When Matthew Allan realized nearly $100,000 in Bitcoin was missing from his Coinbase account, he wasn’t too worried. He had signed up for Coinbase One, a $29.99 monthly subscription that promised up to $1 million of account protection.
Coinbase’s response? Allan was out of luck. During five months of back-and-forth with the company, Coinbase maintained that “customers are responsible for any activity that occurs on their account, even when those devices or credentials are compromised,” according to court records. And Allan wasn’t eligible for account protection anyway, the firm said, because he hadn’t turned on certain security settings required by the terms and conditions.
Allan sued. The complaint was eventually compelled into private arbitration, and it’s not clear if he received any compensation for his losses. Even in the context of consumer grievances, his ordeal is revealing: Allan works as the Chief Risk Officer of Intuit Inc., overseeing efforts to protect the financial software giant from fraud and hackers. If he couldn’t safeguard his own crypto wallet — or understand the fine print in a warranty program — what chance does anyone else have?
As a growing number of U.S. investors add crypto to their portfolios, they’re discovering that the most novel features of digital money — transfers that are typically immediate, self-directed and irreversible — are also a real security risk. If an online hacker or a real-world thief can siphon tokens out of a crypto wallet, they’re gone instantly, with very little recourse. And where banks can tout the protection of the Federal Deposit Insurance Corporation (FDIC) and brokerages have a similar backstop, there’s no equivalent for crypto wallets or exchanges.
For anxious investors, a growing number of firms, including Coinbase and Crypto.com, and third parties like underwriters affiliated with Lloyd’s of London, have started selling peace of mind through supplementary criminal insurance or warranties that broadly promise restitution in the event of an attack. Yet a careful reading of the contractual terms and claims processes of some of these products suggests customers have far less account coverage than they may think — if they have any at all.
Part of the problem is that the whole crypto ecosystem is built to move with as little institutional intervention as possible, says Dmitry Tokarev, founder of Bron Labs, which sells secure wallet services to crypto investors. Crypto exchanges and wallets have a much higher tolerance for transactions that traditional banks might flag as unusual; users retain more control over their finances but also carry much more risk and responsibility.
Before more universal insurance protections make sense, account security needs to improve to the point where “irrespective of how many guns are pointing to a person’s head, they cannot give up their crypto,” Tokarev says. “Nobody’s robbing people in the middle of the night to ask them to transfer $100 million out of their J.P. Morgan Private Bank, because they know they can’t.”
As it is, thefts are rising. More than $2.7 billion in crypto was stolen in 2025 through hacks of major services and large wallets, according to researcher Chainalysis, up 22% from the year before. “The threats are getting larger and more consistent,” says Harry Denley, who leads threat intelligence at crypto-wallet provider MetaMask. “We have less technical people jumping into crypto, and we can’t expect them to be security experts.”
One of the first attempts to sell protection to crypto investors was launched by London-based Nexus Mutual in 2019. It sells insurance-like coverage for hacks or other threats. Roughly 80% of its 9,000 members are retail investors, says founder Hugh Karp, and it’s paid out more than $18 million of claims for incidents ranging from smart-contract hacks to the FTX fiasco.
“Retail users are buying coverage because there’s still a chance they could lose all of the value of their positions,” Karp said. “There could be a bug in the code and all the money is gone. In traditional finance, generally the money doesn’t disappear fully like that.”
Crypto.com offers a measure of account protection for customers, provided they set up an anti-phishing code and take other steps to help secure their accounts. If they still experience an “unauthorized incursion,” the trading site promises up to $1 million in compensation. The company declined to say whether any claims have been filed or settled.
Perhaps the most popular program, though, is what’s offered by Coinbase Global Inc. — the same platform where Allan’s account was drained. He didn’t respond to requests to talk about his experience, and Intuit declined to comment. A Coinbase spokesperson says that matter was resolved nearly three years ago and that its subscription-based account protections do not promise to reimburse every loss involving fraud or coercion. “Each claim is evaluated individually under the published terms,” the spokesperson says.
Coinbase first introduced its account protection program in 2021. It already had criminal insurance, which generally covers certain losses resulting from corporate server breaches or employee theft. The new service was sold as an upgrade for individuals seeking indemnity against anyone who would fraudulently take over their account. There are other features of the Coinbase One subscription, but advertisements from this period highlighted account protection, promising “reimbursement for up to $1M in losses,” as well as priority phone support and no-fee trades.
