- Coinbase has denied that it is responsible for a customer losing $96,000 after a security breach
- Jared Ferguson brought a lawsuit against the exchange after he lost his funds in a SIM swap attack
- Coinbase says it isn’t responsible for processing the unauthorized withdrawal
Coinbase has denied that it is responsible for a $96,000 loss suffered by a customer following a SIM swap attack. Jared Ferguson from Staten Island, New York, lost what almost amounted to his life savings in May last year when hackers managed to compromise his device and withdraw the funds from his Coinbase account. On Monday he sued Coinbase over the processing of the unauthorized withdrawal, which was protected by a compromised two-factor authentication feature on the device, after the company argued that it can’t be held responsible for acts carried out on third-party devices.
Coinbase Washes it Hands
Ferguson alleges that in May 2022 he received a text message from his mobile carrier notifying him of a SIM card change request that he had not initiated. Following this, he restored service to his phone with a new SIM card, only to discover the loss of $96,000 worth of cryptocurrencies from his Coinbase account. He contacted Coinbase, who informed him that the security of passwords and two-factor authentication codes were his responsibility, not theirs.
Part of the allegation centers around the suggestion that Coinbase’s security procedure doesn’t include flagging and holding “obviously fraudulent and unauthorized transactions.” This, Ferguson says, should have been obvious in his case, seeing as his account was drained in less than eight hours from a new device, immediately after his password was reset and from an IP address not previously associated with his account.
Ferguson Files Lawsuit
Ferguson filed a suit in New York on Monday using these arguments, suggesting that under state and federal laws Coinbase should be held responsible for the unauthorized withdrawals. Coinbase has yet to respond to the lawsuit, but it can be expected to reinforce its argument that it can’t be held responsible for actions taken against users’ devices, only its own servers.