New loan assistance will help Lahaina families rebuild homes after wildfires

Maui County is launching a new loan program this summer to help middle-income Lahaina homeowners who are still struggling to rebuild since the Aug. 8, 2023, wildfires.
The Deferred Payment Loan Program is aimed at residents who fall into the 'gap group '—families who make too much to qualify for federal disaster assistance but not enough to cover the full cost of rebuilding on their own.
Maui County is committing $7.5 million to the program as part of its fiscal year 2026 budget, with additional contributions expected from philanthropic partners.
The Hawaii Community Foundation and Maui United Way have pledged to support the program financially, though exact amounts have not yet been announced. The county's share will be administered through Hawaii Community Lending, which will act as the implementing agency.
The program is scheduled to launch later this summer, with July as a tentative target date.
Interested Lahaina homeowners can begin the application process through the Lahaina Homeowner Recovery Program at hawaii communitylending.com /mauirelief, to find information about eligibility, required documentation and available support services.
The loans, which require no monthly payments upfront, are designed to close critical funding gaps that have left many families in limbo nearly two years after the disaster.
'This is about ensuring everyone has a path forward, ' Mayor Richard Bissen said in a statement. 'Our community deserves a recovery that reaches all—from our most vulnerable residents to the middle-class families who may not qualify for federal aid but still need support to rebuild their homes and lives. This partnership is a commitment to them.'
The Deferred Payment Loan Program is a collaboration among Maui County, HCF, MUW and HCL, which expands on an earlier initiative already underway through the Lahaina Homeowner Recovery Program.
Josiah Nishita, Maui County managing director at the Department of Management, said the new loan program has been in the works for some time as officials looked for ways to support families left out of traditional disaster funding streams.
Although the county continues to coordinate with FEMA, the Small Business Administration and the U.S. Department of Housing and Urban Development to bring in long-term recovery dollars through the Community Development Block Grant Disaster Recovery—or CDBG-DR—program, that federal assistance comes with strict eligibility criteria and income thresholds.
'The (Deferred Payment Loan ) program is primarily going to be able to help those families that are cut in the middle, ' Nishita said. 'They make too much for some of the federal assistance programs but then don't make enough to finance reconstruction or rebuild their homes on their own.'
Nishita said HCL already has been working with affected homeowners to help them navigate the complex recovery process, offering one-on-one guidance to connect people with grants, insurance support and financial counseling.
The new loan program will build on that work, targeting costs like property surveys, construction estimates, fire-safe rebuilding upgrades, homeowners insurance gaps and even foreclosure prevention.
Nishita added that program flexibility is key, as every family's situation is different. While officials do not yet have a specific number of households the program will serve, Nishita said the goal is to stretch available resources to make the greatest possible impact across a wide range of needs.
The county also emphasized strong oversight. Each participating organization will be responsible for ensuring that funds are used appropriately, and the county will require documentation and reporting for its share of the funding.
'Hawaii Community Lending has been very open and transparent with the community, as well as engaging a lot of community dialogue, ' Nishita said. 'We have our own requirements for use of public funds, including on grant reporting processes and documentation. … Maui United Way and Hawaii Community Foundation each have their own sets of requirements that Hawaii Community lending will need to ensure to meet so that people can have confidence in the funds being spent appropriately.'
As the community awaits the broader rollout of CDBG-DR funds—Maui County expects to receive roughly $1.6 billion in federal aid—Nishita said the loan program fills a critical gap to ensure no one falls through the cracks. HUD already has approved the county's administrative action plan for CDBG-DR, which allows 5 % of the total funds to be used for managing and administering recovery programs.
'One thing that Mayor (Richard ) Bissen has said many times is, if we build a bunch of buildings but don't recognize the faces within them, then we've really failed our mission, ' Nishita said. 'Our goal is really simple : to keep our community at home and to keep our community together … keep our local residents in their homes and on their properties with their neighbors in their neighborhoods.'
Outreach will continue through community meetings in Lahaina and updates from the county's Office of Recovery, which also helps survivors access other recovery programs.
To date, the county and its partners have held around 60 meetings with homeowners and plan to continue hosting them twice a month.
Nishita encouraged wildfire survivors to stay engaged.
'If you've been impacted by the wildfire, continue to participate in the county's informational updates, meetings and keep providing us good feedback, ' he said. 'The county is fully committed to ensure that our local families can continue to stay here, to raise their families here and thrive here.'

