Coinbase Insider Breach Exposes 69,000 Users In $400M Scheme

On May 15, 2025, Coinbase publicly disclosed a major data breach that had been unfolding since late 2024, revealing that overseas customer support contractors had been bribed by cybercriminals to systematically steal sensitive personal information from approximately 69,461 users. The stolen data included Social Security numbers, bank account details, government-issued IDs, and other personally identifiable information. Coinbase estimated the total financial impact at up to $400 million, making it one of the most consequential insider breaches in cryptocurrency exchange history. The breach originated at TaskUs, a third-party outsourcing firm that provided customer support services for Coinbase. Court filings identified Ashita Mishra, a former TaskUs employee, as a key figure in the scheme. Mishra allegedly extracted up to 200 customer records per day beginning in September 2024, selling each record for approximately $200 to organized criminal buyers. When TaskUs discovered the breach internally in January 2025, Mishra's phone contained data on more than 10,000 customers. Multiple TaskUs employees reportedly collaborated in smaller groups, forwarding stolen records to criminal networks who then used the data to conduct social engineering attacks against Coinbase users, impersonating support staff to drain accounts. The attackers subsequently demanded a $20 million Bitcoin ransom from Coinbase, threatening to release the stolen data publicly. Coinbase refused to pay and instead posted a $20 million bounty for information leading to the arrest and prosecution of those responsible. On May 21, the threat actor swapped approximately $42.5 million from Bitcoin to Ether via THORChain, embedding a taunting message — "L bozo" — in the Ethereum transaction input data alongside a meme video, apparently mocking blockchain investigator ZachXBT. The following day, PeckShield identified further on-chain activity: 8,697 ETH (approximately $22 million) was converted to DAI stablecoin, with the attacker consolidating funds across multiple wallets. Coinbase committed to reimbursing all affected customers and filed a data breach notification with the Maine Attorney General's office. The exchange also terminated its relationship with the implicated TaskUs contractors and referred the matter to law enforcement. However, significant criticism has been directed at both Coinbase and TaskUs for the five-month gap between the breach's discovery in January 2025 and its public disclosure in May — a delay that potentially allowed attackers to continue exploiting stolen data against unsuspecting users. This incident serves as a critical reminder that centralized exchange security extends far beyond smart contract audits and cold storage. Users should enable all available security features on exchange accounts, including hardware security keys for two-factor authentication, withdrawal address whitelisting, and biometric verification. Be extremely skeptical of any unsolicited contact claiming to be from exchange support — legitimate exchanges will never ask for passwords, seed phrases, or remote access. Users who believe their data may have been compromised should freeze their credit, monitor financial accounts closely, and consider using identity theft protection services.