
ChainThink


The "Insider" and the "Pretending to Be Deaf" 5 Months of Coinbase


Frontier Insights

2025-05-23 09:30


Coinbase handled the recent user data breach very smartly, as elegantly as one would expect from the first and only cryptocurrency company to enter the S&P 500.


Out of courtesy, the author has already expressed basic respect for Coinbase. Now it's time to put this company on the "shame column."



On May 8, crypto detective ZachXBT posted on his channel, clearly stating that another $45 million had been stolen from Coinbase users through "social engineering." In the past few months, he has tracked similar cases totaling nine figures. Scammers usually impersonate Coinbase customer service by calling or emailing users, then guiding them to click on phishing links that mimic the official website, transferring funds to the scammer's wallet.


Some say, if users were scammed through social engineering, what does it have to do with Coinbase? "The platform is not a government regulator, how can it stop users from clicking on phishing emails?"


First, other major trading platforms have not experienced similar fraud problems on such a large scale. Second, many victims have reported that scammers accurately mentioned their account balances and transaction times, even producing their ID photos, saying "everything was too real."


All of this points directly to: Coinbase leaked data.


Let's look at what Coinbase itself said. On May 14, Coinbase submitted an 8-K filing to the SEC, which shows that in January 2025, Coinbase's security system detected that some overseas customer service representatives accessed users' full identity information without any business need.


According to the report Coinbase submitted to the Office of the Attorney General of Maine on May 20, the data breach occurred earlier, on December 26, 2024.


The Maine state report shows that the breach date was December 26, 2024, and that the date the breach was discovered was May 11, 2025.


But the time when the event was disclosed was May 15, and its official website announcement says: criminals targeted Coinbase's overseas customer service staff, buying user data from internal personnel with cash. This data includes names, addresses, phone numbers, emails, government ID images (such as driver's licenses, passports), account balance snapshots, and transaction records.


In other words, the data was stolen in winter, but now spring has ended, and Coinbase was forced to address this "elephant in the room" at the critical moment of being included in the S&P 500, issuing a statement that they received a ransom email from hackers and officially disclosed the incident.


According to Coinbase itself, after detecting the abnormal access, it fired the personnel involved and strengthened security monitoring. But during these five months, the only "user communication" Coinbase made was a vague, inconclusive email sent in early March, saying that an employee "may have accessed" account records in violation of internal policy:
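The "access without business need" signal in Coinbase's own account is the kind of check a support-tooling audit log can enforce. The following is an added example, not Coinbase's code; the log fields, ticket schema and thresholds are assumptions. It flags lookups of sensitive profile fields that no open ticket assigned to that agent explains, and agents who pull such data for many distinct customers in a short window (the "on-demand access" pattern described later in the article).

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Fields whose lookup must be tied to an open support case (assumed subset of
# the data categories the article says were leaked).
SENSITIVE = {"id_image", "balance", "address", "phone", "txn_history"}
# Constructed sample data, not real Coinbase records. A ticket records which
# agent it is assigned to and which customer it concerns.
TICKETS = {"T-1": {"agent": "agent_a", "customer": "c1001"},
           "T-2": {"agent": "agent_b", "customer": "c1002"}}
ACCESS_LOG = [  # one record per customer-profile lookup by a support agent
    {"ts": "2024-12-26T08:02:00", "agent": "agent_a", "customer": "c1001",
     "fields": ["name", "balance"], "ticket": "T-1"},          # legitimate
    {"ts": "2024-12-26T08:05:00", "agent": "agent_a", "customer": "c1002",
     "fields": ["id_image"], "ticket": "T-2"},                 # T-2 is agent_b's case
    {"ts": "2024-12-26T08:06:00", "agent": "agent_c", "customer": "c1003",
     "fields": ["id_image", "balance", "address"], "ticket": None},  # no case
    {"ts": "2024-12-26T08:11:00", "agent": "agent_c", "customer": "c1005",
     "fields": ["balance", "phone"], "ticket": None},
    {"ts": "2024-12-26T08:14:00", "agent": "agent_c", "customer": "c1006",
     "fields": ["id_image"], "ticket": None},
]
def access_without_need(log, tickets):
    """Sensitive lookups not explained by a ticket assigned to the same agent and about the same customer."""
    findings = []
    for rec in log:
        if not SENSITIVE & set(rec["fields"]):
            continue  # low-risk fields: no case required
        case = tickets.get(rec["ticket"])
        if case is None:
            findings.append(("no_ticket", rec))
        elif case["agent"] != rec["agent"]:
            findings.append(("ticket_not_assigned_to_agent", rec))
        elif case["customer"] != rec["customer"]:
            findings.append(("ticket_for_other_customer", rec))
    return findings

def bulk_lookups(log, window=timedelta(hours=1), max_customers=2):
    """Agents pulling sensitive fields for more than max_customers distinct customers inside one window."""
    per_agent = defaultdict(list)
    for rec in log:
        if SENSITIVE & set(rec["fields"]):
            per_agent[rec["agent"]].append((datetime.fromisoformat(rec["ts"]), rec["customer"]))
    flagged = {}
    for agent, events in sorted(per_agent.items()):
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - t0 <= window}
            if len(seen) > max_customers:
                flagged[agent] = len(seen); break
    return flagged
```

Both checks only need the audit trail that support tooling already writes; the second is what turns one anomalous lookup into a visible pattern before a ransom email does.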


"We detected indications that a Coinbase employee may have accessed a small number of Coinbase customer account records in a manner inconsistent with internal policies, including your account."


The Block co-founder Mike Dudas previously disclosed on X that he had received an alarming email from Coinbase.


Other than that, we have not seen more official public disclosure information or further investigation into the incident.


What came next was even more "interesting."


On May 15, the same day Coinbase officially announced the data breach, a new Coinbase User Agreement came into effect.


This agreement is known as Coinbase's "self-protection shield." Setting aside other lengthy "distractions," there are two key clauses (9.9 and 9.10) in it: prohibiting any form of class action lawsuit; forcing all users to file lawsuits independently in New York courts.


Why New York? Because New York has a regulation extremely favorable to companies: if the contract states that all disputes must be resolved in New York courts, and the amount involved exceeds $1 million, the court cannot refuse to accept the case on the grounds of "a more convenient location." At the same time, the Southern District of New York is a hub for financial cases, with experienced judges, and Coinbase and SEC litigation also took place here.


Additionally, according to public reports, although Coinbase has been a "remote-first" company since 2021, before the new office in San Francisco was proposed this year, One Madison in New York was Coinbase's largest office in the United States, with an 11-year lease, twice the size of the previous location.


Given this context, even if you, like thousands of other users, were victimized, you would have to "go alone" and travel to New York to sue at your own expense.


The agreement was updated on April 11 and took effect on May 15, almost seamlessly coinciding with the data breach disclosure. Such "precisely timed" contract changes are truly "preparing for the rain before it falls"; Coinbase's foresight is comparable to Zhuge Liang's.


This point also drew skepticism from technical security researcher Molly White, but Coinbase CEO Brian Armstrong dismissed it as a "conspiracy theory." However, when Molly White further asked, "Why did Coinbase take over a month to disclose this data breach to the SEC? When a listed company discovers a significant cybersecurity incident, it should disclose it within four business days," Brian Armstrong did not respond to her again.


At the same time, Bloomberg cited sources who said that in the past five months, hackers bribed enough Coinbase customer service representatives to achieve "on-demand access" to user information. Even a few days before the announcement, hackers were still accessing this data. However, this claim was refuted by Coinbase's Chief Security Officer Philip Martin.


Coinbase's current statements are roughly: "We found that an employee accessed the data improperly and fired the relevant personnel, but we did not know the data had already been leaked. We only realized the severity of the issue when we received the hacker's ransom email in May."


How much of this is self-exculpation? Consider what happened during those five months: Coinbase modified the agreement and closed the door to class-action lawsuits, while "ignoring" the reminders, questions, and warnings from the community and security researchers.


Opening Reddit's Coinbase forum, from January, there have been numerous users reporting account theft and frequent social engineering fraud, with foreign users suffering: "I suspected the customer service was a mole six months ago. Five tickets, all dismissed quickly. No one contacted me, no one explained what happened." "I almost believed it because the amount I just withdrew was close to what they texted me." "They could verify my full name, account balance, last login device, everything was too natural and real..."


Faced with countless reminders from the community, Coinbase strictly followed the message from the Three-Body World: "Do not answer, do not answer, do not answer."


If you want to argue that Coinbase, unlike Asian users, might not check Reddit, it must at least have been able to see the continuous reminders from major KOLs and security researchers on Twitter, right?


ZachXBT, the best-known crypto detective in the industry, with 860,000 followers on Twitter, pointed out in early February that more than $65 million had been stolen through social engineering attacks from the end of last year to the beginning of this year. He spoke up again in late March, stating that another $46 million had been stolen in the past two weeks. He has repeatedly pointed out that Coinbase has taken no action.


Also, Taylor Monahan, the head of security at MetaMask and a seasoned on-chain investigator, has been publicly criticizing Coinbase almost every week on Twitter, continuously trying to hand evidence to their security and support teams, while Coinbase's "senior investigative director" had already blocked her as early as the end of 2024.


Taylor Monahan also directly revealed that Coinbase has outsourced a large portion of its customer service work to the third-party service provider TaskUs in India. As early as January 11, 2025, Coinbase conducted a large-scale layoff of over 300 Indian customer service representatives, citing "theft" and "unauthorized operations." Then the office moved to Gurgaon city, but internal data leaks continued to occur frequently, leading to another round of "layoffs" in March and April.


Regarding Coinbase's statement that "we didn't know until May 11," she sarcastically remarked: "This will be a very 'interesting' performance: watch them act completely unaware until the ransom email arrives." "The most likely excuse would be: 'This doesn't count as a major leak, so no disclosure is needed.'"


Ironically, while Coinbase executives denied, evaded, and responded coldly, some Reddit users and victims began organizing themselves into a "Jinyiwei" to dig up clues about the scammers.


A user named Scammer-fight-back and his entire team confronted the scammers, making multiple calls, recording, and saving information. Eventually, they tracked down: most of these scammers came from Manchester, UK, working in the same small office, using local accents to impersonate Coinbase customer service, extracting information and completing the fraud process.



Another user, dyfedavalon, had the same opinion: "This is a large-scale fraud gang from the UK, with a large scale and strong capabilities." "I called back to those scammers, and it was the same group of people. They really knew what they were doing." "I talked to them several times, and they thought I was the victim, but I am British, so I could hear their British accent and mock them. They later directly asked me not to call them anymore."


As mentioned earlier, Taylor Monahan's investigation showed that employees of the third-party Indian service provider TaskUs were contacting hackers on Telegram, charging approximately $10,000 per transaction for selling user email addresses, phone numbers, and 2FA information, with the money directly transferred to personal accounts via PayPal or bank accounts.


Image source: Taylor Monahan.


As for why someone would risk so much to leak data: Taylor shared more internal accounts from these "Indian slaves," pointing directly to TaskUs's real working conditions: no access to toilets, meal times fought over, and collective neglect by management if delivery volume was insufficient; the pressure was extreme, taking sick leave was recorded as "absenteeism" with wages deducted directly, and because training couldn't keep up, people were fired on the spot.


"This was the worst decision I've ever made in my career. HR never stood on your side, even if you cried and complained, no one would listen. Finally, I couldn't even get proof of experience, because they required me to compensate for 'training costs,'" wrote an employee.


Complaints from former TaskUs employees working on the Coinbase account, image source: Taylor Monahan.


According to data from multiple platforms such as Glassdoor and Indeed, the annual salary of a local customer service representative at Coinbase is $60,000 to $70,000, while Indian outsourced customer service representatives earn only $3,600–$4,800 per year. That means the salary of one American customer service representative can hire at least 15 Indian outsourced customer service representatives.


With 300 outsourcing positions, Coinbase can save $18 million annually. This does not include additional cost savings such as office space, social insurance, overtime pay, and technical support.


Notably, according to a Bloomberg reporter's investigation, Coinbase pays an annual personal security fee of $6.2 million for CEO Brian Armstrong. Paul Grewal, Coinbase's Chief Legal Officer, who is responsible for dealing with the $400 million hacker incident and the SEC user data investigation, had a total compensation exceeding $8.2 million last year.


Just the security fee for the CEO for one year and the salary of the Chief Legal Officer could be more than the security fees for all the users on the entire Coinbase platform.


Currently affected users include some well-known individuals. According to Bloomberg's report, a source said that Roelof Botha, a partner at Sequoia Capital, was one of the victims, and the stolen data included his phone number, address, and other sensitive account information related to his Coinbase profile.


There was also Ed Suman, a 67-year-old artist who has worked in the art world for nearly twenty years and participated in the creation of artworks such as Jeff Koons' "Balloon Dog" sculpture, who was scammed earlier this year by a fake Coinbase customer service scheme, losing over $2 million in cryptocurrency.


Coinbase has also received multiple lawsuits, with users accusing the company of improper handling of their personal data. In addition, Coinbase's actions have attracted the attention of regulatory authorities. For example, the Oregon Attorney General's Office has filed a lawsuit against Coinbase, accusing it of violating state securities laws and questioning the legality of the arbitration and class-action waiver clauses in its user agreement.


According to Elliptic data, the compensation and disposal costs of this incident reached $4 billion, ranking as the eighth-largest security incident in cryptocurrency history. This attack did not involve dramatic scenes like "hot wallets being hacked" or technical complexities like "smart contract vulnerabilities," but rather occurred in the most basic, daily, and overlooked part: KYC data.


But the reality is, Coinbase may not face serious substantive punishment.


It seems there is no precedent in U.S. law for severe penalties due to accidental data breaches. The most famous litigation related to data abuse is Facebook, as they violated their commitment to "not share user data with third parties without user consent," but this is somewhat different from the situation Coinbase faces.


Coinbase's incident is closer to "data being leaked by internal personnel to external hackers," which amounts to misuse of data access rights and poor outsourcing management rather than systemic privacy fraud; the losses are limited, and Coinbase has stated that it will compensate users.


More importantly, Coinbase is a company with a market value of over $60 billion, and the only exchange in the crypto industry to enter the S&P 500 index, with rich policy relationships and deep capital resources.


In this U.S. election, Coinbase and its executives have donated tens of millions of dollars to Republican candidates and are believed to have played a significant role in various legislative lobbying efforts. And the SEC's withdrawal of its lawsuit against Coinbase was once thought to be related to Coinbase's political donations.


All of this indicates that Coinbase will sail through this storm safely. In the future, Coinbase will continue to thrive, and may even do better.


