Crypto Exchange Coinbase Sued in California, New York Courts for Data Breach
On Thursday, May 15, 2025, Law.com reported that Coinbase, a major cryptocurrency exchange, faced nationwide class action lawsuits filed in federal courts in California and New York. The lawsuits were initiated on the same day Coinbase disclosed in a blog post that cybercriminals had orchestrated a data breach by bribing a group of overseas customer support agents to steal sensitive customer information. The breach was intended to enable social engineering attacks targeting Coinbase users.
In the lawsuit filed in the U.S. District Court for the Northern District of California, plaintiff G.B., represented by Anderson Berry of the Arnold Law Firm, alleged that Coinbase Global Inc. failed to promptly notify affected users of the data breach. According to the complaint, Coinbase became aware of the breach on May 11, 2025, but users, including the plaintiff and other class members, only learned of it through media reports on May 15, 2025. The lawsuit claims that this delay left customers vulnerable to potential harm.
A separate class action lawsuit was filed in the U.S. District Court for the Southern District of New York by plaintiffs Zaal Panthaki and Alexander Crous, represented by Israel David of his namesake law firm. The complaint alleges that Coinbase neglected to implement adequate security measures to protect customer data. It further states that the company’s IT practices were insufficient, potentially reckless, and failed to address known risks, exposing plaintiffs and class members to significant harm from the data breach.
In a regulatory filing with U.S. authorities, Coinbase revealed that a hacker informed the company on May 11, 2025, that an individual had accessed customer account details and internal documentation, including materials related to customer service and account management. The company stated that the perpetrators offered cash incentives to a small group of insiders, affecting less than 1% of Coinbase’s monthly transacting users. The stolen data was intended to be used to impersonate Coinbase and deceive customers into surrendering their cryptocurrency.
Coinbase experienced a stock price decline of over 7% on the NASDAQ by the close of trading on May 15, 2025. In response to the breach, the company outlined several measures to address the incident. These include identifying accounts needing additional security protections, establishing a new U.S.-based support hub, enhancing its cybersecurity defenses, and committing to transparency regarding this and future incidents. Coinbase also announced it is collaborating with industry partners and law enforcement to trace stolen funds.
The company terminated the involved insiders immediately and referred them to U.S. and international law enforcement for prosecution. Instead of paying a $20 million ransom demanded by the hackers, Coinbase established a $20 million reward fund for information leading to the arrest and conviction of the attackers.
The lawsuits highlight broader cybersecurity concerns, as noted by Justin Daniels, a faculty member at IANS Research and an equity partner at Baker, Donelson, Bearman, Caldwell & Berkowitz. Daniels, who is not involved in the case, pointed to a pattern where cybercriminals target vulnerable employees through tactics like bribery or social engineering to gain access to sensitive systems, as seen in other high-profile breaches.
Source: Law.com
