$20M hacker ransom data breach triggers DOJ probe and lawsuits, yet Coinbase stock shows resilience.
Coinbase Global Inc., the largest U.S. cryptocurrency exchange, recently achieved a historic milestone by becoming the first crypto platform to join the S&P 500 index, signaling growing mainstream acceptance of the crypto industry within traditional finance. However, this achievement has been overshadowed by a significant user data breach that has drawn widespread attention. On May 19, 2025, Bloomberg reported that the U.S. Department of Justice (DOJ) launched an investigation into the data breach, with criminal investigators also involved. Concurrently, Illinois users filed a class-action lawsuit against Coinbase, alleging violations of the state’s Biometric Information Privacy Act (BIPA) due to the unauthorized collection, storage, and sharing of facial biometric data with third parties.
The Coinbase Data Breach: A Social Engineering Attack
On May 15, 2025, Coinbase disclosed a major data breach involving sensitive customer information, including names, addresses, phone numbers, government-issued ID images, and account details. The attack, which began as early as January 2025, was executed through social engineering tactics, with cybercriminals bribing employees and contractors at Coinbase’s India-based customer support operations to extract the data. On May 11, 2025, Coinbase received an anonymous email demanding a ransom of $20 million in Bitcoin to prevent the stolen data from being leaked. The company refused to pay, instead offering a $20 million bounty for information leading to the perpetrators’ identification and arrest.
The breach affected less than 1% of Coinbase’s monthly transacting users, approximately 84,000 accounts. Some of those users were subsequently targeted in social engineering scams that tricked them into transferring funds to fraudulent accounts. In filings with the U.S. Securities and Exchange Commission (SEC), Coinbase revealed that it had detected unauthorized data collection by overseas customer support agents in the months leading up to the ransom email. The company has since terminated all involved employees and contractors, emphasizing that no customer funds, private keys, or login credentials were compromised.
The financial impact of the breach is substantial, with Coinbase estimating costs ranging from $180 million to $400 million, covering remediation efforts and customer reimbursements. On-chain investigator ZachXBT reported that the attackers specifically targeted high-net-worth accounts holding seven- to eight-figure balances, a claim corroborated by Bloomberg’s May 17 report identifying Sequoia Capital partner Roelof Botha as one of the victims.
DOJ Investigation and Industry Context
On May 19, 2025, Bloomberg reported that the DOJ, including its criminal division in Washington, D.C., launched an investigation into the Coinbase breach to pursue the perpetrators. Coinbase’s Chief Legal Officer, Paul Grewal, confirmed the company’s cooperation with authorities, stating, “We have notified and are working with the DOJ and other U.S. and international law enforcement agencies and welcome law enforcement’s pursuit of criminal charges against these bad actors.” Grewal clarified that the investigation targets the cybercriminals, not Coinbase itself. Regulatory bodies in the UK and Ireland are also evaluating the breach following Coinbase’s report, with potential implications for data protection compliance.
The Coinbase incident is not isolated. On May 17, 2025, Bloomberg reported that Binance and Kraken successfully defended against similar social engineering attacks, with Binance’s AI-driven monitoring systems detecting and blocking bribe attempts via Telegram. These events follow a record-breaking $1.5 billion hack on Bybit in February 2025, underscoring the escalating threat of cyberattacks in the crypto sector.
Illinois Class-Action Lawsuit: BIPA Violations
Adding to Coinbase’s challenges, a class-action lawsuit filed on May 13, 2025, in Illinois accuses the exchange of violating the state’s Biometric Information Privacy Act (BIPA). The plaintiffs allege that Coinbase collected facial biometric data during its Know Your Customer (KYC) processes without providing written notice, obtaining user consent, or disclosing data retention and destruction policies. The lawsuit further claims that Coinbase shared this data with third-party verification providers without permission, potentially affecting thousands of users.
The plaintiffs seek $5,000 per intentional violation and $1,000 per negligent violation, with over 10,000 users reportedly filing arbitration requests. Coinbase’s refusal to cover arbitration fees has led to the dismissal of these claims, escalating legal tensions.
Additionally, according to Cointelegraph, between May 15 and May 16, 2025, at least six lawsuits were filed against Coinbase, raising various claims that the exchange failed to implement robust security protocols to protect user data and mishandled the response to the data breach. Coinbase has not yet responded to these lawsuits. This lack of response may be part of a broader strategy by Coinbase to avoid individual arbitration, a common tactic used by companies to sidestep costly class-action lawsuits.
Market Impact and Coinbase’s Response
The breach and lawsuits have impacted investor confidence, with Coinbase’s stock (COIN) dropping 7.2% on May 15, 2025, following the disclosure. However, the stock demonstrated resilience, rebounding to its pre-disclosure price and even climbing further, trading at $269 on May 16, potentially supported by Coinbase’s S&P 500 inclusion and a bullish crypto market.

Coinbase is taking proactive measures, including establishing a U.S.-based support hub to reduce reliance on overseas contractors and enhancing internal security protocols. The company’s refusal to pay the $20 million ransom and its cooperation with law enforcement signal a commitment to combating cybercrime. As the DOJ investigation progresses and the BIPA lawsuit unfolds, Coinbase’s response will likely set a precedent for how crypto platforms address security and compliance in an increasingly scrutinized industry.