Last fall, scammers infiltrated social platforms like dating apps, WhatsApp, Facebook and Twitter to trick people into downloading the Coinbase wallet. After the targeted users downloaded the wallet, the scammer sent links to fraudulent websites asking users to purchase a "voucher" that appeared to be a secure transaction protected and backed by the trusted Coinbase platform, but was actually a "malicious smart contract." Horrified users eventually found that the smart contract gave "scammers full access to all funds in victims' wallets" to withdraw funds without the users' permission.
Today, around 100 people around the world are trying to hold the publicly traded Coinbase accountable for doing nothing to protect users. The users say Coinbase was indifferent to reports of scammers withdrawing hundreds of thousands of dollars worth of cryptocurrency from their accounts. In total, the Coinbase wallet users who are suing lost $21 million.
According to reports, users had been warning the company about this apparent vulnerability for months. However, instead of taking steps to protect users, Coinbase "took no corrective action to address the vulnerability or even warn customers of this serious issue, even though they warned customers of other security risks," according to a recent request for arbitration. This allowed "hundreds" of additional users to fall prey to "easily avoidable" liquidity mining pool scams.
"It looks like they didn't even try," attorney Eric Rosen of consumer protection law firm Roche Friedman LLP told The Washington Post. "Of course, the scammers quickly found this and literally asked victims to download the Coinbase wallet."
Legitimate liquidity mining pools promise high returns to users who purchase small amounts of coupons, making them attractive to cryptocurrency newbies, but for Coinbase wallet users, "clicking on these malicious coupons writes a single line of computer code that allows scammers to steal cryptocurrency" after the accounts are funded weeks or months later, the Post reported.
This case is different from other crypto scams that encourage users to authorize fraudulent transactions. The plaintiffs say Coinbase's terms of service never warned of the risk, instead assuring users that only sending someone a secret passcode could put an account at risk.
Coinbase is a titan of the cryptocurrency world that regularly advertises its security features, but the arbitration request claims that "scammers have referred customers to Coinbase's wallets because of its terrible security." Instead of acting on this information, Coinbase reportedly took six months to take action to prevent a massive scam.
Coinbase's response
After first receiving threats of lawsuits, Coinbase changed its approach and now alerts users when "a website requests permission to withdraw large amounts of money from an account," the Post reports. This type of warning was already common in products that compete with the Coinbase wallet, such as MetaMask and Trust Wallet.
"In our view, this is effectively an admission that Coinbase did not do enough to protect its customers," Jordana Haviv, another Roche Friedman lawyer for the plaintiffs, told Ars.
Haviv told Ars that in the coming weeks or even months, an arbitrator will be selected, Coinbase will have a chance to respond to the allegations, and then an investigation will be launched.
The users suing Coinbase are hoping that the arbitration will end with the long-awaited return of their lost funds, which for some made up all of their savings. They also want Coinbase to compile a list of all the accounts affected by the scam.
Coinbase told Ars that its products are already working to prevent liquidity mining scams.
"Coinbase is committed to protecting its customers from fraud, forgery and other crimes and has invested significant resources to protect users from mining scams," Coinbase spokeswoman Lisa Johnson said in a statement shared with Ars.
The company claims it is not responsible for cryptocurrency theft due to security flaws in its wallet product, offering a response similar to the one the suing users received when they reported fraudulent activity.
"Client activities on Coinbase Wallet, including private wallet security key management and access to wallet content, are controlled entirely by the client and not Coinbase," Johnson said. "That's why Coinbase offers more product recommendations to help customers choose the right product for them."
Coinbase customer service complaint
The arbitration request describes how users who are suing Coinbase allege that Coinbase sent them an endless spiral of automated responses instead of investigating the issue. Without ever reaching an actual Coinbase customer service representative, users were forced to interact with complaint bots that appeared to be programmed to deny Coinbase's accountability, deny refunds, and insist that users themselves had caused their accounts to be hacked, sometimes even falsely concluding that the customer's 12-word seed phrase had been compromised and that Coinbase was unable to do anything about the missing funds.
But no seed phrase was compromised, and as more reports came in, Coinbase stood by its claim, insisting that the seed phrase was "the only way to access cryptocurrency" in the Coinbase wallet. Although users sent Coinbase the specific URLs and names of the decentralized applications (aka dapps) that defrauded them, "Coinbase never once blocked or removed the malicious dapps," the arbitration request reads.
The suing users say Coinbase's decision to outsource customer service as its user base grew rapidly was a calculated risk. The company told investors at the U.S. Securities and Exchange Commission that its profits depend on the safety of its product.
Sometime last year, a user who is now suing exchanged emails with Coinbase customer service before clicking on a coupon. According to him, the representative assured him that, once he clicked on the coupon, the only way to access his wallet would be with his 12-word seed. Confident that his seed had not been compromised, the user clicked and became the next victim of the scam, losing $60,000 in Tether despite his best efforts to be cautious.
Another suing user received a rare message from Coinbase customer support that actually confirmed that his seed phrase had not been compromised. The message informed the user that "the unauthorized activity you reported appears to be the result of a signed transaction that allowed the attacker to transfer funds from your wallet". Although Coinbase admitted the activity "wasn't authorized", the spokesperson said Coinbase was not responsible. "It is the customer's responsibility to verify the details of the dapp they are interacting with and understand the risks associated with interacting with it," Coinbase told users, advising them to review the dapp access granted after clicking on their voucher in order to avoid withdrawals.
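The kind of signed transaction that support message describes, and what a wallet could show before the user signs it, as an added example that is not from the article, the arbitration request or Coinbase. It assumes the permission the dapp requested is a standard ERC-20 approve(address,uint256) call, which the article does not name; the spender address, the balance and the risk labels are constructed for illustration.

```javascript
// Added example (not Coinbase's code): describe a token call before signing.
// Assumption: the dapp's request is an ERC-20 approve(address,uint256) call.
const APPROVE = "095ea7b3";  // 4-byte selector of approve(address,uint256)
const TRANSFER = "a9059cbb"; // 4-byte selector of transfer(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;

// calldata: hex string from the transaction's data field.
// balance: the user's token balance in base units (BigInt).
function describeCalldata(calldata, balance) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{8,}$/.test(hex)) {
    return { kind: "unreadable", risk: "high", text: "Unreadable request. Do not sign." };
  }
  const selector = hex.slice(0, 8);
  const args = hex.slice(8);
  if (selector !== APPROVE && selector !== TRANSFER) {
    return { kind: "unknown", risk: "medium", text: "Unrecognised contract call." };
  }
  if (args.length !== 128) { // both calls take exactly two 32-byte words
    return { kind: "malformed", risk: "high", text: "Malformed request. Do not sign." };
  }
  const party = "0x" + args.slice(24, 64); // address = low 20 bytes of word 1
  const amount = BigInt("0x" + args.slice(64));
  if (selector === TRANSFER) {
    return { kind: "transfer", risk: "medium", party, amount,
             text: `Send ${amount} token units to ${party}.` };
  }
  if (amount === 0n) { // approving zero removes an earlier permission
    return { kind: "revoke", risk: "low", party, amount,
             text: `Remove ${party}'s permission to spend this token.` };
  }
  // An allowance at or above the balance lets the spender take everything,
  // now or after the wallet is funded later.
  const unlimited = amount === MAX_UINT256;
  const risk = unlimited || amount >= balance ? "high" : "medium";
  const scope = unlimited ? "an UNLIMITED amount" : `up to ${amount} units`;
  return { kind: "approve", risk, party, amount, unlimited,
           text: `Allow ${party} to withdraw ${scope} of this token at any time.` };
}

// Constructed sample: an unlimited approval to a made-up spender address.
const pad = (h) => h.padStart(64, "0");
const SPENDER = "1111111111111111111111111111111111111111"; // constructed
const sample = "0x" + APPROVE + pad(SPENDER) + "f".repeat(64);
console.log(describeCalldata(sample, 60000n).text);
```

Approving an amount of zero to the same spender is how a previously granted permission is removed, which is why the function reports that case as a revoke.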
"Now that I've lost the funds, it's too late to tell me that I had to revoke this access, hidden under a completely normal transaction," the user replied in his recent correspondence with Coinbase on the matter.
It was only when Roche Friedman sent a draft of the complaint to Coinbase that Coinbase "immediately" warned of "numerous fraudulent apps stealing their customers' money."
"If the wallet had simply told users what the dapp was actually asking instead of hiding it from users, perhaps none of this would have happened," the arbitration motion reads.
How many Coinbase users were affected?
Until the arbitrator forces Coinbase to compile a list of all affected users, the full extent of user losses resulting from the Coinbase wallet scandal remains unclear. On Reddit, a forum of about 3,000 members is trying to gather information from victims, and the latest arbitration request came from many users who found the forum. The arbitration motion notes that Coinbase estimates that such fraud "has resulted in the theft of more than $50 million in cryptocurrency assets."
If users win the arbitration, it won't set a precedent, but the Post reports that the case could provide a "window of opportunity" for other cryptocurrency scammers.
On its website, law firm Roche Friedman, which Bloomberg Law reported last week is now facing a disqualification request following a scandal that prevented a founding partner from participating in or benefiting from such class actions, says Coinbase failed users through inadequate security and customer service. (Roche Friedman did not comment on the disqualification request.)
"Coinbase continued to allow these dapps to remain on its platform, did not address the issue, and did not notify wallet owners of this serious security issue for several months," the firm's lawyers wrote. "Had Coinbase done this in time, millions of dollars in losses could have been avoided."