Activity tagged "crypto"

Posted:

The TrumpWallet​.com website, which was previously hosting a waitlist sign-up for the Trump wallet project, has just gone offline.

This is less than an hour after Bloomberg reported that the World Liberty Financial project sent a cease and desist to both the memecoin project and Magic Eden.

Posted:

I think this is a more or less up-to-date map of the businesses, LLCs, and people associated with the Trump family crypto projects.

Extremely tangled diagram depicting relationships between nine LLCs, seven major companies, the Trump family, Bill Zanker and various other individuals, and various crypto projects including the $TRUMP memecoin, NFTs, World Liberty Financial, and the new Trump wallet

The relative separation between World Liberty Financial and the Trump memecoin projects, both of which are trying to develop defi trading platforms, may help to explain the chaos around the latter’s wallet launch announcement yesterday.

It is very plausible to me that Trump has sold his likeness to so many separate projects, not to mention his sons also using the “Trump” branding, that no one really knows what’s going on in aggregate.

However, it’s still not fully clear to me how the memecoin end of the business could launch a wallet using Trump’s name and likeness without the sons’ knowledge unless the original licensing agreement for the memecoin was extremely broad.

This diagram is of course limited to what is publicly disclosed, and you’ll see a few places where links are uncertain, and where LLCs’ operators are partially or completely unknown. The flow of money is also a very partial accounting.

Posted:

Absolute chaos. After my scoop about the upcoming launch of a Trump Wallet by Magic Eden, in cooperation with the $​TRUMP memecoin team, Magic Eden pushed out their announcement. Both Eric and Don Jr then repudiated the project, stating they had no prior knowledge.

Magic Eden says claims the wallet is the “Official Trump Wallet” created in collaboration with the Trump memecoin team. Trump memecoin team is Fight Fight Fight LLC (Bill Zanker), though the Trump Organization-affiliated CIC Digital also holds a substantial quantity of tokens.

However, now Eric and Don Jr are saying the Trump Org had no knowledge of this deal between the TRUMP memecoin project and Magic Eden. No statement yet from the memecoin project or from President Trump.

Magic Eden is a relatively big player in the crypto world, so this is not a case of some nobody creating a fake project pretending to be an official Trump-affiliated app.

Posted:

Representative Raskin cited my analysis in his letter investigating Trump’s memecoin dinner

A close analysis of the top buyers on the “leaderboard” on the website of $TRUMP shows that a majority of the attendees appear to be foreign nationals who purchased the token through offshore cryptocurrency exchanges that prohibit U.S. customers from participating. 15 Analysis reveals that 161 of the 220 top buyers, or 73% of the invitees, are likely foreign nationals. Among the top 25 “VIP” guests who were offered additional private access to you, including a “VIP White House tour” 16—and who each spent between $1.25 million and $16 million on $TRUMP tokens—23 out of 25 are likely foreign individuals or entities.17 A majority of those on the guest list had never purchased a $TRUMP token prior to the announcement of the dinner, suggesting that the buyers were primarily drawn by the promise of direct access to you rather than intrinsic interest in the memecoin itself.18
14 Trump Meme, $TRUMP Leaderboard (May 5, 2025), https://trumpdinner.gettrumpmemes.com/leaderboard. 15 Molly White, Meet Trump’s Memecoin Dinner Guests, CITATION NEEDED: A NEWSLETTER BY MOLLY WHITE (May 7, 2025), https://www.citationneeded.news/trump-memecoin-dinner-guests/. 16 Olivia Rubin and Lucien Bruggeman, Trump's Top Meme Coin Investors Visit White House, ABC NEWS (May 23, 2025), https://abcnews.go.com/US/trumps-top-meme-coin-investors-invited-whitehouse/story?id=122128541. 17 Eric Lipton, The Trumps Get Richer, N.Y. TIMES (May 14, 2025), https://www.nytimes.com/2025/05/14/briefing/trump-family-business.html. 18 Molly White, Meet Trump’s Memecoin Dinner Guests, CITATION NEEDED: A NEWSLETTER BY MOLLY WHITE (May 7, 2025), https://www.citationneeded.news/trump-memecoin-dinner-guests/.
Rep. Jamie Raskin of Maryland demanded that President Trump turn over the names of the guests at the White House dinner for top investors in his meme coin.
Posted:

Given the recent data breach and Coinbase’s user agreement that aims to force customers into arbitration rather than individual or class action lawsuits, it’s interesting to read the outcome of a recent arbitration case against Coinbase.

