1 day ago
3
Coinbase (NASDAQ: COIN) was aware of its customer data leak far earlier than the digital asset exchange previously acknowledged, while its stablecoin partner Circle is supersizing its initial public offering (IPO) plans.
- Coinbase hackers preyed on BPO contractor
- Hackers mocked CEO Armstrong’s bald head
- Crypto’s preferred solution: customer anonymity
- Coinbase seeks to shift Oregon suit to federal court
- Upsized Circle IPO means Coinbase payday
- Coinbase not giving up on San Francisco
On June 3, Reuters reported that the recently disclosed hack of Coinbase’s customer data by customer support staff in India involved the local operation of a Texas-based business process outsourcing firm called TaskUs. In January, at least one TaskUs employee was caught using their phone to photograph Coinbase customer information from a computer screen.
Four sources, including three TaskUs staffers, told Reuters that Coinbase was notified immediately of the security breach, and TaskUs promptly fired two staffers involved in the incident. Coinbase responded by cutting ties with TaskUs, resulting in over 200 staff in the city of Indore losing their jobs. The mass layoff was reported in Indian media at the time.
And yet, it wasn’t until May 15 that Coinbase acknowledged the breach in a filing with the U.S. Securities and Exchange Commission (SEC).
Coinbase said at the time that it knew the contractors had improperly accessed customer data in “previous months” but didn’t realize the extent of the breach until May 11, when it received a ransom demand from individuals to whom the data had been forwarded. Coinbase estimated that nearly 70,000 of its customers have been impacted.
Coinbase CEO Brian Armstrong later claimed that the exchange began notifying impacted users on April 11 but failed to explain why the SEC wasn’t notified until a month later. Crypto journalist Molly White noted that Coinbase revised its user agreement on April 12 to limit customers’ ability to participate in class action suits against the exchange.
TaskUs has since been hit with a class action suit by Coinbase customers alleging negligence. TaskUs said it “believes these claims are without merit” and will defend itself in court.
Coinbase’s customer support is notoriously glacial in its response to complaints, a bad reputation that shows little sign of improvement. Some U.S. customers have resorted to filing complaints with the Consumer Financial Protection Bureau (CFPB) based on its requirements for companies to respond within 15 days.
That could explain CEO Armstrong’s (incorrect) view that the CFPB is an “unconstitutional” body that should be “deleted” because it has “done enormous harm to the country.” Coinbase has been the subject of over 8,000 complaints with the CFPB, a body that the current federal administration is in the process of dismantling.
Insult to injury
Fortune reported that Coinbase has used TaskUs services since 2017, but the latter firm’s reliance on poorly paid staff in India opens up the potential for staff to supplement their wages with bribes.
A TaskUs spokesperson told Fortune that its research suggests the Indore staff who leaked the Coinbase data “were recruited by a much broader, coordinated criminal campaign against [Coinbase] that also impacted a number of other service providers servicing [Coinbase].”
Fortune reported communicating with one of the alleged hackers, who went by the name ‘puffy party’ on Telegram. This individual claimed to be part of a loosely affiliated group of teenagers and twenty-somethings calling itself “the Comm” or “Com” (short for ‘community’). This group has been linked to other notable exploits, including the blackmailing of some Las Vegas casino operators in 2023.
‘Puffy party’ also claimed that members of the Comm/Com perform specific aspects of a heist based on their individual skillsets. One team bribed the TaskUs staff, another performed the social engineering scams, with the spoils divided amongst the teams.
In a reflection of this team’s juvenile status, ‘puffy party’ shared screenshots of messages they’d exchanged with what they claimed was a member of Coinbase’s security team. The messages show the hackers mocking Armstrong, saying they would use some of the proceeds of their blackmail efforts to “sponsor a hair transplant so that he may graciously traverse the world with a fresh set of hair.”
No KYC, no hacks, no problem
Incredibly, the crypto sector’s collective response to Coinbase’s data hacking scandal is not that the exchange needs to beef up its digital defenses and be more upfront with its customers. Instead, calls are mounting to lift ‘know your customer’ (KYC) requirements on digital asset operators based on the view that hackers can’t steal data that companies don’t possess.
As some online critics have observed, traditional banks haven’t been as supportive as they might of the digital asset legislation currently kicking around Congress because banks “think it is unfair for a non-bank to do banking without any of the laws and regulations applicable to banks. And they kind of have a point.”
Coinbase v Oregon
Coinbase responded at the time by claiming that Oregon was “trying to revive regulation by enforcement,” the catchphrase popularized by digital asset firms that reject nearly all aspects of regulatory oversight with which they disagree.
On June 2, Coinbase filed a petition in federal court asking for the suit to be moved out of Oregon and under federal jurisdiction. The petition calls the suit a “regulatory land grab” and notes that Oregon’s Division of Financial Regulation generally takes point on securities transactions, not the AG, calling into question Rayfield’s authority to file the suit in the first place.
