Resolution criteria:
More than 50 depositors (who did not participate in the hack/fraud) are suspended from withdrawals for 30+ days on the basis of that hack/fraud; OR
ANY depositor (who did not participate in the hack/fraud) is either suspended from withdrawals for 365+ days on the basis of that hack/fraud, or is never made whole.
This question resolves when any deadline in the above schedule expires with a depositor unwhole, according to the date the first $150k worth of cryptocurrency was illegally transferred out of Coinbase-controlled wallets from a given attack. (This clause is to avoid ambiguity: breaches are complex and have many phases ranging from recon to exploitation to pivoting to trial withdrawls; the breach may not be discovered immediately; there may have been no “date of breach” for certain insider threats, etc.)
Exclusions:
Losses which are entirely reimbursed by Coinbase within the above schedule will, obviously, not cause this question to resolve.
Losses to a depositor which are due to a cyberattack on that depositor’s IT equipment or network and do not pivot through Coinbase’s network to exfiltrate funds which that depositor did not have access to, will be entirely excluded from this question, EVEN WHEN many depositors are similarly affected AND that loss could have been prevented by Coinbase.
For example: An attacker is able to breach the laptops of several depositors, through no particular fault of those depositors. The attacker is able use this access to exfiltrate funds from the Coinbase accounts of these depositors. The attacker is also able to pivot to exfiltrate funds from a Coinbase account belonging to the spouse of one of these depositors through a “joint account”, “authorized user”, or similar control which was already configured. Coinbase refuses to reimburse any of the affected depositors for their losses. A court later holds that Coinbase was partially to blame for not having enough safety controls on outbound transfers, but the depositor is still not made entirely whole.
This scenario would NOT cause this question to resolve, because Coinbase and its systems were NOT breached — only the depositors’ were.
Losses to a depositor which are due to a cyberattack which depended on some fault of that depositor, will be entirely excluded from this question, EVEN WHEN many depositors are similarly affected AND that loss could have been prevented by Coinbase.
For example: Several non-employee depositors use weak or shared passwords, and an attacker is able to brute-force or credential-stuff them. That attacker then launches a spear phishing campaign to convince the depositors to allow them through any MFA controls, and wages the whole campaign without compromising Coinbase’s website, e-mail servers, or TLS or DKIM keys; the depositor could have easily defeated the attack. The attacker is able use this access to exfiltrate funds from the Coinbase accounts of these depositors. A court later holds that Coinbase was partially to blame for having insufficient brute-force password controls, but the depositor is still not made entirely whole.
This scenario would NOT cause this question to resolve, because Coinbase was NOT exactly hacked — just the depositors’ individual Coinbase accounts, and due to the depositors’ individual mistakes.
Hairsplitting:
In the hideously unlikely event that Coinbase, due to a cyberattack or fraud, suffers a loss of customer funds worth less than $150k, which it chooses to pass on to some innocent depositor(s), this question will resolve according to the date the first such depositor’s account is frozen for withdrawals.
Timestamps according to the transactions on the Bitcoin and Ethereum blockchains and according to the US/Pacific timezone. Instantaneous Midnight is included in the following day.