1. FACTUAL BACKGROUND 4. On January 5, 2024, Mr. Spilker filed a Demand for Arbitration with the American Arbitration Association (“AAA”) against Coinbase, Inc. seeking damages in the amount of $350,000 for withdrawal of staked cryptocurrency, allegedly without his authorization. Ex. A at 2. He alleged that he had been in contact with a “Coinbase Agent” and brought causes of action under the Electronic Funds Transfer Act, tort and common law, breach of contract, California law, Oregon and Idaho law, and federal commodities and securities laws. Ex. A at 2-3; Ex. B. 5. The User Agreement between Mr. Spilker and Coinbase, Inc. provided that the parties agreed to arbitrate any disputes, and that the arbitration would be “in accordance with the American Arbitration Association’s rules for consumer related disputes.” A true and correct copy of the User Agreement is attached hereto as Exhibit C. See Ex. C at § 7.2 (the parties’ agreement to arbitrate and agreement that an award may be enforced). 6. Arbitrator Diana Kruze was appointed as the neutral to decide this dispute. Mr. Spilker did not object at any time during the pendency of the arbitration to the selection of Arbitrator Kruze. 7. Coinbase filed a Motion for Summary Judgment on all Mr. Spilker’s claims. Briefing was completed on December 9, 2024. Ex. A at 1. 8. A hearing on the Motion for Summary Judgment was held on December 16, 2024. Id
9. On December 17, 2024, Arbitrator Kruze issued an Order Granting Dispositive Motion as to all of Mr. Spilker’s claims. Ex. A at 6 (“Respondent’s Motion for Summary Judgment is GRANTED. Claimant’s claims against Coinbase are dismissed.”). 10. The Final Award holds: a. Claimant’s EFTA cause of action is time-barred because the “one-year limitations period begins when the first unauthorized transfer occurs, not upon discovery by the consumer, and not when the consumer notifies the defendant of the unauthorized transfer.” Id. at 3, applying 15 U.S.C. §1693m(g) and Wike v. Vertrue, Inc., 566 F.3d 590,593 (6th Cir. 2009). b. “The undisputed facts show that a third party, not Coinbase, caused Claimant’s damages” and that “Claimant’s damages were the result of an intervening and superseding cause: the actions of a third-party scammer. Coinbase, as a matter of law, cannot be held liable for Claimant’s damages.” Ex. A at 4, citing May v. Google, LLC, No. 24-CV-01314- BLF, 2024 WL 4681604, at *10 (N.D. Cal. Nov. 4, 2024). c. The parties’ contract forecloses Mr. Spilker’s causes of action for breach of contract, negligence and tort claims, and claims under Idaho and Oregon law. Ex. A at 5. d. Pursuant to Melchoir v. New Line Prods., Inc., 106 Cal. App. 4th 779, 793 (2003), “Claimant’s cause of action for unjust enrichment fails because ‘there is no [such thing as a] cause of action in California for unjust enrichment.’” Ex. A at 5. e. Mr. Spilker’s CLRA claim fails “as courts have consistently held that the CLRA does not apply to cryptocurrency exchanges like Coinbase”. Id. at 6, citing various cases.

Customer lost $350,000 in September 2022 to a phishing attack from a scammer that the customer said had “confidential information that could have only been obtained with direct access to Coinbase’s database”.

14. Mr. Spilker took many protective measures to keep his account safe. He proactively took steps to secure his account with multifactor authentication safeguards and even purchased and used Yubikey, a hardware authentication device that is supposed to prevent phishing thefts. 15. Mr. Spilker also took adequate steps to protect his account information. He did not share his private keys or password with any third parties.
42. The thief called Spilker on his cell phone and claimed to be an agent calling on behalf Coinbase to report a security breach. Mr. Spilker was suspicious so requested confirmation that the caller was truly a Coinbase representative. 43. The thief responded by reciting confidential information that could have only been obtained with direct access to Coinbase’s database. 44. Specifically, the thief recited Spilker’s transaction history to him as well as certain account specifications that should have only been known to Coinbase. 45. The thief reported that there was a compromise to his account and stated that Coinbase would convert his Ethereum coins to cbETH in order to protect them.

Coinbase didn’t prevent the suspicious transfers, allegedly wiped customer’s transaction history, blamed the customer for the loss, then refused to reimburse. Arbitration concluded with $0 reimbursement.

