Welcome Avatar! The entire purpose of the DeFi Education newsletter is to help you realize all the benefits of the crypto economy without depending on intermediaries or putting your assets at high risk of theft. In today’s post we’ll cover why nobody needs to use Coinbase.
We’ve interrupted our scheduled coverage for today due to major breaking news that Clownbase had such poor internal security that *offshore* customer service agents had full access to the following Coinbase customer data, which has now been leaked to organized crime group(s):
Full legal name
Home address
Government‑ID images (e.g., driver’s license, passport)
Account balance and linked bank account information
and more…
Although the attackers have had access to customer data since at least January 2025, the attack was only made public today.
KYC = Kill Your Customer
This isn’t hyperbole. There’s a fair chance that a Coinbase customer affected by this security breach is actually killed in a botched robbery/kidnapping at some future time.
Personal data of crypto users is highly sought after by criminals. It marks you as owning high-value, easily transferable assets that they can steal by torturing you or your family.
Woman escapes botched kidnapping in Paris as gangs target crypto wealth
PARIS, May 14 (Reuters) - French prosecutors are investigating after a masked gang tried to kidnap the daughter of a crypto businessman in Paris in what is at least the third violent attack targeting wealthy crypto players and their families in recent months. (source)
We’ll translate the corporate crisis management from the PR announcement:
Criminals targeted our customer support agents overseas.
Sensitive personal data including copies of ID documents belonging to American customers was sent overseas because corporate America is addicted to cheap labor.
convince[d] a small group of insiders to copy data in our customer support tools
All the most sensitive KYC information, including home addresses and copies of government IDs, was just kept “on the system” for almost any low-level customer service employee to access at will. Printing a hard copy and keeping it in the US, under strong physical security, with access only by the compliance team would have been too much effort. (Thanks to Adam Cochran for his notes on securing KYC information properly.)
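The least-privilege point above, as an added example that is not the newsletter's own code and not anything Coinbase runs: a small Python policy check that serves a KYC record according to the requester's role and work location. Support agents get a masked view with no ID image or address, compliance staff working in the home jurisdiction get the full record, and every decision is written to an audit trail. The roles, the "US" home region and the sample record are all assumptions.

```python
from typing import Dict, List, Optional

# Constructed sample: one KYC record as a support tool might hold it.
KYC_RECORD = {
    "customer_id": "c-1001",
    "full_name": "Jane Example",
    "home_address": "1 Example Street, Springfield",
    "id_number": "D1234567",
    "id_image_ref": "blob://kyc/c-1001/passport.jpg",
    "balance_usd": 250000.0,
}

# Assumed policy: the fields each role may see, and whether the requester
# must sit in the record's home jurisdiction (assumed to be "US" here).
POLICY = {
    "support_agent": {"fields": {"customer_id", "full_name"}, "in_region_only": False},
    "compliance":    {"fields": set(KYC_RECORD), "in_region_only": True},
}
HOME_REGION = "US"

AUDIT_LOG: List[Dict[str, str]] = []


def mask_id_number(value: str) -> str:
    """Keep only the last two characters, enough for an agent to confirm a caller's document."""
    return "*" * (len(value) - 2) + value[-2:]


def view_kyc(record: dict, role: str, requester_region: str, requester: str) -> Optional[dict]:
    """Return the subset of the record the requester may see, or None if access is denied.
    Every decision, allowed or denied, is appended to AUDIT_LOG."""
    rule = POLICY.get(role)
    allowed = rule is not None and (not rule["in_region_only"] or requester_region == HOME_REGION)
    AUDIT_LOG.append({"requester": requester, "role": role, "region": requester_region,
                      "customer": record["customer_id"], "decision": "allow" if allowed else "deny"})
    if not allowed:
        return None
    view = {k: v for k, v in record.items() if k in rule["fields"]}
    # Agents get a masked document number for caller verification, never the image or address.
    if role == "support_agent":
        view["id_number"] = mask_id_number(record["id_number"])
    return view
```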
less than 1% of Coinbase monthly transacting users [affected]
The criminals probably targeted only the rich customers who are worth robbing/extorting/kidnapping in real life. We’re relieved that the majority of our customers probably won’t be affected or care. Saying “less than 1%” makes it sound trivial rather than a major failure by “the most trusted exchange”.
Their aim was to gather a customer list they could contact while pretending to be Coinbase—tricking people into handing over their crypto
We’ve no clue what their aims are or what they will do with the data, but we want customers to think “if I’m not stupid enough to send money to hackers pretending to be Coinbase staff then I wasn’t affected”. It’s obvious that the data has been, or will be, sold to groups who are willing to risk in-person attacks to steal cryptocurrency. Our business depends on the average user not realizing this. Even though they tried to ransom the data for $20 million, we’re not going to say that their aims could include selling the data. That would scare customers.
What they didn’t get
They’ve got copies of your ID docs, can impersonate you in KYC processes and financial transactions, they know how much crypto you own and where you live, but don’t worry they don’t have the 2FA code to log into your Coinbase account (if you’re still dumb enough to keep any money with us after this).
If your data was accessed, you have already received an email from no-reply@info.coinbase.com; all notifications went out at 7:20 a.m. ET on 5/15 to affected customers.
Self explanatory.
Extra customer safeguards — Flagged accounts now require additional ID checks on large withdrawals
Some affected customers are capable of making large withdrawals.
How we’re responding to the criminals…$20 million reward fund
Our executive team loves Mel Gibson movies and fancies playing hero. The attackers will need to raise the $20 million ransom by selling customer data on the black market.
Closing The Barn Door…
If you’ve had the email from no-reply@info.coinbase.com your KYC info was stolen by criminals who will sell it to other criminals who will try to harm you.
If you didn’t get the email, but you’re getting a bunch of scammy text messages about your Coinbase account to the phone number you signed up with…
The purpose of this post is to make readers aware of the realistic - not movie plot - dangers of KYCing for any crypto transaction. If you’re rich on-chain and you KYC linked wallets then in our opinion it’s only a matter of time before highly organized criminal groups (mafias, cartels) target you for physical robbery/extortion. Anyone who is rich or plans on getting rich should think ahead and avoid this awful scenario.
(no we’re not paranoid, this stuff actually happens, here is an incomplete but actively updated list of real world attacks on crypto owners: https://github.com/jlopp/physical-bitcoin-attacks )
If you are already “outed” as working in crypto or you’ve been affected by a data breach the only sensible solution is to hire private security for yourself and your family for…the rest of your life. We hope you can afford it. The alternative doesn’t bear thinking about.
Although we’re not optimistic about the outcome of suing Coinbase over this incident, we’re pleased to report that at least one class action has been filed over the data breach (US District Court for the Northern District of California). Accountability or even justice? No. But it might impose some minor cost for corporate carelessness.
And yes, we’ve already dumped the stock.
Alternatives To Centralized Exchanges
Nobody needs Coinbase. Decentralized Finance provides alternatives for all products:
1. Investing in Major Coins (BTC/ETH/SOL) - Self Custody
Self custody is the answer. Simply set up a wallet you control. Everyday transactions and small investments can be done using a “hot” wallet in your browser or mobile phone, paired with a hardware wallet for added security. Significant assets are secured in cold storage. This can be done with state of the art security even for private individuals: use a diverse range of hardware wallets and battle-tested, cryptographically secure multi-signature accounts. There is no reason to trust a third party with your crypto; this defeats the entire purpose: not your keys, not your coins.
2. Investing in Major Coins (BTC/ETH) - Crypto ETFs
Self custody isn’t for everyone. Maybe you need to keep your assets in a tax-sheltered account or have other good reasons for preferring secure third party custody where your rights are protected by laws, not private keys which you need to secure. The spot ETFs for Bitcoin and Ethereum give you all the benefits of institutional custody with none of the KYC risk of holding a Coinbase account. Whether you invest in Bitcoin through BTC held on Coinbase or BTC held in trust by custodians for the IBIT ETF you don’t really own crypto, just a paper IOU. But you can benefit from exposure to the sector.
3. Staking
Centralized exchanges offer yield on staked crypto via operating Proof of Stake validators. But. You can stake your own crypto this way by either renting a server and installing some software, or by delegating your stake to another organization. This can all be done from self-custody without intermediaries.
4. Yield
Centralized exchanges like Coinbase offer yield on dollar/stablecoin deposits. But did you know you can achieve the same (or even better) yields by depositing your cryptoassets in battle tested Decentralized Finance protocols like Aave? When you use DeFi you keep control of your assets in your personal wallet, not exposed to any custody risks, and you don’t need to share your personal information, home address, or government ID to earn interest. You can lend out (and borrow) a range of cryptocurrencies through DeFi money markets.
5. Altcoin Investing
Thanks to Automated Market Maker technology and CEX-DEX arbitrageurs you can swap almost any crypto asset for almost any other crypto asset entirely “on-chain”, without the assets ever leaving your custody. This makes trading spot altcoins through centralized services like Coinbase obsolete. In many cases you’ll save money due to the high fees charged by CEX companies to “retail” users, which can be as high as 1% of the transaction value.
6. Futures Trading
To achieve capital efficient / leveraged exposure to a long-short portfolio of coins, or simply to magnify gains (and losses!) of a portfolio, decentralized finance provides best in class futures trading solutions which are on par with or better than trading services offered by Coinbase and other Tier 1 CEX competitors.
While Coinbase was boasting about adding 4 hour bar intervals to the retail charting package and failing to secure customer data, a professional high frequency trading team turned startup founders created Hyperliquid, a completely anonymous and transparent peer to peer decentralized spot and perpetual futures exchange.
This product settles multiple billions of dollars of trade value every single day, every day of the year, securely using its own blockchain secured by the native token HYPE (valued at $25 billion, just under half of Coinbase equity value).
7. Fiat to Crypto Ramps
DeFi solutions are catching up. Bisq is a fully peer to peer platform for buying and selling Bitcoin using any of the major / G8 fiat currencies. We’ve a full guide on using it for paid subscribers here.
How To Stay Safe When Using Crypto
Our #1 long standing recommendation has been to never, ever KYC.
Stay anonymous. It’s why we’re all cartoon avatars. If you’re going to get rich in crypto it’s a very bad idea to have your real name out there, let alone copies of your government ID, SSN, and home address.
This means using anonymous on and off ramps, exchanging crypto by trading goods or services, or getting free crypto by being an early user of various crypto projects (airdrop farming).
Instead of trading on a centralized exchange like Coinbase, you can manage your assets in various battle-tested, high-value DeFi protocols which are much more secure and don’t require your personal information. Hyperliquid, Aave, and Uniswap are blue chip examples, but there are many more protocols we use and recommend.
Our second recommendation is not to link your wallets to your social media profiles, as these companies already know too much about you and are trivial for hackers to access. Create anon profiles if you need to talk about crypto online.
Third, use a VPN (full guide to do this correctly) to obscure your physical location from crypto related service providers (and the people who advertise on their websites), and to hide from your ISP and anyone on your network that you are accessing cryptocurrencies.
We go deep into the weeds on security, from reviewing different hardware wallets and multi signature wallet strategies to customizing software and operating systems specifically for crypto. We answer security questions twice a month in our Q&As for paid subscribers.
Our advice has kept our readers and their financial assets safe for four years.
If you’re serious about crypto and want to dig into the details become a paid subscriber today.
Disclaimer: None of this is to be deemed legal or financial advice of any kind. These are opinions from an anonymous group of cartoon animals with Wall Street and Software backgrounds.
We now have a full course on crypto that will get you up to speed (Click Here)
Security: Our official views on how to store Crypto correctly (Click Here)
I work in FinTech and the amount of data customer service agents have is extensive. Full name, address, email(s), phone(s), masked social, DL numbers. A lot of it is to validate customer info when they call in, for example. But having full picture IDs available for agents? That's insane.
How do we cash out in the USA without going through KYC?