Coinbase customer loses $35 million in bitcoin theft

A Coinbase customer reportedly lost 400 BTC (~$35 million) in a scam identified by blockchain sleuth zachxbt. While investigating the massive theft from the single customer, he also observed at least $11 million in thefts from various other Coinbase customers throughout March.

zachxbt has previously accused Coinbase of not doing enough to protect customers from hundreds of millions of dollars in scams, and he noted that in these cases, Coinbase had not marked the thief wallets as malicious in various cryptocurrency compliance tools.

Coinbase accused by crypto sleuth zachxbt of allowing more than $300 million per year in social engineering attacks on its customers

Crypto sleuth zachxbt has accused the popular American cryptocurrency exchange Coinbase of "fail[ing] to stop its users losing $300M+ per year to social engineering scams". He identified $65 million in crypto thefts from Coinbase in just the most recent two months, but noted that the "number is likely much lower than the actual amount stolen as our data was limited to my DMs and thefts we discovered on-chain which does not account for Coinbase support tickets and police reports we do not have access to."

zachxbt recounted how scammers routinely spoof phone numbers and use stolen personal information to gain trust with victims on phone calls, where they claim to be Coinbase employees informing users of unauthorized account access. They then walk victims through "securing" their accounts, but in reality they direct people to cloned versions of the Coinbase website where the victims are made to transfer their assets to the scammers.

zachxbt concluded, "Coinbase needs to urgently make changes as more and more users are being scammed for tens of millions every month. ... Coinbase is in a position where they have the power to make these changes and set a good example but they have chosen to do little to nothing."

SEC files complaint against Coinbase

The SEC has clearly been busy. The agency followed up its complaint against Binance by smacking Coinbase with charges the very next day. This isn't terribly unexpected: in late March the SEC hit Coinbase with a Wells notice, which is a formal notice saying "we're about to file a complaint against you, convince us not to." Coinbase decided that instead of any real attempt at convincing them not to, they would use the incident as a PR opportunity to try to win hearts and minds (of the public but also critically in Congress), convincing people that the SEC was being unfair to them and stifling innovation in the United States and all sorts of other things.

The SEC, apparently unconvinced by Coinbase's usual spiel, filed a complaint with five claims for relief involving operating without registering with the SEC and offering unregistered securities by way of providing a cryptocurrency staking program.

Coinbase has responded with its usual bluster, and vowed to fight the lawsuit. They don't really have much choice, given their business is almost entirely predicated on being able to continue operating in the US. A tweet by Coinbase CEO Brian Armstrong refers to "the US congress... introducing new legislation to fix the situation", suggesting he is hoping that Congress might bail him out of the mess he's in. Given the amount of lobbying Coinbase has been doing, and the apparent bought-and-paid-for crypto advocates who sit in Congress, his hopes are not entirely misplaced, but we shall see. As with the lawsuit against Binance, this is not likely to resolve anytime soon, particularly if the companies both decide to fight in court.

AT&T customers suffer crypto wallet compromises reportedly totaling $15–$20 million

TechCrunch reported that attackers were able to gain access to AT&T email accounts which they then used to gain access to customers' cryptocurrency accounts. Various customers reported their accounts at exchanges including Coinbase and Gemini had been drained. One individual victim lost $134,000 from their Coinbase account.

An anonymous source corresponding with TechCrunch claims that the total amount of cryptocurrency stolen is somewhere between $15 million and $20 million. The tipster also claimed that the hackers have the ability to gain access to any AT&T account via the AT&T employee portal; AT&T has denied this and instead claimed that "the bad actors used an API access."

SEC sends a Wells notice to Coinbase

The SEC sent Coinbase a Wells notice, which is basically their way of saying "we're about to file a complaint against you, here's your chance to convince us not to."