Try Our AI Features

Explore what Daily8 AI can do for you:

Learn with AIFact CheckingText to SpeechAI Summary

Related Articles

Yahoo

an hour ago

• Yahoo

Owners claim Maui residents can't afford converted vacation rentals, UH study says otherwise

Owners and managers of Maui short-term vacation rentals have argued during two days of public hearings that local residents cannot afford the rent if 6, 100 units are converted into long-term housing, as proposed by Mayor Richard Bissen. Residents who also testified before the Maui County Council last week in support of Bill 9 repeatedly have called the claim offensive. An economic analysis by the University of Hawaii Economic Research Organization backs up the residents' testimony. The analysis shows that over 11, 600 Maui households—or 21 % of all households on the island—already use 30 % of their incomes to pay for housing and could afford to move into converted units because the owners would see their tax rate fall to Maui County's lowest rate as the value of their homes continues to drop. The pool of Maui residents already paying even more of their incomes for housing is even greater. An additional 15, 500 Maui households use 30 % to 50 % of their incomes toward housing, according to the UHERO analysis, and they also could afford to rent converted vacation rentals, meaning long-term housing for a total of over 27, 100 Maui households. Matt Jachowski, one of Bissen's executive assistants, told the Honolulu Star-Advertiser, 'Many of our households already spend that range of money on housing.' Some '27 % of all renters in the county are already cost-burdened, ' Jachowski said. 'So it's obtainable.' The Maui County Council's Housing and Land Use Committee will have to vet the competing claims when it resumes hearings all day Monday and again Tuesday night. All nine members of the Council serve on the committee, so the committee vote on Bill 9 will provide a strong indicator of how the full Council will act on the measure. If approved, Bill 9 would take effect in West Maui by July 1, 2028. The units in question represent less than half of Maui's estimated 13, 000 legal short-term vacation rentals, and Bissen previously told the Star-Advertiser that tourists remain welcome on Maui. Bissen said he wants to free up housing for local residents and bring better balance to the proportion of vacation rentals on Maui, which has more short-term vacation rentals than even Oahu. On Maui, temporary vacation rentals make up 21 % of the housing inventory. 'Maui is this complete outlier in how many TVRs we have, ' said Jachowski, noting the figure is only 3 % for London, which has the highest percentage of housing dedicated to transient vacation rentals compared to Los Angeles, Boston and Barcelona. UHERO ALSO reported that the total monthly cost of housing for Maui residents to move into a converted short-term vacation rental also would fall, from $5, 829 to $4, 601, because of declining property values and taxes. Maui County witnessed eight consecutive years of increased condo sales prices, from $402, 000 in 2016 to $900, 500 in 2024. But prices dropped for the first time since 2016 after Bissen introduced Bill 9. In the first five months of 2025, the average sales price has fallen from $900, 500 to $760, 000. Several owners of short-term rentals and their property managers have testified that no one wants to buy on Maui since Bill 9 was introduced, especially potential out-of-state investors who would be barred from renting them to tourists for their vacations. Owners' monthly cost for a vacation rental, including mortgage, insurance, association fees and other expenses, were running at $5, 800 per month, Jachowski said. Now, with Bill 9 on the table, the costs have fallen to $4, 601 per month, putting the lower price within reach of the 27, 100 Maui residents who already pay that much, he said. UHERO looked at other cities that now restrict 1 % of their short-term vacation rentals and found that housing prices and rents fell by 4 % in Los Angeles and London and by lesser amounts in Barcelona and Boston. Bill 9 would 'revert ' all apartment district properties to long-term residential use and remove the exception for transient vacation rental units built or approved before 1989. For Maui residents who can afford to buy one of the converted units, the tax rates would plummet from $12.50 per $1, 000 of value to just $5 for an owner-occupied unit, Jachowski said. BISSEN spokesperson Laksmi Abraham acknowledged UHERO's expectation of job losses in Maui's short-term vacation rental industry but said there will still be a need for workers in the nearly 9, 000 remaining vacation rentals, including plumbers, electricians and others to work on the units that convert to long-term housing. Short-term rentals average only 53 % occupancy annually, and Abraham said those that remain for tourists 'will see an uptick in their occupancy and they're still going to need somebody to manage a lot of these units. There will be impact, but the transition won't be as drastic as UHERO paints it to be.' At the same time, Ja ­chow ­ski noted that UHERO said that as the 'affordability of housing improves, housing costs are also going down, and that's important.' Maui short-term vacation rental owners and their property managers also have repeatedly argued that local residents do not want to live in their one-and two-bedroom units—a claim residents also called offensive. Data compiled in the aftermath of the Aug. 8, 2023, wildfire that destroyed 3, 500 homes in Lahaina backs up local renters. Many of them have scrambled over the last two years to find and afford increasingly expensive long-term housing. Before the disaster, many survivors were living in large multigenerational homes that were destroyed. Since then, the Federal Emergency Management Agency and the Council for Native Hawaiian Advancement had the highest demand for one-and two-bedroom units as individual, smaller family units that used to live in multigenerational homes searched for housing for themselves, Jachowski said. 'The data clearly shows we have a lot of households that are smaller and could benefit from smaller homes, ' he said. IN 2024, Gov. Josh Green signed Senate Bill 2919 into law clarifying that each county has the authority to determine what to do with transient vacation rentals as the state faced an ongoing shortage of 50, 000 homes. Bissen was the first to respond with Bill 9. Bissen and Green have repeatedly said Maui and the state cannot build their way out of the lack of housing. To them, converting vacation rentals into long-term housing represents the most logical path forward. State Rep. Luke Evslin (D, Wailua-Lihue ), who chairs the House Committee on Housing, has been working on ideas ahead of the next legislative session to create more housing but said the counties now control the future of their own short-term vacation rentals. 'We've done all we can do on the short-term vacation issue, ' Evslin said. 'At this point, it's up to them.' Several members of the Honolulu City Council's Housing, Homelessness and Parks Committee did not respond to Star-Advertiser requests for comment on what they might do about converting Oahu's short-term vacation rentals. Matt Weyer, who serves on the housing committee, said he's more interested in cracking down on the estimated 118 to 120 illegal short-term rental units in his district, especially in residential and rural areas around Turtle Bay Resort. Weyer's Council district stretches across the North Shore down to the upper Windward side and as far south as Mililani. In the North Shore alone, Weyer said, there are about 262 legal short-term rentals, and he has not heard an outcry from residents to convert them into long-term housing. 'I wouldn't say phasing them out would solve the problems we're facing, ' he said. 'We're looking at how we can best target illegal vacation rentals … by enforcing the existing laws. That's the struggle. We want to ensure that folks that are doing it illegally are doing it legally. That really creates the biggest impact.' U.S. Rep. Jill Tokuda, whose district includes rural Oahu and the neighbor islands, said that converting Maui's 6, 100 short-term vacation rentals into long-term housing might help the island's housing shortage and stem the exodus of local residents to the mainland. 'We've got to do something, ' Tokuda said. 'It's going to require some bold, pretty bold action to keep people here and to free up available units for local families. If not, they're going to keep leaving.'

