Coinbase users scammed out of $21M in crypto sue company for negligence


Nearly 100 users sue Coinbase for allegedly overlooking security flaw.

ASHLEY BELANGER – OCT 17, 2022 6:04 PM

Last fall, scammers infiltrated social platforms like dating apps, WhatsApp, Facebook, and Twitter, attempting to convince people to download Coinbase Wallet. Once the targeted users downloaded the wallet, the scammer would then send links to fraudulent websites, prompting users to purchase a “voucher” that seemed like a safe transaction protected and facilitated by Coinbase’s trusted platform but was “actually a malicious smart contract.” Horrified users eventually discovered the smart contract gave “the scammers complete access to the entire funds in the victim’s wallets” without requiring authorizations to withdraw funds.

Today, nearly 100 people from all over the globe are seeking to make the publicly traded Coinbase pay for allegedly doing nothing to protect users. Users allege that Coinbase was unmoved by reports that scammers were draining accounts of tens or hundreds of thousands of dollars’ worth of cryptocurrency. In total, Coinbase Wallet users that are suing collectively lost $21 million.

For months, users allegedly warned the company of this seeming security flaw. Instead of acting to protect users, though, Coinbase “took no remedial steps to fix the security flaw or even warn customers about this major problem, despite warning customers about other security risks,” according to a recently filed arbitration demand. This allegedly allowed “hundreds” of additional users to become targets of “an easily preventable” liquidity mining pool scam.

“They didn’t even appear to try,” Eric Rosen, an attorney from Roche Freedman LLP, the law firm representing users, told The Washington Post. “Of course, scammers quickly picked up on this, and literally directed victims to download the Coinbase Wallet.”

Legitimate liquidity mining pools promise high returns to users who buy vouchers for small sums, making it enticing to those new to crypto, but for Coinbase Wallet users, “clicking on these innocuous-looking vouchers would record a single line of computer code granting the scammers permission to steal crypto deposited into an account, weeks or months later,” the Post reported.


This case is different from other crypto scams that prompt users to authorize fraudulent transactions. Claimants allege that Coinbase's terms of use never warned of the risk, assuring users instead that only sharing a secret passcode could compromise an account.

Coinbase is a titan in the crypto world that regularly touts its security features, but the arbitration demand says that “scammers directed customers to the Coinbase Wallet because of its terrible security.” Rather than act on this information, Coinbase allegedly spent six months before taking any action to prevent more users from being scammed.

Coinbase’s response

Since first being threatened with legal action, Coinbase has changed its ways and now provides warnings to users when “a website is requesting permission to withdraw a huge sum of dollars from an account,” the Post reported. This type of warning was already customary on competitors' products, like MetaMask and Trust Wallet.

“In our view, this is effectively an admission that Coinbase previously wasn't doing enough to protect its customers,” Jordana Haviv, another Roche Freedman attorney for the claimants, told Ars.

In the coming weeks or possibly months, Haviv told Ars that an arbitrator would be selected, Coinbase would be provided an opportunity to respond to allegations, and then discovery would begin.

Users suing Coinbase hope that arbitration will end in the long-sought recovery of funds lost, which to some amounted to their entire life savings. They also want Coinbase to compile a list of all accounts hit by the scam.

Coinbase told Ars that its products already work to prevent liquidity mining scams.

“Coinbase is committed to protecting its customers from scams, fraud, and other crimes and has invested significant resources in protecting users against liquidity mining scams,” Coinbase spokesperson Lisa Johnson said in a statement provided to Ars.

The company seems to be maintaining that it’s not responsible for stolen cryptocurrency due to security flaws in its Wallet product—the same response it gave to users now suing when they reported the fraudulent activity.

“A customer’s activities on Coinbase Wallet, including managing the wallet’s private security keys and access to the wallet’s contents, are exclusively controlled by the customer, not Coinbase,” Johnson said. “That is why Coinbase provides customers with multiple product offerings, so they can choose the products that are best for them.”


