If you had any significant assets on Coinbase at any time prior to this breach, spear phishing is the least of your worries.
Coinbase not only leaked your full name and address, they also gave up your balances, your transaction history, and images of your government identification.
People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom.
"Significant" in this case can be $10k or less.
Until now, your best defense was secrecy. Never talk about crypto in public in any way that could be traced to your real-world identity.
Thanks to Coinbase that defense is now gone.
The bad guys can see who has ever had a significant balance on Coinbase (even if they don't right now), whether that balance was sold for cash and how much, or if you've ever transferred tokens off the exchange to a self-custody wallet.
Now the bad guys know who's worth kidnapping for ransom and where you live. For most people, a Google search of your name and home address turns up the names of family members who would also be lucrative targets for kidnapping and threats of violence.
Coinbase will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company.
Florida teens kidnap Las Vegas man, drive him to Arizona desert, steal $4M in cryptocurrency
https://www.yahoo.com/news/florida-teens-kidnap-las-vegas-20...
"They Stole a Quarter-Billion in Crypto and Got Caught Within a Month. How luxury cars, $500,000 bar tabs and a mysterious kidnapping attempt helped investigators unravel the heist of a lifetime." https://www.nytimes.com/2025/04/24/magazine/crybercrime-cryp... (gift article)
And this crypto CEO in Toronto was kidnapped for a $1M ransom: https://www.cbc.ca/news/canada/toronto/kidnapping-toronto-bu...
The parent post was someone literally hosting a crypto conference, and this one was someone who runs a crypto company. A sibling story describes the father of a 'cryptocurrency influencer.' Is there any evidence of real crime happening which was targeted at Coinbase leak data, or is this just vibes?
Well you start with the low-hanging fruit. Also I imagine these things take a while to plan.
The point is, it didn't need a coinbase data breach to identify these victims - they're high profile, public users of crypto.
Seems to be a whole thing in France too: https://www.theguardian.com/world/2025/may/04/french-police-....
Why is this such an issue with crypto?
Wealth status is often very well known for public figures and entrepreneurs. People are driving around in $200k cars.
Is it due to the liquidity of cryptocurrencies that $5 wrench attacks work better?
If you're kidnapping a generic very rich person, how are you expecting them to pay the ransom, a big burlap sack of cash? There's a lot that can go wrong there. A bank transfer or other conventional financial instrument? Few criminals would be comfortable with that approach. (John Grisham novels, and 'Archer's beloved bearer bonds, aside, it's virtually impossible to make this untraceable). Magic internet money is presumably far less messy.
Also, a decent proportion of crypto-millionaires came by their riches in... not entirely above-board ways (in particular, securities fraud; all those pump and dump scamcoins are paying off for _someone_), and may be reluctant to involve the authorities. And the crypto industry as a whole is unusually comfortable with extortion; hacked crypto companies paying a kind of bounty to hackers to get the rest of the funds back is a common thing.
They can use their bank account to buy crypto and then pay the ransom. Kidnapping was a thing in Latin America before crypto became cool.
> They can use their bank account to buy crypto and then pay the ransom.
This is actually more difficult than it sounds. Most banks and crypto exchanges won't allow a person to make meaningfully large crypto transactions without some account history.
“Hey, cryptocurrency exchange, I, a random rich person, would like to, having never interacted with you before, buy a million dollars of bitcoin and transfer it out. Today, please.”
That is simply not going to happen.
Eh, million dollars would not raise a single eyebrow from an exchange side. Your bank, maybe, will have some questions about the transaction, but the things they can do to prevent you spending your money are thankfully fairly limited.
How long do you think it takes to create an account, get your KYC documents verified, get your trading and withdrawal limits raised to a million or more, transfer funds from your brokerage account, buy tokens and then re-verify when you try to transfer the tokens out of the exchange?
You'd be lucky to complete this in less than a week.
My experience with banks in UK / EU is that they will bother you for much smaller amounts than 1M. I had banks bother me for 10k transfers and other banks completely ignore me for 100k transfers.
