Cryptocurrencies enjoy great popularity, and trading in Bitcoin and other currencies is steadily increasing. But this trade also harbours many risks and dangers. Cryptocurrencies are not only subject to considerable price fluctuations and therefore associated with significant risks of loss; the rising trade in cryptocurrencies also leads to increased fraudulent activities and hacker attacks. This year, the hacker attack on the crypto exchange Coinbase (the Coinbase hack), which is said to have taken place between March and May 2021, attracted a lot of attention.


How was Coinbase Hacked?

Coinbase is a trading platform for cryptocurrencies. Customers (including business clients) can buy and manage cryptocurrencies via their accounts at Coinbase. The balance in cryptocurrencies is stored and tracked in a so-called wallet.

At least 6,000 customers fell victim to the hacker attack on Coinbase. The total amount of damage caused by the Coinbase hack is not known. The hackers probably exploited a vulnerability in the SMS-based two-factor authentication. With two-factor authentication, the first step is to log in to the Coinbase account with a user name and password. Then a randomly generated code must be entered, which the account holder receives via SMS on his mobile device.

To access the Coinbase accounts, the hackers first obtained the account holder’s email address, password and phone number. They also needed access to the account holder’s email inbox. Coinbase itself assumes that the hackers obtained this data via phishing messages with Coinbase branding. The hackers could probably obtain the SMS token required for two-factor authentication due to a vulnerability in the account recovery process. For this reason, the affected individuals were asked to change the password for both their Coinbase account and their email account and to switch from SMS-based to more secure two-factor authentication options.

According to Coinbase, on the other hand, there is no evidence that the hackers obtained the information through the company itself.


Schlun & Elseven Rechtsanwälte advises both private and business clients on legal matters relating to cryptocurrencies. Our German criminal lawyers can be reached by phone, email and our contact form. We support our global clients on matters of cryptocurrency fraud. For further information about our services in German criminal law please visit our German Criminal Law Homepage.

Compensation of the Victims of the Coinbase Hack Attack

Because the hackers could exploit a vulnerability in Coinbase’s account recovery process, Coinbase has already announced its intention to fully replace the stolen cryptocurrencies. The amount of compensation announced is based on the value of the lost cryptocurrencies at the time of the attack. Given the considerable price fluctuations of cryptocurrencies, this can be unfortunate for affected investors. Others, on the other hand, might even profit.

If you have been affected by the Coinbase hack attack and have not yet received any feedback regarding your compensation, you can always contact our legal team. We will review your case and help you to claim compensation.


How does Coinbase Insure Cryptocurrencies?

The cryptocurrency assets of Coinbase account holders are insured against criminal acts. This insurance applies in particular to cases of theft or fraud. However, the insurance cover does not include any loss resulting from unauthorised access to the personal Coinbase account due to a security breach or loss of login data. In particular, it is the responsibility of the account holder to use a secure password and handle their login data conscientiously so that third parties cannot misuse the login data.


Due Diligence of the Account Holder and Liability of Coinbase

Concerning the security of the account at Coinbase, the User Agreement of Coinbase Germany regulates some duties of care of the account holder. Accordingly, the Account Holder is obliged to keep the electronic device through which he accesses his Coinbase Account secure at all times. The data required to access the account must also be sufficiently protected from access by third parties. Accordingly, all measures must be taken to prevent loss, theft or misuse.

According to the User Agreement, Coinbase is not responsible for any such losses that occur due to a compromise of the login data for which Coinbase is not responsible. This is because if unauthorised third parties obtain this data due to a lack of security precautions on the part of the account holder, Coinbase is not at fault for the resulting loss of assets.

Furthermore, Coinbase is not liable for damages caused by computer viruses or malware. Accordingly, the company recommends its customers regularly use virus-checking and defence software on their electronic devices to avoid corresponding damage. According to its user agreement, the company is also not liable for phishing and spoofing. In phishing, the perpetrator’s goal is to obtain the victim’s personal data through fake emails, links and websites. Spoofing is similar, with perpetrators posing as trusted people or devices to trick users into revealing personal information or performing other actions such as financial transactions. Such attacks often take place via SMS and email services. For this reason, Coinbase recommends that its users always carefully check messages purporting to come from Coinbase.


Liability for Defective Software

Since, in the present case, an unknown vulnerability in Coinbase’s account recovery process is believed to have been exploited, the question also arises as to who is liable for faulty software. If a flaw or vulnerability in the system is exploited, customers’ security measures to protect their accounts cannot prevent an attack.

The manufacturer of defective software is generally liable for any resulting user damage based on a contractual breach of duty (§ 280 BGB). In addition, there is also liability under the Product Liability Act, according to which, however, no pure financial losses are to be compensated. According to the Product Liability Act, the manufacturer is only liable for death, bodily injury and damage to privately used objects (§ 1 para. 1 ProdHaftG). Another basis for a claim is § 823 para. 1 BGB (German Civil Code) in connection with the principles of producer liability. Accordingly, the software manufacturer is generally liable for security gaps that existed when the software was put on the market. In addition, the manufacturer has a duty to monitor the product.

To avoid security gaps, software providers must provide security updates regularly. According to § 69c No. 2 UrhG, the rightsholder has the exclusive right to edit a programme protected by copyright and accordingly to correct errors. Feel free to contact our legal team should you have any questions concerning liability for software errors.


Cryptocurrencies and Cybercrime

Cybercrime involving cryptocurrencies has increased significantly in recent years. Some of the most common manifestations are identity fraud, infecting the computer with viruses and phishing. In this context, the offences of money laundering (§ 261 StGB), fraud (§ 263 StGB), computer fraud (§ 263a StGB) and spying on data (§ 202a StGB) are particularly relevant. For more information on this topic, see our page on cryptocurrency fraud. Let our criminal lawyers advise and support you if you suspect that you have fallen victim to fraud or any other criminal offence related to cryptocurrencies.


Legal advice from Schlun & Elseven

Schlun & Elseven Rechtsanwälte is available to you nationwide and is your reliable and competent partner for all legal questions regarding cryptocurrencies. As a full-service law firm, we can advise you in all related matters. If you have also suffered asset losses due to the Coinbase hack attack or other cryptocurrency hacks, our lawyers will help you enforce your claims for damages against your crypto exchange, for example.

Our law firm has offices in Aachen, Cologne and Düsseldorf as well as meeting rooms in Berlin, Frankfurt, Hamburg, Stuttgart and Munich and is ready to assist you with legal expertise. We work with clients worldwide on matters relating to cryptocurrencies. Give us a call or send us a message by email at info@se-legal.de or use our online form.