Coinbase VP of legal Ryan VanGrack tweeted Tuesday that the petition was filed because “the case is fundamentally about federal law.” VanGrack claimed Rayfield’s suit “would undermine recent bipartisan progress towards crypto clarity by creating a patchwork of state regulations that harms consumers, innovation, and economic freedom.”
Coinbase’s chief legal officer Paul Grewal added that “[b]ecause Oregon’s claims raise fundamentally federal issues like the meaning of ‘investment contract,’ [as defined by the Howey Test] they should be resolved by federal courts.”
Circle supersizes IPO
Coinbase’s share price has ridden a roller coaster so far in 2025, hitting peaks of over $300 in January and troughs of less than half that sum by mid-April. But the company’s inclusion in the S&P 500 index last month and the expectation of a major payday from its stablecoin partner Circle currently have Coinbase shares hovering just under $260.
USDC-issuer Circle filed its IPO paperwork in early April, and the company has been dotting its i’s and crossing its t’s in anticipation of that magical Nasdaq debut later this week. On May 27, Circle announced plans to offer 24 million shares of its Class A common stock at an expected range of $24-$26, with Circle offering up 9.6 million of that total and selling stockholders accounting for the other 14.4 million.
On June 2, Circle upsized that offer to 32 million shares at a range of $27-$28, allegedly reflecting ‘strong investor appetite’ for all things crypto under President Donald Trump’s second go-round. The IPO is now expected to raise nearly $900 million, while assigning Circle a valuation of up to $7.2 billion.
Coinbase holds 8.4 million shares in Circle after converting its equity in the now defunct Centre consortium that originally oversaw USDC’s business. Should the IPO go off at the upper end of its expected price range, Coinbase’s Circle stock would be worth over $235 million, ~$25 million more than Coinbase’s equity in Circle at the time of the conversion.
Coinbase is unlikely to be selling much of its Circle stake in order to preserve the sweetheart revenue-sharing deal it worked out when it negotiated its exit from Centre. With both companies now required to issue financial report cards, it seems Coinbase actually makes more money off USDC activity than Circle does, while Circle shoulders most USDC expenses.
Last month, reports emerged that Circle was a potential acquisition target of both Coinbase and Ripple Labs, the issuer of the XRP token (as well as its own stablecoin RLUSD). Ripple’s offer was said to be in the $4-$5 billion range, which Circle rejected as too low, a view now apparently confirmed by its IPO valuation. (Ripple CEO Brad Garlinghouse recently denied that his company had pursued a Circle deal.)
A distinctly contrary view of Circle’s prospects was presented in the Financial Times last month. The article called into question Circle’s whole business model, as “98 per cent of Circle’s revenue is interest on the securities holdings which back its stablecoins … although it issues USDC and holds the offsetting assets, it’s not generating revenue from trading or staking transactions involving the stablecoins in either the cryptoverse or the real world.”
“Financially, Circle is a highly levered, uninsured narrow bank with nearly all of its revenue coming from a big bucket of short-term cash investments. It makes money when rates are higher, up to a point, and makes less or loses money when rates are low. That makes Circle a market play on—or a plaything of—volatile short-term interest rates … This then brings us to the unanswerable question at the heart of Circle’s business: Does anyone know where short-term interest rates will be in the future?”
Coinbase left its keys in San Francisco
Coinbase must indeed be feeling flush, as it just announced a deal to lease 150,000 square-feet of new office space in San Franciso. The new space will automatically become the company’s single largest geographical footprint and marks a homecoming of sorts for Coinbase, albeit one that’s a little hard to fathom.
In 2021, as the pandemic forced offices to temporarily close and many tech-firms switched to a remote-first staffing model, Coinbase paid $25 million to break the lease on its former San Francisco office space. At the time, the move was pitched as the company embracing a ‘no headquarters’ philosophy but it seems times (and philosophies) have changed.
CEO Armstrong tweeted that Coinbase was “excited to reopen an office in SF,” adding that the company “never left California” as many of its employees live in the state and “[w]e go to where the talent is.”
Addressing San Francisco Mayor Daniel Lurie, who was elected last year, Armstrong said the city was “so badly run for many years, but your excellent work has not gone unnoticed.” Rival exchange Kraken also shut its SF headquarters in 2022 because founder/then-CEO Jesse Powell believed the city was “not safe.”
Efforts to reduce the city’s crime rate got a potential boost from Ripple co-founder Chris Larsen, whose nonprofit group San Francisco Police Community Foundation has offered the SF Police Department a $9.4 million donation to improve the SFPD’s Real Time Investigation Center.
The gift comprises a $2.15 million retroactive lease of office space and $7.25 million worth of new toys, including nearly $5.3 million in drone surveillance gear. Larsen, a San Francisco native, previously donated millions to expand the city’s security camera network, but controversies surround how some of these funds were allocated.
Mayor Lurie has indicated he’s in favor of allowing the police to accept the donation. We suspect Coinbase’s Armstrong is, as well. After all, there’s some dangerous teenagers out there who’ve put a target on his head.
Watch: Teranode is the digital backbone of Bitcoin
English (US) · 