Exclusive: Coinbase victims speak out as breach, brazen hackers and a culture of silence collide
Each victim tells a nearly identical story of loss, heartbreak, and feeling ghosted by a company promising trust.
***A version of this story originally ran in USA Today***
Over the past few weeks, I’ve spoken with dozens of victims of a stunningly sophisticated account-draining scam — exploiting trust, technology, and a massive data breach at Coinbase, the largest crypto exchange in the United States.
Each victim tells a nearly identical story of loss, heartbreak, and feeling ghosted by the company that promises to be "the most trusted place for people and businesses to buy, sell, and use crypto …"
Just reading that statement on the company’s homepage now makes many of them feel physically ill. And the added banner across the top of the homepage warning about social-engineering scams? Far too little, too late for a nearly $63 billion company that recently made the Fortune 500 list and could have — should have — sounded much louder alarms months ago.
Other journalists have done significant work documenting the breach itself—how it happened, who orchestrated it, what Coinbase knew, and when.
This is not a story about the hackers. It’s a story about the people who got hurt.
People often stereotype crypto investors as reckless, young, or greedy. But the people I’ve interviewed are teachers, engineers, business owners, and parents. They are smart, cautious, and aware of how online scams work. They followed the rules. They double-checked URLs. They asked the right questions. And still, they lost everything: down payments for homes, retirement funds, and the belief that anyone was looking out for them.
Many of the people I spoke with asked that we not use their full names due to concerns about reputational harm or possible retargeting. They agreed to be identified by their initials.
‘Why didn’t anyone warn us?’
DR started learning about investing when he was 13 with the goal of building something big. By 32, he had more than $100,000 in his Coinbase account. It was supposed to be his generation’s Apple stock.
Then, in early May, came a flurry of warnings — emails from spoofed Coinbase.com addresses, suspicious activity alerts, and a barrage of phone calls. When he finally picked up, the man on the other end introduced himself as “Jacob Williams,” a security employee at Coinbase. He sounded official. Still, DR said he cautiously “grilled him,” and demanded extensive proof.
“Williams” sent a verification email that appeared to be from a Coinbase.com address to DR’s Coinbase-linked Gmail account (that DR did not give the hacker over the phone). He sent an official-looking email that even fooled anti-scam software.
He also instructed DR to check his Gmail Sent folder. Sure enough, there were emails there to help@coinbase.com that he did not write. DR thought this was the important “proof” that someone had hacked his Coinbase account and maybe even his Gmail account. (How the hackers gained access to DR’s Gmail is still unclear.)
“I thought I was being very cautious,” DR told me. “I asked all the right questions. This guy knew every detail of my account, inside and out.”
The caller instructed DR to use a "whitelisted" account to protect his funds. That’s an account that DR set up with additional security features within his Coinbase Wallet app.
“There’s no way anyone could have seen all of that unless they had internal access,” DR said.
The hacker watched and commented on it all in real time, even though DR claims he never handed over passwords, seed phrases, or any other information that could have given the hackers direct access.
“They had my name, my driver’s license, and the last four digits of my Social Security number. They even mimicked official Coinbase warnings. It was terrifying,” DR added.
When DR finally hung up and called Coinbase support to confirm that he had now locked down his account, a customer service agent told him that he had fallen for a scam and there was nothing they could do. They advised him to file a police report with his local authorities.
‘I’m afraid for my family’
FK, an experienced tech entrepreneur in Silicon Valley, shared a similarly devastating story.
“They knew everything. My transaction history, my recent logins, even which tokens I’d moved and when,” he said over the phone. “The shame is unbearable. I know the industry, the history of scams, and had all the security measures in place.”
One moment from the call still haunts him: “How do I tell my wife that we had hundreds of thousands of dollars stolen over the holidays?”
This isn’t just tech. It’s trauma.
Erin West, a former prosecutor and founder of Operation Shamrock, said the fears about reputational harm or re-targeting are valid. She’s now working with more than 60 victims, including 39 who responded within minutes of an initial outreach to her network late last month.
“People have been plunged into incredibly dark places,” West said. “They’ve lost life savings, identity security, and trust in digital systems. The damage isn’t just financial—it’s emotional and deeply personal.”
One of the highest-profile victims is 67-year-old Los Angeles artist Ed Suman, who told Bloomberg he lost more than $2 million in crypto after a fake Coinbase support call. The attackers convinced him that even his “cold wallet” was compromised.
