A São Paulo court has ordered Coinbase to reimburse approximately $100,000 to a customer after funds vanished from the individual’s Coinbase Wallet, rejecting the company’s argument that self-custody solutions are not its responsibility when user funds are stolen.
Brazilian court rejects Coinbase’s liability defense
The São Paulo State Court directed Coinbase, a leading cryptocurrency exchange based in the United States and publicly traded on NASDAQ, to return over 507,000 reais to an investor named Joubert. He had transferred his digital assets from other exchanges into his Coinbase Wallet, only to find them missing later without any authorization on his part.
Coinbase contended that it had no access to the wallet’s private keys and was powerless to control blockchain transactions. However, Judge Ju Hyeon Lee determined that Brazil’s Consumer Protection Code required Coinbase to provide evidence proving Joubert authorized the transaction. The company could not deliver such proof.
The court also found that Coinbase failed to prove the compromised wallet was equipped with essential security features, such as blocking mechanisms or two-factor authentication. Judge Ju Hyeon Lee criticized Coinbase for submitting technical documents that were difficult for the court to interpret and not explained in simple language.
As a result, Coinbase must repay the entire sum and pay court costs totaling 10% of the claim, in addition to potential legal fees.
Magistrate Ju Hyeon Lee ruled that Coinbase had to demonstrate that the customer approved the disputed transfer and criticized the company for not translating technical records into understandable terms for the court.
Potential impact on Brazilian crypto regulation
Legal experts believe the decision may set an important precedent for how Brazilian regulators and courts assess responsibility in self-custody crypto products. Raphael Souza, a digital law attorney, emphasized that the court’s decision challenges the common defenses used by crypto platforms—specifically, disclaimers about responsibilities for products marketed as self-custody.
Souza explained that manufacturers and providers are responsible for user security, regardless of the underlying technical architecture. He also noted that companies cannot simply overwhelm courts with complex documentation and expect judges to determine liability on their own.
Brazil’s legal system has increasingly prioritized consumer protection in recent years. The Superior Court of Justice has previously held crypto platforms accountable for fraud when unable to prove their security practices.
In a recent move, Brazil’s central bank reclassified virtual asset service providers as Type 3 institutions under Resolution 580/2026. These changes, effective January 1, 2027, put crypto service providers under the same regulatory requirements as securities brokerages. From mid-2024 to mid-2025, Brazil processed around $318 billion in crypto transactions.
Mini dictionary: Type 3 institutions — In Brazil’s regulatory framework, these are financial service providers, including virtual asset platforms, now subject to strict compliance and oversight regulations similar to those managing securities.
| Institution Type | Previous Regulation | New Regulation (as of 2027) |
|---|---|---|
| Virtual Asset Service Providers | Limited oversight | Treated as Type 3, regulated like securities brokerages |
| Securities Brokerages | Full regulatory compliance | No change |
Ongoing security and fraud challenges at Coinbase
Coinbase has faced several other high-profile security incidents beyond this recent court ruling. In December 2025, on-chain investigator ZachXBT traced approximately $2 million in stolen funds to a scammer posing as Coinbase support.
In a separate incident, prosecutors in Brooklyn charged a 23-year-old man with stealing $16 million from around 100 Coinbase users through fraudulent impersonation calls.
Many of these scams traced back to a significant breach in May 2025, when corrupt overseas support agents leaked customer data. Attackers reportedly demanded a $20 million ransom and threatened to release sensitive information belonging to nearly 70,000 Coinbase users.
Coinbase CEO Brian Armstrong later revealed that instead of paying the ransom, the company allocated that $20 million to fund a bounty program aimed at tracking down the attackers.
Rather than meet extortion demands, Coinbase’s leadership committed $20 million to pursue the culprits behind the customer data breach.
Coinbase may now choose to appeal the São Paulo court ruling or comply fully with the financial penalties assigned.