Signing up — and paying — didn’t automatically make customers eligible for the protections. An 1,800-word subsection in Coinbase’s 2021 legal agreement for US users detailed the rules and limits of the warranty. For example: Subscribers had to submit photo identification and register for two-factor authentication through an approved security method other than receiving an SMS code. Filing a claim required a local police report and compliance with an additional Coinbase investigation and confidentiality about any possible reimbursements. Many kinds of account hacks were excluded, including losses due to “a security vulnerability” in your computer or being deceived by a phishing scam and unwittingly granting a third party access to your account.
Less than three years later, the company replaced its original account protection program, though existing subscribers retained their original coverage. Its new program offers much lower coverage limits — up to $1,000 for $4.99 a month; up to $10,000 for $29.99 a month; up to $250,000 for $299.99 a month — and stipulates that protection only applies to “outbound Digital Asset Transfer cryptographically signed exclusively by Coinbase.” The Coinbase spokesperson says the updated warranty provides more value to its members.
Coinbase users have signed up in droves. In its most recent financial statement, the company reported nearly 1 million paid subscriptions. Owen Lau, an analyst from Clear Street, estimates the company generated about $285 million from Coinbase One last year — roughly 4% of its overall revenue and, critically, a steady flow of cash during unpredictable gyrations of the crypto economy and trading activity.
The terms of Coinbase’s protection product were tested in 2023, after a North Carolina customer suffered a horrific home invasion. Targeting the Bitcoin and Ethereum in the man’s Coinbase account, robbers broke into his home, severely beat his wife, then forced him at gunpoint to give them access to his account on his iMac, according to a criminal complaint. They then took over at the computer and successfully initiated crypto transfers worth $156,000.
Court records indicate Coinbase ultimately reimbursed the couple for the attack, but it’s unclear why. Coinbase’s general criminal insurance doesn’t cover losses if a user is forced to authorize transactions under duress, and its premium warranties only loosely define what would count as an “unauthorized” crypto transfer eligible for coverage. For other Coinbase One subscribers, there’s no guarantee that a similar assault in the future would prove eligible for reimbursement.
Coinbase says it doesn’t comment publicly on how its warranty may or may not apply to a particular customer loss. “Reimbursement to any particular customer does not necessarily require that the loss fell within the scope of either Coinbase’s crime insurance or the Coinbase One account protection warranty,” a company spokesperson says. “On rare occasions, Coinbase may, at its sole discretion, reimburse a loss even if it is not contractually obligated to do so.”
Other crypto firms continue to experiment with various insurance-like products. In December, for example, crypto wallet MetaMask introduced a $9.99 monthly service called Transaction Shield, which is designed to evaluate the security risk in any potential transaction. If MetaMask gives the go-ahead, the subscriber is guaranteed against losses of up to $10,000 across up to 100 transactions per month. But it doesn’t apply to all blockchains or coins; only about 55% of the transactions users make are covered as of now, according to Zhen Chen, who leads the program.
“If we say that a transaction is safe, then it will be safe for you,” Chen said. MetaMask has received several claims and is evaluating them.
Chen likened his company’s product to AppleCare — a limited warranty, rather than full-on insurance. For customers, the difference can be slippery. In the case of the North Carolina couple, the male victim described in court his $29.99 Coinbase One subscription as providing “insurance,” despite the fact that the terms have a section detailing how the warranty is specifically “not insurance.” The account protection service “does not provide reimbursements for many types of losses that insurance is meant to cover,” the terms state, and encourage users to acquire a separate third-party insurance policy for “fortuitous events.”
Furthering the confusion, the criminals who attacked the couple were later ordered by a judge to pay restitution, including $156,000 to Coinbase to replace the money it had reimbursed to the victims. In filings, the criminals are ordered to pay a California-based entity named “Coinbase Insurance.”
A spokesperson for the exchange says this was a mistake: “The references to ‘Coinbase Insurance’ are in error.”
Top photo: MetaMask offers a $9.99 monthly service called Transaction Shield. Photographer: Gabby Jones/Bloomberg.
Copyright 2026 Bloomberg.
