A recently disclosed data breach at Coinbase has been linked to India-based customer support representatives from outsourcing firm TaskUs, who threat actors bribed to steal data from the crypto exchange.
According to Reuters, who spoke to numerous TaskUs employees, the data breach was first discovered in January after a TaskUs employee was caught capturing photos of her computer screen using a personal device.
Reportedly, the incident was witnessed by multiple TaskUs employees, and during the subsequent investigations, two admitted they were funneling sensitive Coinbase user data to external hackers in exchange for bribes.
Upon confirming the data theft in January 2025, TaskUs informed Coinbase accordingly, four months before the breach was publicly disclosed.
Coinbase first disclosed the incident on May 15, stating that rogue support agents stole customer data, including names, emails, partial financial information and SSN, transaction history, and ID document scans.
“Cyber criminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks. These insiders abused their access to customer support systems to steal the account data for a small subset of customers,” read Coinbase’s statement.
Coinbase further stated that the threat actors demanded a ransom payment of $20,000,000 from Coinbase not to publish the stolen data.
Instead of succumbing to the demands, the cryptocurrency exchange offered an equal-value reward to unmask those responsible for the extortion attempt. Coinbase estimated that the incident would cause losses of up to $400 million.
On May 21, Coinbase started notifying nearly 70,000 customers who were impacted by the incident.
BleepingComputer contacted both Coinbase and TaskUs about the Reuters report, and a TaskUs spokesperson confirmed that they were involved but stated the employees were recruited as part of a much larger, coordinated criminal campaign.
“Early this year we identified two individuals who illegally accessed information from one of our clients,” TaskUs told BleepingComputer.
“We believe these two individuals were recruited by a much broader, coordinated criminal campaign against this client that also impacted a number of other providers servicing this client.”
“We immediately reported this activity to the client, terminated the individuals involved, and are coordinating with law enforcement. Out of an abundance of caution, TaskUs ceased all Coinbase operations in Indore, India, in early January 2025, impacting 226 teammates. Following the investigation, all teammates, excluding the two bad actors, were offered a generous severance package, including six months of pay.”
Indian media previously covered TaskUs’ firing of employees in India, which led to protests by staff.
Coinbase has not responded to BleepingComputer’s request for a comment but did not receive a reply to our questions.
Manual patching is outdated. It’s slow, error-prone, and tough to scale.
Join Kandji + Tines on June 4 to see why old methods fall short. See real-world examples of how modern teams use automation to patch faster, cut risk, stay compliant, and skip the complex scripts.
