Coinbase Ordered to Pay $618,000 After Cyberattack Linked to Data Breach

In a detailed final award issued in December 2025, an arbitrator ordered Coinbase to pay more than $618,000 to an investor whose account was taken over and drained following a sophisticated cyberattack. The ruling is notable not only for the size of the award, but for the arbitrator’s blunt assessment of Coinbase’s conduct, credibility, and failure to protect customer data.
The case provides a rare, inside look at how crypto exchanges actually respond when customers report fraud — and why arbitration panels are increasingly unwilling to accept boilerplate defenses blaming customers for account takeovers.
The Cyberattack and Account Takeover at Coinbase
The dispute arose after an investor’s Coinbase account was compromised over several days in January 2024. During that time, unauthorized actors gained access to the account and liquidated nearly all of the investor’s cryptocurrency holdings. The stolen assets included Bitcoin, Ethereum, and other digital tokens, with total losses exceeding $328,000.
The attack was not random. According to the arbitrator’s findings, the perpetrators possessed detailed, confidential information about the account — including balances, transaction history, and personal identifiers — which allowed them to convincingly impersonate Coinbase representatives and carry out a social-engineering scheme. The investor testified that the criminals used this information to gain his trust and facilitate the takeover.
Critically, the arbitrator found no evidence that the investor himself disclosed his private account information, acted recklessly, or contributed to the breach.
Coinbase’s Outsourcing and the May 2025 Data Breach
A central issue in the case was Coinbase’s decision to outsource customer support to an overseas contractor. Evidence showed that personnel associated with that contractor had access to highly sensitive customer information, including account balances and identifiers.
The arbitrator concluded that this outsourcing decision — and the breadth of information shared — created the conditions that allowed customer data to be leaked, sold, and ultimately weaponized by cybercriminals. In the arbitrator’s words, Coinbase’s conduct “set in motion the causal link that resulted in the account takeover and ensuing losses.”
When Coinbase later issued a notice acknowledging that customer information had been accessed and shared by individuals performing services for the company, the arbitrator found that the notice confirmed what the evidence already showed: the attackers had insider-level information that could not have been obtained through ordinary phishing alone.
Failure to Investigate and Evasive Testimony by Coinbase
Perhaps the most damaging aspect of the decision was the arbitrator’s assessment of Coinbase’s response after the theft occurred. The arbitrator found that Coinbase “did not lift a finger to investigate” the root cause of the account takeover. Despite being the custodian of the investor’s assets, Coinbase failed to conduct a meaningful inquiry into how the breach occurred, whether internal systems were bypassed, or whether contractor personnel were involved.
Testimony from Coinbase’s Head of Investigations drew especially sharp criticism. The arbitrator described the testimony as “noticeably evasive,” “neither forthcoming nor credible,” and marked by an inability to answer basic questions about the incident. The arbitrator noted that Coinbase could not even confirm whether the investor’s confidential information had been compromised and sold — despite later acknowledging that customer data had, in fact, been accessed and shared.
This lack of investigation weighed heavily against Coinbase. As the arbitrator explained, a custodian entrusted with customer assets has a duty to investigate suspicious losses, not ignore them.
Coinbase’s Gross Negligence and Custodial Duties
On the claim of gross negligence, the arbitrator ruled decisively in favor of the investor. Under California law, gross negligence requires a “want of even scant care” or an “extreme departure from the ordinary standard of conduct.” The arbitrator found that Coinbase’s conduct met that standard.
The decision emphasized that Coinbase acted as a custodian of fungible digital assets and therefore owed a duty to take reasonable precautions to protect them. By sharing highly confidential account information with outsourced personnel — including account balances — and failing to safeguard that data, Coinbase deviated from the basic standards expected of an asset custodian.
The arbitrator went further, concluding that Coinbase’s decisions effectively spawned an illicit marketplace for customer data, allowing insiders to identify and target high-value accounts. According to the award, Coinbase “utterly failed in its duty to protect and maintain as private” its customers’ confidential information.
The arbitrator also found Coinbase liable for breach of contract and breach of the implied covenant of good faith. Coinbase’s own privacy policy represented that it would process personal information to prevent fraud, enhance security, and store customer data securely. The arbitrator concluded that these representations were violated when customer data was freely accessible to individuals who sold it to criminals.
In addition, the arbitrator found that Coinbase owed fiduciary duties to the investor as a custodial agent. Those duties were breached when Coinbase failed to act with reasonable care, allowed unauthorized trades to proceed despite warning signs, and continued to rely on email alerts even though it knew that email compromise is the primary driver of account takeovers.
The arbitrator noted that Coinbase never attempted to contact the investor by phone or text — methods far less likely to be compromised — even while large, anomalous transactions were occurring.
On misrepresentation claims, the arbitrator concluded that Coinbase knowingly or recklessly misrepresented its security practices, its role as a careful custodian, and its public promise to reimburse victims of social-engineering attacks. These misrepresentations, the arbitrator found, directly caused the investor’s losses.
The Award Calculation
The final award required Coinbase to pay:
- The full value of the stolen cryptocurrency
- An additional $150,000 for loss of use of funds
- Attorney’s fees
- Costs
In total, the award exceeded $618,000.
The arbitrator made clear that this additional compensation was warranted because Coinbase’s actions left the investor exposed to ongoing risk, including future attacks using the same compromised information.
Why This Decision Matters
This arbitration is significant because it rejects a defense strategy frequently used by crypto exchanges: blaming customers for credential compromise while ignoring institutional failures. The decision underscores several critical principles:
- Crypto exchanges acting as custodians owe real legal duties
- Outsourcing does not excuse data-security failures
- Failure to investigate fraud can itself constitute negligence
- Public promises to reimburse victims carry legal consequences
As cryptocurrency platforms continue to market themselves as secure, trustworthy alternatives to traditional financial institutions, arbitrators and courts are increasingly holding them to similar standards.
Do you want to sue Coinbase?
If you or a loved one lost cryptocurrency due to hacking, phishing, SIM-swap fraud, or an account takeover, do not assume Coinbase is immune from liability. Arbitration clauses, user agreements, and corporate denials do not eliminate your rights — especially when evidence shows failures in security, monitoring, or data protection.
Our firm represents victims of crypto fraud and financial exploitation nationwide. We understand how exchanges operate, how these attacks occur, and how to hold custodians accountable when they fail to protect customer assets.
If your crypto was stolen, time matters. Contact us today for a confidential consultation to evaluate your claims and protect your rights.