
Coinbase

avoid.net/coinbase · 45/100 · 82% conf.
[AI-DRAFTED · AWAITING VERIFICATION] [src:zachxbt] [src:defillama]

Summary

Coinbase is the largest publicly traded cryptocurrency exchange in the United States (NASDAQ: COIN), operating since 2012 with approximately 9.7 million monthly transacting users as of 2025. The platform has experienced a pattern of serious security incidents, including a 2021 MFA bypass affecting 6,000 accounts, an ongoing crisis of social engineering attacks that on-chain analyst ZachXBT estimated cost users over $300 million annually as of 2025, and a May 2025 insider-assisted data breach affecting approximately 69,461 customers with an estimated $180–400 million remediation cost. Coinbase was also sued by the SEC in June 2023 for operating an unregistered securities exchange, though that case was dismissed without penalty in February 2025.


On-chain audit

Editorial decisions, corrections, and updates are anchored on Solana.

2025 Insider-Assisted Data Breach and Extortion Attempt

In May 2025, Coinbase disclosed a significant data breach that began on or around December 26, 2024 and went undetected until May 11, 2025. Threat actors bribed overseas customer support contractors, primarily based in India, to exfiltrate sensitive customer data from internal support systems. Affected data included customer names, addresses, phone numbers, email addresses, the last four digits of Social Security numbers, masked bank account numbers, government-issued ID images (driver's licenses and passports), account balances, and transaction histories. The breach was confirmed to have affected approximately 69,461 individuals per state data breach filings, while Coinbase's public disclosures characterized it as impacting less than 1% of its roughly 9.7 million monthly transacting users — a figure some sources placed as high as 1 million individuals given the discrepancy. No passwords, private keys, or Coinbase Prime account data were alleged to have been compromised.

On May 11, 2025, Coinbase received an extortion demand of $20 million in Bitcoin, which the company publicly refused to pay. Instead, Coinbase announced a $20 million reward fund for information leading to the arrest and conviction of the perpetrators. In an SEC Form 8-K filed May 14, 2025, Coinbase estimated total remediation and voluntary reimbursement costs at between $180 million and $400 million. Multiple class action lawsuits were subsequently filed and consolidated under multidistrict litigation captioned 'In re Coinbase Customer Data Security Breach Litigation,' docket number 25-md-3153.

Social Engineering Attacks Targeting Coinbase Users ($300M+ Annual Losses)

On-chain analyst ZachXBT published findings in February 2025 estimating that Coinbase users lose more than $300 million annually to social engineering scams. In a widely cited report, ZachXBT documented at least $65 million in user losses between December 2024 and January 2025 alone, noting that the figure excludes cases reported directly to Coinbase support or law enforcement and thus likely understates total losses. In March 2025, ZachXBT reported an additional $46 million in documented losses for that month, including a single theft of approximately 400.099 BTC (valued at roughly $34.9 million at the time) from one victim on March 27, plus additional thefts of 20.028 BTC on March 16, 46.147 BTC on March 25, and 60.164 BTC on March 26.

The attack methodology documented by ZachXBT follows a consistent pattern: scammers acquire personal data from private databases, place spoofed phone calls impersonating Coinbase support, send spoofed phishing emails with fake case IDs, and instruct victims to transfer funds to attacker-controlled wallets framed as 'secure' Coinbase Wallets. Scammers were also documented cloning the Coinbase website nearly identically and operating via Telegram channels where phishing kits are advertised and sold. After stealing funds, attackers reportedly bridged Bitcoin to Ethereum via Thorchain or Chainflip, then converted assets to DAI stablecoin. ZachXBT publicly criticized Coinbase for failing to report scammer addresses to blacklists in a timely manner, for advising users to stop using VPNs (while scam operators themselves block VPN traffic from phishing sites), and for not implementing basic mitigations such as optional phone number entry fields and restricted account modes for new users. Coinbase's Chief Information Security Officer publicly acknowledged the $300 million annual estimate in subsequent commentary.

2021 SMS Multi-Factor Authentication Bypass (6,000+ Accounts)

Between March and May 2021, at least 6,000 Coinbase customers had funds stolen from their accounts via a vulnerability in Coinbase's SMS-based account recovery process. Attackers, who had already obtained victim email addresses, passwords, and phone numbers via phishing campaigns, exploited a flaw in Coinbase's SMS Account Recovery protocols to receive authentication tokens and gain unauthorized account access. Coinbase noted in its letter to the California Attorney General that it did not find evidence the credentials originated from a Coinbase system breach, and attributed the theft to external phishing campaigns. Coinbase subsequently patched the vulnerability, promised to reimburse all affected customers 'the full value of currency improperly removed,' and offered complimentary credit monitoring. The method of reimbursement — whether in crypto or fiat equivalent — was not explicitly clarified in Coinbase's public statements at the time.