56. To add insult to injury, Coinbase wiped clean the transaction history on his account. This was either reckless destruction or a deliberate tactic to keep Spilker from discovering the full extent of his losses. Case 3:25-cv-02573-LB Document 1 Filed 03/14/25 Page 26 of 134 13 57. Perhaps even more damaging is that it left Mr. Spilker without the requisite documentation to accurately file his taxes. 58. Coinbase went to great lengths to cover up its fraud. Coinbase dismissed his concerns, suggesting that he was conflating the cbETH launch (which permitted unwrapping) with the actual merge (which would permit unstaking). 59. Following a demand for repayment, Coinbase informed Mr. Spilker on February 14, 2023 that it would not reimburse his account, and blamed Spilker for supposedly taking inadequate safety measures.
Coinbase’s Failures to Take Reasonable Care 61. Coinbase should have prevented these unauthorized transactions based solely on the unusual timing of the consumer having his credentials changed, a demand from Mr. Spilker to lock his account, the previously unused wallet where the funds were sent and the unstaking of assets that were supposedly immobilized. 62. Other cryptocurrency exchanges do not allow these same criminal transfers because those exchanges use standard security measures which include freezing an account when certain actions – such as password changes and attempted transfers to newly linked wallets – occur, until the exchange verifies an account holder’s identity.

Arbitrator found the complaint had been filed too late, and that the customer had admitted that a third party rather than a Coinbase insider had performed the theft. Doesn’t appear the arbitrator investigated the claims of a possible breach, or how the hardware MFA was bypassed.

Here, it is undisputed that the unauthorized transfers occurred between September 7 and 9, 2022. Thus, Claimant needed to file his Demand by September 7, 2023. Claimant, however, did not initiate this action until January 5, 2024—well over one year later. Claimant’s EFTA claim is consequently barred by the applicable statute of limitations. In its opposition, Claimant contends that the limitations period began running only after Respondent’s refusal to investigate or refusal to refund Claimant’s account. (Opp., at 4-5.) Claimant cites no authority to support its assertion that the statute runs at a later time (such as upon completion of the exchange’s investigation). Moreover, even if the Arbitrator were to adopt Claimant’s unsupported view of the law, the undisputed facts show that Respondent investigated his complaint in September 2022 (the same month as the loss) and informed Claimant on October 1, 2022 following its investigation that his account was compromised by a third party, and that Coinbase was unwilling to reverse the transactions. Even under Claimant’s proposed rule, his claim had to be filed no later than October 1, 2023, still many months before he actually initiated this Arbitration. Second, the undisputed facts show that a third party, not Coinbase, caused Claimant’s damages. Causation is an essential component of all of Claimant’s causes of action. While Claimant initially pled that his loss must have been the result of an inside job, recently-produced materials show that allegation to be false. On September 9, 2022, Claimant filed a complaint with the Internet Crime Complaint Center (“IC3”). In that complaint, Claimant asserts that his “Coinbase account was scammed,” and identifies the name and phone number of the third-party scammer. Claimant did not disclose this complaint, or the identify of the scammer, to Respondent until December 2024, just days before the oral argument on this Motion. For its part, Respondent submitted a verified declaration that the individual named in Claimant’s IC3 complaint is not a Coinbase employee, and the phone number listed is not a Coinbase number.
Claimant does not dispute these facts in its briefing. In other words, Claimant’s damages were the result of an intervening and superseding cause: the actions of a third-party scammer. Coinbase, as a matter of law, cannot be held liable for Claimant’s damages. See May v. Google, LLC, No. 24-CV-01314-BLF, 2024 WL 4681604, at *10 (N.D. Cal. Nov. 4, 2024). Third, Claimant’s supplemental production also eviscerates many of Claimant’s other causes of action. For example, in his Demand, Claimant alleges that Coinbase never advised users that staked ETH could be wrapped and traded before his September 2022 loss. In its Motion and Reply, Coinbase previously relied on public statements announcing the launch of cbETH as early as August 2022. Claimant’s belated production, attached to Respondent’s supplemental briefing, also contains undisputed facts that Claimant was himself actually informed about cbETH’s launch before his funds were stolen. This disclosure significantly undermines Claimant’s misrepresentation claims under common law, securities law, and commodities law. Fourth, the parties’ contract forecloses many of Claimant’s causes of action. For example, Claimant’s breach of contract claim is undercut by section 6.6 of the UA, which explicitly apportions the risk of account compromises to Claimant as the user: “Any loss or compromise of . . . your personal information may result in unauthorized access to your Coinbase Account(s) by third-parties and the loss or theft of any Digital Assets and/or funds held in your Coinbase Account(s) and any associated accounts, including your linked bank account(s) and credit card(s). . . .We assume no responsibility for any loss that you may sustain due to compromise of account login credentials due to no fault of Coinbase.” Moreover, the UA’s choice-of-law provision in section 9.5 restricts Claimant to California law, foreclosing Claimant’s Idaho and Oregon-based causes of action. In addition, the UA and California law effectively cut off Claimant’s tort claims, such as his negligence cause of action. See, e.g., Berk v. Coinbase, Inc., 840 F. App’x 914 (9th Cir. Dec. 23, 2020) (Coinbase owes no independent tort duty of care beyond the promises made in the UA). Finally, there are other independent reasons why Claimant’s Demand cannot succeed. For example, Claimant’s cause of action for “unjust enrichment” fails because “there is no [such thing as a] cause of action in California for unjust enrichment.” Melchior v. New Line Prods., Inc., 106 Cal. App. 4th 779, 793 (2003). As another example, Claimant submitted no evidence of any false statements made by
Coinbase, about anything, to anyone. As a final example, Claimant’s CLRA cause of action likewise fails, as courts have consistently held that the CLRA does not apply to cryptocurrency exchanges like Coinbase. Jeong v. Nexo Fin. LLC, 2022 WL 174236, at *23 (N.D. Cal. Jan. 19, 2022); see also Suski v. Marden-Kane, Inc., 2022 WL 3974259, at *7 (N.D. Cal. Aug. 31, 2022) (dismissing CLRA claim with prejudice as cryptocurrency was not a “good” and Coinbase’s cryptocurrency exchange was not a “service”); Doe v. Epic Games, Inc., 435 F. Supp. 3d 1024, 1046 (N.D. Cal. 2020) (“Plaintiff’s CLRA claim therefore fails because the virtual currency at issue is not a good or service.”). As other legal issues and undisputed facts bar relief, the Arbitrator need not address the remaining reasons why Claimant’s Demand fails. The Arbitrator joins Respondent in noting that Claimant’s loss is unfortunate, regrettable, and upsetting. Claimant lost considerable funds, was clearly injured, and was the victim of a terrible scammer who feeds off other people’s misfortune and hard work. But the wrong-doer is not a party to this Arbitration. And the law and the parties’ contract ultimately do not make Coinbase responsible for Claimant’s loss based on the circumstances. IV. CONCLUSION Respondent’s Motion for Summary Judgment is GRANTED. Claimant’s claims against Coinbase are dismissed. The final hearing, and all other applicable deadlines, are off-calendar. ______December 17, 2024_____ _____________/s/ Diana Kruze______________________ Date Diana Kruze, Arbitrator
Posted:

