A recent court filing has detailed the involvement of an employee from the business process outsourcing firm TaskUs in a significant data breach targeting cryptocurrency exchange Coinbase that occurred in December 2024. Coinbase revealed the breach on May 15, 2025, when it disclosed that cybercriminals had bribed and recruited rogue overseas support agents to steal customer data for social engineering attacks.
Coinbase reportedly stated that the incident exposed the personal data of nearly 70,000 customers. The attackers aimed to leverage the stolen information to impersonate Coinbase, tricking customers into unwittingly handing over their cryptocurrency assets. Following the breach, the attackers demanded a ransom of $20 million to cease their malicious activities. Coinbase, however, publicly refused to pay and initiated a $20 million reward fund for information that could lead to the arrest and conviction of the perpetrators.
On September 16, 2025, a class action lawsuit was filed in the U.S. District Court for the Southern District of New York. The legal documentation identifies five Coinbase customers as plaintiffs and lists TaskUs along with an unnamed individual as defendants. TaskUs, a Delaware-registered company operating from Texas and owned by private equity firm Blackstone, provides outsourced customer service support, which allowed it access to sensitive customer information.
The filing indicated that Coinbase had contracted TaskUs to manage customer support from India, wherein TaskUs employees had been providing services and handling data for Coinbase users. In a revelation from June 2025, Coinbase acknowledged that the rogue agents implicated in the earlier statement were indeed employed by TaskUs. Subsequently, Coinbase severed ties with those involved and tightened security measures.
One TaskUs employee, named Ashita Mishra, is alleged to have been a central figure in the wrongdoing, reportedly beginning to sell sensitive Coinbase user data as early as September 2024. Allegations note that Mishra systematically stole and documented sensitive data, reportedly obtaining up to 200 records daily, including crucial personal details such as names, addresses, and Social Security numbers. It is claimed that she sold this information to hackers for $200 per record, accumulating data on more than 10,000 customers prior to her arrest in January 2025.
Investigators assert that Mishra did not act alone; she purportedly recruited supervisors and team leaders, transforming an insular theft into a large-scale conspiracy. Moreover, allegations against TaskUs suggest an attempt to cover up the breach. Prosecutors claim that they terminated in-house HR investigators who had uncovered extensive security lapses just months before the public announcement of the breach.
The lawsuit argues that TaskUs had been negligent regarding cybersecurity protocols, failing to safeguard sensitive customer information adequately. They prioritize profit over security, leaving customers susceptible to exploitation and fraud. Coinbase estimates the losses from stolen cryptocurrency could reach as high as $400 million due to this breach.
Plaintiffs in the class action lawsuit are seeking financial compensation for their losses, which include stolen cryptocurrency and associated expenses, alongside an order for TaskUs to enforce stricter security measures to prevent such incidents in the future. The plaintiffs contend that the absence of effective changes leaves exposed data vulnerable to ongoing threats such as identity theft and financial exploitation.
Several Coinbase users have reported fears for their safety, with some taking measures like hiring bodyguards in response to potential risks related to the breach. As of the time of reporting, attempts to reach TaskUs for a comment have gone unanswered.
