Coinbase (NASDAQ: COIN) is reportedly looking to buy its stablecoin partner Circle while the digital asset exchange deals with a major data breach with customers fearing for their safety.

On May 19, Fortune reported that USDC-issuer Circle was the subject of not one but two ongoing acquisition attempts. Circle’s suitors are the Coinbase exchange and Ripple Labs, the issuer of the XRP token. Fortune quoted banking and private equity execs who claimed Circle had held ‘informal talks’ with both Coinbase and Ripple regarding a takeover.

Ripple’s interest in Circle was originally reported last month, but Circle rejected the $4 billion to $5 billion offer as too low. Circle was also said to be focused on its plans to list on the Nasdaq exchange, its second attempt at an initial public offering (IPO). Circle was forced to scrap its previous IPO in late 2022 due to the onset of ‘crypto winter’ and the resulting decrease in investor interest.

While Circle is said to remain keen on going public, one Fortune source claimed that “if Coinbase wanted to buy them, Circle would sell in a heartbeat.” A different source claimed that Coinbase and Circle already “feel like they’re one company.”

Coinbase owns a piece of Circle following the companies’ rejigging their USDC partnership in 2023, which gave Coinbase 8.4 million shares in Circle worth around $210 million at the time. Coinbase and Circle also have a revenue-sharing deal in USDC that appears to benefit Coinbase far more than Circle.

Coinbase’s stake in Circle gives it a veto over Circle striking similar USDC deals with other companies. Discussing Coinbase’s Q1 earnings, chief financial officer Alesia Haas noted that Coinbase approved Circle’s December 2024 deal with rival exchange Binance, saying “in the case of Binance, we did agree because we think that it grows the overall USDC market cap.”

Coinbase recently announced a $2.9 billion acquisition of derivatives exchange Deribit, which you’d think might have suppressed the company’s M&A appetite for a spell. But having recently become the first crypto-specific firm to be included in the S&P 500, Coinbase appears to feel that it’s time to go big or go home.

On May 14, Bloomberg asked Coinbase CEO Brian Armstrong about the possibility of his firm acquiring Circle. Armstrong hedged, saying that while Coinbase was “always looking at M&A opportunities,” he had “nothing to announce today.”

Ripple’s bid to acquire Circle would likely rely on its vast stockpile of XRP plus some actual cash, while Coinbase could offer Circle a mix of cash and its own Nasdaq shares.

Ripple is coming off its own major acquisition, a $1.25 billion deal for prime broker Hidden Road. Just as Coinbase and Circle’s partnership boosted USDC’s profile (and market cap), Ripple hopes Hidden Road will help expand the use of Ripple’s RLUSD stablecoin, which has struggled to gain traction in the increasingly crowded stablecoin market since its launch last December.

Data breach announcement timing challenged

Coinbase’s addition to the S&P 500 came just three days before it announced its customer data breach, leading critics to accuse the company of delaying its announcement until after its stock promotion was a done deal. But that wasn’t the only element of Coinbase’s announcement generating controversy.

On May 19, crypto journalist Molly White tweeted that Coinbase had revised its user agreement on April 12 to limit users’ ability to participate in class action lawsuits against the firm. The changes also require users to pursue legal redress in New York state and federal courts, unless the dispute proceeds to out-of-court arbitration. The changes applied “only to disputes that you or we initiate after May 15, 2025,” the day Coinbase announced its data breach.

Armstrong replied to White’s tweet, saying Coinbase “started notifying users about this on April 11th, so it had nothing to do with the data breach.” Armstrong dismissed White’s tweet as “your conspiracy theory.”

White responded by asking Armstrong “If you knew about the data breach as far back as at least April 11 (or much further, according to outside reporting from Bloomberg), why did it take you another month to disclose with the SEC [Securities and Exchange Commission]?” Armstrong has yet to reply to this tweet.

The Bloomberg report that White appeared to be referencing cited an unidentified source who claimed the hackers had “near-constant access to some of Coinbase Global Inc.’s most valuable customer data since January.” The hackers obtained the data by bribing Coinbase contractors in India—who have since been fired—to fork over the data.

