Leading blockchain security firm suggests a shift to Zero-Trust Architecture
Coinbase’s May 2025 data leak was a stark reminder that crypto’s scariest exploits don’t always happen in the code of an obscure DeFi application.
Unlike cold, calculated hacks in programming logic, social engineering exploits our most human vulnerabilities, with nefarious actors playing on our fear and confusion to steal millions of dollars.
Certora, a leading blockchain security firm, argues that centralized exchanges need to be doing more to protect their users. In a recent report, Certora outlines the importance of safe OpSec practices and suggests how Coinbase could’ve prevented the May Data Leak from ever happening in the first place.
In May 2025, criminals bribed a group of Coinbase’s offshore contractors, acquiring highly sensitive customer data like passports, banking identifiers, and masked social security numbers.
Coinbase’s initial disclosure indicated that the leak affected less than 1% of its monthly-transacting users. According to the Maine Attorney General’s office, regulatory reporting documents confirm that the incident put as many as 69,641 people at risk of social engineering attacks.
Remarkably, reports indicate that sensitive data was being leaked as early as December 2024. It’s impossible to know the extent of the damage that may have been caused before the breach was discovered on May 11, 2025. Coinbase has since made whole affected customers who were targeted by the criminals and lost funds.
Even if you consider yourself a crypto veteran, you’re still not immune to the damages that data leaks can cause. Solana Labs co-founder Raj Gokal probably didn’t get duped by a social engineering scam, but he certainly didn’t appreciate having his personal information shared across the internet.
Certora, a leading blockchain security firm, posits that social engineering is one of the easiest attack vectors available to malicious actors. The unpracticed-but-crypto-curious demographic is low-hanging fruit for experienced scammers. Why try and find chinks in battle-hardened, audited protocols when you can convince someone that you’re a Coinbase employee and “help” them secure their account?
While investors are responsible for educating themselves to a certain level, Certora argues that exchanges need to up their game and “account for the fact that vulnerable insiders, whether malicious or not, are susceptible to compromise.”
Certora champions the growing momentum of an OpSec movement called Zero Trust Architecture, or ZTA. Put simply, ZTA requires teams to stop trusting the “company network” as a safe bubble. Remote work, cloud apps, and rogue phishing make that security perimeter porous and insecure.
Exchanges need to realize that their employees are vulnerable to OpSec blunders, and lock each sensitive resource with its own access rules and checks. Every request is verified and given only the absolute minimum amount of data needed. That way, a single compromised account can’t roam or cause wider damage.
Going back to the Coinbase example, Certora raises a valid point about the access authorities and sensitive data visibility given to overseas contractors. There is no reason why a customer support agent should have access to a user’s passport, let alone their masked social security numbers and comprehensive account history.
While Coinbase evidently dropped the ball in this case, individuals are still strongly encouraged to educate themselves on security practices. Even if investors are frightened by the prospect of self-custody, those who store assets in centralized exchanges would still benefit from a few golden, unbreakable rules:
Crypto’s prolific growth and adoption in 2025 are massively beneficial for the industry. Unfortunately, the influx of millions of new users and investors is a mouth-watering prospect for malicious actors. Exchanges need to lift their game to protect users, or the industry will never overcome the reputational damage caused by security leaks like Coinbase’s recent blunder.
Prop AMMs are dominating Solana DeFi