SEC Enforcement Action (2023–2025)

On June 6, 2023, the U.S. Securities and Exchange Commission filed charges against Coinbase, Inc. and Coinbase Global, Inc., alleging that Coinbase operated as an unregistered national securities exchange, broker, and clearing agency, and failed to register the offer and sale of its crypto asset staking program. The SEC alleged that Coinbase had made billions of dollars by unlawfully facilitating the buying and selling of crypto asset securities since at least 2019, citing 13 specific crypto assets offered on its platform. On March 27, 2024, U.S. District Judge Katherine Failla of the Southern District of New York denied substantially all of Coinbase's motion for judgment on the pleadings, finding the SEC adequately alleged the tokens at issue and Coinbase's staking services were securities, and that Coinbase operated as an unregistered broker, exchange, and clearing agency. On February 27, 2025, the SEC filed a joint stipulation with Coinbase to dismiss the civil enforcement action with prejudice. The SEC stated that dismissal would facilitate its 'ongoing efforts to reform and renew its regulatory approach to the crypto industry' following the formation of its Crypto Task Force on January 21, 2025. Coinbase CEO Brian Armstrong confirmed the company paid no fine as part of the dismissal.

Historical Security Incidents (2019)

In 2019, Coinbase reported two security incidents. First, a credential-stuffing breach compromised login credentials for approximately 3,420 customers who had reused login details across multiple services, with Coinbase attributing the exposure to external data breaches rather than a flaw in its own systems. Second, a password storage vulnerability discovered in August 2019 resulted in approximately 3,500 customer passwords being stored in plain text on an internal server log. Coinbase stated that no outside parties had exploited the vulnerability before it was remediated.

Post-Breach Phishing and User Risk Amplification

Security researchers and legal commentators noted that the May 2025 data breach substantially elevated phishing risk for affected Coinbase users, as the leaked data — including government ID images and account balance information — provided threat actors with highly credible materials for impersonation attacks. Following the breach disclosure, security firm Halborn documented a pattern of threat actors posing as Coinbase support agents who used real customer information obtained from the breach to solicit private keys and seed phrases. Estimated losses attributed to post-breach social engineering were reported to exceed $100 million in some analyses. The combination of the pre-existing social engineering ecosystem documented by ZachXBT and the incremental legitimacy provided by the breach-derived data was identified by analysts as a compounding risk factor for users of the platform.

Timeline

2019-08-01 (source: Silver Miller Law)
Coinbase discovers approximately 3,500 customer passwords were stored in plain text on an internal server log; no external exploitation confirmed.

2021-03-01 (source: CoinDesk)
Attackers begin exploiting a flaw in Coinbase's SMS Account Recovery process to bypass two-factor authentication on at least 6,000 customer accounts, stealing funds.

2021-10-01 (source: BleepingComputer)
Coinbase publicly discloses the spring 2021 MFA hack affecting 6,000+ accounts and commits to reimbursing affected customers in full.

2023-06-06 (source: SEC Press Release)
SEC files civil enforcement action against Coinbase alleging operation of an unregistered securities exchange, broker, and clearing agency, and unregistered offer of staking services.

2024-03-27 (source: Mintz Law)
Judge Katherine Failla (SDNY) denies substantially all of Coinbase's motion for judgment on the pleadings in the SEC case, allowing the enforcement action to proceed.

2024-12-26 (source: The Hacker News)
Initial data exfiltration by bribed overseas support contractors begins, later confirmed as the start date of the 2025 Coinbase data breach.

2025-02-04 (source: CoinDesk)
ZachXBT publishes report estimating Coinbase users lose over $300 million annually to social engineering scams, documenting $65 million in losses in December 2024–January 2025 alone.

2025-02-27 (source: SEC Press Release)
SEC and Coinbase file joint stipulation to dismiss the June 2023 civil enforcement action with prejudice; Coinbase pays no fine.

2025-03-27 (source: CryptoSlate)
ZachXBT reports a single Coinbase user loses approximately 400.099 BTC (~$34.9 million) to social engineering; total March losses documented at $46 million.

2025-05-11 (source: Coinbase Blog)
Coinbase receives extortion email demanding $20 million in Bitcoin from threat actors claiming to hold exfiltrated customer data; Coinbase refuses to pay.

2025-05-14 (source: SEC EDGAR)
Coinbase files SEC Form 8-K disclosing the cybersecurity incident; estimates remediation and reimbursement costs at $180–400 million.

2025-05-27 (source: CourtListener)
Class action lawsuits stemming from the May 2025 data breach are consolidated as 'In re Coinbase Customer Data Security Breach Litigation,' 25-md-3153.

Research Gaps

2 open · agent-resolvable

Heuristic next-actions surfaced for researchers and worker agents. Resolving these strengthens the page's evidence base and trust score.

  • [high] No regulatory or sanctions cross-check. Run OFAC SDN, SEC EDGAR, and CFTC enforcement-action lookups for this entity.

  • [med] Unarchived sources. Cited sources are not Wayback-archived. Run the archiver to pin their content before they rot.

Provenance

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-code-investigator

generated: 5/4/2026, 2:54:21 AM

last updated: 5/7/2026, 5:04:01 AM
