Court Documents Link Coinbase Breach to $400 Million Crypto Theft

  • Coinbase breach traced to TaskUs employees; hackers used insider-sold customer data to steal an estimated $400 million.
  • Court documents show TaskUs staff sold records, triggering fraud, lawsuits and about 300 employee dismissals.
  • Coinbase tightened controls, severed ties with TaskUs, and compensated victims after the insider-driven data theft.

New court filings reveal how the Coinbase data breach disclosed in May 2025 originated inside a third-party customer service outsourcing firm.

The breach has been attributed to TaskUs employees and exposed highly sensitive user information, including Social Security numbers and bank account details.

Hackers later used that information to impersonate Coinbase representatives and trick users into transferring cryptocurrency to fraudulent wallets.

Coinbase estimates total losses from the scheme at roughly $400 million.

The revelations highlight how insider threats at third-party providers continue to undermine security across the digital-asset industry.

TaskUs employees implicated in data theft scheme

An amended class action complaint filed in the U.S. District Court for the Southern District of New York traces the breach to TaskUs, the business process outsourcing firm that handled Coinbase customer support.

According to court records, a criminal network began contacting TaskUs employees in 2024, offering payment in exchange for highly sensitive user records.

Starting in September 2024, TaskUs employee Ashita Mishra allegedly photographed confidential Coinbase customer documents and sold the images to external hackers for roughly $200 per photo.

When TaskUs discovered the activity in January 2025, Mishra’s phone reportedly contained records for over 10,000 customers, with some days showing as many as 200 photos taken.

Filings indicate the activity involved more than one individual.

Multiple TaskUs staffers are reported to have collaborated in small groups, forwarding stolen records to organized criminal operators.

The breach was discovered in early January 2025 but was not publicly disclosed by TaskUs and Coinbase until May 2025.

Scope of the Coinbase breach and ransom demand

When the incident became public in May 2025, Coinbase reported that attackers had bribed support agents to obtain access to sensitive records. Initial reports said the attackers demanded $20 million in ransom.

Coinbase declined to pay and instead offered a $20 million bounty for information leading to the identification and prosecution of those responsible.

Meanwhile, fraudsters used the leaked details to impersonate Coinbase representatives.

Victims were persuaded to transfer assets to wallets controlled by the criminals.

The lawsuit asserts that several customers lost life savings and retirement funds. The complaint places stolen funds at up to $400 million.

The breach also had market consequences: following the disclosure, Coinbase’s share price fell and investors pursued further legal action citing financial losses.

Internal network and mass terminations

The lawsuit states that TaskUs terminated roughly 300 employees at its India center after uncovering the conspiracy.

Investigators allege Mishra and at least one accomplice formed smaller networks within TaskUs to collect and distribute stolen Coinbase user records.

Although Coinbase and TaskUs detected the wrongdoing in January 2025, they did not immediately notify customers.

Both companies filed 10-K disclosures asserting they were unaware of any material data breach even though the internal exposure had already been identified.

During months of silence, customers remained targets of phishing and impersonation campaigns, worsening the breach’s impact.

Coinbase response and strengthened security

Coinbase later confirmed it severed ties with the implicated TaskUs staff and implemented stricter internal controls.

According to court documents and subsequent company statements, Coinbase notified affected users and regulators and reimbursed impacted customers.

The exchange also limited remote work access for external support personnel to reduce the risk of insider threats and remote infiltration.

Company statements cited concerns about foreign actors, including North Korean operatives, attempting to exploit the vulnerability through social engineering and bribery.

The case underscores vulnerabilities tied to third-party outsourcing in crypto security.

Even with advanced technical defenses in place at exchanges, internal risks within service providers remain a critical attack vector.

Ongoing litigation will determine the responsibilities of Coinbase, TaskUs, and the network of employees whose actions produced one of the most damaging insider-driven breaches the industry has seen.