Economics

São Paulo Court Orders Coinbase to Return $100K in Self-Custody Wallet Ruling

A São Paulo state court ordered Coinbase to return approximately R$507,000 after unauthorized transactions drained a user's Coinbase Wallet, ruling that the burden of proof fell on Coinbase as the software provider under Brazil's Consumer Protection Code.

4 min read
Overhead view of a courtroom interior with wooden benches and a judge's bench, soft natural lighting, no visible text or signage
Share

Brazil's consumer protection law just turned the self-custody defense into a liability.

Key takeaways

  • The São Paulo State Court (TJSP) ordered Coinbase to return approximately R$507,000 (~$99,000 at the Banco Central do Brasil rate of R$5.11/USD as of July 10, 2026) to a user after unauthorized transactions drained their Coinbase Wallet, applying Brazil's Consumer Protection Code to self-custody software.
  • Coinbase lost not because it was found complicit in the hack, but because it failed to prove the user authorized the transactions or demonstrate that adequate security measures existed.
  • Brazilian cryptocurrency attorney Raphael Souza says the ruling dismantles two industry defenses: that self-custody wallets generate no liability, and that dumping technical documentation in court without explanation constitutes adequate defense.

The São Paulo State Court has ruled against Coinbase in a consumer protection case that could reshape liability exposure for every non-custodial wallet provider operating in Brazil. The court ordered Coinbase to return approximately R$507,000 (roughly $99,000 at the Banco Central do Brasil official rate of R$5.11/USD as of July 10, 2026) to a user who claimed unauthorized transactions drained their Coinbase Wallet, per a report first published in Portuguese by Livecoins.

The mechanism of the loss was not established in the ruling. The court did not need it to be.

What the Court Actually Found

Coinbase Wallet is a self-custody product. The private key is held by the user, not Coinbase. Coinbase argued exactly that in its defense: it had no control over the wallet and therefore bore no liability for what happened.

The TJSP rejected it. Under Brazil's Consumer Protection Code (Código de Defesa do Consumidor), the evidentiary burden falls on the business providing the service, not the consumer. Coinbase was required to prove the user authorized the transactions and to demonstrate the existence of adequate security measures. It did neither.

Brazilian cryptocurrency attorney Raphael Souza described the court's posture, per Livecoins: "Coinbase had every opportunity to prove that the investor authorized the transaction, explain the technical records, and inform where the funds went. It chose not to do any of that."

The ruling also dispatched a second common industry defense. Technical documentation submitted without explanation carries no weight. As Souza put it: "Anyone who develops and puts a product on the market is responsible for its security, regardless of how the technical architecture works behind it."

Coinbase is a registered corporate entity in Brazil with a CNPJ, which is why it could appear before the court at all. That registration did not help.

The Structural Trap for Self-Custody Software

The ruling's danger is architectural, not just legal. Consumer protection regimes that demand a software provider explain where funds went and prove a user did not authorize a transaction are demanding something self-custody is designed to make impossible. The entire point of a non-custodial wallet is that the provider does not have access. A court applying the CDC framework to self-custody software will structurally always find against the developer, because the developer cannot produce the evidence the standard requires.

That asymmetry scales badly. Coinbase has a Brazilian legal presence and showed up to defend itself. An open-source Bitcoin wallet project with no Brazilian entity, no CNPJ, and no legal team faces a worse version of the same problem: default judgment against developers who had no structural ability to comply with the evidentiary standard in the first place. The MiCA-driven push that sent 70% of Binance EU users toward self-custody wallets shows adoption of non-custodial products is accelerating globally. Liability frameworks that treat wallet software as a consumer service are moving in the opposite direction.

Brazil is not an isolated case. The Consumer Protection Code is a legislative model across Latin America. If this ruling survives any appeal and gets cited by other Brazilian courts, it becomes persuasive authority across a region where Bitcoin adoption is growing fast and sovereign-custody restrictions are already tightening.

The thesis here is falsifiable. If a Brazilian appellate court reverses the TJSP on the grounds that self-custody architecture is legally distinct from custodial service provision under the CDC, or if the ruling is narrowly confined to Coinbase's specific evidentiary failures rather than establishing a categorical duty for all wallet software providers, the precedent concern collapses. Right now, neither of those outs exists.

What to Watch

Coinbase has not publicly commented on whether it will appeal. If this is a first-instance TJSP ruling, as appears likely, appeal would be available, and the outcome at the appellate level determines whether this stays a one-off or becomes the template. Watch for the TJSP case docket to surface on the court's e-SAJ portal at esaj.tjsp.jus.br, which would confirm the full text of the order and clarify its scope. Any wallet developer with Brazilian users or a Brazilian legal presence should be reviewing their exposure now.

Sources

Frequently Asked Questions

Not automatically. The ruling applies most directly to Coinbase because it is a registered Brazilian corporate entity subject to Brazilian consumer law. Open-source wallet projects with no Brazilian presence face a different exposure profile. What the ruling does establish is that self-custody architecture is not, by itself, a complete defense under the CDC if a company is operating as a registered Brazilian business. Whether that extends to all wallet software providers depends on how Brazilian courts cite and apply this ruling going forward.

The Código de Defesa do Consumidor (CDC) is Brazil's federal consumer protection statute. Its key mechanism in cases like this is burden-shifting: the business must disprove the consumer's claim, not the other way around. Applied to crypto, that means a wallet provider must affirmatively demonstrate that a disputed transaction was authorized and that adequate security existed. For self-custody software, where the provider has no transactional visibility by design, meeting that standard is architecturally difficult. The CDC also serves as a legislative model for consumer protection frameworks across Latin America, which is why the ruling's potential reach extends beyond Brazil.

If this is a first-instance São Paulo state court ruling, as appears likely, Coinbase could appeal to the TJSP's appellate chamber. A reversal would likely require the appellate court to find either that self-custody software is categorically distinct from a consumer service under the CDC, or that Coinbase's evidentiary failures were specific to this case rather than indicative of a broader duty. Until an appellate decision issues, the first-instance ruling stands.

News and analysis, not financial, investment, legal, or tax advice. Figures and quotes are verified against primary sources where possible. See our editorial and financial disclosures.

Keep reading

All of TFTC

The Bitcoin Brief

Bitcoin, markets, energy, and the tech reshaping all three.

A daily brief on the freedom tech building a parallel economy, written for the curious and the convicted alike. Signal, not noise. Truth for the Commoner.

Free, daily. Unsubscribe anytime.