Coinbase’s Fortress Is Crypto’s Achilles’ Heel: Lawsuits Reveal Security Gaps

Coinbase sold itself as the “secure and trusted” face of crypto. In reality, it has become something far more dangerous: a fortress that protects itself, not its users.

Coinbase isn’t a fringe startup anymore. It is the largest U.S. crypto exchange and the only one that is both regulated and publicly listed on a major U.S. stock exchange. It holds more than $400 billion in assets under custody, reports billions in quarterly revenue, and serves nearly nine million monthly transacting users. By scale and by reputation, it is crypto’s blue-chip on-ramp — the company regulators, Wall Street, and retail investors alike point to as the “safe” option.

And that is precisely why its failures matter more. When Coinbase stumbles, it doesn’t just expose its own users to risk. It shakes confidence in the entire industry.

Coinbase’s Insider Breach That Shattered Its Narrative

The most glaring stumble came in May 2025, when Coinbase admitted its defenses had been breached, not by outside hackers but by insiders who were bribed. Support agents employed by TaskUs, a third-party contractor hired to run customer support, allegedly took payment to use the access their support roles already gave them to pull customer records, turning a legitimate help-desk login into a back door into Coinbase’s systems.

The damage was staggering. Nearly 70,000 customers had their most sensitive data stolen: Social Security numbers, government IDs, bank details, and transaction histories. The attackers allegedly demanded a $20 million ransom, which Coinbase refused, before the scheme unraveled. Coinbase later tried to reframe the optics by offering a $20 million “reward fund” for tips leading to arrests.

What made the breach indefensible wasn’t just the scale, but the timeline. According to court filings, the scheme began in December 2024 — yet Coinbase didn’t disclose it until May 2025. For roughly six months, user data sat in the wild while the company either didn’t know or didn’t tell.

Coinbase insists no private keys or account balances were compromised. But in crypto, identity is currency. Once your SSN or bank details are on the dark web, you don’t just face one hack — you live with a permanent target on your back. You can reset a password; you can’t reset your identity.

By Coinbase’s own estimates, remediation and reimbursements could cost between $180 million and $400 million, with $307 million already booked in Q2 2025. Class actions followed quickly in the Northern District of California, accusing the company of negligence, breach of implied contract, and unjust enrichment. The plaintiffs’ argument is simple: outsourcing privileged access to low-cost contractors wasn’t just a mistake. It was, they allege, structural negligence.

From VC Darling to Public Company — Without the Accountability Shift

Coinbase’s origin story is a classic Silicon Valley tale: well-funded, high-growth, idealistic, and legally flexible. Early-stage startups often lean on arbitration clauses, indemnification, and liability caps because that’s what VC tolerates — as long as growth and user acquisition are spinning fast.

But Coinbase is not early-stage. In Q2 2025, it reported $1.5 billion in revenue and $1.4 billion in net income (boosted by investment gains). It attracts more than 120 million monthly visits, counts 8.7 million monthly transacting users, and in 2024 held $404 billion in assets under custody. Those numbers put it in a different league from a VC-backed startup.

Yet its risk posture hasn’t evolved. The company still runs on venture-capital logic: protect the company first, even if that leaves customers exposed.

That tension, a public company still clinging to startup-style defensiveness at the expense of customer security, is the weak link in the “secure and trusted” brand.

A Legal Fortress Built on Wall Street’s Rolodex

When legal trouble hits, Coinbase fires back hard. But it does more than fight; it preempts. By retaining most of the elite crypto and fintech boutiques, Coinbase creates conflicts that put many top-tier firms off-limits to plaintiffs. That leaves mid-tier and boutique firms to litigate complex claims against a deep-pocketed behemoth.

This is a strategy only a giant can afford. Smaller exchanges collapse under litigation; Coinbase weaponizes it.

The result is a structural imbalance: even when plaintiffs have strong claims, Coinbase’s legal firepower ensures that cases drag on, costs mount, and settlements come cheap. Its lawyers don’t just defend — they contain.

The Fine Print: Coinbase’s User Agreement

If Coinbase’s cybersecurity is shaky, its legal scaffolding is rock solid. The company’s User Agreement is less about protecting customers than protecting Coinbase — designed to deflect liability and discourage collective action.

Lose $50,000. Get back a Netflix subscription. That’s Coinbase’s fine print.

  • Liability Cap: If your account is hacked or your assets stolen, Coinbase’s maximum responsibility under the agreement is capped at the greater of (a) the fees you paid in the previous 12 months, or (b) about $100/£100. In practice, a customer who lost $50,000 could be contractually limited to recovering roughly $100, less than a year of Netflix.
  • Arbitration & Class Action Waiver: You can’t band together with other victims. Every dispute must be fought alone, in arbitration, on Coinbase’s terms.
  • No Fiduciary Duty: Despite presenting itself as a custodian, Coinbase explicitly disclaims any obligation to act in your best interests.
  • Indemnification: In some cases, customers agree to cover Coinbase’s legal costs.
  • Force Majeure / Suspension: Coinbase reserves the right to suspend accounts or services for broad reasons, while disclaiming liability for losses that follow.

These aren’t unusual for a scrappy startup. But Coinbase isn’t a startup. It’s the largest U.S. exchange, a publicly traded company worth billions, and a self-styled “secure and trusted” financial gateway. Yet its contract reads like a Silicon Valley software vendor — not like a bank safeguarding deposits.