Companies do exactly this frequently to get their hacked servers and data decrypted.
It happens with cash sometimes but people are limited to the amount they can get out of an ATM where with crypto you can force someone to hand over all their wealth with a few keystrokes.
> will never be forced to reimburse all the damage they've done because the true cost would bankrupt the company
This story keeps repeating. Maybe we should try it and see if it works as a deterrent.
It's worked before; Arthur Andersen ceased to exist after the Enron accounting scandal.
So you’re saying that one year of complimentary credit monitoring by Experian isn’t enough??? /s
But hey, at least by being forced to give crypto exchanges all our personal details we're all super protected from the four horsemen: money laundering, drugs, terrorism and pornography.
I think that the right lesson to learn here is not "I should store my money with a company I can't trust not to advertise where I live, but without telling them where I live".
No one is forced to use a "crypto exchange" in the first place.
How can I check if I am affected by this?
If you were affected, you should have gotten an email yesterday.
I checked my email to see if I received anything and, interestingly, I received an email from Coinbase on April 14 that they're updating the User Agreement. The new terms only apply to disputes initiated by me or Coinbase after May 15, 2025. Timing seems suspect.
Companies should seriously consider implementing GDPR even in the US, it certainly made taking data dumps of customer data a lot harder and certainly private images like Government IDs were encrypted on disk. I’m surprised at the lack of security if I’m honest, at Yahoo! almost nobody had access to prod user data.
Essentially you cannot trust Coinbase IMO, might move the few hundred dollars of BTC out of there :-)
> I'm surprised at the lack of security if I’m honest
This is the crypto industry, who make the discrepancy between Theranos' claims and practice look conservative.
> How does Coinbase protect data in transit and data at rest?
> Coinbase employs a range of technical and organizational measures to defeat efforts to intercept, surveil, or otherwise access without authorization data in transit. For instance, Coinbase encrypts all confidential data transfers to prevent interception or tampering of that data by unauthorized third parties.
Coinbase does business in the EU and thus, already has to comply with the GDPR. Moreover, the US also requires safeguards for sensitive customer information by financial services companies.
> Companies should seriously consider implementing GDPR even in the US
... and save the data in US cloud where everybody can access it.
It is really funny how FAANG can get away with data collection in spite of GDPR.
Yeah this is really frustrating, especially the way the EU commission keep coming up with workarounds that the court will almost certainly strike down.
And yet, Coinbase goes scot-free
Someone, someone at that company should be going to prison for negligence
Can you point to a specific law that was broken where prosecutors have a chance at jail time, or is this a fantasy of yours?
The comment said "should be" which you glibly interpret as "should be going to jail based on the law" but could very easily be "the law should be such that this kind of negligence results in jail time".
I assume they mean that someone from the company going to prison for this would be a just outcome, not that a path to such an outcome exists today (it likely does not).
> Someone, someone at that company should be going to prison for negligence
That's not how capitalism works. /s
"decentralized currency"
Bitcoin is plenty decentralized. Coinbase deals with dollars, that's the non-decentralized part.
So, the part that makes bitcoin useful to 99% of the people is the non-decentralized part.
Sounds like an appendix.
Only because of US law. It didn't have to be this way; the US wanted to destroy Bitcoin as a currency because it threatened their surveillance state, and they effectively have.
No entity is obligated to enforce contracts in BTC. The real reason what makes a currency valuable.
Btc whales want to destroy the dollar because it benefits them.
Neither the dollar nor crypto are anything but social illusions, neither have an inherent right to exist.
It’s just people manipulating people. Such an intellectually dishonest forum to sit here and discuss meaningless layers of obfuscation.
The most important thing to any individual is enough other humans around their own life isn’t so hard. Specific humans, like those on this forum, are not essential.
You all can bleat on as hard as you want about the existence of crypto but it’s not an evenly distributed belief. And your individual value is nonexistent to the majority on the planet. No reason to prop up your hallucinations
Why do you see this as the fault of Coinbase? Do other companies somehow have employees that are immune to bribes and blackmail?
