The troublesome "insiders" and Coinbase's five months of "playing dumb"


Author: Jaleel Jia Liu, BlockBeats

In the recent user data leak incident, Coinbase handled it quite cleverly. Just as it should, given its status as the first publicly traded cryptocurrency company and the first and only one to enter the S&P 500.

Out of courtesy, the author has expressed basic respect for Coinbase. Now it is time to hang this company on the "pillar of shame."

On May 8, crypto detective ZachXBT posted on his personal channel, stating plainly that another $45 million had been "socially engineered" out of Coinbase users. Over the past few months, the similar cases he has tracked add up to nine figures. The scammers' usual trick is to impersonate Coinbase customer service, calling or emailing users and then gradually luring them to click on phishing links disguised as the official website and transfer funds to the scammers' wallets.

Some might say, how is it Coinbase's fault that users were scammed through social engineering? "The platform is not a government regulatory body; how can it prevent users from clicking on phishing emails?"

First, other major trading platforms have not seen similar scams on such a large scale. Second, many victims have reported that the scammers not only accurately stated their account balances and transaction times but even produced photos of their ID cards; "everything felt too real."

Everything points to: Coinbase leaked data.

Let’s look at what Coinbase itself said. The 8-K filing submitted to the SEC on May 14 shows that Coinbase discovered in January 2025 that some overseas customer service representatives accessed users' complete identity information "without business need."

Furthermore, the report submitted by Coinbase to the Maine Attorney General's Office on May 20 indicates that the data leak incident occurred even earlier, on December 26, 2024.

The Maine report lists the date of the breach as December 26, 2024, and the date it was discovered as May 11, 2025.

However, the incident was not announced until May 15. The official announcement stated that criminals had targeted Coinbase's overseas customer service personnel and purchased user data from insiders with cash. This data included names, addresses, phone numbers, emails, government ID images (such as driver's licenses and passports), account balance snapshots, and transaction records.

In other words, the data was stolen back in winter, but only now, with spring over and at the critical moment of its inclusion in the S&P 500, was Coinbase forced to address this "elephant in the room," announcing that it had received a hacker's extortion email and formally disclosing the incident.

According to Coinbase, it fired the relevant personnel and strengthened security monitoring after discovering the abnormal access. However, in the five months since, the only "user communication" Coinbase made was a vague and unhelpful email sent at the end of March, stating that a certain employee "may have" viewed account records in violation of policy:

"We detected signs that a Coinbase employee may have accessed a small number of Coinbase customer account records in a manner inconsistent with internal policies, including your account."

Mike Dudas, co-founder of The Block, previously revealed on X that he received a disturbing email from Coinbase.

Aside from that, we have not seen any further official disclosures or deeper investigations into the incident.

The "more exciting" part is coming.

On May 15, the very day the data leak was officially announced, a new Coinbase user agreement came into effect.

This agreement can be seen as Coinbase's "self-protection shield." Setting aside the other lengthy and convoluted "smoke and mirrors" content, there are two key clauses (9.9 and 9.10): a prohibition on any form of class action (the Class Action Waiver), and a requirement that all users file lawsuits individually in New York courts.

Why choose New York? Because New York State has a rule that is extremely favorable to businesses: if a contract states that all disputes must be resolved in New York courts and the amount in controversy exceeds $1 million, the court cannot refuse to hear the case on the grounds that a more convenient forum exists. In addition, the Southern District of New York is a hub for financial cases with deep trial experience; the SEC's lawsuit against Coinbase also started there.

Moreover, according to public reports, although Coinbase became a "remote-first" company in 2021, until the proposed new office in San Francisco opens this year, One Madison in New York is Coinbase's largest office in the U.S.; the company signed an 11-year lease there for a space twice the size of its previous location.

In this context, even if you are a victim like thousands of other users, you must "go it alone" to New York and file a lawsuit at your own expense.

The agreement was updated on April 11 and took effect on May 15, which coincides almost seamlessly with the timing of the data leak disclosure. Such "precisely timed" contract changes can be described as "preparing for rain before the sky darkens"; Coinbase's foresight is comparable to Zhuge Liang's.