Yahoo

5 days ago

• Yahoo

Coinbase victims speak out as breach, brazen hackers and a culture of silence collide

Over the past few weeks, I've spoken with dozens of victims of a stunningly sophisticated account-draining scam —exploiting trust, technology, and a massive data breach at Coinbase, the largest crypto exchange in the United States. Each victim tells a nearly identical story of loss, heartbreak, and feeling ghosted by the company that promises to be "the most trusted place for people and businesses to buy, sell, and use crypto …" Just reading that statement on the company's homepage now makes many of them feel physically ill. And the added banner across the top of the homepage warning about social-engineering scams? Far too little, too late for a nearly $63 billion company that recently made the Fortune 500 list and could have — should have — sounded much louder alarms months ago. Other journalists have done significant work documenting the breach itself—how it happened, who orchestrated it, what Coinbase knew, and when. This is not a story about the hackers. It's a story about the people who got hurt. People often stereotype crypto investors as reckless, young, or greedy. But the people I've interviewed are teachers, engineers, business owners, and parents. They are smart, cautious, and aware of how online scams work. They followed the rules. They double-checked URLs. They asked the right questions. And still, they lost everything: down payments for homes, retirement funds, and the belief that anyone was looking out for them. Many of the people I spoke with asked that we not use their full names due to concerns about reputational harm or possible retargeting. They agreed to be identified by their initials. DR started learning about investing when he was 13 with the goal of building something big. By 32, he had more than $100,000 in his Coinbase account. It was supposed to be his generation's Apple stock. Then, in early May, came a flurry of warnings — emails from spoofed addresses, suspicious activity alerts, and a barrage of phone calls. When he finally picked up, the man on the other end introduced himself as 'Jacob Williams,' a security employee at Coinbase. He sounded official. Still, DR said he cautiously 'grilled him,' and demanded extensive proof. 'Williams' sent a verification email that appeared to be from a address to DR's Coinbase-linked Gmail account (that DR did not give the hacker over the phone). He sent an official-looking email that even fooled anti-scam software. He also instructed DR to check his Gmail Sent folder. Sure enough, there were emails there to help@ that he did not write. DR thought this was the important 'proof' that someone had hacked his Coinbase account and maybe even his Gmail account. (How the hackers gained access to DR's gmail is still unclear.) 'I thought I was being very cautious,' DR told me. 'I asked all the right questions. This guy knew every detail of my account, inside and out.' The caller instructed DR to use a "whitelisted" account to protect his funds. That's an account that DR set up with additional security features within his Coinbase Wallet app. 'There's no way anyone could have seen all of that unless they had internal access,' DR said. The hacker watched and commented on it all in real-time, even though DR claims he never handed over passwords, seed phrases, or any other information that could have given the hackers direct access. 'They had my name, my driver's license, and the last four digits of my Social Security number. They even mimicked official Coinbase warnings. It was terrifying,' DR added. When DR finally hung up and called Coinbase support to confirm that he had now locked down his account, a customer service agent told him that he had fallen for a scam and there was nothing they could do. They advised him to file a police report with his local authorities. FK, an experienced tech entrepreneur in Silicon Valley, shared a similarly devastating story. 'They knew everything. My transaction history, my recent logins, even which tokens I'd moved and when,' he said over the phone. 'The shame is unbearable. I know the industry, the history of scams, and had all the security measures in place.' One moment from the call still haunts him: 'How do I tell my wife that we had hundreds of thousands of dollars stolen over the holidays?' Erin West, a former prosecutor and founder of Operation Shamrock, said the fears about reputational harm or re-targeting are valid. She's now working with more than 60 victims, including 39 who responded within minutes of an initial outreach to her network late last month. 'People have been plunged into incredibly dark places,' West said. 