For Tanja Vidovic, it was a moment of panic: She had received a series of alerts about someone changing access to her cryptocurrency account. And she realized, as she stared at her computer screen, that nearly all of her $168,000 in holdings was gone — vanished before her eyes.
She was stunned.
Nearly four months have passed, and it has yet to sink in, she said.
Tanja and Jared Vidovic jumped into cryptocurrency investing in 2017 and watched their funds nearly quadruple over four years.
The Vidovics used Coinbase, the country’s largest cryptocurrency exchange, for their plunge into the virtual currency. On exchanges such as Coinbase, users can deposit U.S. dollars and trade them for cryptocurrencies, such as bitcoin and ethereum, which the couple purchased.
“I looked into Coinbase, and it seemed like it was one that everybody used and trusted,” Tanja said.
The growing investment was a welcome boon for the Safety Harbor, Florida, couple and their three children. But in late April, Tanja, a firefighter, opened her computer to a barrage of security alerts and password change notifications.
“I signed onto the crypto. And I said, ‘It’s gone,’” Tanja said.
The Vidovics said they tried to contact Coinbase but they couldn’t get anybody on the phone.
Interviews with Coinbase customers around the country and a review of thousands of complaints reveal a pattern of account takeovers, where users see money suddenly vanish from their account, followed by poor customer service from Coinbase that made those users feel angry and left hanging.
Making the issue even worse, cryptocurrency transactions cannot be reversed, according to the FBI. Experts say once criminals access an account, funds can be drained in minutes.
Coinbase, which went public in April, has a market cap of about $65 billion, has more than 68 million users in 100-plus countries, more than 2,100 full-time employees and $223 billion in held assets, according to the company.
“Hopefully, Coinbase going public and having its direct listing is going to be viewed as kind of a landmark moment for the crypto space,” CEO Brian Armstrong told CNBC in April, when the company went public. “People no longer need to be scared of it like in the early days.”
While the cryptocurrency exchange company has grown rapidly, complaints have continued to arise. Since 2016, Coinbase users have filed more than 11,000 complaints against Coinbase with the Federal Trade Commission and Consumer Financial Protection Bureau, mostly related to customer service.
Former employees told CNBC the company’s customer service practices shifted over time, with representatives struggling to keep up with demand.
The Vidovics’ account had risen to $168,596 on April 28 when the hacking occurred, according to account statements the Vidovics shared with CNBC. That amount was essentially wiped out, with only a $587.15 balance shown the next day.
Like the Vidovics, Ben, a Virginia resident who asked that his last name be withheld, said he saw thousands of dollars vanish. He logged onto his Coinbase app in March, verifying his identity with two-factor authentication, but over a four-minute stretch almost $35,000 in various coins disappeared from his account, he said.
In a response to his frantic email, Coinbase told Ben his computer had been hacked and there wasn’t anything the company could do.
“I really am baffled,” he said. “It just seems to me that Coinbase did absolutely zero research and just said, ‘Hey, yeah, sorry.’”
The CFPB responded to one of Ben’s ensuing complaints with an answer from Coinbase’s Regulatory Response Team. The email noted that transactions on the blockchain are irrevocable and said Coinbase’s insurance policy does not cover theft from individual accounts.
“There is no credible or supportable evidence that the compromise of your login credentials was the fault of Coinbase,” the message said. “As a result, Coinbase is unable to reimburse you for your alleged losses.”
Eventually, the company sent a $200 credit, telling Ben, “your Coinbase experience and your wait for a response to your formal complaint was not up to our standards.”
Experts say SIM swapping, where fraudsters seize control of a victim’s phone number and SIM card through their phone company, is to blame for many of the cryptocurrency thefts.
“The problem with SIM swapping and cryptocurrency is the moment you lose access to your cell phone, professional hackers will steal all of your money in less than 30 minutes,” said David Silver, an attorney who focuses on cryptocurrency.
Silver, whose firm represents the Vidovics, said the top complaints from potential clients are getting locked out of their cryptocurrency exchange platform account and SIM swaps.
“Most people who contact me would tell you it’s poor customer service,” Silver said. “They’re being almost victimized twice. Because they themselves have almost no ability to contact Coinbase and deal with them directly, they’re forced to retain professionals.”
Etay Maor, senior director of security strategy for cybersecurity company Cato Networks, said he’s seen cybercriminals on the dark web discussing how to break into accounts, including those of Coinbase users.
Once hackers break into Coinbase accounts, they put them up for sale on the dark web, according to Maor. He said while credit cards sell for a few dollars, hacked Coinbase accounts can sell for $100 to $150.
“These exchanges have to invest heavily, invest in security if they want to take it seriously, just like the banks have done and have learned the hard way,” Maor said.
Account takeovers are on law enforcement’s radar.
“When the attacker withdraws those funds from the exchange, that’s not a transaction that you can take back,” Ali Comolli, a management and program analyst at the FBI, told CNBC.
Comolli said the FBI tries to help victims of account takeovers recover their stolen money.
“It’s obviously a huge impact on the victims, which is incredibly difficult for them,” Comolli said.
After a review of Coinbase’s complaints, the Better Business Bureau in March determined the company has a “pattern of complaints from customers who state they are locked out of their accounts, even after providing required information or updates.” The organization has received 1,128 complaints in the past three years, according to its website.
BBB said it sent a letter to Coinbase in order to address the customers’ complaints and receive feedback from any implemented improvements.
The group has “not heard a response from this business, about the situation, pattern of complaints for the last three years,” Alma Galvan, a marketing and communication manager with the organization, said in an email to CNBC.
