What the Coinbase hack means for your safety

Is crypto’s real security problem... people?

Coinbase Hack Exposed Crypto’s Biggest Security Risk… And It’s Not the Blockchain

Coinbase refused to pay hackers after customer data was stolen in a sophisticated bribery scheme. This episode unpacks what really happened and what it says about crypto’s security model.

Coinbase revealed on Thursday that cybercriminals bribed overseas customer support contractors to steal sensitive customer data as part of a $20 million extortion scheme. While no funds or private keys were compromised, customer names, addresses, and ID documents were exposed for nearly 1% of the company’s 8+ million “monthly transacting users,” according to a blog post.

The story raises tough questions for the entire industry. Is KYC making users more vulnerable? Can human error ever be fully eliminated? And is crypto’s real security problem… people?

Security experts Jameson Lopp, James Wester, and Alexander Leishman delve into:

  • What went wrong at Coinbase

  • Why human vulnerabilities are still crypto’s biggest risk

  • Whether KYC makes the problem worse

  • What companies should do next to protect their users


Now, let’s get into this week’s news! In today’s edition:

  • 📈 Coinbase makes history as first crypto company added to the S&P 500

  • 📝 Leaked docs expose secret $50M token deals at Movement Labs

  • 🤝 Robinhood, Animoca, and American Bitcoin lead wave of crypto M&A activity

  • 🏦 JPMorgan settles tokenized U.S. Treasuries on public blockchain for the first time

  • ⚡ Leadership chaos and big spending stall Bitget’s Morph blockchain launch

  • 💸 Pump.fun offers creators 50% fee split as report warns of widespread fraud

  • 🖼️ Yuga Labs hands off CryptoPunks to new $25M digital art foundation

  • ⚖️ SEC seeks public input on BlackRock’s bitcoin ETF in-kind redemption plan

  • 🪙 Tether boosts bitcoin treasury with $500M purchase for Twenty One Capital

  • 🚨 Security incidents hit Lido, Curve, and ZKsync as teams race to respond

  • 🍽️ Trader wins dinner with President Trump after memecoin leaderboard gamble

Coinbase Joins S&P 500

Coinbase is set to become the first crypto-native company to join the S&P 500, replacing Discover Financial Services. The change will take effect before trading begins on Monday, May 19.

“Joining this prestigious index reflects how far Coinbase and the industry have come,” said Alesia Haas, Coinbase’s Chief Financial Officer. CEO Brian Armstrong also acknowledged the achievement on social media, stating, “Crypto is here to stay.”

Coinbase met the S&P 500’s listing requirements, including sustained profitability and a market capitalization exceeding $18 billion. Its shares surged nearly 15% following the announcement, adding over $8 billion to its market value.

Leaked Documents Reveal Secret Token Deals at Movement Labs

Movement Labs, a blockchain startup backed by Donald Trump’s World Liberty Financial, secretly promised large portions of its MOVE token supply to early insiders, according to internal documents obtained by CoinDesk.

Two signed agreements reveal that advisers Sam Thapaliya and Vinit Parekh were promised up to 10% of MOVE’s token supply, valued at over $50 million. These deals were never disclosed to investors or the public. Thapaliya, described by insiders as a “shadow co-founder,” is now threatening legal action to claim his share.

Movement Labs told CoinDesk the agreements were “non-binding,” but the documents include termination clauses requiring mutual consent.

The revelations add to the fallout from Movement’s earlier market manipulation controversy involving Chinese market maker Web3Port. The scandal also contributed to the termination of Movement’s co-founder Rushi Manche.

Crypto M&A and IPO Wave Accelerates

Crypto merger and acquisition activity surged this week, highlighted by five major announcements across North America and beyond.

Robinhood revealed plans to acquire Canadian crypto firm WonderFi for nearly $179 million in cash. The deal includes WonderFi’s platforms Bitbuy and Coinsquare, boosting Robinhood’s push into Canada’s crypto market.

Anchorage Digital announced it is acquiring Mountain Protocol, the issuer of the $48 million USDM stablecoin, which is now being wound down. Anchorage CEO Nathan McCauley said the deal “supports institutional stablecoin adoption.”

