Coinbase Breach Exposes Crypto Security Gap as Exchange Users Lose Millions to SIM-Swap Attacks

The Artist’s Journey

Sean Everett, CEO of artificial intelligence startup Prome, makes a decision in March 2017 that seems prescient. He sells all his stocks—Apple, Amazon, everything—and pours the proceeds into Bitcoin and Ethereum through Coinbase, the San Francisco-based cryptocurrency exchange. The bet pays off almost immediately. As cryptocurrency prices rocket upward through the spring, Everett watches his portfolio multiply in value. By mid-May, he is sitting on a small fortune.

Then, on the evening of May 17, while walking his dog after 10 p.m., Everett receives a phone call from T-Mobile. The carrier wants to confirm that it is switching his phone number to a different device. It is a move Everett never requested. He pleads with the agent to block the switch, but it is already too late. Within five minutes, his cell service dies. Rushing to his computer, he watches a nightmare unfold in real time: email notifications flood his inbox as an attacker seizes control of his Gmail account, then his Coinbase wallet, using the hijacked phone number to bypass two-factor authentication. In two minutes, the thief cleans him out of thousands of dollars in cryptocurrency.

The loss stings doubly. In the weeks that follow, Ethereum quadruples to $400 and Bitcoin breaks $3,000 for the first time. “I’m not only still out my money, I also didn’t get the rise in price,” Everett tells Fortune in a June interview. His story, reported by Fortune on August 22, 2017, becomes a cautionary tale for an entire industry.

Collection Mechanics

The attack vector that fells Everett is deceptively simple: SIM swapping, also known as SIM hijacking or port-out fraud. An attacker calls a mobile carrier, impersonates the victim, and convinces the representative to transfer the victim’s phone number to a SIM card controlled by the attacker. Once the number is ported, the attacker receives all incoming calls and text messages—including the two-factor authentication codes that protect email accounts, cryptocurrency exchanges, and other sensitive services.

With the 2FA code in hand, the attacker resets the victim’s Gmail password, gains access to the email account, and then uses the email to reset the Coinbase password. The entire chain, from SIM swap to drained wallet, takes less than five minutes. The sophistication required is minimal—the attack relies on social engineering rather than technical hacking.

Coinbase itself has never been directly hacked. The exchange stores more than $3 billion in cryptocurrency for over 9 million customers and processes $25 billion in cumulative trading volume. Its security infrastructure is robust enough to earn a $1.6 billion valuation in its latest $100 million funding round, making it the blockchain industry’s first unicorn. Venture capitalist Fred Wilson compares Coinbase to “JPMorgan or Goldman Sachs for blockchain.” But the exchange’s individual users are vulnerable through the weakest link in their security chain: their mobile phone numbers.

Utility and Perks

The Fortune investigation on August 22 reveals that Everett’s case is not isolated. A growing number of Coinbase users report SIM-swap attacks throughout 2017, and the pattern is always the same: an attacker targets a known cryptocurrency holder, social-engineers their mobile carrier, and drains their exchange accounts before the victim can react. The attacks target individuals rather than the exchange itself, exploiting the gap between institutional-grade security and consumer-grade authentication.

Coinbase offers several security features designed to protect users: two-factor authentication via SMS or authenticator apps, multi-signature wallets, and the ability to disable SMS-based 2FA in favor of stronger methods. However, SMS-based 2FA remains the default for most users, and many never upgrade to more secure options. The convenience of receiving a text message with a login code comes at a steep cost when the underlying phone number can be stolen with a single phone call.

The exchange also provides insurance for funds stored in its hot wallets, but this protection does not extend to individual account takeovers. If an attacker logs in with legitimate credentials obtained through a SIM swap, the transaction appears authorized, and Coinbase’s insurance does not cover the loss. Users are left to pursue recourse through law enforcement, a process that yields little results in the anonymous world of cryptocurrency.

Secondary Market Action

The SIM-swap epidemic emerges against a backdrop of explosive market growth. On August 22, 2017, Bitcoin trades at $3,912 after a correction from its $4,400 high, while Ethereum holds at $310. Bitcoin Cash, barely three weeks old, recovers 15.6% to $696 after a sharp Monday selloff. XRP surges 45.3% in a single day. The total cryptocurrency market cap sits at $135 billion, nearly seven times its value at the start of the year.

This exponential growth creates a massive incentive for attackers. A cryptocurrency wallet that held a few hundred dollars in January contains thousands by August. The asymmetric nature of the crime—low technical barrier, high financial reward—attracts both opportunistic criminals and organized operations. Reports surface of attackers bribing mobile carrier employees to facilitate SIM swaps, turning insider access into a criminal commodity.

The secondary effect ripples through the market. As stories of theft proliferate, they undermine confidence in cryptocurrency as a store of value. If the safest exchange cannot protect its users from a phone call, mainstream adoption faces a significant psychological barrier. Institutional investors, already wary of cryptocurrency’s volatility, cite security concerns as a primary reason for staying on the sidelines.

Final Verdict

The Coinbase breach stories of August 2017 expose a fundamental tension in cryptocurrency security: the technology is designed to eliminate intermediaries, but the human layer remains the weakest link. Blockchain itself is immutable and trustless. The smart contracts governing token transfers execute flawlessly. But the path from human intent to blockchain transaction passes through email accounts, phone numbers, and SMS messages—systems that were never designed for financial security.

The solution, already advocated by security experts in 2017, is straightforward: hardware-based two-factor authentication, multi-signature wallets, and the elimination of SMS as a second factor. Coinbase will eventually push users toward stronger authentication methods, and the broader industry will adopt hardware security keys as standard practice. But the transition is slow, and in the meantime, users like Sean Everett bear the cost.

The lesson extends beyond individual security practices. The August 2017 SIM-swap wave demonstrates that cryptocurrency adoption requires not just better blockchain technology, but better security infrastructure around the human-computer interface. Exchanges must design systems that protect users from their own security choices, not just from external threats. The next generation of cryptocurrency platforms must build security that assumes the weakest link will fail—because it always does.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Cryptocurrency investments carry significant risk. Always conduct your own research and use hardware-based authentication where available.