Stock Falls as Exchange Confirms Data Breach and Regulatory Scrutiny Over “Verified Users” Claim
Coinbase shares fell sharply on May 15, closing 7% lower in after-hours trading at $244, as the exchange confirmed a cyberattack and acknowledged an ongoing investigation by the U.S. Securities and Exchange Commission (SEC) regarding past user metrics.
The stock dip came after a New York Times report revealed that the SEC has been investigating whether Coinbase misrepresented its user base during its 2021 IPO, particularly the claim that it had “100+ million verified users.”
Coinbase Confirms SEC Investigation Is Still Ongoing
The probe, which began under the Biden administration, has continued into the Trump administration, despite a broader regulatory shift toward more crypto-friendly policies.
“This is a hold-over investigation from the prior administration about a metric we stopped reporting two and a half years ago,” said Paul Grewal, Coinbase’s chief legal officer, in a statement to Cointelegraph.
Grewal emphasized that the exchange has long since replaced the “verified users” metric with the more relevant “monthly transacting users” (MTU) figure and continues to disclose MTUs in its filings.
“We strongly believe this investigation should not continue, but we remain committed to working with the SEC to bring this matter to a close,” Grewal added.
Coinbase has retained Davis Polk & Wardwell, a prominent U.S. law firm, to manage its response to the SEC inquiry.
Data Breach Leads to $20M Extortion Attempt
On the same day, Coinbase confirmed that it was the target of a cyberattack, which resulted in a $20 million extortion attempt by hackers who allegedly recruited rogue overseas support agents.
The attackers exploited insider access to steal user account data from a “small subset” of customers, the company said.
“These insiders abused their access to customer support systems,” Coinbase explained in a public statement.
Although Coinbase declined to pay the ransom, it committed to reimbursing affected users and estimated that remediation and reimbursement expenses could range from $180 million to $400 million.
SEC Enforcement Paused, But Probe Remains
Despite the Trump-era SEC dropping its 2023 enforcement lawsuit against Coinbase earlier this year, the ongoing user-metric investigation underscores how legacy regulatory actions continue to impact the exchange.
The SEC’s concern centers on Coinbase’s widely publicized “100+ million verified users” claim, which featured prominently in marketing and IPO materials at the time of the exchange’s public debut. Coinbase stopped reporting that metric in 2022.
Final Thoughts: Regulatory Hangovers and Cyber Risks Weigh on Sentiment
Coinbase’s double setback — regulatory scrutiny and cybersecurity breach — comes at a time when the company is otherwise enjoying momentum, including its pending inclusion in the S&P 500 and strong derivatives market expansion.
Still, the events have rattled investors, raising concerns about internal security vulnerabilities, regulatory unpredictability, and potential financial liabilities tied to the breach.
With Coinbase now facing up to $400 million in reimbursement costs, the exchange’s next moves — particularly in how it handles SEC cooperation and fortifies platform security — will be closely watched by the market.