According to Coinbase, the Wells notice related to "aspects of the company's exchange, our staking service Coinbase Earn, and Coinbase Wallet". It's not terribly surprising that the SEC might have Coinbase Earn in its crosshairs, as it has recently taken action against similar products, such as Kraken's staking service. In the wake of the action against Kraken, Coinbase seemed to try to pre-empt SEC arguments by sending an email to customers emphasizing things like "You earn rewards from the protocol, not Coinbase". It doesn't look like this has shifted the SEC's thoughts much, though.

This should be an interesting saga to watch, partly because Coinbase has expressed willingness in the past to go head to head with the SEC.

USDC loses peg to the dollar

The major stablecoin USDC lost its peg to the US dollar on March 10. Earlier that day, the collapse of the Silicon Valley Bank sent shockwaves through the financial system, and some in crypto were concerned about possible contagion to crypto companies. In particular, it was known that some of Circle's cash reserves backing USDC were stored at SVB, but it wasn't clear quite how much. After some delay, Circle disclosed that $3.3 billion of their roughly $10 billion in cash reserves were stored with SVB.

That evening, Coinbase announced they would be pausing USDC redemptions for dollars until the following Monday, claiming it was only because in times of high volume, they needed to process transfers via the traditional banking system. Despite their stated reason, this deepened fears about the stability of USDC, which is supported in part by Coinbase.

The price of USDC began to wobble on smaller, less liquid exchanges like Gemini and Kraken before the issue was reflected more widely. However, most exchanges were showing USDC trading at prices between $0.90 and $0.98 later that night — a noticeable departure from USDC's normally fairly steady peg.

A sustained de-peg would wreak havoc on the crypto industry, where USDC is the second largest stablecoin and boasted a $43 billion market cap (at least before substantial outflows surrounding the SVB concern). Other stablecoins even have exposure to USDC, with both FRAX and DAI using USDC for significant portions of their collateral.

Coinbase pauses redemptions of USDC for dollars

The collapse of the Silicon Valley Bank on March 10 led to concerns over the stability of the stablecoin USDC, after it was revealed that a portion (later specified at $3.3 billion) of its cash reserves was kept with SVB. This led to somewhat of a run on USDC, which began wobbling from its dollar peg down to as low as $0.95 on some exchanges.

On the evening of the tenth, Coinbase announced that they would be "temporarily pausing USDC:USD conversions over the weekend while banks are closed," stating that "during periods of heightened activity, conversions rely on USD transfers from the banks that clear during normal banking hours".

"Your assets remain safe & available for on-chain sends," they said: cold comfort for those who are afraid their USDC may not be worth $1 come Monday.

Coinbase is one of the firms behind USDC, and its decision to stop processing redemptions is likely to add to the concern over the stablecoin's... stability.

Coinbase fined $3.6 million by Dutch central bank

The Dutch central bank levied a €3.3 million ($3.6 million) fine against Coinbase, which began operating in the Netherlands without properly registering. The fine is reportedly unusually large, because of Coinbase's prominence and because it had accumulated a significant number of Dutch customers without the proper registration. Coinbase had been noncompliant from November 2020 to August 2022.

Coinbase lays off nearly 1,000 people in second round of layoffs over the last year

After laying off 1,100 people in an 18% staffing cut in June 2022, Coinbase CEO Brian Armstrong wrote that "in hindsight, we could have cut further at that time." The company announced that they would be laying off around 950 people, which is approximately 20% of their employees.

Like the first round of layoffs, they were performed via email to employees' personal emails, because access to internal systems had already been cut off. The public blog post acknowledged that the strategy "feels sudden and harsh".

Coinbase settles with New York regulators, set to pay $100 million

Coinbase agreed to a $100 million settlement with the New York State Department of Financial Services over charges that the company violated anti-money laundering laws by performing insufficient background checks. Coinbase will pay a $50 million fine, and has committed to spending another $50 million to strengthen its KYC program.

Early last year, Coinbase was ordered by regulators to hire an outside monitor to oversee compliance. Under the settlement agreement, Coinbase will be required to continue the monitoring for at least another year as it works to improve its compliance.