“The most effective thing Coinbase could have done was email customers and say, 'There are scammers impersonating us,'” Suman said. “Instead, they were woefully remiss.”
A Coinbase spokesperson told me they have warned customers, most notably in blog posts on the company website under the topic “Consumer Protection Tuesday.” There have been 20 of those articles posted since December 2024. He also pointed to warnings shared from its Coinbase Support account on X and YouTube accounts and said that anytime Coinbase learns of a breach, it files “in accordance with all state and federal laws, and all are publicly available.”
In addition, the spokesperson said that the company contacts anyone affected by the breach immediately.
The breach that broke the trust and set the stage for more sophisticated scams
On May 15, Coinbase filed a notice with the Maine Attorney General: nearly 70,000 customers had been affected by a breach. Using stolen data, such as government IDs, phone numbers, emails, and account histories, criminals launched targeted social engineering attacks.
A class-action lawsuit in the Southern District of New York filed late last month shows a breach with vendor TaskUs in India and claims Coinbase executives knew about it as early as January.
That suit is one of at least 13 class actions now pending.
One investor alleges Coinbase delayed the breach disclosure to avoid a stock drop. Other litigation encompasses a wide range of issues, including biometric privacy violations, pig-butchering scams, and account lockouts.
Bloomberg Law confirmed that even high-profile industry figures, like Sequoia Capital’s Roelof Botha, had their data compromised.
Coinbase told us they cannot comment on any pending litigation.
TaskUs later confirmed it had terminated at least two employees for illegal access and disclosed the activity to Coinbase.
A TaskUs spokesperson said the company believes the employees were recruited as part of a larger criminal campaign.
“We immediately reported this activity to the client [Coinbase], terminated the individuals involved, and are coordinating with law enforcement. Out of an abundance of caution, TaskUs ceased all Coinbase operations in Indore, India, in early January 2025, impacting 226 teammates. Following the investigation, all teammates excluding the two bad actors, were offered a generous severance package, including six months of pay,” the spokesperson said.
“We place the highest priority on safeguarding the data of our clients and their customers and continue to strengthen our global security protocols and training programs, including by investing millions of additional dollars in physical and information security.”
What Coinbase knew — and when
Erin West is blunt: “This didn’t start in May. I had victims calling me last August.” She said Coinbase ignored numerous warning signs. “Instead of alerting customers or locking down systems, they waited. They updated their terms of service — quietly — limiting customers’ rights to participate in class-action lawsuits. And people, to this day, keep getting hit.”
FK’s attack happened in late December. Ed Suman’s came in March. DR’s hit in early May.
When FK lost almost $400,000, he reported it immediately to Coinbase, the FBI, and local police. He followed up dozens of times. All he heard back was, “all transactions confirmed on the blockchain are final.”
Then, in late May, after he saw the news of the breach, he reached back out to Coinbase again. He said this time, a Coinbase customer service representative told him, “more than a million accounts have possibly been affected going back to November 1 of 2024.”
FK said the same support agent told him to “be patient, that it might take a while for the company to alert all of the people possibly involved.” In the meantime, his crypto holdings would be worth nearly $625,000 today.
Who decides who gets paid back?
A Coinbase spokesperson wrote to me in an email that “all impacted customers have already received an email from no-reply@info.coinbase.com; all notifications went out at 7:20 a.m. ET on 5/15 to affected customers.”
When I asked for further clarification and explained that none of the victims I spoke with received emails from Coinbase on May 15, he offered to escalate their cases to the support teams. Then he added,
“But important to note we will reimburse anyone who sent their funds to the attacker as a result of this incident. If a customer was not part of this incident and was socially engineered to send funds to a scammer, that would not fall into the refund.”
On June 3, both DR and FK received notice that Coinbase will not reimburse them because their personal information “was not exposed in the recent incident.”
Neither victim understands how the scammers could have accessed their personal information without insider access. They followed security protocol. They didn’t share private keys. But hackers still emptied their wallets.
“The hackers sucked the funds out of my wallet without my consent to Roobet, a crypto gambling site in Curaçao,” FK explained. “I did not initiate that. They did. Because I never shared my private key or seed phrase with them. They had backdoor access to my actual Coinbase Wallet.”
