
The Haunting "Mole" and Coinbase's Five Months of "Turning a Blind Eye"

2025-05-23 11:00

In the recent user data leak incident, Coinbase handled things smartly, just as elegantly as it portrays itself: crypto-first, and the first and only crypto company to enter the S&P 500.


Out of courtesy, the author has already expressed the basic respect for Coinbase. Next, it's time to publicly shame this company.



On May 8, crypto detective ZachXBT posted in his personal channel, explicitly stating that another $45 million had been "socially engineered" away from Coinbase users, and that similar cases he has tracked over the past few months add up to nine figures. The scammers' usual tactic is to impersonate Coinbase support, call or email users, gradually guide them to click on a phishing link disguised as the official website, and then have them transfer funds to the scammers' wallet.


Some may ask, how is it Coinbase's fault if users fall for social engineering? "The platform is not a government regulatory agency, how can it prevent users from clicking on phishing emails?"


Firstly, other major exchanges have not experienced similar large-scale scam issues. Secondly, many victims have consistently reported that the scammers not only accurately stated their account balances and transaction times but could even produce their ID photos, "everything was too real."


Everything points to one thing: Coinbase leaked data.


Let's look at what Coinbase itself said. An 8-K filing document submitted to the SEC on May 14 reveals that Coinbase discovered through its security system in January 2025 that some overseas customer support representatives accessed users' full identity information without a business need.
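The detection Coinbase describes, a security system noticing support representatives reading full identity records with no business need, amounts to an audit-log check. Below is an added example (not Coinbase's or TaskUs's code; the log format, field names, ticket model and thresholds are constructed assumptions) that flags sensitive-field reads with no ticket behind them, and agents walking through unusually many accounts in an hour, the "on-demand access" pattern the article describes later.

```python
# Added example (constructed; not any real vendor's schema): flag support
# agents reading full identity records with no ticket behind the lookup.
from collections import defaultdict
from datetime import datetime

# Fields whose retrieval should always be tied to a customer request.
SENSITIVE_FIELDS = {"government_id_image", "home_address",
                    "balance_snapshot", "transaction_history"}
MAX_CUSTOMERS_PER_AGENT_HOUR = 20  # constructed threshold

def parse_access_log(lines):
    """Parse constructed 'ISO-timestamp agent customer field,field' lines."""
    events = []
    for line in lines:
        ts, agent, customer, fields = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "agent": agent,
                       "customer": customer, "fields": set(fields.split(","))})
    return events

def find_suspicious_access(events, open_tickets):
    """Return (reason, detail) pairs. open_tickets holds (agent, customer)
    pairs with an assigned ticket. Flags a sensitive-field read with no
    ticket, and an agent touching more distinct customers per hour than a
    human working tickets plausibly would (bulk pulls for resale)."""
    findings = []
    seen = defaultdict(set)  # (agent, hour) -> distinct customers touched
    for ev in events:
        if (ev["fields"] & SENSITIVE_FIELDS
                and (ev["agent"], ev["customer"]) not in open_tickets):
            findings.append(("sensitive_read_without_ticket", ev))
        hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
        seen[(ev["agent"], hour)].add(ev["customer"])
    for (agent, hour), customers in seen.items():
        if len(customers) > MAX_CUSTOMERS_PER_AGENT_HOUR:
            findings.append(("bulk_enumeration",
                             {"agent": agent, "hour": hour, "customers": len(customers)}))
    return findings

# Constructed sample: one ticketed ID read, one unticketed ID/balance read,
# and one agent walking 25 accounts in an hour pulling only name and email.
SAMPLE_LOG = [
    "2025-01-05T09:12:00 agent_a cust_1 name,government_id_image",
    "2025-01-05T09:40:00 agent_b cust_2 government_id_image,balance_snapshot",
] + [f"2025-01-05T10:{i:02d}:00 agent_c cust_{100 + i} name,email"
     for i in range(25)]
SAMPLE_TICKETS = {("agent_a", "cust_1")}

if __name__ == "__main__":
    for reason, detail in find_suspicious_access(parse_access_log(SAMPLE_LOG), SAMPLE_TICKETS):
        print(reason, detail)
```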


Furthermore, on May 20, Coinbase submitted a report to the Maine Attorney General's Office, indicating that the data leak incident actually occurred earlier on December 26, 2024.


A Maine report reveals that the incident date of the breach was December 26, 2024, while the discovery date of the vulnerability was May 11, 2025


However, the disclosure of the event occurred on May 15, with their official announcement stating: Criminals targeted Coinbase's overseas customer service staff, purchasing user data with cash from an insider. This data included names, addresses, phone numbers, emails, government identification images (such as driver's licenses, passports), account balance snapshots, and transaction records, among other things.


In other words, the data was stolen back in winter, but now that spring has already passed, Coinbase, at a critical moment of being included in the S&P 500, was forced to confront this "elephant in the room" and issued a notice confirming receipt of a hacker's ransom email to formally disclose the event.


According to Coinbase itself, they terminated the involved personnel and strengthened security monitoring after detecting unusual access. However, in these five months, the only "user communication" Coinbase made was a vague and uninformative email sent at the end of March, stating that an employee "may have inappropriately" viewed some Coinbase customers' account records, including yours:


"We have detected indications that suggest a Coinbase employee may have inappropriately viewed a small number of Coinbase customers' account records, including yours."


The Block co-founder Mike Dudas previously disclosed receiving a troubling email from Coinbase on X


In addition, we have not seen any more official public disclosure of information or further investigation into the incident.


The more "exciting" part is yet to come.


On May 15, the same day the data leak was officially announced, a new Coinbase User Agreement went into effect.


This agreement can be described as Coinbase's "self-defense shield." Aside from other lengthy and distracting content, it contains two key clauses (Sections 9.9 and 9.10): prohibiting any form of class action lawsuit (Class Action Waiver) and mandating that all users must file lawsuits independently in a New York court.


Why choose New York? Because the state of New York has a provision highly favorable to businesses: if a contract specifies that all disputes must be resolved in a New York court and the amount involved exceeds $1 million, the court cannot refuse to hear the case on the grounds of a "more convenient location." Additionally, the Southern District of New York is a hub for financial cases, with experienced judges, and it is where the litigation between Coinbase and the SEC unfolded.


Furthermore, according to public reports, even though Coinbase transitioned to a "remote-first" company starting in 2021, until the opening of the proposed San Francisco office later this year, One Madison in New York was Coinbase's largest office space in the United States, with an 11-year lease signed for space twice the size of its previous location.


In this context, even if you, like thousands of other users, are affected, you must still bear the cost and effort to sue in New York as a lone individual.


The agreement was updated on April 11 and took effect on May 15, almost seamlessly aligning with the data leak disclosure. Such a "precisely timed" contract change can be likened to the Chinese saying "Prepare against what is difficult while it is still easy" — Coinbase's proactive foresight is comparable to that of Zhuge Liang.


This has also raised doubts from security researcher Molly White, but Coinbase CEO Brian Armstrong dismissed this as a "conspiracy theory." However, when Molly White further inquired, "Why did Coinbase take over a month to disclose this data breach to the SEC? A public company should disclose a significant cyber incident within four business days of discovery," Brian Armstrong no longer responded to her.


Meanwhile, Bloomberg cited sources saying that over the past five months, hackers had gained "on-demand access" to user information by bribing a sufficient number of Coinbase customer service representatives, and that as recently as the Wednesday just days before the announcement, hackers were still accessing this data. Coinbase Chief Security Officer Philip Martin, however, disputed this claim.


Coinbase's current stance is essentially: "We found that some employees inappropriately accessed data and have since terminated those individuals, but at that time we were unaware that the data had been leaked. It wasn't until we received a ransom email in May that we realized the seriousness of the issue."


How much of this is self-exoneration? Let's look at how many warnings, questions, and alerts from the community and security researchers Coinbase chose to "see no evil" about during the five-plus months in which it was busy rewriting its terms and bolting the door on class-action lawsuits.


Open Reddit's Coinbase forum, and you'll find numerous user reports of hacked accounts and frequent social engineering scams since January, with non-English-speaking users particularly affected: "I suspected the customer service was corrupt six months ago. Five support tickets, all closed hastily. No one contacted me, no one explained what happened," "I almost believed it because the amount I just withdrew was close to the amount they texted me about," "They were able to verify my full name, account balance, last login device; everything was too natural and real..."


Faced with countless reminders from the community, Coinbase strictly adhered to the "do not respond, do not respond, do not respond" doctrine straight out of a Three-Body Problem world.


If you were to argue in Coinbase's defense that maybe they don't browse Reddit like Asians do and thus missed the community's experiences, those continuous reminders from big Twitter KOLs and security researchers must surely have been visible to them.


Crypto's top detective with 860K followers on Twitter, ZachXBT, pointed out in early February that between the end of last year and the beginning of this year alone, over $65 million had been stolen in social engineering attacks. By the end of March, he stated once again that in the past two weeks another $46 million had been stolen. He has repeatedly emphasized Coinbase's inaction.


There's also Taylor Monahan, the Security Lead at MetaMask and a veteran on-chain investigator, who almost weekly publicly criticizes Coinbase on Twitter, continuously trying to hand over evidence to their security and support teams, yet Coinbase's "Senior Investigator" blocked her by the end of 2024.


Taylor Monahan also exposed directly: Coinbase outsourced its customer service work on a large scale to the Indian third-party service provider TaskUs. As early as January 11, 2025, Coinbase laid off more than 300 Indian customer service representatives on a large scale, citing "theft" and "malpractice" as reasons. The office later moved to the city of Gulbarga, but internal data breaches continued to occur frequently, leading to new rounds of "layoffs" in March and April.


Regarding Coinbase's statement that "we only found out on May 11," she ruthlessly mocked, saying, "This will be a very 'interesting' show—watch them pretend they had no idea until the ransom email arrived" and "The most likely excuse will be: 'This doesn't constitute a major breach, no need to disclose.'"


The irony is that while Coinbase executives deny, deflect, and downplay, some Reddit users and victims have spontaneously organized a "Guardians" group and are tracking down some of the scammers themselves.


A user named Scammer-fight-back and their entire team engaged in a "confrontation" with the scammers, calling them multiple times, recording the calls, and saving information. In the end, they traced that most of these scammers were from Manchester, UK, operating in the same small office, impersonating Coinbase customer service with a local accent, extracting information on one side and completing the fraud process on the other.



Another netizen dyfedavalon also shares a similar view: "This is a large-scale fraud syndicate from the UK, with a large scale, wide scope, and strong capabilities," "I called back to those scammers, and it turned out to be the same group of people. They are really good at what they do," "I chatted with them many times; they thought I was a victim, but I'm British, so I could tell from their British accents and teased them. They later directly asked me not to call and harass them anymore."


Furthermore, the investigation information from Taylor Monahan, the security lead of MetaMask mentioned earlier, shows that TaskUs, the third-party Indian service provider outsourced by Coinbase, had internal employees coordinating with hackers on Telegram, charging approximately $10,000 per transaction selling user emails, phone numbers, and 2FA information. This money was directly transferred into personal accounts via PayPal or bank accounts.


Image Source: Taylor Monahan


As for why someone would be willing to take such a huge risk to leak information, Taylor shared more insights from the leaked content of these 'Indian Coolies,' directly pointing out the true working conditions at TaskUs: not allowed to use the restroom, meal times turn into a competition, not meeting delivery quotas results in collective cold treatment by management; the stress levels are absurdly high, even taking sick leave is marked as 'absent without leave' and results in direct wage deductions; if falling behind in training, employees are immediately fired on the spot.


One employee even wrote: "This is the worst decision I have ever made in my career. HR does not support you at all, not even if you cry and complain. In the end, I couldn't even get my experience certificate because they asked me to reimburse the 'training cost'."


Complaints from former TaskUs employees, an outsourcing company for Coinbase, Image Source: Taylor Monahan


According to data from various platforms such as Glassdoor and Indeed: Coinbase's local customer support staff earn an annual salary of $60,000–70,000, while outsourced customer support in India is only $3,600–4,800 per year. In other words, the salary of one American customer support staff can hire at least 15 outsourced customer support staff in India.


Calculating based on 300 outsourcing positions, Coinbase could save $18 million per year here alone. This does not include savings on office space, social security, overtime pay, technical support, and other hidden costs.


It is worth mentioning that, according to Bloomberg's investigation, Coinbase pays $6.2 million annually for CEO Brian Armstrong's personal security expenses. Coinbase's Chief Legal Officer, Paul Grewal, who is responsible for handling the $4 billion hack incident and SEC user data investigation, had a total compensation of over $8.2 million last year.


Just the annual security expenses for the CEO and the CLO could possibly exceed the entire platform's user security expenses at Coinbase.


Currently, some prominent figures have been affected by the incident. According to Bloomberg, sources revealed that Sequoia Capital partner Roelof Botha is one of the victims, and the data stolen from him includes his phone number, address, and other sensitive account information related to his Coinbase profile.


There is also 67-year-old Ed Suman, who has been in the art world for nearly twenty years and has been a prominent artist involved in the creation of artworks such as Jeff Koons' "Balloon Dog." Earlier this year, he fell victim to a fake Coinbase customer support scam, losing over $2 million worth of cryptocurrency.


Coinbase has also faced multiple lawsuits, with users accusing the company of mishandling their personal data. Additionally, Coinbase's practices have drawn regulatory scrutiny. For instance, the Oregon Attorney General's office has filed a lawsuit against Coinbase, alleging violations of state securities laws and questioning the legality of its arbitration and class action waiver clauses in its user agreement.


According to Elliptic data, the compensation and remediation costs of this incident amount to $400 million, making it the eighth-largest security incident in crypto history. This attack did not involve any dramatic scenes of a "hot wallet hack" or technical complexities like a "smart contract vulnerability." Instead, it occurred at the most basic, routine, and overlooked level: KYC data.


However, the reality is that Coinbase is unlikely to face any substantive penalty.


There does not seem to be a precedent in US law for severe punishment due to accidental data breaches. The most famous lawsuit related to data misuse is the Facebook case, where they breached their own commitment not to share user data with third parties without user consent, but this differs slightly from Coinbase's situation.


The Coinbase incident is more akin to "data leaked by internal personnel to external hackers," involving abuse of data access privileges and inadequate outsourcing management. It may not amount to systematic privacy fraud, and the losses are limited, with Coinbase indicating it will provide compensation.


More importantly, Coinbase is a company with a market value exceeding $60 billion and is the only cryptocurrency exchange platform listed on the S&P 500 index, with rich policy relations and deep capital resources.


In the recent US election, Coinbase and its executives donated tens of millions of dollars to Republican candidates and were seen as playing a significant role in various legislative lobbying efforts. The SEC's withdrawal of litigation against Coinbase was also once thought to be related to Coinbase's political donations.


Everything points to Coinbase weathering this storm safely. And in the future, they will not only survive but may even thrive.



Welcome to join the official BlockBeats community:

Telegram Subscription Group: https://t.me/theblockbeats

Telegram Discussion Group: https://t.me/BlockBeats_App

Official Twitter Account: https://twitter.com/BlockBeatsAsia
