Coinbase, the largest US-based crypto exchange, confirmed that attackers had stolen customer data, including government-issued IDs, of a “small subset” of users. The attackers didn’t exploit code or break into the wallets. They simply bribed insiders.
According to the report(nieuw venster) Coinbase filed with the Securities and Exchange Commission, attackers paid contractors and employees to smuggle user information out of Coinbase’s internal systems.
The stolen data includes:
- Full names, home addresses, phone numbers, and email addresses
- The the last four digits of Social Security numbers (SSNs)
- Masked bank account numbers and some bank account identifiers
- Scans of government-issued IDs(such as photos of driver’s licenses and passports)
- Account data (such as balance snapshots and transaction history)
No BTC or other cryptocurrency was stolen, and Coinbase says no passwords or private keys were compromised. Still, the company anticipates it will have to spend $180 million to $400 million to reimburse customers and generally remediate the incident.
The company only became aware of the breach on May 11, when it received an email from the attackers asking for $20 million or they’d publicly disclose the stolen user information. The US Department of Justice announced it will investigate the incident(nieuw venster).
Why does this matter?
This breach isn’t about financial damage — it’s about the risks of centralization. Even if no BTC was stolen from Coinbase, the leaked personal information exposes the affected users to:
- Identity theft via SSNs and ID scans
- Phishing attacks using BTC transaction history and balance information
- Surveillance and profiling by anyone who buys or leaks this data
When exchanges hold your identity, transaction history, and account metadata, they create a map of your financial behavior. When they fail to secure that map, then attackers can exploit it.
You can’t leak data you don’t collect
This regrettable incident underlines the issues that arise when companies collect unnecessary information on their users: They must then secure it.
Some information must be collected to comply with government regulations, but exchanges do not do enough to secure this data. And there is no reason for support staff to be able to see bank account identifiers, BTC balances, or transaction history.
At Proton, we believe the best way to protect your information is to not collect it in the first place. Compare the list of information that Coinbase support staff had access to with the information the Proton Wallet Support team can see:
- Email address
That’s it.
We don’t ask for or store your government ID. We cannot see your account balance or transaction history because it is securely encrypted.
Crypto exchanges are part of the problem
Coinbase’s breach is symptomatic of the larger issue with custodial crypto exchanges. They are rebuilding the financial surveillance system that Bitcoin was designed to escape.
People turn to Bitcoin to opt out of banks, but how is that different from a centralized crypto exchange holding your BTC?
People choose Bitcoin for pseudonymity and sovereignty, but then must share their ID, transaction history, and other personal information with the exchange.
Choose Proton Wallet to reclaim your sovereignty
This is precisely the issue Proton Wallet is attempting to solve. Not only do we give you control of your BTC, we minimize the data we collect and encrypt as much of it as possible. We do not store your BTC transactions and your notes and messages are all end-to-end encrypted before being sent to our servers, so Proton does not know your transaction history or balances.
And Proton Wallet is open source(nieuw venster), so you can verify it does exactly what we claim.
In an industry built on speculation and surveillance, we’re building something different — an encrypted, decentralized future where you are in control.
