Last fall, scammers infiltrated social platforms like dating apps, WhatsApp, Facebook, and Twitter, attempting to convince people to download Coinbase Wallet. Once the targeted users downloaded the wallet, the scammer would then send links to fraudulent websites, prompting users to purchase a “voucher” that seemed like a safe transaction protected and facilitated by Coinbase’s trusted platform but was “actually a malicious smart contract.” Horrified users eventually discovered the smart contract gave “the scammers complete access to the entire funds in the victim’s wallets” without requiring authorizations to withdraw funds.
Today, nearly 100 people from all over the globe are seeking to make the publicly traded Coinbase pay for allegedly doing nothing to protect users. Users allege that Coinbase was unmoved by reports that scammers were draining accounts of tens or hundreds of thousands of dollars’ worth of cryptocurrency. In total, Coinbase Wallet users that are suing collectively lost $21 million.
For months, users allegedly warned the company of this seeming security flaw. Instead of acting to protect users, though, Coinbase “took no remedial steps to fix the security flaw or even warn customers about this major problem, despite warning customers about other security risks,” according to a recently filed arbitration demand. This allegedly allowed “hundreds” of additional users to become targets of “an easily preventable” liquidity mining pool scam.
“They didn’t even appear to try,” Eric Rosen, an attorney from Roche Freedman LLP, the law firm representing users, told The Washington Post. “Of course, scammers quickly picked up on this, and literally directed victims to download the Coinbase Wallet.”
Legitimate liquidity mining pools promise high returns to users who buy vouchers for small sums, making it enticing to those new to crypto, but for Coinbase Wallet users, “clicking on these innocuous-looking vouchers would record a single line of computer code granting the scammers permission to steal crypto deposited into an account, weeks or months later,” the Post reported.
This case is different from other crypto scams that prompt users to authorize fraudulent transactions. Claimants allege that Coinbase’s terms of use never warned of the risk, assuring users instead that only sharing a secret passcode could compromise an account.
Coinbase is a titan in the crypto world that regularly touts its security features, but the arbitration demand says that “scammers directed customers to the Coinbase Wallet because of its terrible security.” Rather than act on this information, Coinbase allegedly spent six months before taking any action to prevent more users from being scammed.
Coinbase’s response
Since first being threatened with legal action, Coinbase has changed its ways and now provides warnings to users when “a website is requesting permission to withdraw a huge sum of dollars from an account,” the Post reported. This type of warning was already customary on competitors’ products, like MetaMask and Trust Wallet.
“In our view, this is effectively an admission that Coinbase previously wasn’t doing enough to protect its customers,” Jordana Haviv, another Roche Freedman attorney for the claimants, told Ars.
In the coming weeks or possibly months, Haviv told Ars that an arbitrator would be selected, Coinbase would be provided an opportunity to respond to allegations, and then discovery would begin.
Users suing Coinbase hope that arbitration will end in the long-sought recovery of funds lost, which to some amounted to their entire life savings. They also want Coinbase to compile a list of all accounts hit by the scam.
Coinbase told Ars that its products already work to prevent liquidity mining scams.
“Coinbase is committed to protecting its customers from scams, fraud, and other crimes and has invested significant resources in protecting users against liquidity mining scams,” Coinbase spokesperson Lisa Johnson said in a statement provided to Ars.
The company seems to be maintaining that it’s not responsible for stolen cryptocurrency due to security flaws in its Wallet product—the same response it gave to users now suing when they reported the fraudulent activity.
“A customer’s activities on Coinbase Wallet, including managing the wallet’s private security keys and access to the wallet’s contents, are exclusively controlled by the customer, not Coinbase,” Johnson said. “That is why Coinbase provides customers with multiple product offerings, so they can choose the products that are best for them.”
https://arstechnica.com/?p=1890656