Last fall, scammers infiltrated social platforms such as dating apps, WhatsApp, Facebook and Twitter, trying to convince people to download Coinbase Wallet. Once the intended users downloaded the wallet, the scammer then sent links to fraudulent websites, forcing users to purchase a “voucher” that looked like a secure transaction protected and facilitated by Coinbase’s trusted platform, but that “actually represents a malicious smart contract”. Shocked users eventually discovered that the smart contract “gave the scammers full access to the entire money in the victim’s wallet” without permission to withdraw funds.
Today, nearly 100 people from around the world are trying to make publicly traded Coinbase pay for allegedly doing nothing to protect users. Users claimed Coinbase was unimpressed by reports of scammers draining accounts of tens or hundreds of thousands of dollars worth of cryptocurrency. In total, Coinbase Wallet users filing a lawsuit have collectively lost $21 million.
For months, users allegedly warned the company about this apparent security flaw. Rather than act to protect users, Coinbase has “not taken corrective action to fix the security flaw or even warn customers about this major problem, despite warning customers about other security risks,” according to a recently filed arbitration claim. . As a result, “hundreds” of additional users could become the target of “an easily prevented” liquidity mining pool scam.
“They didn’t even seem to try,” Eric Rosen, an attorney for Roche Freedman LLP, the law firm that represents users, told The Washington Post. “Of course, scammers quickly picked up on this and literally ordered victims to download the Coinbase wallet.”
Legitimate liquidity mining pools promise high returns to users who buy vouchers for small amounts, making it attractive to those new to crypto, but for Coinbase Wallet users, “clicking on these innocent-looking vouchers would pick up a single line of computer code that the scammers permits permission to steal crypto deposited into an account weeks or months later,” the Post reported.
This case is different from other crypto scams that push users to approve fraudulent transactions. Plaintiffs allege that Coinbase’s terms of use never warned of the risk, instead reassuring users that only sharing a secret passcode could compromise an account.
Coinbase is a titan in the crypto world that regularly touts its security features, but the arbitration claim says that “scammers have been leading customers to Coinbase’s wallet because of its terrible security.” Rather than act on this information, Coinbase would have spent six months before taking action to prevent more users from being scammed.
Response from Coinbase
Since Coinbase was first threatened with legal action, it has changed its practices and now warns users when “a website requests permission to withdraw a huge sum of dollars from an account,” the Post reported. This type of warning was already common on Coinbase Wallet’s competitor products such as MetaMask and Trust Wallet.
“In our view, this is basically an admission that Coinbase has not done enough to protect its customers before,” Jordana Haviv, another Roche Freedman attorney for the plaintiffs, told Ars.
Over the next few weeks or possibly months, Haviv told Ars that an arbitrator would be selected, Coinbase would have a chance to respond to allegations, and then the discovery would begin.
Users suing Coinbase hope arbitrage will end in the long-sought recovery of lost money, which for some amounted to their entire savings. They also want Coinbase to compile a list of all accounts affected by the scam.
Coinbase told Ars that its products are already working to prevent liquidity mining scams.
“Coinbase is committed to protecting its customers from scams, fraud and other crimes and has invested significant resources in protecting users from liquidity mining scams,” Coinbase spokesperson Lisa Johnson said in a statement to Ars.
The company appears to be claiming it is not responsible for stolen cryptocurrency due to security flaws in its Wallet product — the same response it gave to users who are now filing charges when they reported the fraudulent activity.
“A customer’s activities on Coinbase Wallet, including managing the wallet’s private security keys and accessing the wallet’s contents, are controlled exclusively by the customer, not Coinbase,” Johnson said. “That’s why Coinbase offers customers multiple product offerings so they can choose the products that best suit them.”