Some customers with lost funds turn to social media to seek help from Coinbase or find community with other disgruntled users. Members of a 941-person Facebook group called “Coinbase Corruption/Scandal Awareness Group” update the page with their struggles to recoup money and accounts.
One poster referred to the group as a “sad party,” and several have brainstormed new places to report their complaints and new methods to pressure Coinbase into making them whole.
Complaints abound on Reddit and Twitter as well, where the company’s support accounts often publicly reply to the messages, sometimes writing that they have “escalated” the issue to an appropriate team.
The Coinbase Support account on Twitter also posts live updates about changes and temporary errors on the exchange platform.
Struggling to keep pace
As the company has scaled into its massive size, customer service practices have changed, former Coinbase employees told CNBC.
In Coinbase’s early years, employees spoke with customers through a live help chat.
Jason Rose, who worked part-time in customer service at Coinbase from 2014 until 2016, said many customers asked for reassurance about cryptocurrency.
“They need that touch of somebody being there while they’re going through this complex transaction,” he said.
When Rose worked at Coinbase, he said live chat acted as a sort of “release valve” for complaints, particularly helpful in moments of crypto volatility.
As the company grew, Rose said, his role changed. Coinbase started a repository of answers to frequently asked questions in order to automate its customer service.
Rose said when he left in 2016 Coinbase was starting to phase out live chat.
“The decision to do that was disastrous because the time that it took to respond back to emails took a lot longer than it would for a live chat. So, we went back to the email box, taking five days to complete a problem that could have been solved in a few minutes,” he said.
Jacques Reulet also fielded customer issues and said it was hard to keep up.
“We were very diligent about making sure that everyone who wrote in got a response, but things were getting a little unresponsive towards the end [of my time there],” said Reulet, who worked in operations and compliance at Coinbase from 2014 to 2015. “The sheer scale at which the company was growing was a lot to handle. I didn’t see that we were keeping up.”
On Jan. 15, Coinbase acknowledged that many new and existing customers are experiencing delays in their response time.
“We recognize this is frustrating. This is not the experience we want for you, our customers,” said Casper Sorensen, vice president of customer experience, in a blog post.
A July blog post announced the company’s intent to roll out live chat messaging and phone support this year, as well as to expand its customer support team.
The customer service issue also came up on an earnings call earlier this month.
“So proud to report that we are doing much better [with customer service], but there’s always more to do,” said CEO Armstrong. “We’ve increased the headcount five times or so since January, beginning of this year, working on support specifically.”
Coinbase, which declined repeated requests from CNBC for an on-camera interview, instead said in an email, “Over the years, we’ve consistently updated our customer support offerings to help us scale. In early 2020, we moved to email as our primary channel of support. Many of our customer inquiries require our agents to conduct a significant amount of research to resolve the issue. And, to avoid long wait times, communicating asynchronously via email was the preferred method. However, we recognize that customers want real-time support, and that’s why we’re rolling out phone support for ATOs this month and live messaging for all customers later this year.”
Asked about the number of customer service complaints, the company said: “Over the past several years, our customer base grew exponentially. We grew from 43+ million users at the end of 2020 to 68+ million registered users, as of June 30, 2021. Through all this growth, some of our customers unfortunately experienced challenges and delays reaching our support team, which resulted in a negative impact for some of our customers. Improving our customer experience remains a top priority for Coinbase.”
The company would not disclose how many customers’ accounts have been taken over by fraudsters or the total amount it has refunded customers as a result of hacks.
It added that since customers have a two-factor authentication, at the minimum, to access their accounts, only “a small number (less than .01 percent) of our customers have been impacted by account takeovers.”
Marci Preble, a California-based marketer, said Coinbase did credit her account the approximate amount of her original investment. But she said that was after months of a nightmare of what seemed like endless emails.
Preble had saved enough money to take the plunge into bitcoin and ethereum earlier this year, investing about $8,000. By April, her investment had grown to $12,000.
But one day that month, when she was trying to buy more crypto, it all started disappearing, she said.
“In front of my eyes, it went to $800,” she said. Suspected fraudsters were able to somehow gain access to her account.
To this day, she said she still has no idea how they did it.
“Horrifying. And all I think could think is, ‘Wow, shouldn’t there be a better firewall?’”
Like the Vidovics, Preble said she never spoke to a human — just email after email.
Then, suddenly in August, she regained access to her account. There was just $502 left in it.
But to her shock, the next day, she received an email from the company informing her that it had transferred $6,583 in ALGO coin.
“My question is how can a publicly traded company on the New York Stock Exchange be doing this to customers? How can they not have a customer service dedicated line worldwide?” Preble said.
Tanja and Jared Vidovic said they have not been able to recover their stolen funds.
After CNBC inquired about what happened to the couple, Coinbase sent Tanja an email on Aug. 20 that said the company “does not have the ability to reverse crypto transfers sent off our platform. Unlike traditional banks or credit card companies, once crypto currency transfers are confirmed on the blockchain, they are permanent.”
“Because this attack was not the result of a breach of Coinbase security or our systems, we cannot reimburse you for this loss. This attack was only possible because the attacker had prior access to your email account and access to your 2-factor authentication codes (meaning they had access to your phone number through a SIM swap) before they attempted to access your Coinbase account,” the email said.
Jared, a nurse, said he knew a hack was possible. “But you don’t think it’s going to happen to you. You think that as long as you’re careful with your password, you don’t have a virus on your computer.”
If you think you are the victim of an account takeover, the FBI asks that you report it to your local FBI office or the Internet Crime Complaint Center at IC3.gov.