Coinbase’s filing with the SEC detailing the exploit appears to support this timing, saying “these instances of such personnel accessing data without business need were independently detected by the Company’s security monitoring in the previous months.” In response, Coinbase “implemented heightened fraud-monitoring protections and warned customers whose information was potentially accessed.”

The Bloomberg source’s timing was disputed by Coinbase’s chief security officer Philip Martin, who said the hackers “did not have persistent access over the course of the entire period” in question. Asked about claims that the hackers retained access to the data as recently as May 14, Martin said he had doubts but couldn’t “prove a negative.”

High-value customers nervous

On May 19, Bloomberg reported that the U.S. Department of Justice (DoJ) had opened a probe into the data breach. The scope of this probe wasn’t specified, but Coinbase’s Chief Legal Officer Paul Grewal said the company “welcome[s] law enforcement’s pursuit of criminal charges against these bad actors.”

Coinbase told the SEC that the breach could cost the company $400 million, primarily through reimbursing impacted customers. But it could cost high-value customers far more than money, as the recent spate of violent kidnappings of high-value crypto individuals and/or their relatives in France makes clear.

Bloomberg quoted an executive at a firm providing security and intelligence for digital asset whales discussing the surge in calls he’s been getting from “crypto investors who don’t want to be caught off guard.”

The report also noted that Coinbase spent $6.2 million on security costs for Armstrong last year, more than the combined sums spent to protect the CEOs of JPMorgan Chase (NASDAQ: JPM), Goldman Sachs (NASDAQ: GS), and Nvidia (NASDAQ: NVDA). Circle paid $800,000 to protect CEO Jeremy Allaire, while Robinhood Markets (NASDAQ: HOOD) paid twice that sum protecting CEO Vlad Tenev.

Who’s to blame and what’s to be done?

On May 19, TechCrunch Founder Michael Arrington tweeted that the Coinbase hack “will lead to people dying. It probably has already … The consequences to companies who do not adequately protect their customer information should include, without limitation, prison time for executives.”

Armstrong responded to Arrington’s tweet by saying jail time for executives “would mean about half of all executives going to jail, and most people running government agencies as well (IRS, DNC, military, etc). I don’t think you will find people willing to take on these roles, knowing your win ratio vs adversaries has to be 100%.”

Arrington also suggested that governments might want to rethink their ‘know your customer’ (KYC) and anti-money laundering (AML) policies to reduce the amount of information lost via data breaches.

Regarding collecting KYC/AML data, Armstrong said, “We don’t want to collect it, and our customers hate it. We are being forced to collect it against our will.” Armstrong said he would like to see “a constitutional challenge to [Bank Secrecy Act]/AML laws, or congress decides to review it at some point.”

A much different take was offered by investor Adam Cochran, who suggested that Coinbase’s KYC/AML policies are the weak link in this chain. Cochran noted that the long list of personal data that Coinbase admitted had leaked included physical addresses and images of government IDs, aka “things you can’t change and things that put customers at physical risk. No element of KYC/AML policy requires this kind of stuff to be accessible to your customer support agents.”

Biometric brouhaha

Coinbase’s handling of sensitive customer data is the crux of a new class action suit filed in the U.S. District Court in the Northern District of Illinois. (The suit was filed on May 13, ahead of Coinbase’s deadline for steering all such suits through New York courts.)

The plaintiffs accuse Coinbase of violating the state’s Biometric Information Privacy Act (BIPA) through its “wholesale collection of faceprints.” Coinbase’s identity verification process utilizes facial recognition technology that requires customers to upload a ‘selfie’ photo and images of their government-issued ID.

The plaintiffs claim that Coinbase failed to inform customers that their biometric data was being “generated, collected, stored, and disclosed” to third-party verification vendors. They further claim that Coinbase failed to obtain prior written consent from their customers regarding the use of this data, nor did the exchange make public their biometric data policies.

While the suit doesn’t claim that any member of the class has suffered any direct damages from Coinbase’s use/misuse of their biometric data, they’re nonetheless seeking $5,000 for each ‘intentional and/or reckless’ violation, or $1,000 for every ‘negligent’ violation, plus injunctive relief and legal costs.

A similar suit was brought against Coinbase in 2023 in the Northern District of California but was dismissed this February after the parties agreed to settle their dispute via arbitration.
