Key Insights:
- Coinbase reportedly knew about customer data leak at TaskUs India facility since January 2025.
- Indian employee photographed work computer to feed customer data to hackers for bribes.
- Over 200 TaskUs employees fired in mass layoff following Coinbase data breach investigation.
A recent investigation into the Coinbase data breach has revealed that the exchange was aware of a customer data leak at an Indian outsourcing facility as early as January 2025.
That was months before the exchange revealed details of the breach in May. The incident involved TaskUs employees in India who allegedly provided Coinbase customer information to hackers in exchange for bribes.
TaskUs Employee Caught Photographing Customer Data in India
According to five former TaskUs workers who talked to Reuters, the breach at the company’s India location was found after an employee in the city of Indore was seen using her personal phone to take pictures of her work computer screen.
The woman and a suspected accomplice were allegedly feeding Coinbase customer information to external hackers in return for bribes.
Colleagues who saw the event and company investigators promptly informed other staff members about it. According to the article, as soon as TaskUs learned about the Coinbase incident, it informed the exchange.
The incident occurred in January 2025. However, Coinbase only realized the full scope of the security campaign after receiving a $20 million extortion demand on May 11, 2025.
Following the discovery, TaskUs conducted a mass layoff that resulted in more than 200 employees being terminated. This action also drew attention from Indian media outlets. The scale of the layoffs suggests the company took extensive measures to address potential security risks within its operations.
TaskUs confirmed in a statement that two employees had been fired early in 2025 after illegally accessing client information. However, the company did not initially identify Coinbase as the affected client.
According to the outsourcing company, it informed the customer of the conduct right away. It believed the two were part of a larger, planned criminal conspiracy that affected other service providers who worked with the same client.
Coinbase Delayed Disclosure Despite Early Knowledge of Breach
The disclosed timeline of the breach has raised questions about when the company first became aware of the security incident and why it took months to inform the public.
According to Reuters sources, Coinbase was informed about the TaskUs issue as soon as it was found in January 2025, but the firm didn’t make the breach public until a May 14 SEC filing.
The cryptocurrency exchange had previously blamed “support agents overseas” for the breach without providing specific details about the timeline or scope of its knowledge.
In its May SEC filing, Coinbase stated it knew contractors had accessed employee data “without business need” in “previous months.” However, it claimed it only realized the access was part of a wider campaign when it received the extortion demand on May 11.
The breach affected 69,461 users, though this accounts for a small fraction of Coinbase’s total customer base. However, the extent of the data that was leaked made the incident very disturbing to concerned users.
Coinbase did not pay the $20 million ransom demand. Instead, it disclosed the breach publicly and notified impacted users. It also posted a $20 million reward for tips leading to the arrest of the attackers.
The total estimated cost is between $180 million and $400 million, primarily due to the cost of remediation, customer refunds, and phishing scam losses enabled by the stolen information.
Multiple Overseas Agents Involved in Coordinated Coinbase Breach
The Coinbase hack went beyond the TaskUs compromise and included what appears to be a coordinated criminal attack on multiple service providers.
Coinbase admitted in its letter to Reuters that it has “terminated its relationship with the TaskUs employees involved and other foreign agents.”
TaskUs described the incident as part of a “much larger, organized criminal activity” that impacted not only their business but also “a number of other providers working for this client.”
This means that the hackers had established a network of contacts within different outsourcing companies that handled Coinbase’s customer support functions.
The extent of the criminal enterprise suggests an elaborate data-theft scheme. The hackers reportedly used workers at different overseas facilities to access customer data.
Reuters was not able to verify if anyone has been arrested in relation to the breach. The probe is ongoing, with law enforcement officers racing against time to find and prosecute the perpetrators of the coordinated attack on Coinbase’s customer information across various global facilities.
Source: https://www.thecoinrepublic.com/2025/06/03/coinbase-breach-tied-to-customer-data-leak-in-india-report/