Last week’s highly organized breach of cryptocurrency exchange Coinbase (COIN) left behind more questions than answers. While some hailed Coinbase’s response as a ‘really great example’ in dealing with a crisis, the breach has now caused a potentially massive privacy issue that mirrors the Ledger data breach in 2021 — which led to a spate of real-world robberies as criminals were able to get a hold of names and addresses of crypto holders. Coinbase has already acknowledged that its customers may have lost close to half a billion U.S. dollars as a result of its breach.
Cybercriminals accessed Coinbase user data by bribing and convincing Coinbase support employees to share that data, but this was entirely preventable, according to numerous experts who spoke to CoinDesk.
“A failsafe system would make stealing data technically impossible, but Coinbase clearly didn’t prioritize these measures, leaving the door wide open,” said Andy Zhou, co-founder of blockchain security firm BlockSec. This breach has raised significant concerns regarding user privacy and trust, particularly as it affects an exchange that facilitates billions of dollars’ worth of transactions every day. How could Coinbase, a publicly traded company, allow attackers to steal personal information and money so effortlessly? And could preventive measures have been implemented?
Although Hackett Communications CEO Heather Dale commended Coinbase’s response as a “masterclass in communication,” the company’s method of addressing the issue seemed to revolve around financial compensation, throwing as much money at the situation as possible. The exchange offered a $20 million bug bounty for information leading to an arrest or prosecution and pledged to reimburse impacted users with up to $400 million.
What happened?
In order to understand the fallout of this breach, we must first grasp how it transpired at a company investing millions in security infrastructure. A notable report by on-chain sleuth ZachXBT in February indicated a rise in thefts involving Coinbase users, attributed to aggressive risk models and the company’s inability to combat social engineering scams that cost users approximately $300 million annually.
The nightmare of cybercriminals stealing information turned into reality when Coinbase revealed in a blog post that account balances, government ID images, phone numbers, addresses, and masked bank account details had been stolen.
In contrast to previous breaches typically involving back-end hacks, these attackers infiltrated Coinbase through social engineering tactics. They communicated directly with employees and purchased access to sensitive information from rogue insiders. Coinbase asserted that it fired all responsible employees immediately, yet its blog post did not disclose how it identified those culpable parties.
This problem extends beyond the realm of cryptocurrency. In 2022, digital bank Revolut confirmed the theft of data from 50,000 customers, while trading platform Robinhood revealed up to 5 million email addresses had been leaked. The consequences of such breaches were severe, as exemplified by the SEC imposing a $45 million fine on Robinhood after some customers suffered devastating losses due to account wipe-outs.
Competitors of Coinbase, such as Binance and Kraken, claimed to have successfully thwarted similar social engineering attacks in recent weeks, further emphasizing the ongoing vulnerabilities in the industry.
Coinbase CEO Brian Armstrong shared that he received a “ransom note” for $20 million in bitcoin, blackmailing him with threats of releasing additional customer information. It was reported that the attackers began laundering the stolen funds, swapping BTC for ETH on Thorchain, a platform frequently associated with infamous North Korean hackers, the Lazarus Group.
‘Major wake-up call’
Experts like Andy Zhou have proposed that Coinbase conduct stricter background checks on employees handling sensitive data and set up alarms for unusual activities, such as mass downloads of customer profiles.
Zhou reiterated the need for several technical solutions, including strict role-based access and privacy tools that let staff complete tasks without exposing sensitive information (for example, blurring ID images).
Nick Tausek, a lead security automation architect at Swimlane, described the breach as a “major wake-up call” for more robust insider threat detection measures. He remarked that a single insider with the right access could compromise even the most fortified security posture, emphasizing that even a minimal percentage of breached customers can yield headlines that impact the organization profoundly.
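The alarm on mass profile access that Zhou describes can be sketched as a sliding-window check over a support tool's access log. This is an added example, not Coinbase's or any vendor's code; the log fields, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed look-back window
MAX_DISTINCT = 5              # assumed ceiling on distinct profiles per window
MAX_UNTICKETED = 2            # assumed ceiling on profiles opened with no ticket

# Constructed sample log: (ISO timestamp, agent, customer id, linked ticket or None)
SAMPLE_LOG = (
    # agent_a: reopens one customer's profile while working a single ticket
    [(f"2025-01-06T09:{m:02d}:00", "agent_a", "cust-001", "T-1") for m in (0, 4, 9)]
    # agent_b: eight different profiles in 35 minutes, half with no ticket
    + [(f"2025-01-06T09:{5 * i:02d}:00", "agent_b", f"cust-{100 + i}",
        None if i % 2 else f"T-{10 + i}") for i in range(8)]
    # agent_c: six ticketed profiles spread across the day
    + [(f"2025-01-06T{9 + 2 * i:02d}:00:00", "agent_c", f"cust-{200 + i}",
        f"T-{50 + i}") for i in range(6)]
)

def detect_bulk_access(events, window=WINDOW, max_distinct=MAX_DISTINCT,
                       max_unticketed=MAX_UNTICKETED):
    """Return {agent: [reasons]} for agents whose sliding-window activity
    exceeds either ceiling."""
    recent = defaultdict(deque)   # agent -> views still inside the window
    alerts = defaultdict(set)
    for ts, agent, customer, ticket in sorted(events, key=lambda e: e[0]):
        now = datetime.fromisoformat(ts)
        views = recent[agent]
        views.append((now, customer, ticket))
        while now - views[0][0] > window:   # evict views older than the window
            views.popleft()
        distinct = {c for _, c, _ in views}
        unticketed = {c for _, c, t in views if t is None}
        if len(distinct) > max_distinct:
            alerts[agent].add("distinct_profiles")
        if len(unticketed) > max_unticketed:
            alerts[agent].add("no_ticket")
    return {agent: sorted(reasons) for agent, reasons in alerts.items()}

if __name__ == "__main__":
    for agent, reasons in detect_bulk_access(SAMPLE_LOG).items():
        print(agent, reasons)
```

Counting distinct customers rather than raw page views keeps an agent who reopens one profile repeatedly from tripping the alarm, while the ticket check catches lookups that have no support case behind them.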
Despite the criticism, some industry experts maintain that the blame lies not solely with Coinbase. Michal Pospieszalk, CEO of MatterFi, suggested that this is a systemic vulnerability prevalent in cryptocurrency since its inception. He argued that without intermediaries, platforms are perpetually at risk of catastrophic failures stemming from user missteps during transactions.
What happens next?
Coinbase has promised to reimburse customers affected by the breach and to collaborate with law enforcement in apprehending those responsible. However, the implications for users might be significantly more troubling.
According to a regulatory filing made public, the breach impacted 69,461 customers, and it was disclosed that the incident occurred in December 2024 but went unnoticed until May 15, 2025.
The leaked information is now circulating on the internet and may be available for sale on the dark web, as seen in the Ledger breach. The aftermath is likely to prompt phishing attempts targeting affected users.
Coinbase, unable to prevent the sharing of this sensitive information, places the burden on users to implement their own protective measures, such as changing wallets, deposit addresses, and even personal addresses to mitigate the risk of real-world theft. Users whose Social Security numbers were leaked must take steps to secure their credit records against identity theft.
This situation brings forth pressing questions concerning liability: Should Coinbase be held accountable if customers are harmed due to the breach? Ledger had faced a class-action lawsuit earlier in the year over accusations of violating its privacy policy and negligence in preventing the breach.
Additionally, research conducted by crypto analyst Molly White revealed that Coinbase adjusted its user agreement in April, adding clauses that limit class-action lawsuits and requiring legal actions to be filed in New York — changes that took effect on May 15, coinciding with the breach’s announcement.
When questioned about whether the breach was preventable or how they will safeguard future customers from real-world threats, Coinbase provided no comment but reiterated they had notified users ahead of time regarding the user agreement change.