Space Coast Credit Union, Coinbase Settle Crypto Hack Lawsuit

They had a checking account with Space Coast and a cryptocurrency trade account with Coinbase, which was linked to their credit union debit card, according to the suit. 

On Aug. 17, 2024, a hacker allegedly used the couple’s stolen credentials, intercepted a two-factor authentication code to access their Coinbase account and liquidated Rueda’s cryptocurrency, withdrawing $4,997, followed by another $3,150 withdrawal on Aug. 22. The lawsuit did not explain how the two-factor authentication code was intercepted.  

Coinbase confirmed the hack in an email and said it was irreversible, according to the suit. The company denied a refund on grounds that the account holder is responsible for activity even when credentials are compromised. 

On Aug. 28, two days after receiving notice of the alleged fraud, Space Coast applied nine provisional credits of $700 each, fully restoring the $6,300, pending VISA’s investigation. But nearly two months later on Oct. 19, Space Coast reversed every dollar of the provisional credits leaving the account overdrawn. That same day Space Coast mailed a form letter to the couple stating the charges were valid and the provisional credits were removed, according to the suit. 

Rueda and Echevarria-Cabret said they made repeated calls to Space Coast seeking documents and reconsideration; however, none were provided. 

Although Space Coast and Coinbase did not answer the lawsuit, their court filings indicated the companies were in negotiations with the couple’s attorney to resolve the case. 

Rueda and Echevarria-Cabret claimed that the credit union and Coinbase allegedly violated three provisions of the Electronic Fund Transfer Act (EFTA), alleging both organizations failed to investigate the disputed transactions, did not provide any documentation to back their decisions that rejected the disputed transactions, and improperly held the couple liable for the full losses. 

After months of negotiations, Rueda, Echevarria-Cabret and Space Coast filed a joint stipulation of dismissal with prejudice on Jan. 13, meaning the lawsuit cannot be refiled.  

Coinbase, Rueda and Echevarria-Cabret are expected to submit their joint dismissal with prejudice filing by the end of this month. 

Coinbase has reported other security incidents, including one that involved an unidentified financial institution.  

In July 2025, Coinbase reported a data breach that affected nearly 70,000 individuals, according to Maine’s Attorney General office. The breach occurred in December 2024, exposing personally identifiable information and bank account identifiers, but it did not include passwords, private keys and other information that would enable hackers to access accounts or funds.  

However, a year earlier in July 2024, Coinbase reported a breach with an unidentified third-party financial institution that experienced a security incident, which could have potentially impacted a small amount of Coinbase data.  

The bank’s investigation revealed that a file containing transactions data, which included personal information of more than 150 individuals, was mistakenly uploaded to an external location from which an unauthorized person may have accessed it, according to a notice Coinbase filed with Maine’s Attorney General. But the bank’s investigation did not indicate that the file had been accessed by an unauthorized third party or had been involved in any ID theft or fraud incident.  

Peter Strozniak can be reached at peter.strozniak@arc-network.com.