A Coinbase data breach filing with the Maine Attorney General finally gives us some more detail than Coinbase’s vague “less than 1% of monthly transacting users”. 69,461 people were affected, and Coinbase says the data breach occurred on December 26, 2024.

Data Breach Notifications
Entity Information
Type of Organization: Financial Services
Entity Name: Coinbase, Inc.
Street Address: 248 3rd Street #434
City: Oakland
State, or Country if outside the US: CA
Zip Code: 94607
Submitted By
Name: Michael Rubin
Title: Attorney
Firm name (if different than entity): Latham and Watkins LLP
Telephone Number: (415) 395-8154
Email Address: michael.rubin@lw.com
Relationship to entity whose information was compromised: Outside Counsel
Breach Information
Total number of persons affected (including residents): 69461
Total number of Maine residents affected: Approximately 217
If the number of Maine residents exceeds 1,000, have the consumer reporting agencies been notified:
Date(s) Breach Occured: December 26, 2024
Date Breach Discovered: May 11, 2025
Description of the Breach:
Insider wrongdoing
Information Acquired - Name or other personal identifier in combination with:
Notification and Protection Services
Type of Notification: Written
Date(s) of consumer notification: May 30, 2025
Copy of notice to affected Maine residents: Appendix_A_-_Coinbase_Template_Individual_Notification_Letter.pdf
Date of any previous (within 12 months) breach notifications: 07/16/2024
Were identity theft protection services offered: Yes
If yes, please provide the duration, the provider of the service and a brief description of the service: We are offering all impacted individuals one year of free credit monitoring and identity protection services provided by IDX. The services include credit monitoring, a $1,000,000 insurance reimbursement policy and identity restoration, and dark web monitoring to identify if any information is made available through illegal online forums.

It took them almost five months between the incident and the incident disclosure, although the company has since admitted it knew customer support agents were suspiciously accessing customer data as far back as January.

Security researchers who have spent months trying to call Coinbase’s attention to serious issues at the company are disputing Coinbase’s claims about the timing of the breach. “Threat actors had ongoing access via multiple insiders over a prolonged period of time.”

Oh good apparently now the Coinbase breach happened on Dec 26, 2024.

LOL

So since Coinbase won't be straight with you, I will. 

Threat actors had ongoing access via multiple insiders over a prolonged period of time. (Screenshot of Maine AG notification)
As evidence, here's a very small cutout of one high value customer's Coinbase account.

This wasn't pulled on Dec 26, 2024 honey.

(Screenshot showing dates between 2025-02-07 and 2025-02-10)

The SEC requires material cybersecurity incidents be disclosed within four business days; state laws often have a 30-day disclosure deadline. It’s not clear if customers outside the US were affected; if so, other disclosure laws may apply.