Web3 investment giant Animoca Brands is preparing a U.S. public listing. Executive chairman Yat Siu told the Financial Times the company is exploring opportunities under what he called a “unique moment” in U.S. crypto policy.

Meanwhile, David Bailey, a Trump crypto advisor, raised $710 million to launch Nakamoto, a bitcoin investment company set to go public later this year.

Lastly, American Bitcoin, backed by the Trump family, announced it will go public through a merger with Gryphon Digital Mining, adopting the Nasdaq ticker “ABTC.”

JPMorgan Executes First Public Blockchain Treasury Settlement

JPMorgan has completed its first settlement of tokenized U.S. Treasuries on a public blockchain. The transaction used Ondo Finance’s platform and Chainlink’s cross-chain technology to connect JPMorgan’s private Kinexys payments network with the public blockchain ecosystem.

The settlement involved Ondo’s tokenized OUSG Treasuries and used a Delivery versus Payment method, which ensures both payment and asset transfer happen simultaneously.

Sergey Nazarov, co-founder of Chainlink, told Fortune: “This is the beginning of something big.”

Leadership Struggles and Lavish Spending Stall Morph Blockchain

Bitget’s highly anticipated blockchain project, Morph, is facing major challenges as leadership disputes, excessive spending, and unclear decision-making slow its progress, according to a Blockworks report. Initially launched to rival platforms like Coinbase’s Base, Morph raised $20 million in seed funding last year from investors including Dragonfly and Pantera.

Internal tensions between co-founders Azeem Khan and Cecilia Hsueh reportedly disrupted operations, with former employees describing Khan as a “ghost founder” and pointing to Forest Bai of Foresight Ventures as the real decision-maker behind the scenes. “It felt like Bai was the shadow CEO,” one former staff member told Blockworks.

Despite high-profile events and celebrity partnerships, including performances by K-pop group tripleS, Morph has struggled to deliver key milestones like its token launch. Employee turnover, budget cuts, and stalled business initiatives have fueled further uncertainty.

Still, Morph remains backed by Bitget and continues to tease a token launch later this year, keeping investors and users watching for its next move.

Pump.fun Offers New Revenue Split as Report Flags Widespread Fraud

Solana-based memecoin platform Pump.fun has introduced a new revenue-sharing model, offering token creators 50% of trading fees generated on its decentralized exchange, PumpSwap. Under the program, creators will earn 0.05% of trading volume in SOL for every trade involving their token, with payouts delivered instantly. For example, a token reaching $10 million in trading volume would generate $5,000 in creator rewards.

The announcement comes alongside troubling findings from a report by Solidus Labs, which claims nearly 99% of tokens launched on Pump.fun collapse into pump-and-dump schemes. The report warns that “a staggering 98.6% of tokens on Pump.fun collapse into worthless pump-and-dump schemes shortly after launch, highlighting the extreme risk traders face.”

Despite these risks, Pump.fun continues to attract high activity. According to a Dune Analytics dashboard, its daily trading volume has stayed above $100 million almost every day since February.

Yuga Labs Transfers CryptoPunks to New Digital Art Foundation

Yuga Labs has officially handed over the intellectual property rights of CryptoPunks to the Infinite Node Foundation, marking a major shift in the future of one of the most recognizable NFT collections. This move comes roughly three years after Yuga acquired CryptoPunks from Larva Labs in 2022.

The nonprofit, backed by $25 million in funding, plans to showcase all 10,000 CryptoPunks in a new 12,000-square-foot exhibition space in Palo Alto, California. “This purchase secures long-term stewardship for CryptoPunks,” the Foundation said in a statement, outlining plans to partner with museums and elevate digital art globally.

Node’s advisory board includes prominent figures such as Larva Labs founders Matt Hall and John Watkinson, Bored Ape Yacht Club co-founder Wylie Aronow, and Art Blocks creator Erick Calderon. Chair Micky Malka emphasized the Foundation’s goal to make CryptoPunks accessible to scholars and curators, stating, “We intend to future-proof this landmark work.”