This has raised questions from tech security researcher Molly White, to which Coinbase CEO Brian Armstrong responded that this is a "conspiracy theory." However, when Molly White pressed further, asking "Why did Coinbase take more than a month to disclose this data breach to the SEC? Public companies should disclose significant cybersecurity incidents within four business days," Brian Armstrong stopped responding to her.

Meanwhile, Bloomberg cited insiders as saying that over the past five months, hackers had obtained "on-demand access" to user information by bribing enough Coinbase customer service representatives, and that hackers were still accessing this data on the Wednesday just days before the announcement. This claim was refuted by Coinbase's Chief Security Officer Philip Martin.

Coinbase's current stance is essentially: "We discovered that employees improperly accessed data and fired the relevant personnel, but we did not know that the data had leaked. It wasn't until we received the hacker's extortion email in May that we realized the severity of the problem."

How much of this is self-exculpation? Let's take a look at how many reminders, questions, and warnings from the community and security researchers Coinbase "turned a blind eye" to during the five months in which it modified the agreement and blocked the path to a class action.

Open the Coinbase forum on Reddit and, since January, a large number of users have reported account theft and frequent social engineering scams, with users outside the U.S. suffering greatly: "I suspected customer service was an insider six months ago. Five tickets, all hastily closed. No one contacted me, no one explained what happened," "I almost believed it because the amount I had just withdrawn was close to what they texted me," "They could verify my full name, account amount, last login device; everything felt too natural and real…"

Faced with countless reminders from the community, Coinbase strictly followed the warning from The Three-Body Problem: "Do not respond. Do not respond. Do not respond."

If you want to argue that Coinbase does not browse Reddit and therefore missed everything the community went through, then surely it must have seen the continuous reminders from major KOLs and security researchers on Twitter.

ZachXBT, the most prominent detective in the crypto world with 860,000 followers on Twitter, pointed out in early February that over $65 million had been stolen through social engineering attacks between the end of last year and the beginning of this year. At the end of March, he reiterated that another $46 million had been stolen in the preceding two weeks. He has repeatedly pointed out that Coinbase is not taking action.

Additionally, Taylor Monahan, MetaMask's security head and a senior on-chain investigator, has publicly criticized Coinbase almost weekly on Twitter and has repeatedly tried to hand over evidence to its security and support teams, but Coinbase's "senior investigation supervisor" had blocked her as early as the end of 2024.

Taylor Monahan also directly exposed that Coinbase had massively outsourced customer service work to the Indian third-party service provider TaskUs. As early as January 11, 2025, Coinbase laid off over 300 Indian customer service representatives, citing "theft" and "violations." The office then moved to Gurugram, but internal data leaks continued to occur frequently, leading to further waves of layoffs in March and April.

Regarding Coinbase's statement that "we only found out on May 11," she sarcastically remarked: "This will be a very 'interesting' performance; watch them pretend to be completely unaware until the extortion email arrived," and "The most likely excuse is: 'This is not a significant leak, no need to disclose.'"

Ironically, while Coinbase executives deny, evade, and cold-shoulder the situation, some Reddit users and victims have begun to organize themselves into a "Jinyiwei" (a historical term for a secret police) to track down clues about the scammers.

A user named Scammer-fight-back and his team engaged in a "confrontation" with the scammers, repeatedly calling them, recording conversations, and saving information. Ultimately, they traced the scammers to Manchester, UK, where they operated from the same small office, using local accents to impersonate Coinbase customer service while extracting information and completing the scam.

Another user, dyfedavalon, shared a similar view: "This is a large scam gang from the UK, with a significant scale and capability," he said. "I called back to find those scammers, and it turned out to be the same group of people. They are really good at what they do." He added, "I talked to them many times; they thought I was a victim, but I’m British, so I could hear and mock their British accents. They later directly asked me to stop calling them."

