Last week’s highly organized breach of cryptocurrency exchange Coinbase (COIN) left behind more questions than answers.

While some hailed Coinbase’s response as a «really great example» in dealing with a crisis, the breach has now caused a potentially massive privacy issue that mirrors the Ledger data breach in 2021 — which led to a spate of real-world robberies as criminals were able to get a hold of names and addresses of crypto holders. Coinbase has already acknowledged that its customers may have lost close to half a billion U.S. dollars as a result of its breach.

Cybercriminals accessed Coinbase user data by bribing and convincing Coinbase support employees to share that data, but this was entirely preventable, according to numerous experts that spoke to CoinDesk.

“A failsafe system would make stealing data technically impossible, but Coinbase clearly didn’t prioritize these measures, leaving the door wide open,” Andy Zhou, co-founder of blockchain security firm BlockSec told CoinDesk.

Allowing these criminals to access personal data, whether through a hack or, in this case, social engineering, is a major blight on an exchange that facilitates billions of dollars worth of volume every day. The breach created a myriad of issues, including user privacy and trust. How could Coinbase, a publicly traded company, allow attackers to steal personal information and money through the front door? And could it have been prevented?

Hackett Communications CEO Heather Dale hailed Coinbase’s response as a “masterclass in communication,” but Coinbase’s method of tackling the issues was simple: throw as much money at it as possible.

The exchange offered a $20 million bug bounty for anyone who reported information that would lead to an arrest or prosecution. It also committed to voluntarily reimbursing impacted users with between $180 million to $400 million.

What happened?

Before analyzing the fallout of the breach, it’s important to understand how exactly the breach occurred at a publicly traded company that spends millions of dollars per month on security infrastructure.

In February, on-chain sleuth ZachXBT reported a rise in thefts involving Coinbase users. He said that it was “a result of aggressive risk models and Coinbase’s failure to stop its users losing $300 [million] per year to social engineering scams.”

The fear of cybercriminals stealing hundreds of millions of dollars became a reality last week when Coinbase published a blog post revealing that account balances, government ID images, phone numbers, addresses and masked bank account details were stolen.

Unlike other hacks and breaches, which involve attackers exploiting a faulty back-end, these attackers went in through the front door—communicating directly with Coinbase employees and buying access to the information via rogue insiders. Coinbase claimed that it fired all responsible employees on the spot, although it did not reveal the method it used to find those responsible in the blog post.

The issue, however, is not confined to crypto. In 2022, digital bank Revolut confirmed that 50,000 sets of customer data were stolen, while one year later, trading platform Robinhood had up to 5 million email addresses leaked. The latter was fined $45 million by the SEC following the breach after it emerged that a portion of customers had their accounts wiped by attackers.

The BBC reported in October that one particular Revolut user lost £165,000 ($220,0000) following a data breach and that the neobank’s fraud detection system prevented £475 million in fraudulent transactions in 2023.

Coinbase competitors Binance and Kraken said they managed to fend off similar social engineering attacks in recent weeks.

Coinbase CEO Brian Armstrong also posted a video on X last week, stating that he received a “ransom note” for $20 million in bitcoin in exchange for these attackers not releasing some information they claimed to have obtained on Coinbase customers.

ZachXBT added on Thursday that the attackers began obfuscating the stolen funds by swapping BTC for ETH on Thorchain, a venue often used by the infamous North Korean hackers Lazarus Group.

‘Major wake-up call’

Andy Zhou, co-founder of blockchain security firm BlockSec, told CoinDesk that Coinbase should have conducted “stricter background checks on employees handling sensitive data » and set up “alarms for weird activity” like someone suddenly downloading thousands of customer profiles.

Zhou added that Coinbase should have implemented several technical solutions. These include strict role-based access, meaning employees only see necessary data, or privacy tools that allow work without exposing raw details (for example, blurring ID photos).

Nick Tausek, lead security automation architect at Swimlane, told CoinDesk that the breach should be a “major wake-up call” for robust insider threat detection.

“As outsourcing scales and operations stretch across time zones, insider threat detection and access governance cannot be afterthoughts. A single insider with the right access, or in this case, the wrong incentives, can punch a hole in even the most fortified security posture. Because, as this breach shows, it only takes 1% of customers breached to make 100% of the headlines.”

However, not everyone is piling onto Coinbase.