Coinbase customer service complaints

The arbitration demand describes how users suing Coinbase complained that instead of investigating the issue, Coinbase sent them down an endless spiral of automated replies. Never reaching an actual Coinbase customer service representative, users were stuck interacting with alleged bots that seemed programmed to deny Coinbase liability, refuse refunds, and insist that users themselves had clearly compromised their own accounts, even sometimes “falsely stating that customers’ 12-word seed phrases had been compromised and that there was nothing Coinbase could do about the missing funds.”

But no one’s seed phrases were compromised, and as more reports came in, Coinbase stuck to its claims, insisting that the seed phrase “is the only way to access the cryptocurrency” in a Coinbase Wallet. Despite users sending Coinbase-specific URLs and names of decentralized apps (also known as dapps) that scammed them, “Coinbase did not even block or take down the malicious dapps,” the arbitration demand says.

Users suing say that Coinbase’s decision to outsource its customer service while its user base quickly grew was a calculated risk the company took, telling investors in a US Securities and Exchange Commission filing that its profit-seeking ways could impact product security.

At one point in the past year, one user now suing exchanged emails with Coinbase customer service before clicking on the voucher. That user only clicked on the voucher, he says, after that representative assured him that the only way for anyone to access his Wallet was with his 12-word seed phrase. Confident that his seed phrase was not compromised, the user clicked and became the next scam victim, losing $60,000 in Tether cryptocurrency, despite attempting to be cautious.

Another user suing received a rare message from Coinbase customer service that actually confirmed his seed phrase had not been compromised. The message informed the user that “unauthorized activity you reported appears to have resulted from a signed transaction that approved a malicious third party to transfer funds from your Wallet.” Even though Coinbase acknowledged it was “unauthorized,” the representative maintained that Coinbase was not liable. “It’s the customer’s responsibility to review the details of the dapp they interact with and understand the risk when interacting with it,” Coinbase told the user, informing him that he would have had to revoke access granted after clicking the voucher to prevent withdrawal.

“Now that I have lost the funds, it is too late to inform me that I had to revoke this access hidden underneath a totally normal-looking transaction,” the user responded, in what became his last correspondence with Coinbase on the matter.

It wasn’t until after Roche Freedman sent Coinbase a draft of their complaint that Coinbase “immediately” posted warnings on “many of the scam dapps that were stealing its customers’ money.”

“Had the Wallet simply informed users as to what the dapp was actually asking to do, instead of hiding it from the users, none of this would likely have happened,” the arbitration demand says.

How many Coinbase users were impacted?

Unless the arbitrator compels Coinbase to draft a list of all users affected, the full scope of user losses from the Coinbase Wallet scams will remain unclear. On Reddit, a forum with close to 3,000 members is attempting to gather information from victims, and the most recent arbitration demand comes from many users who found that forum. In the arbitration demand, it’s noted that Coinbase estimated that these types of scams “have resulted in the theft of over $50 million in crypto assets.”

Should the users win in arbitration, it won’t set any legal precedent, but the Post reported that the case could provide “the possibility of a way forward for” other people scammed out of cryptocurrency.

On its website, the law firm Roche Freedman—which Bloomberg Law last week reported is currently facing disqualification motions after a scandal that resulted in a founding partner being dropped from participating in or profiting from all class-action lawsuits like this one—said that Coinbase failed users through deficient security and customer service. (Roche Freedman did not comment on disqualification motions.)

“Coinbase continued to allow these dapps to remain on its platform, failed to correct the problem, and failed to notify the Wallet holders for months about this significant security issue,” the law firm wrote. “Had Coinbase done so on a timely basis, millions of dollars in losses would have been avoided.”

Listing image: Bloomberg / Contributor | Bloomberg

ASHLEY BELANGER SENIOR POLICY REPORTER

Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.
