Hacked: Why Coinbase and Other Crypto Brokers Should be Subject to SEC Rules
By Amanda Fischer, Policy Director & COO
Coinbase Data Breach
On May 15, Coinbase disclosed in an SEC filing that it had been compromised in “previous months” when threat actors bribed customer support employees to gain access to customer data as well as corporate information on how Coinbase manages customer service and accounts.
Though Coinbase detected the breach back in January, it only made the news public after a May 11 communication from the hackers demanded a $20 million ransom: pay up, or else customer data such as users’ names, addresses, account balances and transaction histories would be made public. Coinbase declined to pay the ransom, and the SEC filing indicated that remediating the breach will cost $180 to $400 million, made up of money needed to reimburse customers and fix underlying issues.
Coinbase – An Unregistered Broker
It seems that consumers can’t go a week without hearing about another data breach. So why is this one significant?
Well, news reports of the breach colloquially referred to Coinbase as a “crypto exchange.” And that’s true – the company does maintain a marketplace of prices and volumes in crypto tokens and allows buyers and sellers to use its interface to transact. But Coinbase also custodies customer funds – something that NASDAQ and the New York Stock Exchange don’t do.
Because the firm holds customer funds and effects transactions on their behalf, in a traditional securities market Coinbase would be considered a broker. The SEC, in fact, sued Coinbase, alleging that it was not properly registered as such for a number of crypto tokens that were allegedly securities offerings.[1] A district court judge agreed with the SEC during the early phase of the lawsuit, and that litigation was pending… until the Trump Administration dismissed it.
Why Broker Registration Matters in Data Breaches
Because the Trump Administration gave Coinbase a free pass on registering as a broker, Coinbase was subject only to a patchwork of state laws governing customer notifications in data breaches, plus Suspicious Activity Reports filed with the Financial Crimes Enforcement Network (FinCEN) – filings to law enforcement required when a cyber intrusion is suspected.
What Coinbase was not subject to were the broker rules updated by the SEC in 2024, which require firms to implement written policies and procedures reasonably designed to detect, respond to, and recover from unauthorized access involving customer information. The rules also require that firms develop strategies for mitigating a cyber incident after it happens, including how to reach and remediate customers. Importantly, the rule requires that brokers notify customers of a data breach within 30 days; this matters because many states have no specific deadline for sending notices (or they set deadlines exceeding 30 days). The SEC also conducts routine exams of its registrants to ensure compliance with the rules. Finally, under a separate rule, where a firm knows or should have known about written customer complaints alleging theft or misappropriation, the broker is required to contact FINRA, the self-regulatory organization for brokers, within 30 days.
Customers Pay the Price
Though Coinbase’s regulatory filing from May 15 was non-specific, reporting around the incident said that the firm had known about the breach, which affected approximately 97,000 customers, since January. So why is the firm only announcing a $180 to $400 million remediation plan in May? This struck even crypto insiders as suspicious, with one crypto company General Counsel noting last week on X.com, “anyone recall that Coinbase was freezing accounts and requiring re-onboarding back in January? But only discovered the data breach three days ago and now will introduce remedial measures. Odd.” What’s more, affected customers reportedly still don’t know when they’ll be made whole.
Again, had Coinbase been properly registered as a broker, its written policies and procedures likely would have been more robust in alerting customers to the scam and in setting timelines for delivering relief. Coinbase probably would have alerted FINRA and begun the process of making customers whole, instead of waiting until the company was compelled to disclose the incident to shareholders in a separate regulatory filing. And if it didn’t act promptly and comprehensively to provide customers with redress, Coinbase could have faced enforcement actions from the SEC or FINRA.
The consequences of inaction are huge. In the words of one harmed investor, “Coinbase should have been proactively implementing scam awareness measures months ago…the most effective thing they could have done was email all of their customers and alert us that there are people impersonating Coinbase support. They could have prevented a huge amount of theft. In my opinion, they’ve been woefully remiss and, in my case, the consequences of that have been significant.”
Conclusion
In a digital world with many threat actors, data breaches are inevitable. But the rules governing how companies respond matter – especially for companies whose business is holding and protecting your money. Because the SEC dismissed the litigation arguing that the firm was an unregistered broker, Coinbase was not subject to SEC rules or exams and was instead held only to a patchwork of state laws geared mostly toward informing customers of data breaches. This episode, while terrible for the affected customers, also underscores the missed opportunity to give crypto customers a regulatory framework that puts investors first.
[1] Specifically, the SEC alleged that Coinbase commingled functions including being an unregistered securities exchange, broker-dealer and clearing agency. The SEC provided a handful of example crypto tokens that were alleged to be unregistered securities offerings across which Coinbase offered these alleged exchange, broker-dealer and clearing agency functions.
Amanda, you may be interested in what I wrote in 2021. Coinbase has at least two SEC-registered broker-dealers, but they are dormant. If you do not have to register, then you don't need them. https://thedig.substack.com/p/coinbase-and-its-sec-registered-broker