This is due to US Government KYC laws that forced Coinbase to associate government identification with all accounts. No crypto company required ID until they were forced to.
The US Government didn't provide high-volume, bulk access to this extremely sensitive information to contractors in foreign countries with no controls over their ability to mass-exfiltrate the data.
Coinbase is the entity that set up this dangerous system.
Coinbase did it because it was cheap for them, not because they were being trustworthy custodians of information that put their customers at risk.
Sure, yes, obviously every company's employees and contractors are vulnerable to bribes and blackmail. That's why a trustworthy, competent custodian would establish systems and controls to prevent bribed and blackmailed insiders from mass-exfiltrating information that could get their customers killed.
The fact that other companies manage to be trustworthy, competent custodians while Coinbase doesn't is not the fault of KYC.
Fair enough, and it does sound like they had limits given that not all customer data was exfiltrated but those limits were probably far too high at tens of thousands affected.
Generally, staff do not have unfettered access to all customer data in most financial companies.
You don't think Coinbase is responsible for restricting access to member data for support agents?
There is no valid reason why Coinbase or any other financial services company should ever be excepted from AML/KYC laws. If anything the laws ought to be even tighter to slow down financial flows to criminals and sanctioned entities.
> People with "significant" crypto balances are being assaulted on the street and in their own homes, and family members are being kidnapped for ransom. "Significant" in this case can be $10k or less.
I wonder why, select a person completely at random and by median you'll get just as much from what they have sitting in their checking account. Select a nicer area for an order of magnitude more. That's not encouragement to go assault people in their homes or kidnap families... just confusion.
Yeah, but banks and the normie monetary system have a lot more safeguards in them when it comes to account transfers. Or at least, they appear to have them.
Crypto? It's wild, and people think it's wild.
I tried to use Coinbase a few months ago to pay for something, and I couldn't even make a transaction because it was deemed suspicious, and my account got locked or something.
Someone with a lot of cryptocurrency in Coinbase is also quite likely (at least relative to the average person) to have lots of on-chain cryptocurrency, too, though.
Of course, you need to point out that Crypto has ended up being indistinguishable from the banking system in all the important parts.
The distinguishing parts are things you don't want: easily corrupted, grifted, cheated and otherwise duped.
The median person does not have $10k sitting in a checking account that they can easily withdraw. My gut feeling is that the threat of kidnapping is a lot more serious in some countries. The US maybe not so much.
> The median person does not have $10k sitting in a checking account that they can easily withdraw.
That's true, finding someone with 10k is not as easy as picking a person at random, but it is as easy as driving to the right parking lot and picking a person at random.
Pulling $10k out of the global banking system by physical coercion in a way that isn't reversible and won't get you caught is a hard problem, you might as well attempt to rob the bank instead. That's why most of the "successful" criminals in that space use social engineering and scamming where the victim is an unwitting participant rather than kidnapping someone.
With crypto, no bank or other middleman involved, it's like stealing physical cash/gold/diamonds from someone, if you know they have it in their possession, so violence can be a lot more successful at coercing a change of possession.
Good point, perhaps the lower $ examples are about other countries where that may be a lot more than median transactional account holdings and maybe that concern is part of why folks were using crypto holdings.
Bank transactions are reversible, crypto transactions are not.
Also, people do point guns in people’s faces and force them to pay them via Venmo or Cashapp. Google ‘Venmo robbery’ or ‘cashapp robbery’ for plenty of examples. Pointing a gun in someone’s face for $4M in crypto is a lot more lucrative.
The average American can't deal with a $1000 emergency.
Maybe they wouldn't be able to cover other planned expenses with said loss or something but the median (I intentionally avoid referring to "average" for reasons also mentioned in this article) amount Americans have access to in their transactional bank accounts is $8,000 according to the Federal Reserve: https://www.fool.com/money/research/average-savings-account-...
Someone else made a great mention though: Coinbase didn't just serve the US. For the vast majority of countries these amounts are more than the yearly disposable income of a typical household. From that angle the numbers in the stories make a bit more sense.