'They've lost life savings, identity security, and trust in digital systems. The damage isn't just financial—it's emotional and deeply personal.' One of the highest-profile victims is 67-year-old Los Angeles artist Ed Suman, who told Bloomberg he lost more than $2 million in crypto after a fake Coinbase support call. The attackers convinced him that even his 'cold wallet' was compromised. 'The most effective thing Coinbase could have done was email customers and say, 'There are scammers impersonating us,'' Suman said. 'Instead, they were woefully remiss.' A Coinbase spokesperson told me they have warned customers, most notably in blog posts on the company website under the topic 'Consumer Protection Tuesday.' There have been 20 of those articles posted since December 2024. He also pointed to warnings shared from its Coinbase Support account on X and YouTube accounts and said that anytime Coinbase learns of a breach, it files 'in accordance with all state and federal laws, and all are publicly available.' In addition, the spokesperson said that the company contacts anyone affected by the breach immediately. On May 15, Coinbase filed a notice with the Maine Attorney General: nearly 70,000 customers had been affected by a breach. The source? Bribed third-party contractors working for TaskUs, a customer support vendor in India. Using stolen data, such as government IDs, phone numbers, emails, and account histories, criminals launched targeted social engineering attacks. TaskUs later confirmed it had terminated at least two employees for illegal access and disclosed the activity to Coinbase. But a class-action lawsuit in the Southern District of New York filed late last month shows a different TaskUs breach and claims Coinbase executives knew about it as early as January. According to the complaint, TaskUs decided to fire 300 employees at its India call centers over allegations of fraud. Which begs the question, how many breaches have there been, and have any other third-party contractors aside from TaskUs been compromised? That suit is one of at least 13 class actions now pending. One investor alleges Coinbase delayed the breach disclosure to avoid a stock drop. Other litigation encompasses a wide range of issues, including biometric privacy violations, pig-butchering scams, and account lockouts. Bloomberg Law confirmed that even high-profile industry figures, like Sequoia Capital's Roelof Botha, had their data compromised. Coinbase told me they cannot comment on any pending litigation. Erin West is blunt: 'This didn't start in May. I had victims calling me last August.' She said Coinbase ignored numerous warning signs. 'Instead of alerting customers or locking down systems, they waited. They updated their terms of service — quietly — limiting customers' rights to participate in class-action lawsuits. And people, to this day, keep getting hit.' FK's attack happened in late December. Ed Suman's came in March. DR's hit in early May. When FK lost almost $400,000, he reported it immediately to Coinbase, the FBI, and local police. He followed up dozens of times. All he heard back was, 'all transactions confirmed on the blockchain are final.' Then, in late May, after he saw the news of the breach, he reached back out to Coinbase again. He said this time, a Coinbase customer service representative told him, 'more than a million accounts have possibly been affected going back to November 1 of 2024.' FK said the same support agent told him to 'be patient, that it might take a while for the company to alert all of the people possibly involved.' In the meantime, his crypto holdings would be worth nearly $625,000 today. A Coinbase spokesperson wrote to me in an email that 'all impacted customers have already received an email from no-reply@ all notifications went out at 7:20 a.m. ET on 5/15 to affected customers.' When I asked for further clarification and explained that none of the victims I spoke with received emails from Coinbase on May 15, he offered to escalate their cases to the support teams. Then he added, 'But important to note we will reimburse anyone who sent their funds to the attacker as a result of this incident. If a customer was not part of this incident and was socially engineered to send funds to a scammer, that would not fall into the refund.' On June 3, both DR and FK received notice that Coinbase will not reimburse them because their personal information 'was not exposed in the recent incident.' Neither victim understands how the scammers could have accessed their personal information without insider access. They followed security protocol. They didn't share private keys. But hackers still emptied their wallets. 'The hackers sucked the funds out of my wallet without my consent to Roobet, a crypto gambling site in Curaçao,' FK explained. 