On May 15, 2025, Coinbase disclosed that bribed overseas support agents had stolen customer data — including government-issued IDs, names, addresses, and partial Social Security numbers — affecting approximately 70,000 users. The estimated cost: between $180 million and $400 million.

This wasn’t a technical exploit. Nobody hacked the database. Nobody found a zero-day. The attackers paid people who already had legitimate access to it, and the KYC data that was supposed to protect users became the weapon used against them. The database was the breach.

The attack chain

Understanding why this breach was so devastating requires mapping the sequence of events from insider theft to stolen funds. Step by step:

  • Insider theft: bribed support agents export customer records, including names, addresses, government-issued IDs, and partial SSNs.
  • Targeting: the attacker contacts the victim posing as Coinbase support and recites those details as proof that the call is legitimate.
  • Credential capture: the victim, convinced, reads back the 2FA code, and with it the attacker passes the login check.
  • Cash-out: the attacker now holds a session the platform treats as trusted, and the withdrawal goes through.

At the last step the attacker has the victim’s name, address, government ID, SSN, a live session, and the 2FA code. They have everything except the one thing that can’t be stolen, forwarded, or faked in real time: the victim’s physical face in front of a camera at that exact moment.

Stolen KYC data can impersonate an identity. It can’t impersonate a face in real-time.

Why onboarding KYC failed

Onboarding identity verification creates a single point of failure: a static record that, once stolen, can be reused indefinitely. A password can be rotated after a breach; a government ID number, a date of birth, and a home address cannot.

This reveals the fundamental limitation of verify-once-at-signup: it proves who someone was when they signed up. It doesn’t prove who is operating the account right now.

The verification gap in most financial platforms looks like this:

  • At signup: KYC — identity verified once, documents collected, stored forever
  • At login: 2FA — proves that a phone, token, or secret is present, not that a specific human is
  • At the transaction: Nothing. The session is “trusted.” The money moves.

The Coinbase breach exploited the gap between “at login” and “at the transaction.” Every check before the transaction was compromised. The only check that matters — verifying the human at the moment money moves — didn’t exist.

Why 2FA didn’t help

SMS and authenticator-app codes prove possession of a phone or a seed, not a person, and possession is transferable: a code read aloud to a caller is a perfectly valid code. SIM swaps, seed theft, and social engineering all defeat code-based 2FA for the same reason; it was never designed to verify the human, only a factor the attacker can obtain. Phishing-resistant factors such as FIDO2 security keys close the read-aloud hole, but they still answer the same question, whether the enrolled device is present, not whether the account’s owner is the one moving the money.

The stolen KYC data made the social engineering trivially easy. An attacker who knows your government ID number, home address, and date of birth is indistinguishable from “Coinbase support verifying your identity.”

The economics of prevention

Coinbase estimated the breach cost at $180-400 million. The 70,000 affected users represent approximately 0.06% of Coinbase’s user base. The damage was disproportionate because each compromised account could be drained fully before detection.

At , adding biometric step-up verification to every withdrawal above $1,000 for Coinbase’s entire user base would cost a fraction of a single day’s trading fees. Even at millions of verifications per month, the cost is orders of magnitude less than one breach.

The ROI calculation isn’t 2x or 10x. It’s asymmetric — the cost of prevention is negligible compared to the cost of a single successful attack.

What the JWT proves

If Coinbase had biometric step-up verification on withdrawals, the attacker’s session would have hit a wall at the withdrawal step. The API would return:

{
  "match": false,
  "rejection_reason": "face_mismatch",
  "confidence": 0.12,
  "liveness_score": 0.00,
  "action_attempted": "withdraw_47500_usdc",
  "verified_at": "2025-05-15T03:22:14Z",
  "capture_hash": "7f2a..."
}

Carried in the signed JWT, that response is a timestamped, tamper-evident record of a failed impersonation attempt: the exact action that was blocked, the confidence score showing the face didn’t match, a liveness score of zero indicating the capture did not pass as a live person, and the timestamp for the security team to investigate. The signature earns its keep only if the withdrawal service checks it, together with the action binding and the age of verified_at, before the session is allowed to proceed; a verdict that is merely logged stops nothing.

Instead of a $400 million loss, Coinbase would have a log of blocked withdrawal attempts and a list of compromised accounts to lock down proactively.
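Here is what the gate between “at login” and “at the transaction” looks like when it is actually enforced in code, tying together the verification gap described above and the verdict shown in this section. This is an added example written for this article, not Coinbase’s or Lorica’s code: the face comparison itself is out of scope and is modelled as an issuer that signs a verdict, the claim names follow the JSON above, and the HS256 JWT format, the shared signing key, the two-minute freshness window, the 0.9 liveness threshold, and the scenario data are all assumptions.

```python
"""Action-bound step-up gate in front of a withdrawal endpoint: an added example,
not Coinbase's or Lorica's code. The face/liveness comparison is out of scope and
is modelled as an issuer that signs a verdict token whose claim names follow the
verdict in the article. Token format, key, window and threshold are assumptions."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

SIGNING_KEY = b"assumed-shared-secret-between-verifier-and-withdrawal-service"
MAX_VERDICT_AGE_S = 120   # assumed: a verdict is spent or stale within two minutes
MIN_LIVENESS = 0.9        # assumed: below this the capture is not treated as live


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def iso_to_epoch(stamp: str) -> float:
    # Parses the article's timestamp format, e.g. 2025-05-15T03:22:14Z
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def action_id(kind: str, amount: int, asset: str) -> str:
    # Canonical action string the verdict is bound to, e.g. withdraw_47500_usdc
    return f"{kind}_{amount}_{asset.lower()}"

def issue_verdict(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Issuer side: sign the verdict claims as a compact HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class WithdrawalGate:
    """Relying-party side. Login and 2FA get a request *to* authorize(), never past it."""

    def __init__(self, key: bytes = SIGNING_KEY, now=None):
        self.key = key
        self.now = now or (lambda: datetime.now(timezone.utc).timestamp())
        self.spent_captures = set()   # capture_hash values already used once

    def _decode(self, token: str):
        try:   # verify the signature before trusting a single claim
            header, body, sig = token.split(".")
            if json.loads(_b64url_decode(header)).get("alg") != "HS256":
                return None, "unexpected_alg"   # refuse alg=none and friends
            expected = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(sig)):
                return None, "bad_signature"
            return json.loads(_b64url_decode(body)), "ok"
        except (ValueError, UnicodeDecodeError):
            return None, "malformed_token"

    def authorize(self, amount: int, asset: str, verdict_token):
        """Return (allowed, reason) for a withdrawal of `amount` `asset`."""
        if verdict_token is None:
            return False, "step_up_required"
        claims, status = self._decode(verdict_token)
        if claims is None:
            return False, status
        # 1. The live face must match the enrolled one and the capture must be live.
        if not claims.get("match") or claims.get("liveness_score", 0.0) < MIN_LIVENESS:
            return False, claims.get("rejection_reason", "face_mismatch")
        # 2. Bound to this exact action: a verdict for a small test withdrawal
        #    cannot be reused to drain the account.
        if claims.get("action_attempted") != action_id("withdraw", amount, asset):
            return False, "action_mismatch"
        # 3. Fresh: stored KYC is months old, a verdict is worth minutes.
        age = self.now() - iso_to_epoch(claims["verified_at"])
        if age < 0 or age > MAX_VERDICT_AGE_S:
            return False, "stale_verdict"
        # 4. Single-use: the capture hash is spent on first success.
        if claims["capture_hash"] in self.spent_captures:
            return False, "replayed_verdict"
        self.spent_captures.add(claims["capture_hash"])
        return True, "ok"


def run_scenarios() -> dict:
    """Constructed scenarios around the article's 47,500 USDC withdrawal, on a fixed clock."""
    now = iso_to_epoch("2025-05-15T03:22:44Z")   # 30 s after the article's verdict
    gate = WithdrawalGate(now=lambda: now)
    good = {"match": True, "liveness_score": 0.98, "action_attempted": "withdraw_47500_usdc",
            "verified_at": "2025-05-15T03:22:14Z", "capture_hash": "7f2a"}
    bad = {**good, "match": False, "rejection_reason": "face_mismatch", "confidence": 0.12,
           "liveness_score": 0.0, "capture_hash": "9c01"}
    def attempt(token): return gate.authorize(47500, "USDC", token)
    return {
        "session_and_2fa_only": attempt(None),
        "impersonator": attempt(issue_verdict(bad)),
        "forged_token": attempt(issue_verdict(good, key=b"wrong-key")),
        "wrong_action": attempt(issue_verdict({**good, "action_attempted": "withdraw_10_usdc"})),
        "stale": attempt(issue_verdict({**good, "verified_at": "2025-05-15T03:00:00Z"})),
        "genuine": attempt(issue_verdict(good)),
        "replayed": attempt(issue_verdict(good)),
    }


if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=1))
```

The scenarios follow the attack chain: a session that has already passed login and 2FA is stopped with "step_up_required"; the impersonator’s verdict is refused with "face_mismatch"; a verdict bound to a smaller test withdrawal, a verdict older than the window, a token signed with the wrong key, and a replay of a genuine verdict are each rejected with their own reason. Only a fresh, action-bound, single-use verdict lets the money move, and every denial leaves the signed verdict behind for the security team.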

The lesson

Coinbase’s defenses didn’t fail because of bad technology. They failed because of a structural assumption: that verifying identity once at signup is sufficient for the lifetime of the account. When the onboarding data itself is compromised, every downstream action that depends on that data is exposed.

Step-up biometric verification breaks this dependency. It doesn’t rely on stored data from months ago. It verifies the human in real time, at the moment the action occurs, and issues a signed proof that can’t be forged from stolen records. The liveness check is doing real work in that proof: a replayed photo or an injected video stream is the attacker’s obvious next move once the face becomes the gate, which is why the verdict carries a liveness score beside the match.

KYC tells you who signed up. Lorica tells you who is here right now.