Key takeaways
- Investor Brady Nessler filed a class-action lawsuit alleging that Coinbase concealed a major data breach and a United Kingdom (UK) regulatory fine, misleading shareholders and causing significant stock losses.
- The May 2025 data breach, allegedly involving a bribed insider and costing up to $400 million, and a £4.5 million Financial Conduct Authority (FCA) fine for onboarding high-risk users, are key components of the lawsuit.
- At least six additional lawsuits have been filed in US federal courts, with claims that Coinbase failed to adhere to basic cybersecurity practices, delayed user notifications, and retained outdated user data.
- Plaintiffs argue that Coinbase underinvested in security, failed to monitor third-party vendors, and put profits ahead of user protection, with some lawsuits also citing unjust enrichment.
- The legal fallout and reputational damage may influence broader regulatory and cybersecurity standards in the crypto industry.
Crypto exchange Coinbase and its executives are facing a new class-action lawsuit from investor Brady Nessler, accusing the company of concealing critical data breaches and United Kingdom (UK) regulatory violations that allegedly triggered substantial stock losses for investors. This legal action marks the first class-action lawsuit directly linked to Coinbase’s declining stock performance.
Breach and FCA Fine Central to Allegations
The legal document submitted in the district court of Pennsylvania highlights two incidents. In May 2025, a data breach reportedly caused Coinbase shares to plummet by 7.2% in a single day. Coinbase acknowledged that an insider had accepted a bribe to leak user data, an incident with a potential cost of up to $400 million in damages to the company.
The suit also highlights a £4.5 million ($5.7 million) fine that the UK Financial Conduct Authority (FCA) levied against Coinbase in July 2024. The FCA penalized Coinbase for breaching a 2020 agreement, as the exchange onboarded over 13,000 high-risk customers. This violation led to approximately $226 million in unauthorized transactions.
Nessler alleges that Coinbase deliberately withheld information regarding both incidents, misleading investors and artificially inflating the company’s stock price. The lawsuit encompasses shareholders who purchased Coinbase stock between April 2021 and May 2025.
Coinbase has not yet publicly addressed this latest lawsuit.
Widespread Legal Challenges Emerge
Nessler’s lawsuit arrives amid a broader wave of legal challenges for Coinbase. Between May 15 and 16, 2025, at least six additional class-action lawsuits were filed in federal courts across the US, all stemming from the same May data breach. The breach, which originated from bribed customer support agents overseas, exposed sensitive user information, including email addresses, masked account numbers, social security digits, transaction histories, and identification documents. However, private keys and passwords were not compromised.
Paul Bender, who filed the first of these lawsuits in the Southern District of New York, accuses Coinbase of failing to implement fundamental cybersecurity measures and delaying notification to affected users. Bender asserts the company’s breach response was both disorganized and inadequate.
Other plaintiffs, including Maine’s Zaal Panthaki, Texas’s Alexander Crous, and California resident Rosemary Ortiz, echo similar allegations. They claim Coinbase neglected to properly monitor its third-party vendors, underinvested in security infrastructure, and retained outdated user data, which exacerbated the breach’s impact. One lawsuit further accuses Coinbase of unjust enrichment, alleging the company prioritized profits over user protection.
Coinbase’s Response and Future Implications
Facing the legal actions, Coinbase has terminated the implicated support agents in India, referred them for prosecution, and initiated an internal overhaul. This overhaul includes establishing a new US-based support center, enhancing ID verification processes, and upgrading security protocols. The company also disclosed an attempted $20 million extortion, which it refused to pay, instead offering a matching bounty for information on the attackers.