Banks vs. Coinbase

Here the asymmetry becomes stark:

  • At a bank: If a hacker drains your checking account, Regulation E obliges the bank to make you whole for unauthorized electronic transfers (provided you report them promptly), and FDIC insurance covers your deposits if the bank itself fails. In the U.K., the Payment Services Regulations require banks to refund unauthorised transactions, and FSCS protects deposits if the institution fails.
  • At Coinbase: If your wallet is drained or your identity stolen, your recourse is minimal. Losses are contractually capped and often unrecoverable. There is no deposit insurance on crypto holdings, no FSCS equivalent, and no statutory mandate to reimburse unauthorized transfers.

This isn’t hypothetical. The internet is littered with accounts of users locked out of their accounts or drained of life savings with no recourse, on Coinbase and on other platforms that users assumed would act like a bank when disaster struck, only to discover they had no such obligation. Coinbase’s fine print makes that asymmetry explicit.

That’s the crux: Coinbase is surveilled like a bank, but not safeguarded like one. Burdened with obligations, absolved of liabilities.

Not an Anomaly, But a Pattern of Security Breaches

The 2025 breach wasn’t a one-off failure; it exposed a deeper pattern of promises made, risks ignored, and vulnerabilities normalized.

Consider the history. In 2022, nearly 100 customers filed suit after $21 million vanished in a wallet exploit, accusing Coinbase of overstating the safety of its accounts. That same year, in Donovan v. Coinbase, investors alleged negligence when the supposedly “stable” GYEN token lost its peg within days of being listed on the exchange.

Regulators have been no kinder. In 2023, the New York Department of Financial Services reached a $100 million settlement with Coinbase (a $50 million penalty plus $50 million in mandated compliance spending) over anti–money laundering failures so severe that the backlog of transaction alerts ran months behind. European and UK watchdogs piled on: the Dutch central bank fined the exchange €3.3 million for operating without proper registration, and in 2024 the UK Financial Conduct Authority issued a £3.5 million penalty for onboarding high-risk customers.

And now, the lawsuits keep coming. The Milberg data breach class action, still ongoing, has been expanded to include TaskUs — Coinbase’s outsourced support vendor — on claims of negligent vendor oversight. If plaintiffs succeed, Coinbase could face hundreds of millions in damages and a precedent-setting requirement for bank-level contractor controls.

At the same time, Coinbase faces a different kind of pressure from the Supreme Court’s refusal to hear Harper v. IRS. That refusal left standing a lower-court ruling that the IRS could compel Coinbase to produce customer transaction records under the third-party doctrine, cementing the principle that exchange users have no reasonable expectation of privacy in data the exchange holds about them. Regulators cheered it as a green light for surveillance. Privacy advocates condemned it as a devastating blow to digital rights. The paradox could not be clearer: Coinbase is treated like a bank when it comes to surveillance, but not when it comes to safeguarding users.

This isn’t a series of isolated missteps. It is, plaintiffs and regulators argue, a recurring operating model: expose customers, protect the company, and normalize the risk.

Coinbase’s Counterarguments — and Why They Don’t Hold

When pressed, Coinbase has a predictable script:

  • “No funds were lost.” Reality: identity data is as valuable as money — and harder to replace. That’s why the class action lawsuit calls Coinbase’s safeguards inadequate.
  • “We follow best practices.” Reality: according to court filings, the insider breach lasted roughly six months before disclosure. Plaintiffs argue that such a gap is the definition of negligence.
  • “We reimburse customers.” Reality: liability caps mean most victims can’t recover anywhere close to their actual losses.
  • “We’re regulated.” Reality: yes — but not like a bank. Regulators demand surveillance, not customer protection, and Coinbase has leaned on that loophole.

And the $307 million in breach-related expenses Coinbase itself booked in Q2 2025 is a more honest admission of liability than any press release.

Why It Matters More for Coinbase Than Anyone Else

Other public crypto firms are miners (Riot, Marathon) or proxy holders (MicroStrategy). Coinbase is the end-user interface — the on-ramp. It holds the “blue-chip” mantle.

This isn’t a fringe exchange or a speculative mining outfit. It is the regulated, publicly traded face of crypto in the United States, with billions in revenue, nearly nine million monthly transacting users, and more than $400 billion in assets under custody. Its reach extends from retail investors buying their first Bitcoin to institutions moving billions through its custody arm.

That scale gives Coinbase symbolic heft — but it also means its failures ripple far beyond its own customer base. When Coinbase overstates security, millions of users are misled. When it fails, trust in crypto itself cracks. And when it hides behind contracts and legal firepower, it signals that the industry’s leaders still see themselves as startups, not custodians of public wealth.

If the so-called blue chip can’t meet bank-level standards, what chance does the rest of the industry have?

Surveillance Without Safeguards

Coinbase is no longer a venture-backed moonshot. It is a multibillion-dollar public company that sits at the center of global crypto flows. Yet its greatest defenses remain legal, not technological.

The Supreme Court’s refusal to hear Harper leaves the rule in place: Coinbase’s records can be reached like a bank’s. But when customers lose their assets or their identities, Coinbase insists it is not responsible like one. That paradox, surveillance without safeguards, is crypto’s Achilles’ heel.

And this isn’t confined to crypto. Just last week, a viral Substack post titled “I Was Scammed Out of $130,000 and Google Won’t Do a Thing” hit #1 on Hacker News. Different platform, same story: users discover too late that the companies they trust with their savings are not bound by the obligations of banks. Coinbase has simply imported that platform trap into finance — marketing trust while disclaiming responsibility.

Until Coinbase is held to bank-level standards of accountability, it will remain what it is today: a company whose strongest protections are for itself, not its customers. And that is crypto’s Achilles’ heel.



Forbes
