- Coinbase breach traced to TaskUs staff; $400 million lost after hackers exploited customer data sold by insiders.
- Court documents show TaskUs employees sold records, triggering fraud, lawsuits, and the firing of about 300 workers.
- Coinbase tightened controls, severed ties with TaskUs staff, and reimbursed victims after the insider-driven data theft.
New court filings have revealed how a data breach at Coinbase, disclosed in May 2025, originated inside an outsourced customer service provider.
The breach, traced to employees at TaskUs, exposed highly sensitive user information, including Social Security numbers and bank details.
Attackers then used this information to impersonate Coinbase staff and trick users into transferring cryptocurrency to fraudulent wallets.
Coinbase estimates total losses reached $400 million.
The disclosure highlights how insider threats at third-party providers continue to undermine security across the digital asset industry.
TaskUs employees identified in data theft conspiracy
An amended class action complaint filed in the U.S. District Court for the Southern District of New York indicates the breach originated at TaskUs, the business process outsourcing company Coinbase used for customer support.
The filing states criminal groups began contacting TaskUs employees in 2024, offering payments in exchange for highly sensitive user records.
Beginning in September 2024, TaskUs employee Ashita Mishra is alleged to have photographed confidential Coinbase customer files and sold them to external hackers for about $200 per image.
Court papers reveal Mishra’s phone stored data on more than 10,000 customers when TaskUs discovered the breach in January 2025. On some days, up to 200 photos were taken.
The documents describe a wider plot involving more than one individual.
Several TaskUs employees reportedly collaborated in smaller groups, passing stolen records to organized criminals.
The breach was discovered in early January 2025, but neither TaskUs nor Coinbase publicly disclosed the incident until May 2025.
Scope of the Coinbase breach and ransom demands
When the breach became public in May 2025, Coinbase reported attackers had bribed support agents to obtain access to sensitive records. Early reports said the attackers demanded a $20 million ransom.
Coinbase refused to pay and instead offered a $20 million reward for information leading to the identification and prosecution of those involved.
Meanwhile, fraudsters used the compromised details to impersonate Coinbase representatives.
Victims were duped into transferring assets to wallets controlled by the criminals.
The complaint alleges some customers lost life savings and retirement funds. The filing states stolen funds amounted to as much as $400 million.
The breach also had market repercussions. Coinbase shares fell after the disclosure, prompting additional investor lawsuits alleging financial losses.
Insider network and mass firings
The lawsuit reveals TaskUs terminated about 300 employees at its India centers after identifying the conspiracy.
Investigators found Mishra and accomplices had formed smaller groups within TaskUs to collect and distribute stolen Coinbase user records.
Although the breach was identified in January 2025, Coinbase and TaskUs did not immediately notify customers.
Both companies stated in their Form 10-K filings that they were not aware of a material data breach, despite the incident being identified internally.
During months of silence, customers continued to be targeted by phishing campaigns and impersonation schemes, heightening the breach’s impact.
Coinbase response and tightened security
Coinbase has since confirmed it severed relationships with the involved TaskUs staff and implemented stricter insider controls.
According to filings and subsequent company statements, Coinbase notified affected users, regulators, and impacted customers.
The exchange also moved to limit remote work practices for external support staff to reduce the risk of insider threats and infiltration.
The company cited concerns about foreign operations, including North Korean actors attempting to exploit vulnerabilities through social engineering and bribery.
This case underscores the vulnerabilities of third-party outsourcing in crypto security.
Even when exchanges deploy advanced technical defenses, insider risk at service providers remains a critical threat vector.
The ongoing litigation will determine accountability among Coinbase, TaskUs, and the network of employees that enabled one of the most damaging insider breaches in the sector.