A recent data breach at Coinbase has reignited a broader discussion about the security trade-offs between centralized exchanges (CEXs) and decentralized finance (DeFi) protocols.
The breach has added to the pressure on the leading U.S. crypto exchange, which is also facing an SEC inquiry into whether it misreported its verified user numbers.
In a May 15 blog post titled “Protecting Our Customers – Standing Up to Extortionists,” Coinbase revealed that it had rejected a $20 million ransom demand after attackers, aided by bribed insiders, accessed private customer data. Instead of giving in to the extortion, Coinbase committed to fully compensating users who incurred financial losses from the subsequent phishing attacks.
Attackers obtained names, addresses, identification documents, and the last four digits of Social Security numbers. Coinbase said fewer than 1% of its monthly transacting users were affected and asserted that passwords, private keys, and customer funds were not compromised; the stolen personal data was instead used to impersonate Coinbase in phishing and social-engineering attacks against the affected customers.
Earlier this year, blockchain investigator ZachXBT reported that Coinbase users lose an estimated $300 million or more annually to social engineering scams, a figure that shows how heavily the platform's users are already targeted by the kind of impersonation attacks that stolen account data enables.
Although the centralized exchange has responded to the breach by dismissing the insiders involved and offering a $20 million reward for information leading to the attackers' arrest and conviction, the incident highlights the contrasting security models of centralized and decentralized systems.
The Risk of Centralized Weak Links
In a statement to The Defiant, David Carvalho, founder and CEO of Naoris Protocol, emphasized that the Coinbase incident once again illustrates how susceptible centralized systems and single points of failure are to cyberattacks. He noted that cybercriminals understand these vulnerabilities well and continue to refine their methods to exploit them.
Carvalho stressed that the issue will likely intensify over time and asserted that the only effective solution is to adopt decentralized security systems that eliminate single points of failure. He further emphasized the need to protect sensitive information and data through decentralized infrastructure rather than entrusting it to human intermediaries.
Phil Mataras, founder of the Arweave-powered permanent cloud network AR.IO, echoed Carvalho’s perspective and stated that incidents like these reveal deeper structural flaws rather than being mere misfortunes.
He explained that these incidents reveal how much crypto infrastructure still depends on centralized, opaque systems that replicate Web2 vulnerabilities. He added that concentrating trust and access in a single entity allows one mistake or insider threat to endanger the security of millions.
Mataras stated that broader security concerns stem from foundational system design rather than faster responses or thorough vetting. He emphasized the need to build systems that minimize trust by default—distributing control, promoting operational transparency, and ensuring essential data remains tamper-proof and preserved.
The Hidden Dangers of DeFi
Carvalho explained that DeFi platforms carry their own set of security vulnerabilities. He noted that many so-called “decentralized” exchanges remain reliant on centralized elements such as frontend interfaces hosted on conventional servers, APIs operating on corporate infrastructure, oracles retrieving data from centralized providers, and cross-chain bridges overseen by limited groups of developers.
He further noted that when these components fail—often in cases like bridge breaches and oracle tampering—the illusion of decentralization quickly collapses.
Carvalho stated that even if the blockchain layer is decentralized, centralization in the surrounding infrastructure stack remains, creating security gaps that advanced attackers can identify and exploit.
Patrick Young, head of Galxe, mentioned in a statement to The Defiant that although decentralized exchanges (DEXs) offer users greater control, they sometimes fail to provide strong identity protections, leaving them vulnerable to bots, sybil attacks, and front-running tactics.
Young stated that the industry needs to transform its approach to identity and verification across both centralized and decentralized models. He called for solutions that not only protect collected data but also enable platforms to verify legitimacy without compromising user privacy. He emphasized that the goal shouldn’t be choosing DEX over CEX, but ensuring both systems are built to be secure, compliant, and capable of earning user trust.
SEC Launches Regulatory Inquiry
Coinbase confirmed on Thursday that the U.S. Securities and Exchange Commission (SEC) had launched an investigation to determine whether the company had misrepresented its user statistics. The inquiry focuses on the reported figure of “verified users,” which Coinbase has stated exceeds 100 million.
According to data from Dune Analytics, Coinbase hosts approximately 167 million unique addresses, though an address count is not a count of distinct customers. A recent SEC filing reported that the platform had about 9.7 million monthly transacting users in the first quarter of 2025.
In a statement, Coinbase’s chief legal officer, Paul Grewal, explained that the investigation continues from the previous administration and concerns a metric the company has not reported for the past two and a half years, which it had fully disclosed to the public. He clarified that the “verified users” figure encompassed individuals who had verified either their email address or phone number with the platform, which may have resulted in an overstatement of the actual number of unique customers.
He added that, although he does not consider the continuation of the investigation necessary, Coinbase is fully cooperating with the SEC.
Reports earlier this week confirmed that Coinbase is set to be added to the S&P 500. Shortly after the announcement, its stock price rose despite the surrounding negative news. COIN is currently trading at approximately $264, marking a daily increase of around 8%.