Yuga Labs framed the sale as part of its renewed focus on developing its Otherside metaverse project.

In related news, Rohun “Frank DeGods” Vora stepped down as head of DeGods and y00ts NFT projects after three years marked by controversies ranging from insider trading allegations to experimental policies such as taxing floor-price sales.

SEC Opens Public Comment on BlackRock’s Bitcoin ETF Redemption Model

The U.S. Securities and Exchange Commission is requesting public feedback on BlackRock’s proposal to shift its iShares Bitcoin Trust from cash-based to in-kind redemptions. The move pauses any immediate decision as the SEC launches a legal and policy review under Section 19(b)(2)(B) of the Securities Exchange Act.

Currently, BlackRock’s bitcoin ETF operates on a cash redemption basis. This process requires the fund to sell bitcoin and distribute cash to investors who redeem shares. BlackRock now seeks permission to offer in-kind redemptions, allowing authorized participants to redeem ETF shares directly for bitcoin instead of cash.

The SEC stated it is seeking additional analysis to determine if this change would uphold investor protections and market integrity. 

Meanwhile, new SEC Chair Paul Atkins announced the regulator will shift away from enforcement-led crypto policy by introducing clearer rules on token issuance, custody, and trading to keep blockchain innovation in the U.S. instead of driving it offshore.

Tether Strengthens Bitcoin Bet With Big Purchase

Tether has confirmed the purchase of 4,812 bitcoin, valued at nearly $500 million at this week’s prices, as part of its funding commitment to Twenty One Capital. The bitcoin was acquired at an average price of $95,319 per coin, according to disclosures from Cantor Equity Partners, which is managing the firm’s upcoming SPAC merger.

Once the merger is finalized, Twenty One Capital will trade under the ticker symbol XXI. The firm’s holdings have now grown to 36,312 bitcoin, positioning it as the third-largest corporate bitcoin holder behind Michael Saylor’s Strategy and mining firm MARA Holdings.

“Tether and Bitfinex are majority stakeholders in Twenty One, while SoftBank has committed $900 million in support,” said Cantor Equity Partners in a regulatory filing.

Led by Strike CEO Jack Mallers, Twenty One Capital aims to expand financial services around bitcoin lending, reserves management, and public market exposure. The company is targeting a total holding of 42,000 bitcoin, valued at over $4 billion at current prices.

Security Incidents Shake DeFi and Layer 2 Platforms

Several leading crypto projects faced security challenges this week, prompting emergency responses and user warnings.

Lido DAO, which oversees Ethereum’s largest liquid staking protocol, launched an emergency on-chain vote after detecting a compromised oracle key. The breach allowed attackers to drain 1.46 ETH from a wallet managed by validator operator Chorus One. While user funds remained safe, Lido quickly moved to replace the compromised key. “Full post-mortem will be published after the investigation is concluded,” a Lido operations member stated.

Meanwhile, Curve Finance warned users to avoid its official website after discovering a DNS hijack that redirected visitors to a malicious site capable of draining wallets. Curve confirmed its smart contracts remained secure as efforts to regain domain control continued.

In a related incident, ZKsync and developer Matter Labs had their official X accounts hacked. The attackers posted false claims about regulatory investigations, briefly pushing ZKsync’s token down nearly 5% before the team regained control and removed the misleading posts.

Fun Bits: Trader Buys Dinner With the President… for Just $1,200

A crypto trader has turned a political controversy into a bargain night out with the President of the United States.

Morten Christensen and four friends will be flying to Virginia next week to dine with President Donald Trump at his National Golf Club. Their winning move? A classic crypto hedge. They bought and shorted Trump’s official memecoin at the same time, locking in leaderboard positions with just $1,200 each in trading fees.

“I didn’t even think it was in the possibility I’d go in to meet the president of the United States,” Christensen told Bloomberg.

The dinner is part of a reward for the top 220 memecoin holders, with the top 25 earning a White House tour. While critics in Congress call it a “pay to play” scandal, Christensen is treating it as a weekend with friends, saying, “If we get to meet Barron, it will be amazing.”