Michal Pospieszalk, CEO of MatterFi, said that it “isn’t a Coinbase problem, it’s a systemic vulnerability that’s plagued crypto since day one.”

He argued that the nature of sending crypto without an intermediary means that all platforms are one misstep away from disaster.

Hackers need to engineer a situation that can trick users into sending their funds in an irreversible transaction. In Coinbase’s case, attackers gained access to personally identifiable information from a rogue employee.

The root issue, according to Pospieszalsk, is the problem of users not knowing whether they are sending funds to the right recipient, adding that crypto runs on a “trust me, bro” model of identity verification and that is not sustainable.

What happens next?

Coinbase said it would voluntarily reimburse customers who lost funds during the breach and would continue to work with law enforcement to capture those responsible. But for users, it’s a darker road.

The exchange said in a regulatory filing on Wednesday that the breach impacted 69,461 customers. The filing also noted that the breach occurred in December 2024 and was not discovered by Coinbase until May 15.

These details are out on the internet now, and may even be for sale on the dark web and in shady Telegram groups. After the Ledger breach, customer details were published on Raidforums, a nefarious data-sharing platform, which led to a rise in phishing attempts.

Unfortunately, Coinbase can’t do anything to prevent the sharing of this leaked information, leaving the affected users to attempt to put in as many safeguards as possible. These include changing wallets, changing deposit addresses on exchanges and even changing home addresses to avoid the risk of real-world robberies. Users whose social security numbers were leaked should also lock their credit to prevent identity theft.

It may be cumbersome, but as seen earlier this year during the attempted kidnapping of Ledger co-founder David Balland (and several other individuals over the past few weeks), criminals will not stop until they extract the maximum amount of funds, even if it means inflicting brutal acts of violence.

This also raises a potential legal question: If a Coinbase customer were to be robbed or assaulted due to the data breach, would Coinbase be liable? Ledger failed to escape a proposed class action lawsuit earlier this year, with plaintiffs alleging that Ledger violated its privacy policy and should have had measures in place to prevent the breach.

Crypto researcher Molly White also pointed out that Coinbase changed its user agreement in April, adding two clauses limiting class action lawsuits and requiring lawsuits to be filed in New York, with changes being applied on May 15, the same day the breach was announced.

Coinbase responded to CoinDesk about White’s claims, stating that the exchange had “notified customers well in advance” of the user agreement change and that it had a class action waiver in place for “years.”

Coinbase did not, however, comment on questions related to whether the breach was preventable or how it will safeguard customers who could be at risk of real-world robberies in the future.

Read more: Market Reaction to Coinbase Hack ‘Overblown,’ Say Analysts as SEC Probe Sinks Stock

Tokenized asset platform Centrifuge said it’s expanding services on the Solana blockchain, starting with the $400 million tokenized U.S. Treasury fund managed by Anemoy (JTRSY).

The expansion builds on Centrifuge’s token standard — dubbed «deRWA tokens» — that allows token holders to freely transfer and use tokenized instruments across decentralized finance (DeFi) protocols.

In this case, the deJTRSY token can be swapped, lent, or used as collateral in, enables Solana users to earn yield from short-term Treasuries natively in Solana DeFi platforms, first on decentralized exchange Raydium, lending platform Kamino, and yield aggregator Lulo.

The rollout underlines Solana’s growing momentum in the tokenized RWA space, a red-hot sector that aims to brings traditional financial instruments like bonds, funds and credit onto blockchain rails. It’s a huge opportunity: Boston Consulting Group and Ripple projected that the tokenized asset market could reach $18.9 trillion by 2033.

This week, Solana Foundation partnered with bank-focused blockchain tech firm R3 to bring real-world assets to Solana, while Securitize-issued tokenized fund of Apollo credit assets is also being introduced to Solana-based DeFi protocols.

«Tokenizing assets is just the starting point,» said Bhaji Illuminati, CEO of Centrifuge. «What truly matters is giving real-world assets utility onchain: making them usable across the DeFi stack from day one.»

Read more: Major TradFi Institutions to Pursue Tokenization Efforts on Solana

Congressional Democrats threatened lawsuits, introduced legislation and planned protests in the lead-up to U.S. President Donald Trump’s memecoin dinner.

