Coinbase data breach inside story: Indian customer service center and teen hacker gang

Reprinted from chaincatcher

05/31/2025·3D

Original authors: Ben Weiss, Jeff John Roberts

Original translation: Luffy, Foresight News


Coinbase Co-founder and CEO Brian Armstrong speaks at an event in Bangalore, India in 2022

On May 15, 2025, Coinbase disclosed that personal data belonging to tens of thousands of its customers had been stolen. It is the largest security incident in the company's history and is expected to cause up to $400 million in losses. The breach stands out not only for its scale but also for the hackers' attack method: bribing overseas customer service personnel to obtain confidential customer information.

Coinbase publicly stated that it would pay a $20 million reward to whistleblowers who provide leads that help arrest and convict the criminals, but it has disclosed little about the identity of the attackers or the details of the attack.

A recent Fortune magazine investigation, which included a review of emails between Coinbase and a hacker, revealed new details of the incident and suggests that a loose network of young English-speaking hackers was partly responsible. The findings also highlight that so-called BPOs (business process outsourcing units) are a weak link in the security operations of technology companies.

**Insider commits crime: outsourcing customer service becomes a breakthrough**

The story begins with TaskUs, a small publicly traded company in New Braunfels, Texas. Like other BPOs, the company provides customer service to large tech companies at low cost by hiring overseas employees. In January, TaskUs fired 226 employees who worked for Coinbase at its service center in Indore, India, according to a company spokesperson.

TaskUs has provided customer service staff to Coinbase since 2017, a partnership that has saved the U.S. crypto giant a lot in labor costs, according to filings with the Securities and Exchange Commission. But there is a problem: when customers email about their accounts or new Coinbase products, they are likely to be talking to TaskUs employees overseas. Because these agents are paid less than employees in the United States, they are more susceptible to bribery.

"Earlier this year, we found two individuals illegally accessing information from one of our clients," a TaskUs spokesperson told Fortune magazine, referring to Coinbase. "We believe the two were employed in a wider, organized criminal campaign against Coinbase, which also affected many other providers of Coinbase's services."

According to Coinbase’s regulatory filing, TaskUs fired the employees in January this year, less than a month after Coinbase discovered that customer data was stolen (Note: Coinbase discovered a data breach in December 2024). A federal class action lawsuit filed in New York on Tuesday on behalf of Coinbase clients alleged that TaskUs was negligent in protecting customer data. "While we cannot comment on the lawsuit, we believe these allegations are unfounded and we will defend ourselves," a TaskUs spokesman said. "We place protection of customer data at the highest priority and will continue to strengthen our global security protocols and training programs."

A person familiar with the security incident said the hackers also successfully attacked some other BPO companies, and the nature of the stolen data in each incident was different.

The stolen data is not enough to allow hackers to break into Coinbase’s crypto vault, but it does provide rich information that helps criminals pose as Coinbase customer service, contact customers and convince them to hand over their crypto assets. The company said hackers stole data from more than 69,000 customers, but did not say how many of them became victims of so-called "social engineering scams." In this case, the social engineering scam involved criminals using stolen data to impersonate Coinbase employees and convince victims to transfer their crypto assets.

"As we have disclosed, we recently discovered that a threat actor had asked overseas customer service to obtain customer account information dating back to December 2024. We have notified affected users and regulators, cut off contact with TaskUs personnel and other overseas customer service personnel and strengthened controls," Coinbase said in a statement. The statement added that the company is compensating customers who lost funds in the fraud.

Social engineering scams that impersonate company representatives are not new, but hackers attacking BPO companies at this scale is quite rare. While no one has explicitly identified the perpetrators, some clues point strongly to a loose organization of young English-speaking hackers.

**Teen hacker gang: "They come from video games"**

In the days after the Coinbase data breach was disclosed in mid-May, Fortune magazine spoke on Telegram with a man who claimed to be one of the hackers.

Two other security researchers who spoke with the anonymous hacker told Fortune that they thought the person was credible. "Based on what he shared with me, I have carefully pondered his statements and could not find evidence that his statements were false." Both researchers asked for anonymity because they feared receiving subpoenas for talking to the so-called hacker.

During the exchange, the man shared many screenshots that he said showed emails exchanged with the Coinbase security team. The name he used when communicating with Coinbase was "Lennard Schroeder". He also shared a screenshot of an account belonging to a former Coinbase executive, showing crypto transactions and a large number of personal details.

Coinbase does not deny the authenticity of these screenshots.

The emails shared by the self-proclaimed hacker included an extortion demand for $20 million in Bitcoin (Coinbase refused to pay) and sarcastic comments that the hacker gang would use some of the stolen money to buy hair for the company's bald CEO, Brian Armstrong. "We are willing to sponsor hair transplant surgery so that he can travel around the world in a daze," the hacker wrote.

In Telegram messages, the person (Fortune learned of his existence from a security researcher) expressed his contempt for Coinbase.

Many cryptocurrency heists have been carried out by Russian criminal gangs or the North Korean military, but this hack was allegedly the work of a loose coalition of teenagers and young people in their 20s known as "Comm" or "Com".

Over the past two years, the Comm gang has appeared in media coverage of other hacking incidents, including a New York Times report earlier this month in which a suspect in a series of cryptocurrency thefts claimed to be a member of the group. In 2023, investigators identified the group as the hackers of several online casinos operating in Las Vegas, and it attempted to extort $30 million from MGM Resorts, The Wall Street Journal reported.

Unlike Russian and North Korean crypto hackers, who usually pursue only money, members of the Comm gang often want attention and the thrill of a prank. They sometimes collaborate on hacks, but they also compete with each other to see who can steal more.

"They come from video games and then bring high scores to the real world," said Josh Cooper-Duckett, director of investigations at Cryptoforensic Investigators, a cryptoforensic investigation firm. "In this world, their scores are just how much money they stole."

In Telegram messages, the so-called hacker said Comm members each took responsibility for different aspects of the heist. His team bribed customer service agents and collected customer data, then handed the data to others outside the team who were proficient in social engineering scams. He added that different Comm affiliate groups use social platforms such as Telegram and Discord to coordinate the different parts of an operation and to allocate the stolen money.

Sergio Garcia, founder of crypto-investigation firm Tracelon, told Fortune that the hacker's description of the Coinbase attack matches his observations of how the Comm gang works and of other crypto social engineering scams. The people who recently targeted customers in social engineering scams spoke native North American English, people familiar with the matter said.

According to a source who knows the salaries of BPO employees, TaskUs employees in India earn between $500 and $700 a month. TaskUs declined to comment. Garcia told Fortune that although this figure is higher than India’s GDP per capita, the low wages of customer service agents tend to make them more likely to accept bribes. "Obviously, this is the weakest link in the chain because they have financial incentives to accept bribes," he added.
