Coinbase was informed as early as January 2025 about a breach involving outsourced customer support agents in India, according to a Reuters investigation. Six people familiar with the matter told the report that the crypto exchange knew that sensitive user data had been compromised via its contractor, TaskUs, months before its formal announcement in May.
In a May 14 SEC filing, TaskUs documented one section of the breach in which an Indiabased employee of TaskUs was caught taking photos of the work computer screen with her personal phone. Five of the former TaskUs workers confirmed that the employee and a suspected accomplice were allegedly bribed by hackers to get Coinbase user data.
Coinbase was immediately alerted, three of the employees and one additional source said. Shortly afterward, more than 200 employees were fired from Indore’s TaskUs center, drawing media attention in India. Initially, Coinbase blamed ‘overseas support agents,’ but now it estimates that the breach could cost the company up to 400 million dollars.
Inside the campaign to exploit Coinbase’s BPO network
Coinbase had long partnered with TaskUs, a Texas-based outsourcing firm, to cut labor costs by assigning customer support duties to offshore teams. Since 2017, TaskUs agents have handled Coinbase customer inquiries, often from countries with lower wages. In Indore, India, those agents reportedly earned between $500 and $700 per month, low enough to attract criminal bribes.
In the company’s May filing, Coinbase admitted that it didn’t know the full scale of the attack until May 11, when it received a $20 million extortion demand. In response, the company severed ties with TaskUs employees responsible for the breach as well as with some other unnamed foreign contractors. Coinbase also said it had notified regulators, reimbursed affected users, and strengthened its internal controls.
In its public statement, TaskUs acknowledged firing two staff for data theft but did not name Coinbase. The company said the two were part of a coordinated criminal campaign that had hit other service providers tied to the client.
Coinbase’s crypto wallets were not directly breached in the attack. Instead, hackers used the stolen personal information to impersonate Coinbase employees in a wave of social engineering scams. They would pretend to be support agents, tricking victims into moving their crypto assets.
Security researchers believe a loosely organized group known as “the Comm” orchestrated the breach. The group comprises young hackers experienced in conducting high-profile attacks, with one of its hits being casinos and crypto firms.
A report by Fortune also stated that the hackers had different roles for their members—some bribed insiders to steal data while others executed the scams. Social media platforms such as Telegram and Discord were used to coordinate operations and split the proceeds.
The impersonation schemes, investigators noted, were more effective as those targeting Coinbase customers spoke in fluent North American English. Scammers were able to leverage the stolen info to appear credible enough to get users to turn over their crypto.
Even after the breach, Coinbase is ramping up its operations. The company recently added to the S&P 500 index and recently made a strategic acquisition announcement. CEO Brian Armstrong said he still plans to make Coinbase a leading global financial services app within the next 10 years.
The Coinbase attack comes amid major growth in crypto hacks that have exceeded $2.2 billion by 2024, Chainalysis reports, highlighting the perils of outsourcing and attackers’ increased digital sophistication.
Cryptopolitan Academy: Tired of market swings? Learn how DeFi can help you build steady passive income. Register Now
