Coinbase’s customer data breach, which the DOJ is investigating, has sparked criticism of the exchange giant.
Prominent voices in crypto have taken to X to call out Coinbase after news broke last week of a data breach that saw customers’ personal information stolen. The incident has sparked a broader debate about the risks of centralization and data collection requirements.
Coinbase’s stock, which trades under the ticker COIN, is faring exceptionally well despite the criticism from across the crypto industry. COIN is the top gainer in the S&P 500 today, May 22, up 3.75%, evidently surging on Bitcoin breaking two new all-time highs in the past two days. In a major symbolic move for the industry, Coinbase was officially included in the index on Monday, May 19.
Also on Monday, news broke that the Department of Justice has opened an investigation into the data breach incident. Coinbase’s chief legal officer told Reuters that the top centralized exchange is working with the DOJ “and other US and international law enforcement agencies and welcome law enforcement’s pursuit of criminal charges against these bad actors.”
While no funds, private keys or passwords were stolen, customer contact information, including home addresses, was compromised when hackers bribed some Coinbase customer support staffers and contractors for access. Coinbase said it refused to pay a $20 million ransom for the data and reported the incident to authorities.
The leading U.S. crypto exchange confirmed that the data breach occurred on Dec. 26, 2024 and was “discovered” on May 11, according to a filing with Maine’s Attorney General, which was released yesterday, May 21. The filing also reveals that a total of 69,461 customers’ data were stolen.
The attackers’ “aim was to gather a customer list they could contact while pretending to be Coinbase—tricking people into handing over their crypto,” Coinbase said in a blog post revealing the breach last week.
The exchange has said that compensating users who have been or could be the victims of targeted phishing attacks could cost as much as $400 million.
A cost in suffering
But the cost could be much, much higher according to Michael Arrington, founder of Arrington Capital, as well as an investor in and self-proclaimed “champion” of Coinbase.
“This hack — which includes home addresses and account balances — will lead to people dying,” Arrington said on X on Monday.
“It probably has already. The human cost, denominated in misery, is much larger than the $400m or so they think it will actually cost the company to reimburse people.”
The data breach news comes as physical attacks targeting people in the crypto industry have ramped up. This year, there have been a number of kidnappings in France in which crypto executives or family members were held for ransom. In January, Ledger co-founder David Balland was kidnapped along with his spouse and had a finger cut off.
Earlier this month, three teenagers kidnapped a Las Vegas man and stole $4 million in crypto.
Arrington went on to say that penalties for executives of companies that don’t adequately protect customer information should include jail time.
“Very disappointed in Coinbase right now,” he continued in the X post. “Using the cheapest option for customer service has its price. And Coinbase’s customers will bear that cost.”
Responding to Arrington’s post on X, BlockTower founder Ari Paul called out Coinbase for past security breaches that hadn’t been revealed, saying: “IMO, the real scandal isn’t their laziness and incompetence around protecting users, but their criminal coverups around their many breaches.”
He continued with an accusation that Coinbase executives had illegally covered up incidents in the past:
“There will be plenty more stories like this one comic [sic] out in the future. They’re happy to cooperate with DoJ on this one since it wasn’t their senior execs explicitly committing the crimes. In other cases…”
Changes to Coinbase’s user agreement
Also earlier this week, Molly White, a prominent crypto researcher and critic, pointed out that Coinbase had changed its user agreement last month, limiting class action lawsuits for disputes that are initiated after May 15. Indeed, The Defiant confirmed that on April 12, Coinbase sent an email to users informing them of the updated user agreement terms. Coinbase revealed the data breach to the public early morning eastern time on May 15.
Armstrong responded to White’s X post, defending the firm by saying that the class action waiver had already been in Coinbase’s arbitration agreement. However, as White pointed out in response, the April changes to Coinbase’s Terms introduce new restrictions, including a requirement to file lawsuits exclusively in the state of New York.
Taylor Monahan, head of security for MetaMask and founder of early Ethereum wallet MyCrypto, blasted Armstrong’s response regarding the user agreement changes, claiming that the exchange was aware of the data thefts long before they revealed the news to the public last week: “every investigator under the sun has been feeding your various teams evidence of these insane thefts and insiders for over 6 months.”
Monahan, who goes by Tay on social media, said that the Coinbase team “explicitly gaslit us, chastised us for not being ‘polite’ enough, and called us toxic.” The security expert and on-chain investigator continued:
“We persisted and continued to give a fuck about YOUR USERS even as your teams made it abundantly clear that they didn’t care and would not be working weekends to react to the endless thefts (which take 2-24+ hours to complete and CAN be stopped.)”
MetaMask’s head of security included a list of scathing questions directed at Armstrong and Coinbase leadership in the X post, including a clear implication that there were multiple active “threat actors” with varying levels of access to Coinbase customer data, who could still have access:
“And, lastly, can you explain why your teams are confident they have this on lock now when you were trolled by a single threat actor on Sunday and there are many threat actors who had (have?) various levels of insider access?”
Blame the government
As details of the incident continue to unfold, a major question remains about the kinds of personal data financial companies, including crypto exchanges, are required to collect in many jurisdictions.
Setting Coinbase’s particular role aside, Arrington also critiqued the need for companies to hold this kind of personal data, saying the know-your-customer (KYC) and anti-money-laundering (AML) requirements are also to blame.
Arrington said in the same X thread that KYC laws and corporate greed, plus lax laws penalizing companies for hacks “means these issues will continue to happen. Both governments and corporations need to step up to stop this. As I said, the cost can only be measured in human suffering.”
Coinbase’s CEO agreed with the point about AML and data collection laws, responding:
“We don’t want to collect it, and our customers hate it. We are being forced to collect it against our will. And it’s not even effective at stopping crime[.]”
Venice.ai founder and early crypto entrepreneur Erik Voorhees defended Coinbase, saying the blame should be placed on the federal government for requiring Coinbase to have that information in the first place.
“This is the wrong take,” he told Arrington on X, responding to his first post that held Coinbase execs accountable. “Organizations of all sizes get hacked, including every US government agency from the IRS to State Department. Protecting all data is a Sisyphean task. Coinbase DOES NOT WANT to have most of this kind of data, it’s a huge liability (clearly).”
The reason they have it, he added, was that the federal government forces them to have it.
“This is just one of the dark consequences of state-enforced financial surveillance,” Voorhees said. “KYC *is* the crime.”