'I did not initiate that. They did. Because I never shared my private key or seed phrase with them. They had backdoor access to my actual Coinbase Wallet.' But here's something I just learned: Every transaction you make on public blockchains like Bitcoin or Ethereum is completely transparent, and anyone can look it up. If someone gains access to your wallet address, they can see what you've sent and received, when those transactions happened, and which platforms or smart contracts you've interacted with. They can't always see exact dollar amounts or what you 'bought' in the traditional sense — but they can trace your balance and behavior. In crypto, your wallet address is like your phone number, bank routing number, and purchase history — all rolled into one. And if it's ever linked to your real identity, your entire transaction history becomes searchable. DR and FK still maintain the only way anyone could have gotten their wallet addresses is through a Coinbase breach, but most people investing in crypto right now have no idea how exposed they really are. All of this comes at the same time the current administration is easing restrictions on cryptocurrency trading in the United States. 'This is their chance to do the right thing in a very public way,' DR said. 'It's like crisis communications 101. I've heard that they want people to sign NDA's and drop any future legal action in order to get reimbursed. I would do that in a heartbeat,' he added. FK agreed. 'That's all I want, for Coinbase to do the right thing.' 'Coinbase should have sounded the alarm immediately,' cybersecurity expert Richard Blech told me over the phone. He said other major crypto exchanges, like Binance and Kraken, faced the same kind of social-engineering attacks but blocked them before hackers could steal any customer data. 'That's the difference a real zero-trust system makes,' Blech said. 'In a setup like that, this kind of breach either doesn't happen — or it gets shut down fast.' He called Coinbase's failure a collapse of digital architecture. 'This wasn't just a breach,' he added. 'It was a betrayal of trust. And in crypto, trust is the product. Lose that, and you lose everything.' Everyone's asking the same questions now: Why didn't Coinbase send out a warning months ago? 'The only emails I have from them are promotions,' FK said. Why didn't they take out full-page ads on popular investor channels during the bull run, send in-app alerts, email mass notifications urging customers to be cautious, or go one step further than posting their own warnings on social media and engage with influencers on platforms like YouTube, X, and TikTok to get the word out? Coinbase estimates the most recent breach will cost up to $400 million in reimbursements, legal costs, and security upgrades. But no one knows how they're deciding who to 'make whole' again. Crypto scams aren't new. However, the scale and precision of this latest spate sets a new standard — and serves as a warning to everyone who banks online. The breach didn't unlock Coinbase's crypto vaults. It didn't have to. With enough stolen data, scammers created the illusion of safety and authority. They sounded American. They used Coinbase's scripts. They shared scam tactics over Discord and Telegram. They were organized and, at times, bragged about their exploits. And just as the breach became public, the Department of Justice shut down its National Cryptocurrency Enforcement Team — the only federal group built to stop scams like this. 'It's the Wild West all over again,' West said. 'And good people are paying the price.' Victims want answers. They want Coinbase to: Make the reimbursement process transparent Follow through and do what they claim on their website to harden security and track stolen funds Be much more vocal and prolific with scam warnings Reverse the Terms of Service updates that limit consumer rights And most of all, they want people in charge at Coinbase to realize they're just like them, not nameless, faceless 'users." Join a class action: Law firms like Milberg are pursuing cases. File a complaint: With the SEC, FTC, or your state attorney general. Talk to a tax professional: Some losses may qualify for deductions. Contact Operation Shamrock: For advocacy and support. Use app-based or hardware 2FA Don't give your wallet address to anyone, ever. This is critical. Never move funds based on a call or email Set withdrawal allowlists on exchange accounts Use a hardware wallet like Ledger or Trezor for long-term holdings Don't download remote-access apps unless absolutely necessary And finally: demand accountability. This story isn't over. But hopefully the people who refuse to slink away and remain silent will get a chance to rewrite it—for good. Jennifer Jolly is an Emmy Award-winning consumer tech columnist and on-air contributor for "The Today Show.' The views and opinions expressed in this column are the author's and do not necessarily reflect those of USA TODAY. Contact her via or @JennJolly on Instagram. This article originally appeared on USA TODAY: Coinbase victims speak out amid massive breach at crypto exchange

