Coinbase Breach Fuels Demands for Global Oversight

- Insider theft exposed over 69,000 Coinbase users, costing up to $400M in losses.
- Filings allege TaskUs concealed breach details during its $1.6B Blackstone acquisition.
- Coinbase cut ties with TaskUs, reimbursed users, and launched a $20M bounty program.
A court filing on Tuesday in the Southern District of New York revealed new details in Coinbase’s massive data breach, exposing how a contractor employee in India stole sensitive information from more than 69,000 users between September 2024 and January 2025. The stolen data, sold for $200 per photo, is tied to losses estimated as high as $400 million, with lawsuits now alleging that TaskUs, Coinbase’s outsourcing partner, concealed the scope of the breach.
Insider Theft Exposed in Court Filings
According to the amended complaint, TaskUs employee Ashita Mishra started the breach from the firm’s Indore office. Investigators allege Mishra photographed up to 200 customer records each day, capturing names, emails, addresses, account balances, partial bank details, and Social Security numbers.
By January 2025, authorities stated that Mishra had stored personal details from more than 10,000 Coinbase customers on her phone. The filings further allege she recruited supervisors and team leaders into the operation, turning the theft into a coordinated scheme. Court documents describe a “hub-and-spoke” structure, with Mishra directing smaller groups of employees to funnel data.
TaskUs staff allegedly received $200 per image, generating bribes exceeding $500,000. Plaintiffs argue that the operation ran unchecked for months, as employees used personal phones to take screenshots of Coinbase accounts.
Allegations of Cover-Up by TaskUs
The amended complaint also expands accusations against TaskUs, which is the customer support contractor for Coinbase. Plaintiffs claimed that the company engaged in a cover-up by downplaying the breach, firing investigators, and dismissing more than 300 employees after uncovering the scope in January.
Court documents allege that the firm terminated human resources personnel who began probing the breach in February, while continuing to assure regulators that no material incident had occurred. In its February Form 10-K, TaskUs reported no breaches impacting the company, months before Coinbase disclosed the incident in May.
According to the plaintiffs, this omission allowed TaskUs to proceed with its $1.6 billion acquisition by Blackstone without revealing the data theft. The complaint also characterizes these actions as systemic failures that fall under Section 5 of the FTC Act, which prohibits unfair or deceptive business practices.
Coinbase’s Response and Regulatory Scrutiny
After the breach was revealed, Coinbase notified its customers and regulators, reimbursed affected users, cut ties with TaskUs, and announced a $20 million bounty for information leading to arrests and convictions. A spokesperson confirmed that Coinbase refused to pay extortion demands from the criminals behind the theft.
“This was a criminal bribery scheme beginning in late 2024 that exploited external vendors and a small number of Coinbase CX staff outside the U.S.,” the spokesperson stated. Coinbase said that fewer than 1% of its active users were affected.
However, the lawsuit has raised questions about whether crypto exchanges can rely on outsourcing firms to safeguard sensitive user information. Analysts say that regulators will examine whether adequate protections, such as encryption and multi-factor authentication, were in place, and whether customers had any means to shield themselves from exposure.
Courts are expected to weigh whether the stolen data exposes individuals to identity theft or direct financial loss. Andrew Rossow, public affairs attorney and CEO of AR Media Consulting, noted that ignoring federal standards, even if non-binding, could strengthen claims that a company acted carelessly or misleadingly.
The Coinbase breach shows how insider misconduct and an alleged cover-up within TaskUs compromised thousands of customers and led to losses nearing $400 million. With lawsuits progressing in New York and regulators assessing systemic protections, the case reflects the growing pressure for tighter global oversight of crypto exchanges. The fallout also focuses on accountability, transparency, and the risks tied to outsourcing support operations.