OPINION: I’m sure the PR team at Coinbase are high-fiving each other for a job well done with their recent self-aggrandizing ‘Protecting Our Customers – Standing Up to Extortionists’ blog post. They shouldn’t be.
Coinbase wants credit for cleaning up a mess it created. In a blog post published this week, the company detailed a serious data breach involving the theft of customer information — but the real story is how easily the breach occurred, and how hard Coinbase is now trying to spin the incident into a PR win.
The facts are these: Coinbase customer support agents were bribed by cybercriminals to hand over sensitive customer data — names, addresses, contact details, masked social security numbers, bank information, and even government ID images. Armed with this, the attackers carried out social engineering scams targeting Coinbase users and demanded a $20 million ransom from Coinbase to cover it up. Coinbase says it refused to pay — instead setting up a $20 million “bounty” for information leading to the attackers’ arrest. Heroes, right?
But let’s be clear: this wasn’t a clever external hack. It was an inside job enabled by weak internal controls, poor operational oversight, and an overreliance on offshore support staff. Coinbase goes out of its way to blame “rogue overseas support agents,” as if geographic distance from ‘America’ somehow implies moral deficiency. I’m sure these rogues were all highly valued employees… before they weren’t. That’s not just lazy — it’s deflection.
If Coinbase outsourced support roles to cut costs or to scale globally (as every crypto exchange that wants to go global as badly as they do must), it also bears the responsibility for vetting, training, and securing those very staff. Don’t blame the agents for being overseas. Blame the company for leaving the gate open.
Now, in the aftermath, Coinbase is rolling out a laundry list of security measures — opening a U.S. support hub, strengthening monitoring tools, implementing “scam-awareness prompts,” and adding withdrawal ID checks. All of which begs the obvious question: Why weren’t these protections in place years ago?
Coinbase has been around since 2012. Let me say that again – 2012. The company has been around for every kind of crypto scam, hack, rug pull, and phishing campaign imaginable. The idea that only now — in 2025 — it’s building institutional-grade internal threat defenses is stunning. These are not “enhancements.” These are belated repairs to a roof that was obviously leaking. The barn door isn’t just open — the horses are halfway around the world.
And then there’s the sleight-of-hand: the chest-thumping pronouncement that Coinbase Prime wasn’t affected, as though that proves something about its superior architecture. Maybe it is better. Or maybe it just got lucky. Either way, the implication is clear: if you’re a whale, you’re fine. If you’re a retail user, sorry — but we will reimburse you and expect a thank-you note.
And of course, don’t forget the number fudging and minimization. Coinbase says data from only “a small subset of customers” was compromised. They say it was “less than 1% of Coinbase monthly transacting users”. Oh, well that’s basically nobody, right? Except if you have over 100 million customers (which Coinbase does) – 1% is a million people. Mmmm – quite the “small subset”. Hopefully they weren’t all “transacting” – whatever that means.
Yes, Coinbase says it will reimburse affected customers. That is not heroic. That is minimum accountability. When your own support agents hand over customer information to criminals, paying back lost funds is the least you can do. Don’t act like that’s a bold act of consumer advocacy.
Let’s also not ignore another chilling part of the disclosure: the attackers got hold of government ID images – from passports and driver’s licenses. That’s probably enough to open accounts, commit fraud, or harass victims. Coinbase glosses over this with corporate brevity — but for the “small subset”, that data is now permanently out there.
Coinbase wants praise for refusing to pay the ransom and instead creating a $20 million bounty. Hey guys – you’re a public company – of course you couldn’t cover it up. But this isn’t a Hollywood movie. The real issue isn’t whether they paid the bad guys — it’s that they let this happen in the first place.
In the crypto world, trust is currency. Coinbase has long marketed itself as the safe, compliant, institutional-grade exchange – and to be fair, most of the time they’re better than most at that. But this breach reveals something deeper: even after 13 years in the crypto business, with billions in custody and a public listing, Coinbase still wasn’t secure enough.
So no, this is not a victory lap. It’s a cautionary tale — not just for users, but for every crypto company that has grown faster than it has secured itself. Coinbase was breached by its own choices; it certainly doesn’t deserve a round of applause.
Source: https://bravenewcoin.com/insights/security-theatre-at-coinbase-after-the-breach-pr-spin-replaces-accountability