Milberg Files Coinbase Data Breach Class Action Lawsuit Affecting 70,000 Users

May 28, 2025

by Brian Eckert

Cryptocurrency may be the currency of the future, but security breaches remain a major barrier to widespread adoption—particularly for exchanges that store large amounts of customer data and funds.

Fears about crypto hacks were raised yet again in the recent Coinbase data breach, which affects nearly 70,000 customers and resulted in a Milberg Coinbase data breach class action lawsuit. Here’s what to know about the breach, the case, and what affected Coinbase customers can expect moving forward.

  • Coinbase disclosed a major data breach in May 2025 involving rogue overseas contractors who stole sensitive customer data for cybercriminals.
  • The stolen information includes names, Social Security numbers, bank details, and transaction histories.
  • Coinbase estimates its losses from the incident will range between $180 and $400 million.
  • Milberg’s class action lawsuit claims Coinbase failed to adequately protect user data, exposing nearly 70,000 customers to fraud and identity theft.
  • Crypto-related hacks are rising, with over $1 billion stolen in 2023 alone—many targeting centralized exchanges like Coinbase.
  • The breach wasn’t a technical exploit, but rather an old-school bribery scheme that compromised internal personnel.

Coinbase Suffers Security Incident

Coinbase, one of the world’s largest cryptocurrency exchanges and the largest U.S.-based exchange, suffered a security breach in May 2024 that exposed sensitive customer information and led to unauthorized fund transfers, the company revealed in a blog post.

According to Coinbase, cybercriminals “bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks.” The goal of the scheme was to “gather a customer list that they could contact while pretending to be Coinbase—tricking people into handing over their crypto.”

We’re cooperating closely with law enforcement to pursue the harshest penalties possible and will not pay the $20 million ransom demand we received. Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack.

The criminals reportedly tried to extort Coinbase for $20 million by threatening to leak the data, and Coinbase declined, instead establishing a $20 million reward fund for information “leading to the arrest and conviction of the criminals responsible for this attack.”

Coinbase is also offering to reimburse customers who fell prey to the scheme and were tricked into sending money to the criminals, in addition to one year of free credit monitoring and identity protection services.

What Information Was Stolen

A data breach filing with the Maine Attorney General’s office indicates that the breach occurred on December 26, 2024 but wasn’t detected until nearly six months later, on May 11, 2025. The filing describes the breach as “insider wrongdoing” and indicates that 69,461 Coinbase customers are affected.

An SEC filing about the cybersecurity incident states that the following information was compromised:

  • Names, addresses, phone numbers, and emails
  • Masked Social Security numbers (last 4 digits only)
  • Masked bank‑account numbers and some bank account identifiers
  • Government‑ID images (e.g., driver’s licenses and passports)
  • Account data (balance snapshots and transaction history)
  • Limited corporate data (including documents, training material, and communications available to support agents)

The stolen data did not include information that would allow the attackers to directly access accounts, funds, or Coinbase Prime, such as users’ login credentials, 2FA codes, or private keys, the company told customers in an individual notification letter and on its website.

Milberg’s Coinbase Data Breach Class Action Lawsuit

While Coinbase has yet to disclose how many customers were tricked into sending funds to cybercriminals, the company estimates in the SEC filing that remediation and reimbursements could total between $180 and $400 million.

This amount, however, does not take into account potential legal costs to the crypto exchange company, which faces a flurry of lawsuits over the data breach.

Coinbase’s failures to ensure that its servers and systems were adequately secure fell far short of its obligations and Plaintiff’s and Class members’ reasonable expectations for data privacy, jeopardized the security of Plaintiff’s and Class member’s Personal Information, and exposed Plaintiff and Class members to fraud and identity theft or the serious risk of fraud and identity theft.

On the same day that Coinbase disclosed the breach, Milberg filed a class action complaint in U.S. District Court for the Northern District of California. The Coinbase data breach class action lawsuit seeks statutory, punitive, and monetary damages based on claims that the platform inadequately protected customers’ personal information and has not done enough in the wake of the breach to protect those affected.

“Though Coinbase continues to claim that ‘security and transparency are core to Coinbase,’ it provides a paltry amount of information concerning the Data Breach on its website, and does not position impacted individuals to protect themselves against fraud and identity theft,” the complaint states. “Indeed, it is clear that Coinbase customers (and perhaps others) have already experienced the fallout of the Data Breach.”

Who Can Join the Class Action Lawsuit and What They Could Recover

Plaintiff Allen Shakib, a Coinbase customer and victim of the data breach, brings claims of negligence, breach of implied contract, and unjust enrichment over alleged security flaws that “run afoul of industry best practices and standards” on behalf of himself and the following putative nationwide class:

  • All residents of the United States who were impacted by the Data Breach, including all persons who were sent notice by Coinbase that their Personal Information was compromised as a result of the Data Breach.

The Coinbase data breach class action lawsuit seeks actual and statutory damages, punitive damages, and monetary damages “to the maximum extent possible.”

Eligible class members may be able to recover money for losses such as stolen cryptocurrency funds; costs incurred due to identity theft (e.g., account recovery and unauthorized transactions); lost access to assets, including situations where users were locked out of accounts; and time and expense spent mitigating harm (like credit monitoring, securing new accounts, and lost work hours).

Milberg Senior Partner Gary Klinger is representing the plaintiff and the class. Mr. Klinger, one of the most well-known and respected data privacy attorneys in the country, has settled more than thirty class actions involving privacy violations as lead or co-lead counsel.

Over a recent 3-year period, Milberg privacy attorneys have settled more than 50 class actions in state and federal courts across the country as lead or co-lead counsel—more than any other plaintiffs’ class action firm.

Crypto Theft and Data Breaches on the Rise

Cryptocurrency has become increasingly mainstream, moving beyond its early adopter phase and gaining traction with both retail and institutional investors.

Proponents argue that the blockchain on which crypto operates is secure. But high-profile thefts on crypto exchanges and platforms in recent years have raised security concerns and slowed crypto payment adoption. And the attack on Coinbase is a reminder that the weakest link in exchange security is often humans.

More than 37% of investors identified security risks as the main barrier to using cryptocurrency for payments, according to a March 2025 survey from Bitget Wallet.

Centralized exchanges like Coinbase have become prime targets for cybercriminals. In 2024, the cryptocurrency industry witnessed a significant surge in hacking incidents.

Chainalysis reports that funds stolen through crypto hacks increased by approximately 21% year-over-year, reaching $2.2 billion. The number of individual hacking incidents also rose from 282 in 2023 to 303 in 2024. Major 2024 incidents included a $305 million theft at Japan’s DMM Bitcoin exchange and a $235 million loss at India’s WazirX.

  • The largest crypto hack to date took place in 2022, when approximately $625 million worth of Ether and USDC was stolen in the Ronin Network breach linked to Axie Infinity.
  • In August 2021, a vulnerability in the Poly Network decentralized finance platform was exploited, leading to the theft of over $600 million.
  • A hack of the Binance crypto exchange in October 2022, linked to an exploit of the BSC Token Hub cross-chain bridge, produced estimated losses of $570 million.

Sources say that Binance and Kraken, two major cryptocurrency exchanges, were recently targeted by social engineering hacks similar to the one on Coinbase. Such attacks have increased in the crypto sector over the past two years and represent a “notable evolution in cryptocurrency hacking strategies from direct technical exploits to targeting human vulnerabilities,” writes Tech in Asia.

As hackers evolve from codebreakers to con artists, even the most advanced platforms can be compromised—not by flaws in the blockchain, but by human vulnerabilities. And as this case shows, the real price of crypto theft often falls not on the exchange, but on the users.
