A significant development in the Coinbase data breach case has emerged, revealing the involvement of an employee from the outsourcing firm TaskUs as a key conspirator. An amended complaint filed in the Southern District of New York highlights allegations against Ashita Mishra, an employee at TaskUs’s Indore office, who is accused of masterminding a scheme that compromised the data of over 69,000 users of the cryptocurrency exchange.
Mishra is alleged to have engaged in the illicit activity beginning in September 2024, capturing sensitive customer information, including names, addresses, email addresses, partial bank details, account balances, and Social Security numbers. Remarkably, she reportedly photographed up to 200 images daily and then sold this data to hackers at a staggering price of $200 per photo. When arrested in January 2025, authorities discovered more than 10,000 customers’ data stored on her personal device.
The legal filings assert that Mishra did not act alone; she allegedly involved supervisors and team leaders in the operation, further indicating a broader scheme that extended beyond individual misconduct.
In addition to directly implicating Mishra, the amended complaint raises serious accusations against TaskUs itself. Plaintiffs claim the company engaged in a “pattern of concealment” regarding the breach, which included firing internal investigators and downplaying the incident in regulatory disclosures. This alleged effort to obscure the breach took place during a critical period when TaskUs was finalizing a $1.6 billion acquisition by Blackstone, raising concerns about corporate ethics and accountability.
As for the financial repercussions, damages in the case are estimated to exceed $400 million, although Coinbase maintains that less than 1% of its active user base was affected by the breach.
In response to the situation, Coinbase has publicly stated that it acted swiftly to notify customers and regulators once the breach came to light in May 2025. The company claims it has since reimbursed the affected users and severed its ties with TaskUs. Furthermore, Coinbase announced a $20 million bounty for information that leads to arrests and convictions related to the breach, emphasizing its commitment to bolstering its security measures.
“We refused to pay the criminals, we strengthened our vendor and insider controls, and we cut ties with TaskUs,” Coinbase reaffirmed in a statement, signaling its determination to address the fallout from the incident and prevent future breaches. The case continues to unfold, shedding light on the potential vulnerabilities within outsourcing practices in the tech and crypto industries.