USA Today

5 days ago

• USA Today

Coinbase victims speak out as breach, brazen hackers and a culture of silence collide

Coinbase victims speak out as breach, brazen hackers and a culture of silence collide Each victim tells a nearly identical story of loss, heartbreak, and feeling ghosted by a company promising trust. Show Caption Hide Caption Vance calls crypto 'hedge' against inflation, bad policies Vice President JD Vance said Bitcoin's independence offers access to those denied banking over political beliefs, including support for gun rights. Coinbase is the largest crypto exchange in the United States. On May 15, Coinbase filed a notice with the Maine attorney general, disclsoing 70,000 customers had been affected by a breach. The breach could cost up to $400 million, and many victims are fighting to get their money back. Over the past few weeks, I've spoken with dozens of victims of a stunningly sophisticated account-draining scam —exploiting trust, technology, and a massive data breach at Coinbase, the largest crypto exchange in the United States. Each victim tells a nearly identical story of loss, heartbreak, and feeling ghosted by the company that promises to be "the most trusted place for people and businesses to buy, sell, and use crypto …" Just reading that statement on the company's homepage now makes many of them feel physically ill. And the added banner across the top of the homepage warning about social-engineering scams? Far too little, too late for a nearly $63 billion company that recently made the Fortune 500 list and could have — should have — sounded much louder alarms months ago. Other journalists have done significant work documenting the breach itself—how it happened, who orchestrated it, what Coinbase knew, and when. This is not a story about the hackers. It's a story about the people who got hurt. People often stereotype crypto investors as reckless, young, or greedy. But the people I've interviewed are teachers, engineers, business owners, and parents. They are smart, cautious, and aware of how online scams work. They followed the rules. They double-checked URLs. They asked the right questions. And still, they lost everything: down payments for homes, retirement funds, and the belief that anyone was looking out for them. Many of the people I spoke with asked that we not use their full names due to concerns about reputational harm or possible retargeting. They agreed to be identified by their initials. 'Why didn't anyone warn us?' DR started learning about investing when he was 13 with the goal of building something big. By 32, he had more than $100,000 in his Coinbase account. It was supposed to be his generation's Apple stock. Then, in early May, came a flurry of warnings — emails from spoofed addresses, suspicious activity alerts, and a barrage of phone calls. When he finally picked up, the man on the other end introduced himself as 'Jacob Williams,' a security employee at Coinbase. He sounded official. Still, DR said he cautiously 'grilled him,' and demanded extensive proof. 'Williams' sent a verification email that appeared to be from a address to DR's Coinbase-linked Gmail account (that DR did not give the hacker over the phone). He sent an official-looking email that even fooled anti-scam software. He also instructed DR to check his Gmail Sent folder. Sure enough, there were emails there to help@ that he did not write. DR thought this was the important 'proof' that someone had hacked his Coinbase account and maybe even his Gmail account. (How the hackers gained access to DR's gmail is still unclear.) 'I thought I was being very cautious,' DR told me. 'I asked all the right questions. This guy knew every detail of my account, inside and out.' The caller instructed DR to use a "whitelisted" account to protect his funds. That's an account that DR set up with additional security features within his Coinbase Wallet app. 'There's no way anyone could have seen all of that unless they had internal access,' DR said. The hacker watched and commented on it all in real-time, even though DR claims he never handed over passwords, seed phrases, or any other information that could have given the hackers direct access. 'They had my name, my driver's license, and the last four digits of my Social Security number. They even mimicked official Coinbase warnings. It was terrifying,' DR added. When DR finally hung up and called Coinbase support to confirm that he had now locked down his account, a customer service agent told him that he had fallen for a scam and there was nothing they could do. They advised him to file a police report with his local authorities. 'I'm afraid for my family' FK, an experienced tech entrepreneur in Silicon Valley, shared a similarly devastating story. 'They knew everything. My transaction history, my recent logins, even which tokens I'd moved and when,' he said over the phone. 'The shame is unbearable. I know the industry, the history of scams, and had all the security measures in place.' One moment from the call still haunts him: 'How do I tell my wife that we had hundreds of thousands of dollars stolen over the holidays?' This isn't just tech. It's trauma. Erin West, a former prosecutor and founder of Operation Shamrock, said the fears about reputational harm or re-targeting are valid. She's now working with more than 60 victims, including 39 who responded within minutes of an initial outreach to her network late last month. 