Key Insights
- Coinbase sued for alleged biometric privacy violations under Illinois BIPA law.
- Data breach triggered $20M extortion attempt and user lawsuits nationwide.
- Over 10,000 arbitration demands filed amid rising user frustration and backlash.
Coinbase faced a mounting legal crisis after fresh lawsuits targeted its biometric practices and recent data breach disclosure.
On May 13, three Illinois residents—Scott Bernstein, Gina Greeder, and James Lonergan—filed a class-action lawsuit accusing the exchange of violating the state’s Biometric Information Privacy Act (BIPA). The group claimed Coinbase failed to inform users that its Know Your Customer (KYC) process included collecting biometric identifiers through facial recognition technology.
The plaintiffs alleged that Coinbase’s identity verification, which requires uploading a government-issued ID and a selfie, uses third-party software to extract facial geometry. They argued that this amounts to “wholesale collection” of faceprints without proper disclosure or written consent.
Coinbase Sued Over Facial Recognition, Biometric Violations
On May 13, Illinois residents Scott Bernstein, Gina Greeder, and James Lonergan sued COINBASE in federal court. They alleged the company violated the Biometric Information Privacy Act (BIPA) by collecting facial data without user consent.
The complaint stated that Coinbase’s identity verification process involved facial geometry extraction using third-party software. Users reportedly uploaded a selfie and ID, unaware that biometric data would be captured and stored.
The lawsuit named Jumio, Onfido, Au10tix, and Solaris as companies receiving COINBASE user data. Plaintiffs said no clear disclosure or retention policy was provided, violating Illinois law.
“Coinbase does not publicly provide a retention schedule or destruction policy for biometric identifiers,” the filing stated.
Over 10,000 arbitration demands have reportedly been filed with the American Arbitration Association. Plaintiffs claimed COINBASE refused to pay arbitration fees, leading to automatic dismissals.
Data Breach Fallout Triggers Second Round of Lawsuits
The Illinois lawsuit came just two days before Coinbase disclosed a separate breach involving bribed employees and a $20 million extortion attempt.
According to a May 15 disclosure, cybercriminals bribed several Coinbase customer service agents to access internal systems. The attackers reportedly stole user data including names, email addresses, Social Security numbers, driver’s license details, and partial banking information.
Users are suing Coinbase, alleging the exchange failed to protect their sensitive data. Source: PACER
Following this disclosure, at least six separate lawsuits were filed between May 15 and May 16. Plaintiffs argued Coinbase failed to protect sensitive information and responded inadequately to the breach.
One complaint, filed by plaintiff Paul Bender in New York, accused Coinbase of not “implementing and maintaining reasonable security safeguards.” Bender’s suit described Coinbase’s response as “inadequate, fragmented, and delayed,” claiming that affected users were not promptly informed or offered proper support.
Calls for Audits, Data Deletion, and Accountability
A fifth lawsuit filed in California took a more aggressive stance. Plaintiffs requested that Coinbase purge all sensitive user data and hire third-party auditors to test its systems. Another case accused the exchange of unjust enrichment, claiming it failed to invest adequately in cybersecurity.
Coinbase has not publicly responded to the new lawsuits. Instead, it pointed media outlets to a blog post addressing the data breach, in which it confirmed refusing the $20 million ransom and pledged to reimburse impacted users.
In a U.S. Securities and Exchange Commission filing, Coinbase estimated reimbursement costs could range between $180 million and $400 million.
The company also confirmed that it fired a group of India-based customer support agents allegedly involved in social engineering attacks linked to the breach.
COIN Price Swings as Legal Exposure Rises
Following the May 15 disclosure, COINBASE (COIN) stock fell 7%, reaching $244. It rebounded 9% the next day to close at $266, per Google Finance.
The lawsuits arrived as COINBASE continues to face a U.S. Securities and Exchange Commission investigation over 2021 user metrics.
The convergence of biometric suits and data breach fallout could create long-term reputational and financial challenges. Plaintiffs in the Illinois suit sought $5,000 per willful BIPA violation and $1,000 for negligent ones.
This isn’t the first time Coinbase faced legal heat under BIPA. In May 2023, a similar lawsuit was filed, but both parties later agreed to resolve it via arbitration.
As of May 2025, over 10,000 arbitration claims remain unresolved, adding pressure on the exchange’s legal and compliance teams.
Disclaimer
In this article, the views and opinions stated by the author or any people named are for informational purposes only. And they don’t establish the investment, financial, or any other advice. Trading or investing in cryptocurrency assets comes with a risk of financial loss.
Moses K is a crypto journalist covering markets, regulation, and blockchain trends. He has written for The Coin Republic, Coinchapter, Cryptopolitan, Cryptotale, Coinspeaker, and MPost. Known for his concise, data-driven reporting, Moses focuses on price analysis, on-chain metrics, and policy developments shaping the global digital asset landscape.