Trump, whose affiliated businesses issued the $TRUMP memecoin just days before he was inaugurated for his second term, announced he would host the 220 largest holders of his token for a dinner at the Trump National Golf Club in Potomac Falls, Virginia on Thursday, leading to a price spike as interested parties immediately bought more tokens to secure an invite.

Critics called the move corrupt, pointing to the fact that foreign buyers who otherwise could not legally donate money to the president were purchasing tokens, as well as the opacity surrounding their buys — many of the dinner’s attendees are unknown, and some even pointed to the ability to maintain anonymity as a factor in their decision to go, according to the Washington Post.

Tron creator Justin Sun boasted about being the top holder of the token ahead of the dinner, with blockchain explorers suggesting that the wallet with the largest $TRUMP holding is tied to HTX, a crypto exchange connected to Sun.

Legal action

Sen. Richard Blumenthal, the Connecticut Democrat who previously wrote open letters to two Trump-affiliated businesses asking about their crypto ventures, told reporters in a press call organized by center-left watchdog Accountable US that Trump was «auctioning» access to the White House with the memecoin dinner.

“What’s happening tonight…is in effect, putting a ‘for sale’ sign on the White House,” Blumenthal said. “It’s auctioning off access. He’s literally saying to investors, ‘the more you buy of my memecoin, the greater your chance of coming to dinner with me.’”

Blumenthal suggested that a lawsuit might force Trump to comply with at least some rules around foreign gifts or payments.

During Trump’s first presidency, Blumenthal and other members of Congress sued Trump for allegedly violating the U.S. Constitution’s foreign emoluments clause, which forbids public officials from taking gifts from foreign governments without the permission of Congress. Though an appeals court eventually nixed the suit, Blumenthal said Thursday he’s ready to try again.

«If there were an authorization from Congress, members would bring a lawsuit. I would be more than happy to do it. I’d be eager to do it,» he said.

Even if Congress doesn’t authorize this, private groups, like public interest bodies, could also bring a lawsuit, which lawmakers could support through Amicus briefs, he said.

«And essentially, the allegation would be, he’s violating the provision of the United States Constitution that forbids payments or benefits from a foreign power, plenipotentiary,» he said. «It’s specifically enumerated in the Constitution, unless he has consent with Congress and he has no consent.»

New bills

Representative Maxine Waters, the ranking Democrat on the House Financial Services Committee, pushed a new bill on Thursday that again seeks to make the president’s crypto dealings explicitly illegal. The legislation — labeled the Stop Trading, Retention, and Unfair Market Payoffs in Crypto Act of 2025, carefully named for purposes of an acronym as the Stop TRUMP in Crypto Act — prohibits senior government officials and lawmakers from owning, controlling or serving as an officer of a crypto firm or token issuer, and also from trading in digital assets if they have special insight because of their government role.

«Nowhere is Trump’s blatant disregard and disrespect for the rule of law more apparent than in the way he has exploited the office of the Presidency to promote shady, fraudulent crypto ventures that hold no real value, and serve no true purpose other than to pad his pockets,” Waters said in a statement when she announced the legislation.

A White House spokesperson didn’t immediately respond to a request for comment on the backlash from Democrats.

Waters’ bill is substantially similar to earlier efforts from Senator Chris Murphy, a Connecticut Democrat behind the Modern Emoluments and Malfeasance Enforcement (MEME) Act, and Representative Sam Liccardo, who also had a bill in the House.

The Democrats protesting Trump’s dinner, however, further reveal the party’s crypto split. These are largely the same lawmakers who have maintained opposition to crypto legislation, while another faction of the party recently joined with Republicans to advance a stablecoin bill in the Senate. Their argument: Trump’s actions may be inappropriate — or even illegal — but new legislation doesn’t need to further underline that point.

Further protests

Democratic Senators Elizabeth Warren, Jeff Merkley and Murphy were set to hold a press conference Thursday afternoon alongside consumer advocacy groups to decry the president’s dinner plans. The lawmakers are demanding that Trump reveal the names of the evening’s attendees.

«With foreign-linked wallets, untraceable transactions, and no press allowed, the event raises alarming questions about foreign influence, national security and the growing corruption at the heart of Trump’s crypto empire,» they said in a statement announcing the press conference at the U.S. Capitol.

Merkley was also set to join an evening protest near the gold-club dinner location, just outside of Washington.

Read more: Trump’s Memecoin Dinner Draws Crowded Cast of Democratic Protesters from Congress