'People have been plunged into incredibly dark places,' West said. 'They've lost life savings, identity security, and trust in digital systems. The damage isn't just financial—it's emotional and deeply personal.' One of the highest-profile victims is 67-year-old Los Angeles artist Ed Suman, who told Bloomberg he lost more than $2 million in crypto after a fake Coinbase support call. The attackers convinced him that even his 'cold wallet' was compromised. 'The most effective thing Coinbase could have done was email customers and say, 'There are scammers impersonating us,'' Suman said. 'Instead, they were woefully remiss.' A Coinbase spokesperson told me they have warned customers, most notably in blog posts on the company website under the topic 'Consumer Protection Tuesday.' There have been 20 of those articles posted since December 2024. He also pointed to warnings shared from its Coinbase Support account on X and YouTube accounts and said that anytime Coinbase learns of a breach, it files 'in accordance with all state and federal laws, and all are publicly available.' In addition, the spokesperson said that the company contacts anyone affected by the breach immediately. The breaches (plural) that broke the trust and set the stage for more sophisticated scams On May 15, Coinbase filed a notice with the Maine Attorney General: nearly 70,000 customers had been affected by a breach. The source? Bribed third-party contractors working for TaskUs, a customer support vendor in India. Using stolen data, such as government IDs, phone numbers, emails, and account histories, criminals launched targeted social engineering attacks. TaskUs later confirmed it had terminated at least two employees for illegal access and disclosed the activity to Coinbase. But a class-action lawsuit in the Southern District of New York filed late last month shows a different TaskUs breach and claims Coinbase executives knew about it as early as January. According to the complaint, TaskUs decided to fire 300 employees at its India call centers over allegations of fraud. Which begs the question, how many breaches have there been, and have any other third-party contractors aside from TaskUs been compromised? That suit is one of at least 13 class actions now pending. One investor alleges Coinbase delayed the breach disclosure to avoid a stock drop. Other litigation encompasses a wide range of issues, including biometric privacy violations, pig-butchering scams, and account lockouts. Bloomberg Law confirmed that even high-profile industry figures, like Sequoia Capital's Roelof Botha, had their data compromised. Coinbase told me they cannot comment on any pending litigation. What Coinbase knew — and when Erin West is blunt: 'This didn't start in May. I had victims calling me last August.' She said Coinbase ignored numerous warning signs. 'Instead of alerting customers or locking down systems, they waited. They updated their terms of service — quietly — limiting customers' rights to participate in class-action lawsuits. And people, to this day, keep getting hit.' FK's attack happened in late December. Ed Suman's came in March. DR's hit in early May. When FK lost almost $400,000, he reported it immediately to Coinbase, the FBI, and local police. He followed up dozens of times. All he heard back was, 'all transactions confirmed on the blockchain are final.' Then, in late May, after he saw the news of the breach, he reached back out to Coinbase again. He said this time, a Coinbase customer service representative told him, 'more than a million accounts have possibly been affected going back to November 1 of 2024.' FK said the same support agent told him to 'be patient, that it might take a while for the company to alert all of the people possibly involved.' In the meantime, his crypto holdings would be worth nearly $625,000 today. Who decides who gets paid back? A Coinbase spokesperson wrote to me in an email that 'all impacted customers have already received an email from no-reply@ all notifications went out at 7:20 a.m. ET on 5/15 to affected customers.' When I asked for further clarification and explained that none of the victims I spoke with received emails from Coinbase on May 15, he offered to escalate their cases to the support teams. Then he added, 'But important to note we will reimburse anyone who sent their funds to the attacker as a result of this incident. If a customer was not part of this incident and was socially engineered to send funds to a scammer, that would not fall into the refund.' On June 3, both DR and FK received notice that Coinbase will not reimburse them because their personal information 'was not exposed in the recent incident.' Neither victim understands how the scammers could have accessed their personal information without insider access. They followed security protocol. They didn't share private keys. But hackers still emptied their wallets. 'The hackers sucked the funds out of my wallet without my consent to Roobet, a crypto gambling site in Curaçao,' FK explained. 