- Coinbase breach traced to TaskUs staff; $400 million lost after hackers exploited insiders who sold customer data.
- Court documents show TaskUs workers sold records, triggering fraud, lawsuits and about 300 employee terminations.
- Coinbase tightened controls, cut ties with TaskUs, and refunded victims after insider-driven data theft.
New court filings reveal that the Coinbase data breach disclosed in May 2025 originated at an outsourced customer service provider.
The breach, which has been linked to TaskUs employees, exposed highly sensitive user information, including national ID numbers and bank details.
Attackers later used that information to impersonate Coinbase staff and trick users into transferring cryptocurrency to fraudulent wallets.
Coinbase estimates total losses reached roughly $400 million.
The revelations underscore how insider threats at third-party providers continue to undermine security across the digital asset industry.
TaskUs employee identified in data theft
The amended class-action complaint filed in the U.S. District Court for the Southern District of New York states the breach stemmed from TaskUs, a business process outsourcing firm that provided customer support services to Coinbase.
The filings indicate that criminal groups began contacting TaskUs employees in 2024, offering payments in exchange for highly sensitive user records.
Beginning in September 2024, TaskUs employee Ashita Mishra allegedly photographed confidential Coinbase customer files and sold the images to external hackers for about $200 per photo.
Court records show Mishra’s phone contained data on more than 10,000 customers when TaskUs discovered the breach in January 2025. On some days, up to 200 photos were taken.
The documents describe a scheme broader than a single individual.
Multiple TaskUs employees reportedly worked in small groups and forwarded stolen records to organized criminal networks.
The breach was detected in early January 2025, but neither TaskUs nor Coinbase publicly disclosed the incident until May 2025.
Scope of the Coinbase breach and ransom demand
When the breach became public in May 2025, Coinbase reported that attackers had bribed support agents to obtain sensitive records. Reports at the time noted that the attackers demanded a $20 million ransom.
Coinbase refused to pay and instead offered a $20 million reward for information leading to the identification and prosecution of those responsible.
Meanwhile, fraudsters used the compromised details to pose as Coinbase representatives.
Victims were tricked into transferring assets to wallets controlled by criminals.
The complaint says numerous customers lost life savings and retirement funds. It alleges stolen assets may have reached as much as $400 million.
The breach also had market consequences. Coinbase’s stock fell after the disclosure, leading to additional investor lawsuits citing financial losses.
Insider network and mass firings
The lawsuit reveals TaskUs fired approximately 300 employees at its India-based centers after identifying the conspiracy.
Investigations suggested Mishra and an accomplice organized smaller cells within TaskUs to collect and distribute stolen Coinbase user records.
Although TaskUs discovered the breach in January 2025, neither Coinbase nor TaskUs immediately informed customers.
Both companies stated in their Form 10-K filings that they were unaware of any material data breach, despite the incident having been identified internally.
During the months of silence, customers continued to be targeted by phishing campaigns and impersonation schemes, exacerbating the impact of the breach.
Coinbase response and security tightening
Coinbase has since confirmed it severed ties with the implicated TaskUs personnel and implemented stricter insider controls.
According to reports and subsequent corporate statements, Coinbase notified affected users and regulators and reimbursed impacted customers.
The exchange also moved to limit remote access for outsourced support staff to reduce the risk of insider threats and infiltration.
The company cited concerns about foreign actors, including North Korean-linked groups, seeking to exploit vulnerabilities through social engineering and bribery.
The case highlights the vulnerabilities of third-party outsourcing in crypto security.
Even when exchanges deploy advanced technical defenses, insider risks at service providers remain a critical attack vector.
The ongoing litigation will determine liability among Coinbase, TaskUs and the networks of employees who enabled one of the most damaging insider breaches in the industry.