, and it turned out to be the same group of people. They are really good at this business. I talked to them many times, and they thought I was a victim, but I am British, so I can hear and tease their British accents. They later directly asked me to stop calling and harassing them."

In addition, the investigation by Taylor Monahan, the MetaMask security director mentioned above, shows that internal employees of TaskUs, the third-party Indian service provider Coinbase outsourced to, contacted hackers on Telegram. Each sale of user email addresses, mobile phone numbers and 2FA information fetched about US$10,000, paid directly to the individual through PayPal or bank accounts.


Image source: Taylor Monahan

As for why anyone would take such a big risk to leak information: Taylor shared more content leaked by these Indian outsourced workers, pointing directly to the real working conditions at TaskUs. They are not allowed to go to the toilet, they have to fight for meal time, and if they don't deliver enough they are collectively ignored by management; the pressure is ridiculous, sick leave is recorded as absenteeism and wages are deducted directly; and anyone who didn't keep up with the training was fired on the spot.

"This is the worst decision I've ever made in my career. HR doesn't stand on your side at all, and no one cares even if you cry and complain. In the end, I couldn't even get a certificate of experience because they asked me to compensate for training costs," wrote one employee.


Complaints from former employees of Coinbase outsourcing company TaskUs, source: Taylor Monahan

According to data from Glassdoor, Indeed and other platforms, Coinbase's local customer service staff earn $60,000 to $70,000 per year, while Indian outsourced customer service staff earn only $3,600 to $4,800 per year. In other words, the salary of one American customer service representative pays for at least 15 Indian outsourced representatives.

Based on 300 outsourced positions, Coinbase can save $18 million a year here, and this does not include hidden cost savings such as office space, social security, overtime pay, and technical support.

It is worth mentioning that, according to an investigation by Bloomberg reporters, Coinbase paid $6.2 million for CEO Brian Armstrong's personal security in one year. Coinbase Chief Legal Officer Paul Grewal, who is also in charge of responding to the $400 million hacking incident and the SEC's user data investigation, had total compensation of more than $8.2 million last year.

The CEO's annual security costs and the chief legal officer's salary alone may exceed what Coinbase spends on the security of its entire user base.

There are many well-known users affected by the incident. According to Bloomberg, people familiar with the matter said that Roelof Botha, managing partner of Sequoia Capital, was one of the victims, and the data stolen from him included phone numbers, addresses, and other sensitive account information related to his Coinbase profile.

There is also 67-year-old Ed Suman, a well-known artist who has worked in the art world for nearly two decades and helped produce artworks such as Jeff Koons's Balloon Dog sculpture. He fell for a fake Coinbase customer service scam earlier this year and lost more than $2 million in cryptocurrency.

Coinbase has also been hit with multiple lawsuits, with users accusing the company of mishandling their personal data. Coinbase's practices have also attracted the attention of regulators: the Oregon Attorney General's Office, for example, has filed a lawsuit against Coinbase accusing it of violating state securities laws and questioning the legality of the arbitration and class action waiver clauses in its user agreement.

According to Elliptic data, the compensation and disposal costs of this incident reached $400 million, ranking it as the eighth largest security incident in the history of cryptocurrencies. This attack did not involve dramatic scenes such as hot wallet hacking or technical complexities such as contract vulnerabilities, but occurred in the most basic, daily, and most neglected link: KYC data.

But the reality is that Coinbase is unlikely to be penalized too severely.

There seems to be no precedent in US law for severe penalties for accidental data leaks. The most famous lawsuit related to data abuse is Facebook, because they violated their signed promise not to share user data with third parties without user consent, but this is slightly different from the situation faced by Coinbase.

The Coinbase incident is closer to data leaked by insiders to external hackers, which is the abuse of data access rights and improper outsourcing management. It should not be considered as systemic privacy fraud, and the losses are limited. Coinbase also stated that it will pay compensation.

More importantly, Coinbase is a company with a market value of more than $60 billion. It is also the only trading platform in the crypto industry to have been included in the S&P 500 index. It has rich policy relationships and deep capital resources.

In this US election, Coinbase and its executives donated tens of millions of dollars to Republican candidates and were believed to have played an important role in lobbying for multiple pieces of legislation. The SEC's withdrawal of its lawsuit against Coinbase was also once believed to be related to Coinbase's political donations.

Everything points to Coinbase weathering this storm. And going forward, Coinbase will be alive and well, and may even get better.
