Following a rough year in 2022, the crypto sphere has seen another of its juggernauts run into trouble with the law. Global crypto exchange Coinbase has come under fire for publicising that it has ‘bank level security’, while its customers’ accounts were reportedly hacked and looted. We hear from the legal team taking action against Coinbase as well as industry experts on trust in crypto exchanges and the ‘correct’ response to a hack.
Generating trust in crypto
Following the high of November 2021, when Bitcoin reached its highest value to date (~$68,000), cryptocurrencies have been on a downward trajectory. Though there have been glimpses of hope, they have remained on a negative trend. Yet, despite the debacles of Terra and FTX, alongside reports of hacks, crypto adoption continues. In fact, according to MerchantMachine, crypto use is set to increase by 14.9 per cent across the world by 2030.
With its popularity ever growing, users must feel like they can trust cryptocurrencies, and notably, the exchanges in which their assets reside. However, it is difficult to do this when reputable names in the space, like Binance, Poly Network and Axie Infinity, have all suffered incredibly large, impactful hacks in the year. The latest to be added to the list is Coinbase.
Coinbase lawsuit filed
According to a new lawsuit filed against Coinbase, three individual parties were locked out of their accounts for no reason. When they tried to seek help from Coinbase, they were redirected from one complaint screen to another, without being able to speak to anyone. The parties claim their accounts were taken over by hackers, with combined losses of over $214,000. These claims were reported in Bloomberg but have not been confirmed by Coinbase to The Fintech Times.
This purported hack follows an incident in 2021 when Coinbase admitted that hackers stole from the accounts of at least 6,000 customers.
Attorney Matt Borden said: “The plaintiffs represent a bigger group of people who have been victimised by arbitration clauses which have meant they couldn’t take the crypto exchange to court. It’s not just a one-off type of hack. People are starting to come out of the woodwork to share their similar experiences.”
Legal sources have suggested two separate cases have been filed:
- A class action, meaning that Coinbase must repair the damages of the hack, repaying the plaintiffs for the amount lost.
- An injunction, meaning Coinbase can’t ‘falsely advertise’ that its products have “bank-level security” when individuals’ accounts have been broken into and looted.
One of the plaintiffs’ attorneys spoke to The Fintech Times about two solutions to the injunction. These would involve either removing the alleged false advertising of ‘bank-level security’ or improving the security systems so the statements are true.
He went into further reasoning behind the class action too. Under US law, if a bank account got hacked, it would be the bank’s responsibility to make the victim whole. Due to Coinbase’s standing as a financial institution, he and the prosecutors believe it should abide by the same law, and in turn return the value of the assets.
We reached out to Coinbase for a comment on the lawsuit but have not received a response.
Crypto trust at risk
The long-term impact of this won’t be damaging to cryptocurrencies as much as it will be damaging to Coinbase’s image. Those who are still interested in crypto will likely go to another exchange, one that can ensure their assets are protected. However, it is possible that had there been better communication and dedication to resolve the issues from Coinbase following the alleged hacks, there may not have been a lawsuit.
So what is the appropriate response to a hack?
Clear communication between exchange and all (impacted or not) customers
Bradley Dizik, executive vice president, emerging issues + technology at Guidepost Solutions, a global security, compliance and investigations consultancy, said: “The best practice for incident response is to immediately diagnose the extent of the cyber intrusion, investigate any potential losses, and immediately execute controls to best mitigate further losses.
“The exchange should provide all its customers, not just the ones impacted, with a letter notifying them of a breach and then make a public commitment to conduct a risk assessment of its information security controls, immediately executing on a risk remediation plan that addresses all the severe and medium risks for information security vulnerabilities.
“The exchange should also commit to implementing an information security control environment that complies with a known security framework such as ISO 27000, NIST, or another framework and even go as far as seeking a certification. Finally, the exchange should go through an assessment to ensure compliance with relevant regulations such as those applying to exchanges registered by the New York Department of Financial Services.”
The root cause
Max Galka, CEO and founder of Elementus, an organisation helping others leverage the power of blockchain, said: “First, research the root cause of the hack and do what’s necessary to safeguard customer assets. Also, be transparent with customers and communicate the severity of the hack and any additional steps that can be taken to safeguard customer funds (e.g., what’s a call to action for your customers).
“Researching the root cause of a hack involves the ability to analyse blockchain data and often make sense of extremely complicated transaction flows. Hackers attempt to obfuscate this chain of events, so it requires expertise and sophisticated tooling. Working with a company that has this blockchain data and investigations expertise is critical.”
The same level of trust as banks
Understandably, when large sums of money or life savings are involved, customers want to ensure their assets are kept safe at all costs. Recently, due to the rise of fintechs, customers are starting to trust placing their funds in financial entities other than banks. Look at neobanks for example. According to Statista, there are 24.9 million accounts in the US alone with predictions suggesting this number will grow to 39.1 million by 2025.
With this in mind, it is no surprise users are starting to have more trust in crypto, especially as Blockware Intelligence predicted that Bitcoin adoption alone will hit 10 per cent worldwide by 2030.
But should exchanges have the same level of trust as a bank? In short, the answer from the industry is ‘no’.
Spencer Soloway, VP of marketing from Horizen Lab, a blockchain company, elaborated saying: “At the end of the day, crypto exchanges, whether centralised or decentralised, aren’t banks. While consumers should feel comfortable purchasing crypto from reputable exchanges, they don’t afford users FDIC protection, and people should understand the risks involved.
“The by now age-old maxim is ‘not your keys, not your coins’. While it is understandable that self-custody can be a confusing topic (and comes with its own set of risks), I would suggest users seriously consider and learn about the options available!”
Centralised exchange regulatory concerns are a problem
For Bob Ras, co-founder of Sologenic, a blockchain-powered network for tokenising securities, hacks were not the main cause for concern over asset security in crypto exchanges. He noted the importance of decentralised exchanges compared to centralised ones when it came to regulatory concerns:
“Hacks in crypto exchanges have taken the backseat when it comes to malicious activity in the industry, as so many centralised crypto exchanges have crumbled beneath themselves due to poor asset management, inconsistent proof of reserves reporting, and in severe cases, sheer disregard for user funds by the centralised entity behind the exchange.
“So yes, in the current climate, it is exceptionally dangerous for customers to treat centralised crypto exchanges like serious banks because, despite the possibility of a hack, their funds are unsafe due to a lack of regulatory frameworks regarding safeguarding customers’ assets.
“Therefore, I encourage centralised crypto exchanges not only to continue working with reputable auditors but also to consider showing proof of solvency. This formula includes both proof of reserves and proof of liabilities. We desperately need to re-establish credibility for our besieged industry, and while hacks often remain uncontrollable, we do have the power to control how exchanges interact transparently with their customers.
“Affirming customer trust is paramount if we want a healthier crypto market to emerge from this low point. In general, decentralised exchanges (DEXs) are the future of crypto trading and much safer solutions, where all customers are in full control of their own assets without needing a third party in the middle, which can potentially increase the risk of hacks and insolvency.”