According to TheRegister.com, security researcher Jonathan Clark claims Coinbase knew about a December 2024 security breach at least four months before disclosing it to the SEC in May 2025. Clark says he reported the attack to Coinbase on January 7 after fraudsters tried to scam him using detailed personal information including his Social Security number and Bitcoin balance. The breach involved criminals bribing Coinbase support staff to hand over nearly 70,000 customers’ private data including driver’s license numbers, passport details, and transaction history. Coinbase’s Head of Trust and Safety Brett Farmer reportedly responded to Clark’s initial report the same day, promising an investigation, but then went completely silent despite four follow-up emails. Clark disputes Coinbase’s official timeline that claims the company didn’t discover the breach until May 11.
The timeline that doesn’t add up
Here’s the thing that really bothers me about this situation. Coinbase says they discovered the breach on May 11, but Clark was getting scammed with incredibly specific personal data on January 7. And he documented everything – the Google Voice number, the Amazon SES email, the caller who knew his Bitcoin balance down to the decimal point. This wasn’t some generic phishing attempt. The scammers had data that should have been impossible to obtain without a serious breach.
So either Coinbase’s security team completely dropped the ball on investigating Clark’s report, or they knew much earlier and chose not to disclose it. Neither scenario looks good for a company that’s supposed to be safeguarding people’s financial information and cryptocurrency. When you’re dealing with sensitive data like Social Security numbers and passport details, timely disclosure isn’t just good practice – it’s essential for customers to protect themselves.
The corporate silence treatment
What’s particularly telling is the pattern of communication – or lack thereof. Clark gets one immediate response from the Head of Trust and Safety saying “This report is super robust and gives us a lot to look into.” Then absolute radio silence through four follow-up emails over the next month. That doesn’t sound like a company that’s taking a security threat seriously.
And honestly, how hard would it have been to send a quick “We’re still investigating” email? The complete lack of follow-up suggests either incompetence or intentional avoidance. When a security researcher hands you evidence that your customers’ data is in the wrong hands, that should set off alarm bells throughout the organization.
What this means for crypto security
This incident raises serious questions about how cryptocurrency exchanges handle security breaches. We’re not talking about stolen passwords here – this is the kind of personal information that enables identity theft for years to come. The scammers even tried the classic “move your crypto to a cold wallet” trick, which shows they understood exactly how to manipulate crypto users.
Basically, if you can’t trust major exchanges to be transparent about security incidents, where does that leave the average investor? The crypto industry already battles perception issues around security and regulation. Incidents like this – and the alleged cover-up – just reinforce the skepticism.
The questions that remain
Why would Coinbase sit on this information for four months if they knew earlier? Were they trying to contain the damage quietly? Did they not believe Clark’s report? The company’s complete silence to both Clark and The Register’s inquiries speaks volumes. Meanwhile, 69,461 customers had their sensitive data floating around in criminal hands without knowing they needed to take protective measures.
At the end of the day, transparency in security breaches isn’t just about regulatory compliance – it’s about basic respect for your customers. When companies play fast and loose with disclosure timelines, they’re gambling with people’s financial security. And in the crypto world, where transactions are irreversible, that’s a risk nobody should have to take.
