According to a Reuters investigation, Coinbase was notified in January 2025 of a breach involving an outsourced customer support agent in India. Six people familiar with the issue said the crypto exchange knew, a few months before the official announcement in May, that sensitive user data had been compromised through contractor TaskUs.
In a May 14 SEC filing, TaskUs documented one part of the breach, in which a TaskUs employee was caught taking photos of a work computer screen on a personal phone. Five former TaskUs workers said the employee and suspected accomplices had been bribed by hackers to retrieve Coinbase user data.
Coinbase was immediately warned, three employees and one additional source said. Shortly afterwards, more than 200 employees were fired from TaskUs's Indore centre, attracting media attention in India. Initially, Coinbase blamed "overseas support agents," but it now estimates that the breach could cost up to $400 million.
Inside a campaign to exploit Coinbase’s BPO network
Coinbase has long partnered with Texas-based outsourcing company TaskUs to reduce labor costs by assigning customer support duties to offshore teams. Since 2017, TaskUs agents, often based in low-wage countries, have handled inquiries from Coinbase customers. In Indore, India, these agents reportedly earn between $500 and $700 a month, a wage low enough to make them attractive targets for criminals.
In its May filing, Coinbase admitted it had no knowledge of the full scale of the attack until May 11, when it received a $20 million extortion demand. In response, the company cut ties with the TaskUs employees responsible for the breach, along with several other unnamed foreign contractors. Coinbase also notified regulators, reimbursed affected users and said it had strengthened internal controls.
TaskUs confirmed in an official statement that two staff members were fired for data theft, but did not name Coinbase. The company said the two were part of a coordinated criminal campaign that also struck other service providers tied to the client.
Hackers used social engineering to trick Coinbase users
Coinbase's crypto wallets were not directly compromised in the attack. Instead, hackers used stolen personal information to impersonate Coinbase employees in a wave of social engineering fraud. They pretended to be support agents and tricked victims into moving their crypto assets.
Security researchers believe a loosely organized group known as "comms" coordinated the breach. The group is made up of young hackers who have carried out high-profile attacks, with casinos and crypto companies among their targets.
A report by Fortune said the group's members played different roles. Some paid bribes to steal data, while others carried out the fraud. They used platforms such as Telegram and Discord to coordinate operations and split revenue.
Investigators said the impersonation scheme was more effective because the people targeting Coinbase customers spoke fluent North American English. Scammers were able to leverage the stolen information to appear credible enough for users to hand over their codes.
Even after the breach, Coinbase is expanding its operations. The company was recently added to the S&P 500 Index and recently announced a strategic acquisition. CEO Brian Armstrong said he plans to make Coinbase a global financial services app within the next 10 years.
The Coinbase attack comes amid significant growth in crypto hacks, which exceeded $2.2 billion in 2024, according to Chainalysis, highlighting the dangers of outsourcing and the increasing sophistication of attackers.