Coinbase’s customer data breach, which the DOJ is investigating, has sparked criticism of the exchange giant.
Prominent voices in crypto have taken to X to call out Coinbase after news broke last week of a data breach that saw customers’ private information stolen. The incident has sparked a broader debate about the risks of centralization and data collection requirements.
Coinbase’s stock, which trades under the ticker COIN, is faring exceptionally well despite the criticism from within the crypto industry. COIN is the top gainer in the S&P 500 today, May 22, up 3.75%, evidently surging on Bitcoin breaking two new all-time highs in the past two days. In a major symbolic move for the industry, Coinbase was officially included in the index on Monday, May 19.
Also on Monday, news broke that the Department of Justice has opened an investigation into the data breach incident. Coinbase’s chief legal officer told Reuters that the top centralized exchange is working with the DOJ “and other US and international law enforcement agencies and welcome law enforcement’s pursuit of criminal charges against these bad actors.”
While no funds, private keys or passwords were stolen, customer contact information, including home addresses, was compromised when hackers bribed some Coinbase customer support staffers and contractors for access. Coinbase said it refused to pay a $20 million ransom for the data and reported the incident to authorities.
The leading U.S. crypto exchange confirmed that the data breach occurred on Dec. 26, 2024 and was “discovered” on May 11, according to a filing with Maine’s Attorney General, which was released yesterday, May 21. The filing also reveals that a total of 69,461 customers’ data were stolen.
The attackers’ “aim was to gather a customer list they could contact while pretending to be Coinbase—tricking people into handing over their crypto,” Coinbase said in a blog post revealing the breach last week.
The exchange has said that compensating users who have been or could be the victims of targeted phishing attacks could cost as much as $400 million.
A cost in suffering
But the cost could be much, much higher according to Michael Arrington, founder of Arrington Capital, as well as an investor in and self-proclaimed “champion” of Coinbase.
“This hack — which includes home addresses and account balances — will lead to people dying,” Arrington said on X on Monday.
“It probably has already. The human cost, denominated in misery, is much larger than the $400m or so they think it will actually cost the company to reimburse people.”
The data breach news comes as physical attacks targeting people in the crypto industry have ramped up. This year, there have been several kidnappings in France in which crypto executives or family members were held for ransom. In January, Ledger co-founder David Balland was kidnapped with his wife and had a finger cut off.
Earlier this month, three teens kidnapped a Las Vegas man and stole $4 million in crypto.
Arrington went on to say that penalties for executives of companies that don’t adequately protect customer information should include jail time.
“Very disappointed in Coinbase right now,” he continued in the X post. “Using the cheapest option for customer service has its price. And Coinbase’s customers will bear that cost.”
Responding to Arrington’s post on X, BlockTower founder Ari Paul called out Coinbase for past security breaches that hadn’t been revealed, saying: “IMO, the real scandal isn’t their laziness and incompetence around protecting users, but their criminal coverups around their many breaches.”
He continued with an accusation that Coinbase executives had illegally covered up incidents in the past:
“There will be plenty more stories like this one comic [sic] out in the future. They’re happy to cooperate with DoJ on this one since it wasn’t their senior execs explicitly committing the crimes. In other cases…”
Changes to Coinbase’s user agreement
Also earlier this week, Molly White, a prominent crypto researcher and critic, pointed out that Coinbase had changed its user agreement last month, limiting class action lawsuits for disputes that are initiated after May 15. Indeed, The Defiant confirmed that on April 12, Coinbase sent an email to users informing them of the updated user agreement terms. Coinbase revealed the data breach to the public early morning eastern time on May 15.
Armstrong responded to White’s X post, defending the firm by saying that the class action waiver had already been in Coinbase’s arbitration agreement. However, as White pointed out in response, the April changes to Coinbase’s Terms include new restrictions, including a requirement to file lawsuits in the state of New York.
Taylor Monahan, head of security for MetaMask and founder of early Ethereum wallet MyCrypto, blasted Armstrong’s response regarding the user agreement changes, claiming that the exchange was aware of the data thefts long before they revealed the news to the public last week: “every investigator under the sun has been feeding your various teams evidence of these insane thefts and insiders for over 6 months.”
Monahan, who goes by Tay on social media, said that the Coinbase team “explicitly gaslit us, chastised us for not being ‘polite’ enough, and called us toxic.” The security expert and on-chain investigator continued:
“We persisted and continued to give a fuck about YOUR USERS even as your teams made it abundantly clear that they didn’t care and would not be working weekends to react to the endless thefts (which take 2-24+ hours to complete and CAN be stopped.)”
MetaMask’s head of security included a list of scathing questions directed at Armstrong and Coinbase leadership in the X post, including a clear implication that there were multiple active “threat actors” with varying levels of access to Coinbase customer data, who could still have access:
“And, lastly, can you explain why your teams are confident they have this on lock now when you were trolled by a single threat actor on Sunday and there are many threat actors who had (have?) various levels of insider access?”
Blame the government
As details of the incident continue to unfold, a major question remains about the kinds of personal data financial companies, including crypto exchanges, are required to collect in many jurisdictions.
Setting Coinbase’s particular role aside, Arrington also critiqued the need for companies to hold this kind of personal data, saying the know-your-customer (KYC) and anti-money-laundering (AML) requirements are also to blame.
Arrington said in the same X thread that KYC laws and corporate greed, plus lax laws penalizing companies for hacks “means these issues will continue to happen. Both governments and corporations need to step up to stop this. As I said, the cost can only be measured in human suffering.”
Coinbase’s CEO agreed with the point about AML and data collection laws, responding:
“We don’t want to collect it, and our customers hate it. We are being forced to collect it against our will. And it’s not even effective at stopping crime[.]”
Venice.ai founder and early crypto entrepreneur Erik Voorhees defended Coinbase, saying the blame should go to the government for requiring Coinbase to have that information in the first place.
“This is the wrong take,” he told Arrington on X, responding to his first post that held Coinbase execs accountable. “Organizations of all sizes get hacked, including every US government agency from the IRS to State Department. Protecting all data is a Sisyphean task. Coinbase DOES NOT WANT to have most of this kind of data, it’s a huge liability (clearly).”
The reason they have it, he added, was that the government forces them to have it.
“This is just one of the dark consequences of state-enforced financial surveillance,” Voorhees said. “KYC *is* the crime.”