Is Coinbase Safe? An Honest Look at the Risks of Keeping Bitcoin on an Exchange

Jackson Mikalic | Head of Business Development

Feb 17, 2026

The Short Answer

Coinbase is the most regulated, most audited, and most publicly accountable cryptocurrency exchange in the United States. It is publicly traded, subject to SEC oversight, and has invested heavily in compliance and security infrastructure. For someone who is new to Bitcoin and needs a place to start, it is a reasonable first step.

But safe is not the same as secure. And for holders who have been accumulating Bitcoin seriously, the question of whether Coinbase is safe enough deserves a more careful answer than the brand recognition alone suggests.

This article walks through what Coinbase does well, where the real risks are, what has actually happened to Coinbase customers in recent years, and how to think about whether your current setup is appropriate for the size of your position.

Nothing here is financial or legal advice. This is an honest assessment of publicly documented risks based on Coinbase's own disclosures, SEC filings, and third-party reporting.

What Coinbase Does Well

Before getting into the risks, it is worth being clear about what Coinbase genuinely does well. A fair assessment requires both.

Coinbase is a regulated financial institution operating under US law. It holds money transmission licenses across US states, is publicly traded on NASDAQ under the ticker COIN, and files regular disclosures with the SEC. That regulatory accountability is meaningful and distinguishes it from offshore exchanges that operate with far less oversight.

Coinbase also carries crime and commercial insurance on the digital assets it holds in hot wallets, and its cold storage assets, the vast majority of what it holds, sit offline. The company has invested significantly in security engineering and employs a dedicated security team. It publishes transparency reports and communicates publicly when incidents occur, which is more than most exchanges do.

For someone buying their first fraction of a Bitcoin, Coinbase is a reasonable starting point. The onboarding is clean, the interface is accessible, and the regulatory standing provides a floor of accountability that unregulated exchanges cannot offer.

The question is not whether Coinbase is the worst option. It is whether, as your Bitcoin position grows, Coinbase's risk profile remains appropriate for what you are protecting.

The Core Risk: One Institution, One Point of Failure

Every risk that Coinbase users face ultimately traces back to a single structural fact: one institution holds your Bitcoin.

When you keep Bitcoin on Coinbase, you do not hold Bitcoin. You hold a claim on Bitcoin that Coinbase owes you. Coinbase holds the private keys. If Coinbase is compromised, goes offline, freezes withdrawals, faces a regulatory action, or fails entirely, your ability to access your Bitcoin depends entirely on what happens to that one institution.

This is not a hypothetical concern. It is the same structural vulnerability that caused billions of dollars in losses when exchanges like FTX, Celsius, BlockFi, and Voyager collapsed between 2022 and 2023. Coinbase is meaningfully safer and more regulated than any of those platforms. But the architectural dependency is identical: one custodian, one point of failure.

There is a secondary dimension to this that is less discussed. Coinbase is not just the largest US exchange for individual account holders. According to its own disclosures, Coinbase custodies roughly half a trillion dollars in client assets across its retail and institutional businesses, and holds custody over the Bitcoin backing the majority of US spot Bitcoin ETFs. That concentration means that Coinbase is not simply one institution among many. It is the dominant single custodian for a significant share of all institutionally held Bitcoin in the United States. The systemic implications of a Coinbase custody failure extend well beyond individual account holders.

The Documented Breach History

The centralization risk is structural. But the incident history is what makes it concrete. Coinbase has experienced a series of security incidents over the past several years that are worth understanding in detail, because they illustrate the specific ways that single-custodian exchange custody fails in practice.

2021: 6,000 accounts accessed

In 2021, at least 6,000 Coinbase customers had their accounts accessed by unauthorized parties through a combination of phishing attacks and a vulnerability in Coinbase's SMS account recovery process. Coinbase reimbursed affected customers, but the incident was the first significant public demonstration of how account-level security failures could be exploited at scale.

2022: SIM swap attacks become systematic

By 2022, SIM swap attacks targeting Coinbase accounts had become systematic enough that individual customers began filing lawsuits. In one documented case, a customer lost $96,000 in a SIM swap attack and sued Coinbase for failing to prevent it. A SIM swap attack works by convincing a mobile carrier to transfer a victim's phone number to a device the attacker controls. Once the attacker owns the phone number, they can intercept SMS two-factor authentication codes, reset the Coinbase password, and drain the account in minutes. The victim often does not know it is happening until the funds are gone.

2023: Employee phishing by organized hackers

In February 2023, Coinbase employees were targeted in a sophisticated SMS phishing campaign attributed to the hacker group known as 0ktapus, the same group that had targeted more than 130 organizations in 2022 including major technology companies. The attack gained access to internal Coinbase systems and employee contact data. While Coinbase contained the incident, it demonstrated that the attack surface for a major exchange extends well beyond customer accounts to the internal employees and contractors who have privileged access to customer data.

2024 to 2025: The insider breach and $400 million exposure

The most serious incident in Coinbase's history began in September 2024 and was not disclosed until May 2025. According to Coinbase's own SEC filing and subsequent reporting by Fortune, cybercriminals bribed overseas customer support contractors to steal customer data from Coinbase's internal systems.

One contractor at a TaskUs office in India allegedly photographed up to 200 customer records per day using her personal phone, selling each image to hackers for $200. By the time she was arrested in January 2025, her device contained data from more than 10,000 customers. The stolen data included names, email addresses, phone numbers, home addresses, government ID images, partial bank account details, and account balances.

The hackers, linked to a loose criminal network known as the Comm, used that data to impersonate Coinbase customer support agents in highly convincing social engineering attacks. Between December 2024 and January 2025 alone, on-chain analyst ZachXBT documented $65 million stolen from Coinbase users through social engineering attacks enabled by this breach. Coinbase estimates total remediation and reimbursement costs at between $180 million and $400 million.

Coinbase refused to pay the $20 million ransom the attackers demanded and instead established a $20 million bounty fund for information leading to the arrest and conviction of those responsible.

Between December 2024 and January 2025, $65 million was stolen from Coinbase users through social engineering attacks enabled by an insider breach that began in September 2024 and went undetected for months.

The breach is instructive not because Coinbase responded poorly (it did not pay the ransom, it reimbursed affected customers, and it publicly disclosed the incident) but because it illustrates a category of risk that no exchange can fully eliminate: the humans who have privileged access to customer data are themselves an attack surface. The more customers an exchange has, the more contractors and support staff it requires, and the larger and more distributed that human attack surface becomes.

The Three Risk Categories That Matter for Serious Holders

The incidents above cluster into three distinct risk categories that are worth understanding separately, because they have different implications for how you think about custody.

1. Platform-level failure risk

This is the FTX risk: the exchange itself fails, whether through fraud, insolvency, regulatory seizure, or operational failure, and customer assets are unavailable or lost. Coinbase's regulatory standing and public company status substantially reduce this risk compared to offshore exchanges. But it does not eliminate it. Withdrawals can be frozen during periods of stress. Regulatory actions can restrict access. Platform outages during volatile market conditions have historically prevented customers from moving funds when they most needed to.

2. Account-level compromise risk

This is the SIM swap and phishing risk: an individual account is compromised through credential theft, social engineering, or a data breach that gives attackers what they need to impersonate you. This risk scales with the value of your account. The more Bitcoin you hold on Coinbase, the more attractive your account is as a target. The documented incidents above show this risk is not theoretical: thousands of Coinbase customers have lost real money through these attack vectors over the past several years.

3. Data exposure risk

This is the insider breach risk: your personal data (home address, government ID, account balance) is exposed through a breach of Coinbase's systems or contractors, and that data is used to enable physical or social engineering attacks. The 2024 to 2025 breach is the clearest example. The exposure of home addresses and account balances is particularly concerning given the documented rise of physical attacks targeting Bitcoin holders with known large positions. Chainalysis reported that stolen funds through crypto hacks increased 21% year over year to $2.2 billion in 2024, with private key compromises accounting for 43.8% of all stolen crypto.

At What Point Does the Risk Profile Change?

The honest answer is that the risk calculus changes as your position grows.

If you are holding a small Bitcoin position on Coinbase and primarily using it to buy and learn, the risks above are real but manageable relative to the convenience. The regulatory backstop, the insurance on hot wallet assets, and the reimbursement track record all provide a floor of protection that most people at that stage will find sufficient.

The calculus shifts meaningfully when Bitcoin becomes a significant share of your net worth. At that point, the question is no longer whether Coinbase is a reasonable starting point. The question is whether single-custodian exchange custody is the right architecture for protecting an asset that, if lost, would materially alter your financial plans.

The specific thresholds vary by situation. But the holders who tend to reach out about moving away from exchange custody are typically those for whom a successful account compromise, a platform freeze, or a social engineering attack enabled by a data breach would represent a genuinely life-altering loss. At that stage, the convenience of exchange custody is no longer the primary variable in the decision.

What the Alternatives Look Like

Understanding Coinbase's risks is only useful if you know what the alternatives actually offer. There are three primary models.

Self-custody

Self-custody means you hold the private keys to your Bitcoin directly, through a hardware wallet like a Trezor, Ledger, or Coldcard, or through a personal multisig setup where multiple keys are required to authorize a transaction. You eliminate exchange dependency entirely. No platform failure, no account freeze, no data breach at a third party can touch your Bitcoin if your keys are secured properly.

The tradeoff is that you take on full operational and security responsibility, and that responsibility does not diminish over time. Hardware must be maintained and eventually replaced. Seed phrases must be stored securely against loss, theft, fire, and physical disaster. If you set up a multisig, the configuration details must be preserved alongside the keys or recovery becomes impossible. And the setup must work for your heirs if something happens to you, which is where most self-custody arrangements quietly fail. Writing down instructions that a non-technical spouse or child can follow under grief and time pressure is a harder problem than most holders anticipate when they set up the wallet.

For technically capable holders at earlier stages of accumulation, self-custody is often the right answer. The cost is low, the sovereignty is real, and the operational burden is manageable. As positions grow and the decades-long maintenance demands compound alongside life changes, many holders find the burden harder to sustain than they expected.

Collaborative custody

Platforms like Unchained and Casa offer collaborative custody, where keys are held across multiple parties including the holder directly. In a typical setup, the holder controls two of three keys and the platform holds one as a recovery key. This eliminates single-custodian exchange dependency and gives the holder direct key participation, which is meaningfully different from handing your Bitcoin entirely to a third party.

The genuine strengths here are real. You have direct sovereignty over your Bitcoin in a way that exchange custody and traditional third-party custody do not offer. The platform provides a recovery path if you lose access to one of your keys without becoming the single point of failure itself. Unchained also offers Bitcoin-backed loans and an IRA product, making it one of the more financially complete options in this category.

The tradeoffs are also real. The holder carries ongoing key management responsibility for their two keys, which creates the same long-term operational burden as self-custody, just with a backstop. The inheritance execution challenge remains partly on the holder's shoulders, because heirs need to understand and be able to execute the key recovery process. And the security model is only as strong as the holder's own key storage and operational security, which varies significantly in practice.

For holders who want direct key participation and are committed to managing that responsibility over the long term, collaborative custody is a serious and legitimate option.

Multi-institution custody

The risks above (exchange failure, account compromise, and data exposure) all share the same root cause: your Bitcoin depends on one institution and one set of credentials. The way to structurally eliminate that dependency is to ensure that no single institution can act on your Bitcoin without authorization.

That is the premise behind multi-institution custody, the model Onramp uses. You retain full control of your Bitcoin. The difference from exchange custody is what happens behind the scenes: your Bitcoin is secured across three independent institutions, and any transaction requires two of the three to sign. You interact with one platform, Onramp, exactly as you would any other. You do not manage multiple relationships or coordinate across institutions yourself. The complexity lives in the architecture, not in your day-to-day experience.

What that means in practice: if one institution is compromised, hacked, goes offline, or disappears entirely, your Bitcoin cannot be moved without the other institutions signing. No single institution, including Onramp, can act alone. Your Bitcoin also sits in a vault titled in your name, not pooled with other customers in an omnibus account the way exchange custody works.

This directly addresses each of the three risks described above. Exchange failure risk is eliminated because no single institution controls your Bitcoin. Account-level compromise risk is dramatically reduced because compromising one institution is not sufficient to move funds. Data exposure risk is contained because even if your personal data is leaked from one custodian, that data alone cannot authorize a transaction.
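As an added example (not Onramp's code and not any custodian's real implementation), the following Python models the 2-of-3 policy described here and in the collaborative custody section above. Three independent custodians each hold their own key; the vault releases a transaction only when two distinct custodians have signed the same, unmodified transaction digest. Signatures are modelled with HMAC-SHA256 as a labelled stand-in for the ECDSA or Schnorr signatures a real Bitcoin multisig script checks; the custodian names, amount and destination strings are constructed placeholders.

```python
"""Toy 2-of-3 threshold custody policy (added example, not production code).

HMAC-SHA256 stands in for the ECDSA/Schnorr signatures a real Bitcoin
multisig script would verify; the quorum logic is what this demonstrates.
"""
import hashlib
import hmac
import json
import secrets


class Custodian:
    """One independent institution. Its key is generated locally and never
    leaves the object, which is the property that matters for the model."""

    def __init__(self, name: str):
        self.name = name
        self._key = secrets.token_bytes(32)

    def sign(self, digest: bytes) -> bytes:
        return hmac.new(self._key, digest, hashlib.sha256).digest()

    def verify(self, digest: bytes, signature: bytes) -> bool:
        expected = hmac.new(self._key, digest, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def tx_digest(tx: dict) -> bytes:
    """Canonical encoding, so any change to destination or amount changes
    the digest and invalidates every signature already collected."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).digest()


class Vault:
    """Funds move only when `threshold` distinct custodians have signed."""

    def __init__(self, custodians, threshold: int):
        self.custodians = {c.name: c for c in custodians}
        self.threshold = threshold

    def authorize(self, tx: dict, signatures: dict) -> bool:
        digest = tx_digest(tx)
        valid_signers = {
            name for name, sig in signatures.items()
            if name in self.custodians and self.custodians[name].verify(digest, sig)
        }
        return len(valid_signers) >= self.threshold


def run_scenarios() -> dict:
    """Exercise the failure modes the article describes; returns a dict of
    scenario name -> whether the vault released funds."""
    a, b, c = Custodian("Custodian A"), Custodian("Custodian B"), Custodian("Custodian C")
    vault = Vault([a, b, c], threshold=2)
    # Constructed sample transaction; the destination is a placeholder string.
    tx = {"to": "bc1q-PLACEHOLDER-customer-destination", "sats": 1_000_000}
    d = tx_digest(tx)
    results = {}
    # 1. One compromised or rogue institution acting alone cannot move funds.
    results["single_signer"] = vault.authorize(tx, {a.name: a.sign(d)})
    # 2. Two independent custodians signing the same transaction succeed.
    results["quorum"] = vault.authorize(tx, {a.name: a.sign(d), b.name: b.sign(d)})
    # 3. An attacker holding A's key cannot manufacture B's signature.
    results["forged_second"] = vault.authorize(tx, {a.name: a.sign(d), b.name: a.sign(d)})
    # 4. Genuine signatures do not carry over to a redirected transaction.
    redirected = dict(tx, to="bc1q-PLACEHOLDER-attacker-destination")
    results["redirected"] = vault.authorize(redirected, {a.name: a.sign(d), b.name: b.sign(d)})
    return results


if __name__ == "__main__":
    for scenario, released in run_scenarios().items():
        print(f"{scenario:>14}: {'released' if released else 'blocked'}")
```

The design choice worth noticing is that the signatures commit to the full transaction, so leaked personal data, a hijacked account, or even one custodian's key yields nothing that a second, independent custodian has not also agreed to.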

For a detailed look at how this works in practice, see the What Is Multi-Institution Bitcoin Custody article.

The Bottom Line on Coinbase Safety

Coinbase is not a scam. It is not the next FTX. It is a legitimately regulated, publicly accountable financial institution that has invested meaningfully in compliance and security.

But the incidents above are real, documented, and the product of structural vulnerabilities that are inherent to single-custodian exchange custody at scale. The more Bitcoin you hold on Coinbase, the more those structural vulnerabilities matter to your specific situation.

The right question is not whether Coinbase is safe in the abstract. It is whether the architecture of keeping your Bitcoin with a single custodian, accessible through a single account, dependent on the security of their contractors and infrastructure, is appropriate for the size and importance of what you are protecting.

For many holders, the honest answer to that question changes as their position grows.

Frequently Asked Questions

Has Coinbase ever been hacked?

Yes. Coinbase has experienced multiple significant security incidents. In 2021, at least 6,000 accounts were accessed through a vulnerability in their SMS account recovery process. In 2023, employees were targeted in a phishing campaign by organized hackers. Between 2024 and 2025, an insider breach involving bribed overseas contractors led to the theft of data from over 10,000 customers, which was then used in social engineering attacks that cost users an estimated $65 million between December 2024 and January 2025 alone. Coinbase estimated total remediation and reimbursement costs at between $180 million and $400 million.

Is my Bitcoin insured on Coinbase?

Coinbase carries crime and commercial insurance on digital assets held in hot wallets. Cold storage assets, which represent the vast majority of what Coinbase holds, are not covered by the same insurance. Coinbase's insurance does not protect individual account holders against losses from unauthorized account access or social engineering attacks in the way that FDIC insurance protects cash deposits.

It is also worth understanding the relationship between Coinbase's insurance coverage and the total assets they custody. Coinbase custodies roughly half a trillion dollars in client assets. Like most exchanges, Coinbase does not carry dollar-for-dollar insurance coverage on those assets. In the event of a catastrophic loss, insurance alone would not make all customers whole. Whether you are reimbursed in the event of a hack or account compromise depends on the specific circumstances and Coinbase's policies at the time.

What is a SIM swap attack and how does it affect Coinbase accounts?

A SIM swap attack works by convincing your mobile carrier to transfer your phone number to a device the attacker controls. Once they own your phone number, they can intercept SMS two-factor authentication codes, reset your Coinbase password, and drain your account. SMS-based two-factor authentication is the weakest form of account security precisely because the phone number can be hijacked without ever touching your device. Using an authenticator app rather than SMS for two-factor authentication significantly reduces this risk, though it does not eliminate the underlying single-custodian architecture vulnerability.

What happened in the Coinbase data breach?

In the most significant breach in Coinbase's history, cybercriminals bribed overseas customer support contractors beginning in September 2024 to steal customer records from Coinbase's internal systems. The stolen data included names, email addresses, phone numbers, home addresses, government ID images, account balances, and partial bank account details. That data was used to impersonate Coinbase support agents in social engineering attacks that stole an estimated $65 million from users between December 2024 and January 2025. Coinbase did not disclose the breach until May 2025 and estimates remediation costs at between $180 million and $400 million.

Should I move my Bitcoin off Coinbase?

That depends on your situation. For holders at earlier stages of accumulation using Coinbase primarily to buy Bitcoin, the risks above may be acceptable given the convenience and regulatory backstop. For holders whose Bitcoin represents a meaningful share of their net worth, where a successful attack would be genuinely life-altering, the case for moving to a more secure custody architecture becomes stronger. The right answer depends on your position size, your technical capability, your inheritance planning needs, and how you weigh the tradeoffs between convenience and security. If you are at that stage, a conversation with a Bitcoin custody specialist is worth having before making any decisions.

Further Reading

What Is Bitcoin Custody? Self-Custody vs Third-Party Custody Explained

What Is Multi-Institution Bitcoin Custody?

Is Onramp Right for Me? How to Know If Multi-Institution Custody Makes Sense

Unchained vs Onramp: Which Bitcoin Custody Model Is Right for You?

Casa vs Onramp: Which Bitcoin Custody Model Is Right for You?

What Happens to Your Bitcoin on Coinbase When You Die?

How Multi-Institution Bitcoin Custody Protects Against Physical Threats
