As investigations continue into Coinbase’s recent data breach, users affected by the incident are facing conflicting legal strategies. The breach, disclosed by Coinbase in May, compromised sensitive information, including government ID images and partial Social Security numbers, affecting over 69,000 users. Lawyers representing the victims claim that both Coinbase and a third-party service, TaskUs, were aware of the breach as early as January but failed to inform customers and regulators until May.
According to a regulatory filing, Coinbase stated it first became aware of the breach in May 2025, when a hacker allegedly demanded a ransom of $20 million. The company clarified that the actual breach occurred in December 2024. This timeline has prompted numerous lawsuits against Coinbase, with many cases likely headed for arbitration due to a clause in the user agreement that was updated in March.
In response to the breach, the class action law firm Greenbaum Olbrantz filed a lawsuit against TaskUs, which Coinbase used for customer support services. An amended complaint submitted last week claims that a suspect has been identified in connection with the hack, along with a cooperating whistleblower. Allegedly, Ashita Mishra, a former TaskUs employee, began stealing and selling confidential customer information to hackers in September 2024, with other employees involved in a bribery scheme lasting until January 2025.
Victims of the data breach are now split on how to pursue legal action. One faction advocates for a collective complaint against both Coinbase and TaskUs, suggesting coordination among 15 law firms, including Scott Kantrowitz Arnold, to guide the strategy.
Conversely, the Greenbaum Olbrantz team, along with two other firms, contends that including Coinbase as a co-defendant may lead the exchange to file a motion to compel arbitration. Such arbitration, which typically occurs privately, might provide Coinbase with a more cost-effective and less public resolution to the disputes. If the motion is successful, cases would shift to individual arbitration, potentially complicating and prolonging the legal process for victims. Should Coinbase’s motion be denied, the company could still appeal, creating the risk of delays in the case proceedings.
In response, the group led by Scott Kantrowitz Arnold asserts that navigating the arbitration clauses is well within their capabilities, emphasizing that this would not pose a significant challenge. Meanwhile, the Greenbaum team insists that their focus should remain on TaskUs, pointing to the alleged criminal activities that originated there. They aim to collaborate with those seeking arbitration against Coinbase while keeping the cases distinct.
The amended complaint also highlights that this isn’t TaskUs’s first encounter with such scrutiny. A prior data breach involving Ledger in 2022 saw similar accusations against TaskUs, culminating in a settlement for an undisclosed amount in 2025.
The judge overseeing the case will ultimately decide which legal strategy best serves the interests of the affected users. In light of the breach, Coinbase has stated that it will reimburse customers who lost funds to the hackers and has established a $20 million reward fund for leads on the perpetrators. The financial implications of the breach for Coinbase could reach up to $400 million.
TaskUs has been given three weeks to respond to the amended complaint, while Coinbase has yet to issue a statement regarding the ongoing situation.
