SEC Probes Coinbase Over Historic User Data Reporting
Cryptocurrency giant Coinbase has confirmed that the U.S. Securities and Exchange Commission (SEC) is investigating how the company previously reported its user metrics. The disclosure came Thursday, May 15, as the exchange also revealed it was addressing the aftermath of a significant customer data breach.
According to Bloomberg, the SEC is focusing on whether Coinbase may have overstated the number of unique users in earlier public filings. The metric in question, however, has not been used by the company for over two years.
“This is a holdover investigation from the prior administration about a metric we stopped reporting two and a half years ago, which was fully disclosed to the public,” said Paul Grewal, Coinbase’s Chief Legal Officer. “While we strongly believe this investigation should not continue, we remain committed to working with the SEC to bring this matter to a close.”
Reached for comment, an SEC spokesperson declined to address the matter.
The probe adds another chapter to the evolving and often contentious relationship between Coinbase and the U.S. securities regulator. While this current investigation centers on historical data reporting, the company has faced other regulatory battles with the agency, some of which have recently been resolved.
Regulatory Tensions and Recent Dismissals
In June 2023, the SEC filed a lawsuit against Coinbase, alleging that the exchange was functioning as an unregistered securities exchange, broker, and clearing agency. The agency accused Coinbase of violating securities laws by integrating these services without registering them with the SEC, a requirement under U.S. financial regulations.
However, in February 2024, the SEC unexpectedly dismissed the lawsuit, part of a broader apparent shift in its enforcement strategy toward the crypto sector. On February 28, it was reported that the commission had dropped or paused at least eight cases against cryptocurrency firms in the preceding month.
At the time, Grewal took to X (formerly Twitter) to acknowledge the development, writing, “We thank the new leadership and staff at @SECGov. Common sense, once again, is not so common.”
The current investigation into Coinbase’s past reporting practices is reportedly a remnant from the tenure of the SEC’s previous leadership, suggesting it may predate some of the recent strategic shifts.
Breach and Extortion Threaten User Trust
Coinbase’s regulatory disclosures coincided with a separate crisis involving a serious data breach. The company revealed on the same day that it is reimbursing affected users following an internal security compromise that enabled cybercriminals to stage an extortion scheme.
According to Coinbase, the attackers managed to exploit “a small group” of insiders, convincing them to copy sensitive customer information from the company’s support tools. The breach affected fewer than 1% of the platform’s monthly transacting users, but it allowed the hackers to impersonate Coinbase employees and contact customers directly in an attempt to steal cryptocurrency.
The company stated that it had fired the employees involved, referred them to law enforcement, and taken steps to strengthen internal safeguards. “We fired the compromised employees, referred them to law enforcement, will reimburse customers who were tricked into sending funds to the attacker, and are adding new customer safeguards,” Coinbase said.
The dual announcement—addressing both a federal investigation and an internal breach—reflects the ongoing challenges facing the San Francisco-based company as it seeks to maintain trust and transparency in a volatile industry.
Balancing Growth and Oversight
As one of the largest and most recognizable cryptocurrency exchanges in the world, Coinbase has become a bellwether for how digital asset companies navigate increasing regulatory pressure in the United States. The SEC’s continued scrutiny of past disclosures underscores the lingering uncertainty in the regulatory landscape for crypto firms, even as the industry begins to mature and more institutional players enter the market.
At the same time, the recent data breach highlights the vulnerabilities that can arise even in well-established platforms—particularly when internal access is abused. Coinbase’s swift response, including employee terminations and user reimbursements, signals a proactive stance, but it may not be enough to quell broader concerns about security and governance.
With regulators still evaluating the framework under which crypto firms should operate and with public trust on the line, Coinbase finds itself once again at the intersection of innovation, compliance, and crisis management.