Additionally, the investigation by MetaMask's security head, Taylor Monahan, revealed that employees of the outsourced Indian service provider TaskUs were connecting with hackers on Telegram, charging about $10,000 per transaction for the sale of user emails, phone numbers, and 2FA information, with the money deposited directly into personal accounts via PayPal or bank transfer.

Image source: Taylor Monahan

As for why some are willing to take such risks to leak information, Taylor shared more internal content leaked by these "Indian workers," pointing directly to the real working conditions at TaskUs: no access to restrooms, meal times fought over, collective cold-shouldering by management if output targets were missed, outrageous pressure, sick leave marked as "absenteeism" with direct salary deductions, and on-the-spot dismissal for anyone who fell behind in training.

"This was the worst decision of my career. HR is not on your side at all; even if you cry and complain, no one cares. In the end, you can't even get proof of your experience because they demand compensation for 'training costs,'" wrote one employee.

Complaints from former employees of Coinbase's outsourcing company TaskUs, image source: Taylor Monahan

According to data from multiple platforms such as Glassdoor and Indeed, local customer service representatives at Coinbase earn an annual salary of $60,000 to $70,000, while outsourced Indian customer service representatives earn only $3,600 to $4,800 per year. This means that one American customer service representative's salary could hire at least 15 outsourced Indian representatives.

For 300 outsourced positions, Coinbase could save $18 million a year. This does not include savings on office space, social security, overtime pay, technical support, and other hidden costs.

It is also worth mentioning that, according to investigations by Bloomberg reporters, Coinbase pays $6.2 million a year for CEO Brian Armstrong's personal security. Coinbase's Chief Legal Officer Paul Grewal, who is responsible for handling the $400 million hacking incident and the SEC's user data investigation, received total compensation exceeding $8.2 million last year.

The CEO's annual security costs and the Chief Legal Officer's salary alone could potentially exceed what Coinbase spends on security for all users on its platform.

The affected users include some well-known individuals. According to a Bloomberg report, sources revealed that Sequoia Capital managing partner Roelof Botha is one of the victims, with the stolen data including phone numbers, addresses, and other sensitive account information tied to his Coinbase profile.

There is also 67-year-old Ed Suman, a well-known artist who has worked in the art world for nearly twenty years and participated in the production of works such as Jeff Koons' "Balloon Dog." He fell victim to a fake Coinbase customer service scam earlier this year, losing over $2 million in cryptocurrency.

Coinbase is currently facing multiple lawsuits, with users accusing the company of mishandling their personal data. Additionally, Coinbase's actions have drawn the attention of regulatory agencies. For example, the Oregon Attorney General's Office has filed a lawsuit against Coinbase, accusing it of violating state securities laws and questioning the legality of the arbitration and class action waiver clauses in its user agreement.

According to Elliptic data, the compensation and handling costs of this incident amount to $400 million, making it the eighth largest security incident in crypto history. This attack involved no dramatic scenes such as "hot wallets being hacked" and no complex technical issues such as "contract vulnerabilities"; it occurred in the most basic, everyday, and overlooked area: KYC data.

However, the reality is that Coinbase is unlikely to face severe substantive penalties.

There seems to be no precedent in U.S. law for severe penalties over accidental data leaks. The most famous lawsuit related to data misuse is the one against Facebook for breaking its promise not to share user data with third parties without user consent, but that situation differs somewhat from the one Coinbase is facing.

Coinbase's incident is more akin to "data leaked by internal personnel to external hackers," which falls under misuse of data access rights and poor outsourcing management. It likely does not rise to the level of systemic privacy fraud, and the losses are limited, with Coinbase stating that it will compensate victims.

More importantly, Coinbase is a company with a market value exceeding $60 billion and the only trading platform in the crypto industry in the S&P 500 index, with rich policy relationships and deep capital resources.

In this U.S. election cycle, Coinbase and its executives have donated tens of millions of dollars to Republican candidates and are believed to have played a significant role in several legislative lobbying efforts. The SEC's withdrawal of its lawsuit against Coinbase was also once thought to be related to Coinbase's political donations.

Everything points to Coinbase weathering this storm unscathed. In the future, Coinbase is likely to continue thriving, and may even do better.
