The breach further pressures the leading U.S. crypto exchange as the SEC alleges it misstated verified user figures.
A recent data breach at Coinbase has sparked a broader debate about the security tradeoffs between centralized exchanges (CEXs) and decentralized finance (DeFi) protocols.
In a blog post shared on May 15 titled “Protecting Our Customers – Standing Up to Extortionists,” Coinbase revealed that it had refused to pay a $20 million ransom after attackers, with support from bribed “insiders,” accessed private customer data. However, instead of complying, Coinbase promised to fully reimburse users who lost funds due to the phishing attacks that followed the breach.
The stolen information included names, addresses, ID documents, and the last four digits of Social Security numbers. Coinbase claims that no passwords, private keys or customer funds were accessed, and also that only 1% of Coinbase’s users were affected by the breach.
Earlier this year, blockchain sleuth ZachXBT reported that Coinbase users lose over $300 million annually to social engineering scams, emphasizing just how damaging such data leaks have been to Coinbase users in the past.
While the CEX has taken active steps to address the breach, such as firing those it believes were involved and offering a $20 million reward for information leading to arrests, the incident has put a spotlight on the differences in security between centralized and decentralized infrastructure.
Single Points of Failure
“The Coinbase incident, yet again, emphasizes how vulnerable centralized systems and single points of failure are to attacks,” David Carvalho, founder and CEO of Naoris Protocol, told The Defiant. “Cybercriminals know this and are becoming more and more adept at exploiting these weaknesses.”
Carvalho emphasized that this problem is only going to get worse, with the only solution being decentralized security that removes single points of failure. “The bottom line is that any sensitive information or data should be protected by a decentralized system, rather than human gatekeepers,” he added.
Phil Mataras, founder of Arweave-based permanent cloud network AR.IO, echoed Carvalho’s sentiment, noting that breaches like this are not just unfortunate – they’re structural.
“They reveal how much of the infrastructure in crypto still depends on centralized, opaque systems that replicate the vulnerabilities of Web2,” he explained. “When access and trust concentrate in one organization, a single error or insider threat can compromise millions.”
According to Mataras, security at large isn’t just about vetting or taking quicker action – it’s about the underlying architecture. “Systems need to minimize trust by default – distribute control, make operations transparent, and ensure critical data can’t be silently altered or lost,” he said.
DeFi Risks
DeFi platforms carry their own security risks, Carvalho explained. “Most ‘decentralized’ exchanges still depend heavily on centralized components, like frontend interfaces hosted on traditional servers, APIs running on corporate infrastructure, oracles pulling data from centralized sources, and cross-chain bridges managed by small groups of developers.”
He added that when these elements fail – which they often do due to bridge hacks and oracle manipulations – the decentralization facade quickly fades.
“Even if the blockchain layer is distributed, the surrounding infrastructure stack is centralized, and this creates vulnerabilities that sophisticated attackers can and will exploit,” Carvalho said.
Patrick Young, head of Galxe, also told The Defiant that while decentralized exchanges (DEXs) do offer users more control, they sometimes lack comprehensive identity protections, which leaves them vulnerable to bots, sybil attacks, and front-running.
“What’s needed is an evolution in how we approach identity and verification across both models – solutions that don’t just collect data, but protect it and enable platforms to verify legitimacy while maintaining privacy,” Young said. “This isn’t about choosing DEX over CEX, but ensuring both routes are secure, compliant, and built to foster user trust.”
SEC Investigation
Coinbase on Thursday also confirmed that the U.S. Securities and Exchange Commission (SEC) was investigating whether it misstated its user numbers. Specifically, the SEC is looking into the number of “verified users,” which Coinbase has claimed is more than 100 million.
According to data from Dune Analytics, Coinbase hosts around 167 million unique addresses. However, in a recent SEC filing, the platform reported around 9.7 million monthly transacting users in Q1 2025.
“This is a hold-over investigation from the prior administration about a metric we stopped reporting two and a half years ago, which was fully disclosed to the public,” Coinbase’s chief legal officer, Paul Grewal, said in a statement. “We explained that the verified users metric includes anyone who verified their email address or phone number with us, so it may overstate the number of unique customers.”
He added that while he doesn’t believe the investigation should continue, Coinbase is fully complying with the SEC.
Earlier this week, news broke that Coinbase will soon be included in the S&P 500. Shortly afterwards, its stock surged despite the negative news. Currently, COIN is trading at $264, up roughly 8% on the day.