- Coinbase breach traced to TaskUs staff; $400M lost as hackers exploited insider-sold customer data.
- Court docs show TaskUs workers sold records, triggering scams, lawsuits, and 300 employee firings.
- Coinbase tightened controls, cut TaskUs ties, and reimbursed victims after insider-driven data theft.
New court documents have revealed how a data breach at Coinbase, which came to light in May 2025, originated from inside an outsourced customer service firm.
The breach, traced back to TaskUs employees, exposed highly sensitive user data, including Social Security numbers and bank details.
Hackers later used this information to impersonate Coinbase staff and trick users into transferring cryptocurrency into fraudulent wallets.
By Coinbase’s estimates, the total losses reached $400 million.
The revelations highlight how insider threats at third-party providers continue to undermine security in the digital asset industry.
TaskUs employee identified in data theft conspiracy
The amended class action complaint, filed in the US District Court for the Southern District of New York, shows that the breach stemmed from TaskUs, a business process outsourcing company Coinbase used for customer support.
According to the filings, criminal groups began contacting TaskUs employees in 2024, offering payments in exchange for highly sensitive user records.
From September 2024, TaskUs employee Ashita Mishra allegedly started photographing confidential Coinbase customer files and selling them to external hackers for about $200 per image.
Court filings revealed Mishra’s phone stored data on more than 10,000 customers when TaskUs discovered the breach in January 2025. Some days showed up to 200 photographs taken.
The documents describe the plot as wider than one individual.
Multiple TaskUs employees reportedly collaborated in smaller groups, forwarding stolen records to organised criminals.
The breach was uncovered in early January 2025, yet neither TaskUs nor Coinbase disclosed the incident until May 2025.
Coinbase breach scale and ransom demands
When the breach became public in May 2025, Coinbase reported that attackers had bribed support agents to gain access to sensitive records. Reports at the time noted that the attackers demanded a $20 million ransom.
Coinbase declined to pay and instead announced a $20 million bounty for information leading to the identification and prosecution of those involved.
Meanwhile, fraudsters used the compromised details to impersonate Coinbase representatives.
Victims were tricked into transferring assets into wallets controlled by criminals.
According to the lawsuit, several customers lost their life savings and retirement funds. The complaint notes that the stolen funds reached as much as $400 million.
The breach also had market repercussions. Coinbase stock declined following the disclosure, leading to further investor lawsuits citing financial losses.
Insider networks and mass layoffs
The lawsuit revealed that TaskUs fired about 300 employees at its India-based centres after identifying the conspiracy.
Investigations suggested that Mishra and an accomplice had established smaller groups within TaskUs to gather and distribute stolen Coinbase user records.
Despite becoming aware of the breach in January 2025, Coinbase and TaskUs did not notify customers immediately.
Both firms disclosed in their Form 10-K filings that they were not aware of any material data breaches, even though the breach had already been identified internally.
During the months of silence, customers continued to be targeted by phishing campaigns and impersonation schemes, escalating the impact of the breach.
Coinbase response and tightening of security
Coinbase has since confirmed that it severed ties with the implicated TaskUs staff and has introduced stricter insider controls.
According to filings and subsequent company statements, Coinbase notified affected users, regulators, and reimbursed impacted customers.
The exchange also moved to limit remote work practices for external support staff, aiming to reduce risks of insider threats and infiltration.
The company referenced concerns about foreign operatives, including North Korean actors, attempting to exploit vulnerabilities through social engineering and bribery.
The case highlights the vulnerabilities of third-party outsourcing in crypto security.
Even as exchanges deploy advanced technical defences, insider risks at service providers remain a critical threat vector.
The ongoing lawsuit will determine accountability between Coinbase, TaskUs, and the networks of employees who enabled one of the most damaging insider breaches in the sector.
