- Coinbase, the world’s largest cryptocurrency exchange, is having a rough week. In the run-up to Coinbase joining the S&P 500 on May 19, the company announced it was hit by a data breach and refused to pay a $20 million ransom demand from the cybercriminals who stole user data. The company is also facing a fresh SEC investigation that’s looking into whether the company misstated its user numbers in past disclosures.
Coinbase will officially join the S&P 500 on Monday, and its stock is roughly back to where it was at the start of the year after taking a tariff-induced hit over the last few months. But not all is good in Coinbase land.
The company disclosed on its blog Thursday a data breach that could cost anywhere from $180 million to $400 million to fix the issues and reimburse customers. In that same disclosure, it said cybercriminals bribed Coinbase’s customer-service agents to steal the user data, and then tried to extort the company out of $20 million.
Coinbase said the data breach only affected “less than 1% of Coinbase monthly transacting users.” In the first quarter of 2024, the company reported 8 million monthly transacting users, so less than 1% of that would be fewer than 80,000 people. The company said it sent an email to all affected customers on Thursday morning.
The company said it refused to pay the $20 million ransom; instead, it’s “establishing a $20 million reward fund for information leading to the arrest and conviction of the attackers,” asking anyone with information to email Coinbase’s security team.
Coinbase’s chief security officer, Philip Martin, told Coins2Day‘s Jeff John Roberts on Thursday that all of the compromised customer-service agents worked in India and were immediately fired. Coinbase is currently working with industry partners and law enforcement to recover assets, while pressing criminal charges against the “small group of insiders” who allowed this to happen.
“It sucks but when we see a problem like this, we want to own it and make it right, and that’s what we’re doing,” Martin told Coins2Day.
As Coinbase works to pursue cybercriminals and make customers whole on the data-breach front, it’s also facing a fresh probe from the Securities and Exchange Commission, according to The New York Times. While the SEC dropped a lawsuit against the company earlier this year regarding the company’s marketing of digital currencies to the public, federal investigators are now looking into past disclosures, including its S-1 filing to go public in 2021 that claimed the company had more than 100 million “verified users.”
Coinbase Chief Legal Officer Paul Grewal told Coins2Day in a statement that the SEC probe is just “a holdover investigation from the prior administration about a metric we stopped reporting two and a half years ago,” adding the company is committed to working with the SEC “to bring this matter to a close.”
As Grewal said, Coinbase stopped reporting on “verified users,” which was based on the number of accounts with confirmed email addresses or phone numbers, in 2023. It now focuses on other metrics like monthly transacting users, of which there are about 8 million on Coinbase.
It’s notable that while the SEC has dropped more than a dozen different investigations and lawsuits taking aim at crypto companies since President Donald Trump took office in January, this inquiry that began under the Biden administration has continued under his successor, who is involved with several crypto projects of his own.
Brian Armstrong, who founded Coinbase in 2012, has been an outspoken critic of the SEC for years. In 2021, when the SEC said it would investigate Coinbase’s plans to offer a lending program, Armstrong called the SEC’s actions “sketchy” and “intimidation tactics behind closed doors” in a series of tweets. And in a 2023 interview with Decrypt, Armstrong said Coinbase met with the SEC 30 times over an 18-month period, but said the agency refused to provide clear guidance on which digital assets are considered securities.
“We asked the SEC for feedback; all we got was a lawsuit,” he said, adding the government agency operates by a “regulation by enforcement” environment.
While Armstrong didn’t donate to either of Trump’s campaigns via direct donations, Coinbase has made an effort to back politicians who support crypto. Last year, the company donated $25 million to Fairshake, a super PAC that supports pro-crypto candidates. Armstrong personally donated $1 million to the organization.
Despite these run-ins with cybercriminals and regulators, Coinbase is having a pretty good year. The company reported $2.03 billion in first-quarter revenue, up 24% year over year. While that missed analysts’ expectations, the company attributed it to “an uncertain macro environment” around global trade policy.
The company has also been working to strengthen its platform, particularly through the $2.9 billion acquisition of crypto options exchange Deribit earlier this month.
