Coinbase lost a private arbitration case and must pay $618,000 in damages and costs to a client who said he lost cryptocurrency following a 2024 cyberattack. The decision came through confidential arbitration rather than a court or regulator.
The case, Ashok Maini v. Coinbase Inc., ran under the American Arbitration Association forum, widely known in the industry as Triple A arbitration.
Crypto-related disputes sit outside FINRA Dispute Resolution because digital assets still aren’t legally classified as securities. That gap matters. A lot.
Coinbase operates as a subsidiary of Coinbase Global Inc., one of the largest crypto exchanges by trading volume. Maini held several digital assets, including Bitcoin and Ethereum, in his Coinbase account when it was compromised in January 2024.
According to the arbitration award dated December 11, the incident involved a socially engineered attack that resulted in a full account takeover.
The ruling also references a separate data breach. Coinbase became aware in January 2025 of a breach tied to TaskUs, an overseas third-party vendor, but customers didn’t learn about it until May.
That delay weighed heavily in the arbitrator’s view of the case.
Coinbase did not respond to an email seeking comment on the arbitration decision or the vendor breach.
“These crypto platforms are where broker-dealers were in the 1980s in terms of supervision,” said Andrew Stoltmann, Maini’s attorney and a long-time plaintiffs’ lawyer in securities disputes. “There is no FINRA or Securities and Exchange Commission to create rules and then enforce them.”
He added that he is handling roughly 140 similar private arbitration claims involving Coinbase customers. That number hangs there.
Under the award, Maini received $330,000 for the value of the lost cryptocurrencies. The arbitrator also granted $150,000 for loss of use of funds, $96,000 for legal fees, and $42,000 for general costs.
Triple A arbitration runs significantly more expensive than FINRA arbitration, Stoltmann noted, which can push smaller claims out of reach for less wealthy clients.
Steven M. Ruffalo, the arbitrator, placed direct responsibility on Coinbase and didn’t soften the language. He criticized testimony from a Coinbase witness presented as Head of Investigations for the Trust and Safety Team, describing the testimony as evasive and marked by selective memory gaps around facts that could damage the company’s defense.
Ruffalo wrote that Coinbase’s refusal to fully investigate the incident appeared designed to avoid accountability.
He said those actions resemble “badges that no reputable asset custodian should want to be associated with,” let alone pass on to customers.
In a final rebuke, Ruffalo concluded that Coinbase “utterly failed in its duty” to safeguard Maini’s confidential account data, along with that of other customers.
For Coinbase, the ruling locks in financial loss and reputational strain. For the wider crypto sector, it underscores how disputes still fall into regulatory blind spots, where accountability arrives late, expensive, and uneven.