But here’s something I just learned: Every transaction you make on public blockchains like Bitcoin or Ethereum is completely transparent, and anyone can look it up. If someone gains access to your wallet address, they can see what you’ve sent and received, when those transactions happened, and which platforms or smart contracts you’ve interacted with. They can’t always see exact dollar amounts or what you “bought” in the traditional sense — but they can trace your balance and behavior.
In crypto, your wallet address is like your phone number, bank routing number, and purchase history — all rolled into one. And if it’s ever linked to your real identity, your entire transaction history becomes searchable.
DR and FK still maintain the only way anyone could have gotten their wallet addresses is through a Coinbase breach, but most people investing in crypto right now have no idea how exposed they really are.
All of this comes at the same time the current administration is easing restrictions on cryptocurrency trading in the United States.
“This is their chance to do the right thing in a very public way,” DR said. “It’s like crisis communications 101. I’ve heard that they want people to sign NDAs and drop any future legal action in order to get reimbursed. I would do that in a heartbeat,” he added. FK agreed. “That’s all I want, for Coinbase to do the right thing.”
‘Coinbase should have sounded the alarm immediately’
“Coinbase should have sounded the alarm immediately,” cybersecurity expert Richard Blech told me over the phone. He said other major crypto exchanges, like Binance and Kraken, faced the same kind of social-engineering attacks but blocked them before hackers could steal any customer data.
“That’s the difference a real zero-trust system makes,” Blech said. “In a setup like that, this kind of breach either doesn’t happen — or it gets shut down fast.”
He called Coinbase’s failure a collapse of digital architecture. “This wasn’t just a breach,” he added. “It was a betrayal of trust. And in crypto, trust is the product. Lose that, and you lose everything.”
Everyone’s asking the same questions now: Why didn’t Coinbase send out a warning months ago? “The only emails I have from them are promotions,” FK said.
Why didn’t they take out full-page ads on popular investor channels during the bull run, send in-app alerts, email mass notifications urging customers to be cautious, or go one step further than posting their own warnings on social media and engage with influencers on platforms like YouTube, X, and TikTok to get the word out?
Coinbase estimates the most recent breach will cost up to $400 million in reimbursements, legal costs, and security upgrades. But no one knows how they’re deciding who to “make whole” again.
The bigger problem: 'It’s the wild west all over again'
Crypto scams aren’t new. However, the scale and precision of this latest spate sets a new standard — and serves as a warning to everyone who banks online.
The breach didn’t unlock Coinbase’s crypto vaults. It didn’t have to. With enough stolen data, scammers created the illusion of safety and authority.
They sounded American. They used Coinbase’s scripts. They shared scam tactics over Discord and Telegram. They were organized and, at times, bragged about their exploits.
And just as the breach became public, the Department of Justice shut down its National Cryptocurrency Enforcement Team — the only federal group built to stop scams like this.
“It’s the Wild West all over again,” West said. “And good people are paying the price.”
What you can do now
Victims want answers. They want Coinbase to:
Make the reimbursement process transparent
Follow through and do what they claim on their website to harden security and track stolen funds
Be much more vocal and prolific with scam warnings
Reverse the Terms of Service updates that limit consumer rights
And most of all, they want people in charge at Coinbase to realize they’re just like them, not nameless, faceless “users.”
What you can do
Join a class action: Law firms like Milberg are pursuing cases.
File a complaint: With the SEC, FTC, or your state attorney general.
Talk to a tax professional: Some losses may qualify for deductions.
Contact Operation Shamrock: For advocacy and support.
To protect yourself
Use app-based or hardware 2FA
Don’t give your wallet address to anyone, ever. This is critical.
Never move funds based on a call or email
Set withdrawal allowlists on exchange accounts
Use a hardware wallet like Ledger or Trezor for long-term holdings
Don’t download remote-access apps unless absolutely necessary
And finally: demand accountability.
This story isn’t over. But hopefully the people who refuse to slink away and remain silent will get a chance to rewrite it—for good.
Jennifer Jolly is an Emmy Award-winning consumer tech columnist and on-air contributor for “The Today Show.” The views and opinions expressed in this column are the author's and do not necessarily reflect those of USA TODAY. Contact her via Techish.com or @JennJolly on Instagram.
This story has been updated to correct a key point at the top of the article and correct and add information from a TaskUs spokesperson.