
Inside Coinbase's data breach: Indian customer service center and teenage hacker gang

"In this world, their score is how much money they've stolen."
By Ben Weiss, Jeff John Roberts
Translated by Luffy, Foresight News

Coinbase co-founder and CEO Brian Armstrong speaks at an event in Bangalore, India, in 2022
On May 15, 2025, Coinbase disclosed that personal data of tens of thousands of its customers had been stolen—an unprecedented security incident in the company's history expected to cost up to $400 million. The breach stands out not only for its scale but also for the hackers' method: bribing overseas customer service agents to obtain confidential client information.
Coinbase publicly offered a $20 million reward for information leading to the arrest and conviction of those responsible, yet has revealed little about the attackers or specific details of the hack.
A recent investigation by Fortune, including a review of emails between Coinbase and one hacker, reveals new details suggesting a loose network of English-speaking young hackers was partially responsible. Meanwhile, the findings highlight so-called BPOs (business process outsourcing firms) as weak links in tech companies’ security operations.
Insider Threat: Outsourced Customer Service as the Entry Point
The story begins with TaskUs, a small publicly traded company based in New Braunfels, Texas. Like other BPOs, it provides customer support services to large tech firms by hiring overseas workers at low cost. According to a company spokesperson, in January this year, TaskUs terminated 226 employees working for Coinbase at its Indore, India service center.
Since 2017, TaskUs has provided customer service staff to Coinbase, a partnership that has saved the U.S. crypto giant significant labor costs, according to filings with the U.S. Securities and Exchange Commission. But the issue is this: when customers emailed inquiries about their accounts or new Coinbase products, they were likely speaking with TaskUs employees abroad. Because these agents are paid less than their U.S. counterparts, they are more susceptible to bribery.
"Earlier this year, we identified two individuals who improperly accessed information belonging to one of our clients," a TaskUs spokesperson told Fortune, referring to Coinbase. "We believe these two were involved in a broader, organized criminal campaign targeting Coinbase that also affected many other vendors serving Coinbase."
TaskUs fired the employees in January, less than a month after Coinbase discovered the data theft (note: Coinbase first detected the breach in December 2024). On Tuesday, a federal class-action lawsuit filed in New York on behalf of Coinbase customers accused TaskUs of negligence in protecting customer data. "While we can't comment on the litigation, we believe these allegations are without merit, and we will defend ourselves," said the TaskUs spokesperson. "We prioritize the protection of customer data above all else and will continue strengthening our global security protocols and training programs."
A source familiar with the security incident said hackers also successfully breached several other BPO firms, with varying types of data stolen in each case.
The stolen data wasn't enough to break into Coinbase’s encrypted vaults, but it provided rich information enabling criminals to impersonate legitimate Coinbase support agents, contact customers, and persuade them to hand over their crypto assets. The company said hackers stole data from more than 69,000 customers but did not specify how many fell victim to so-called "social engineering scams." In such scams, criminals use stolen data to pose as Coinbase employees and trick victims into transferring their cryptocurrency.
In a statement, Coinbase said: "As we have previously disclosed, we recently identified a threat actor who sought customer account information dating back to December 2024 through overseas customer service representatives. We have notified affected users and regulators, severed ties with the involved TaskUs personnel and other overseas agents, and enhanced our controls." The statement added that the company is compensating customers who lost funds in the fraud.
Social engineering scams involving impersonation of corporate representatives are nothing new, but the scale of attacks targeting BPO firms is rare. While no one has definitively identified the perpetrators, several clues strongly point to a loose network of English-speaking young hackers.
Youth Hacker Gang: 'They Come From Video Games'
Days after Coinbase disclosed the data breach in mid-May, Fortune communicated via Telegram with a man who identified himself as "puffy party" and claimed to be one of the hackers.
Two other security researchers who separately spoke with this anonymous hacker told Fortune they found him credible. One said: "Based on what he shared with me, I carefully examined his claims and could find no evidence they were false." Both researchers requested anonymity, fearing subpoenas due to their conversations with alleged hackers.
During the exchanges, the man shared numerous screenshots, claiming they were email communications with Coinbase’s security team. He used the name "Lennard Schroeder" when communicating with Coinbase. He also shared a screenshot of an account belonging to a former Coinbase executive, showing cryptocurrency transactions and extensive personal details.
Coinbase did not deny the authenticity of the screenshots.
The self-proclaimed hacker shared emails containing threats to extort $20 million worth of Bitcoin (which Coinbase refused to pay), along with mocking comments about using part of the proceeds to buy hair for the company's bald CEO, Brian Armstrong. "We’re willing to sponsor a hair transplant so he can travel the world in style," wrote the hacker.
In Telegram messages, this individual (whose existence Fortune learned of from a security researcher) expressed contempt for Coinbase.
Many cryptocurrency heists are carried out by Russian crime syndicates or North Korean military units, but this attack is allegedly the work of a loose alliance of teenagers and people in their twenties known as "Comm" or "Com."
Over the past two years, reports about the Comm group have surfaced in media coverage of other hacking incidents, including a report earlier this month in The New York Times in which a suspect accused of multiple crypto thefts claimed affiliation with the group. According to The Wall Street Journal, in 2023 investigators linked hackers from this group to attacks on several online-operated casinos in Las Vegas, in which the hackers attempted to extort $30 million from MGM Resorts.
Unlike typical Russian or North Korean crypto hackers focused solely on profit, members of Comm often seek attention and revel in mischief. They sometimes collaborate on hacks but also compete against each other to see who can steal more.
"They come from video games and bring their high scores into the real world," said Josh Cooper-Duckett, Director of Investigations at Cryptoforensic Investigators, a crypto forensics firm. "In this world, their score is how much money they steal."
In Telegram messages, the alleged hacker said Comm members specialize in different phases of robbery. His team bribed customer service agents and collected client data, then passed it to others outside the team who specialized in social engineering scams. He added that different affiliated groups within Comm coordinate across social platforms like Telegram and Discord to execute various parts of operations and distribute proceeds.
Sergio Garcia, founder of cryptocurrency investigation firm Tracelon, told Fortune the hacker’s description of the Coinbase attack aligns with his understanding of how Comm operates and conducts other crypto-related social engineering scams. Sources said recent perpetrators in social engineering attacks spoke fluent North American English.
According to a source familiar with BPO employee wages, monthly salaries for TaskUs workers in India range from $500 to $700. TaskUs declined to comment. Garcia told Fortune that while this exceeds India’s per capita GDP, the relatively low pay makes customer service agents particularly vulnerable to bribery. "Clearly, they are the weakest link because they have economic incentives to accept bribes," he added.













