New court filings have shed light on Coinbase’s data breach, which was discovered in May. The filings show that a TaskUs employee, Ashita Mishra, helped plan the theft of confidential customer information and funneled it to criminals who used it in phishing schemes.
Coinbase revealed in May that the breach had affected at least 69,000 customers, and the damage was estimated to be worth around $400 million. The exchange initially linked the breach to a rogue staff member in an Indian-based vendor. The amended court filings outline how Mishra, a TaskUs service center employee, stole the information beginning in September 2024.
TaskUs employee allegedly sold customer data
The latest lawsuit alleges that Ashita Mishra, a TaskUs employee in Indore, India, sold confidential customer data, including Social Security numbers and bank details, to a phishing hacker group. She also recruited other TaskUs employees to carry out the breach in a style described as a hub-and-spoke conspiracy. The investigators uncovered over 10,000 Coinbase customer data points on Mishra’s phone. Mishra was allegedly paid $200 per data record, which she captured for up to 200 customers.
The hacker group behind the breach was associated with a loose group called ‘the Comm,’ who used the stolen data to impersonate Coinbase staff and deceive customers into giving up their crypto holdings. According to the latest findings, the breach was disclosed in May. The petitioners argued that TaskUs took extra steps to hide the extent of the compromise, including the dismissal of 226 employees in January and the termination of its internal HR team.
TaskUs has been accused of misleading regulators by downplaying the breach in its February Form 10-K filing. The filing omitted any revelation of a material incident despite the outsourcer later dismissing hundreds of staff linked to the breach. The Indian vendor allegedly continued to assure the regulators that it faced no material breach even as it pursued a $1.6 billion buyout deal with Blackstone.
Coinbase has distanced itself from the vendor. It immediately notified the regulators and affected customers, reimbursed the impacted accounts, tightened the internal controls, and ended its partnership with TaskUs. In a statement by a Coinbase spokesperson, the exchange refused to pay the criminals and instead created a $20 million reward for information leading to the arrest and convictions.
Coinbase says the vendor actions were systemic
TaskUs, headquartered in Texas, has not yet responded to the accusations but has previously reiterated its commitment to safeguarding client data and confirmed that it has strengthened its security protocols. Coinbase alleged that TaskUs’ actions were systemic and not isolated, citing violations of Section 5 of the FTC Act, which covers unfair practices.
Regulators are expected to take the next step to assess whether TaskUs used sufficient safeguarding methods, such as encryption or multi-factor authentication. They will also assess whether the risk could be avoided and whether the breach exposed customers to identity theft or financial loss. Coinbase, on the other hand, has received multiple lawsuits from the affected customers, although the exchange has so far sought to consolidate the claims and move the case to arbitration.
Cryptopolitan reported in May that Binance and Kraken may have also been involved in social engineering attacks similar to Coinbase’s. The report stated that hackers attempted to bribe Binance employees to steal sensitive information, even sharing Telegram contacts to coordinate.
Binance utilized AI-driven monitoring to flag and stop the conversations, alongside limiting access to user data for verified customer-initiated calls. Kraken, on its part, denied the allegations, saying it had already warned Coinbase of suspicious activities before its breach.
