Inside the Coinbase Data Breach: Indian Customer Service Center and Teenage Hacker Gang

Foresight News
2025-05-31 18:13:10
Unlike Russian and North Korean hackers who usually only pursue money, members of the Comm gang often seek attention and the thrill of mischief.

Original authors: Ben Weiss, Jeff John Roberts

Original compilation: Luffy, Foresight News


Coinbase co-founder and CEO Brian Armstrong speaks at an event in Bangalore, India, in 2022

On May 15, 2025, Coinbase disclosed that the personal data of tens of thousands of its customers had been stolen, marking the largest security incident in the company's history, with losses expected to reach up to $400 million. This data breach is notable not only for its scale but also for the hackers' method of attack: bribing overseas customer service personnel to obtain confidential customer information.

Coinbase publicly stated that it would pay a $20 million reward to whistleblowers who provide leads that help capture and convict the criminals, but it has disclosed very little about the attackers' identities or the details of the hacking incident.

A recent investigation by Fortune magazine (including a review of emails between Coinbase and a hacker) revealed new details about the incident, suggesting that a loose network of English-speaking young hackers is partially responsible. Meanwhile, the findings also highlight that so-called BPOs (Business Process Outsourcing units) are a weak link in the security operations of tech companies.

Insider Job: Outsourced Customer Service as a Breach Point

The story begins with a small publicly traded company, TaskUs, based in New Braunfels, Texas. Like other BPOs, the company provides customer service for large tech companies at a low cost by hiring overseas employees. According to a company spokesperson, in January of this year, TaskUs fired 226 employees working for Coinbase at its service center in Indore, India.

According to documents submitted to the U.S. Securities and Exchange Commission, TaskUs has been providing customer service personnel for Coinbase since 2017, a partnership that has saved the American crypto giant significant labor costs. The problem is that when customers email to inquire about their accounts or new Coinbase products, they are likely speaking with TaskUs employees overseas. Because these agents are paid less than their U.S. counterparts, they are more susceptible to bribery.

"Earlier this year, we discovered that two individuals had illegally accessed information about one of our clients," a TaskUs spokesperson told Fortune regarding Coinbase. "We believe these two were employed as part of a broader, organized criminal activity targeting Coinbase, which also affected many other vendors that Coinbase works with."

According to Coinbase's regulatory filings, TaskUs fired employees in January, less than a month before Coinbase discovered that customer data had been stolen (note: Coinbase discovered the data breach in December 2024). On Tuesday, a federal class-action lawsuit filed in New York on behalf of Coinbase customers accused TaskUs of negligence in protecting customer data. "While we cannot comment on the lawsuit, we believe these allegations are unfounded, and we will defend ourselves," a TaskUs spokesperson stated. "We prioritize the protection of customer data and will continue to strengthen our global security protocols and training programs."

A source familiar with the security incident indicated that hackers also successfully attacked several other BPO companies, and the nature of the stolen data varied in each incident.

The stolen data was not enough for the hackers to breach Coinbase's crypto vaults, but it gave criminals rich information for impersonating Coinbase customer service representatives, contacting customers and persuading them to hand over their crypto assets. The company stated that hackers stole data from over 69,000 customers but did not specify how many fell victim to the so-called "social engineering scams." In this case, the social engineering scam involved criminals using the stolen data to impersonate Coinbase employees and persuade victims to transfer their crypto assets.

In a statement, Coinbase said: "As we have disclosed, we recently discovered that a threat actor had requested customer account information traceable to December 2024 from overseas customer service. We have notified affected users and regulators, severed ties with the involved TaskUs personnel and other overseas customer service, and strengthened controls." The statement also added that compensation is being provided to customers who lost funds in the scam.

Scams that impersonate company representatives are not new, but attacks on BPO companies at this scale are quite rare. While no one has explicitly identified the criminals, some clues strongly point to a loose organization of English-speaking young hackers.

Teenage Hacker Gang: "They Come from Video Games"

In the days following the disclosure of the Coinbase data breach in mid-May, Fortune magazine communicated on Telegram with a man who claimed to be one of the hackers, calling himself "puffy party."

Two other security researchers who spoke with this anonymous hacker told Fortune that they found him credible. One said, "Based on what he shared with me, I seriously scrutinized his statements and could not find evidence to prove his claims false." Both researchers requested anonymity due to concerns about receiving subpoenas for speaking with the alleged hacker.

In the exchange, the man shared numerous screenshots, claiming they were emails with Coinbase's security team. The name he used when communicating with Coinbase was "Lennard Schroeder." He also shared a screenshot of an account belonging to a former Coinbase executive, showing crypto transactions and a wealth of personal details.

Coinbase did not deny the authenticity of these screenshots.

The self-proclaimed hacker shared emails that included threats to extort $20 million in Bitcoin (which Coinbase refused to pay) and mocking comments about the hacker gang using part of the stolen funds to buy hair for the company's bald CEO, Brian Armstrong. "We are willing to sponsor a hair transplant so he can travel the world in style," the hacker wrote.

In Telegram messages, this individual (whose existence was revealed to Fortune by a security researcher) expressed contempt for Coinbase.

Many cryptocurrency heists are carried out by Russian crime syndicates or North Korean military units, but this hacker is reportedly part of a loose alliance of teenagers and young adults known as "Comm" or "Com."

In the past two years, reports about the Comm gang have appeared in media coverage of other hacking incidents, including a New York Times article earlier this month, where one suspect accused of carrying out a series of cryptocurrency thefts claimed to be a member of the organization. According to the Wall Street Journal, in 2023, investigators linked the group to hacks against several online casinos in Las Vegas and attempted to extort $30 million from MGM Resorts.

Unlike Russian and North Korean crypto hackers, who typically pursue only money, members of the Comm gang often seek attention and the thrill of mischief. They sometimes collaborate on hacking attacks but also compete with each other to see who can steal more.

"They come from video games and then bring high scores into the real world," said Josh Cooper-Duckett, investigation director at the crypto forensics firm Cryptoforensic Investigators. "In this world, their score is how much money they steal."

In Telegram messages, the alleged hacker stated that members of Comm are responsible for different aspects of the heists. His team bribes customer service and collects customer data, which is then handed over to others in the team who are skilled in social engineering scams. He added that different Comm affiliates coordinate how to execute various parts of the operation and distribute the loot on social platforms like Telegram and Discord.

Sergio Garcia, founder of the crypto investigation firm Tracelon, told Fortune that the description of the attack on Coinbase aligns with his observations of how the Comm gang operates and other crypto social engineering scams. Insiders say that those recently attacking customers in social engineering scams speak fluent North American English.

According to a source familiar with BPO employee salaries, Indian TaskUs employees earn between $500 and $700 per month. TaskUs declined to comment. Garcia told Fortune that although this figure is higher than India's per capita GDP, the low wages for customer service often make them more susceptible to bribery. "Clearly, this is the weakest link in the chain because they have the economic incentive to accept bribes," he added.