'I did not initiate that. They did. Because I never shared my private key or seed phrase with them. They had backdoor access to my actual Coinbase Wallet.' But here's something I just learned: Every transaction you make on public blockchains like Bitcoin or Ethereum is completely transparent, and anyone can look it up. If someone gains access to your wallet address, they can see what you've sent and received, when those transactions happened, and which platforms or smart contracts you've interacted with. They can't always see exact dollar amounts or what you 'bought' in the traditional sense — but they can trace your balance and behavior. In crypto, your wallet address is like your phone number, bank routing number, and purchase history — all rolled into one. And if it's ever linked to your real identity, your entire transaction history becomes searchable. DR and FK still maintain the only way anyone could have gotten their wallet addresses is through a Coinbase breach, but most people investing in crypto right now have no idea how exposed they really are. All of this comes at the same time the current administration is easing restrictions on cryptocurrency trading in the United States. 'This is their chance to do the right thing in a very public way,' DR said. 'It's like crisis communications 101. I've heard that they want people to sign NDA's and drop any future legal action in order to get reimbursed. I would do that in a heartbeat,' he added. FK agreed. 'That's all I want, for Coinbase to do the right thing.' 'Coinbase should have sounded the alarm immediately' 'Coinbase should have sounded the alarm immediately,' cybersecurity expert Richard Blech told me over the phone. He said other major crypto exchanges, like Binance and Kraken, faced the same kind of social-engineering attacks but blocked them before hackers could steal any customer data. 'That's the difference a real zero-trust system makes,' Blech said. 'In a setup like that, this kind of breach either doesn't happen — or it gets shut down fast.' He called Coinbase's failure a collapse of digital architecture. 'This wasn't just a breach,' he added. 'It was a betrayal of trust. And in crypto, trust is the product. Lose that, and you lose everything.' Everyone's asking the same questions now: Why didn't Coinbase send out a warning months ago? 'The only emails I have from them are promotions,' FK said. Why didn't they take out full-page ads on popular investor channels during the bull run, send in-app alerts, email mass notifications urging customers to be cautious, or go one step further than posting their own warnings on social media and engage with influencers on platforms like YouTube, X, and TikTok to get the word out? Coinbase estimates the most recent breach will cost up to $400 million in reimbursements, legal costs, and security upgrades. But no one knows how they're deciding who to 'make whole' again. The bigger problem: 'It's the wild west all over again' Crypto scams aren't new. However, the scale and precision of this latest spate sets a new standard — and serves as a warning to everyone who banks online. The breach didn't unlock Coinbase's crypto vaults. It didn't have to. With enough stolen data, scammers created the illusion of safety and authority. They sounded American. They used Coinbase's scripts. They shared scam tactics over Discord and Telegram. They were organized and, at times, bragged about their exploits. And just as the breach became public, the Department of Justice shut down its National Cryptocurrency Enforcement Team — the only federal group built to stop scams like this. 'It's the Wild West all over again,' West said. 'And good people are paying the price.' What you can do now Victims want answers. They want Coinbase to: Make the reimbursement process transparent Follow through and do what they claim on their website to harden security and track stolen funds Be much more vocal and prolific with scam warnings Reverse the Terms of Service updates that limit consumer rights And most of all, they want people in charge at Coinbase to realize they're just like them, not nameless, faceless 'users." What you can do Join a class action : Law firms like Milberg are pursuing cases. : Law firms like Milberg are pursuing cases. File a complaint : With the SEC, FTC, or your state attorney general. : With the SEC, FTC, or your state attorney general. Talk to a tax professional : Some losses may qualify for deductions. : Some losses may qualify for deductions. Contact Operation Shamrock: For advocacy and support. To protect yourself Use app-based or hardware 2FA Don't give your wallet address to anyone, ever. This is critical. Never move funds based on a call or email Set withdrawal allowlists on exchange accounts Use a hardware wallet like Ledger or Trezor for long-term holdings Don't download remote-access apps unless absolutely necessary And finally: demand accountability. This story isn't over. But hopefully the people who refuse to slink away and remain silent will get a chance to rewrite it—for good. Jennifer Jolly is an Emmy Award-winning consumer tech columnist and on-air contributor for "The Today Show.' The views and opinions expressed in this column are the author's and do not necessarily reflect those of USA TODAY. Contact her via or @JennJolly on Instagram.