The Inside Story of the Coinbase Data Breach: Indian Call Centers and a Teen Hacker Gang
On May 15, 2025, Coinbase disclosed that tens of thousands of its customers' personal data had been stolen—marking the company's largest security incident in history, with estimated losses reaching up to $400 million. What makes this breach particularly notable is not just its scale but the hackers' method: bribing overseas customer service agents to obtain confidential client information.
While Coinbase publicly offered a $20 million bounty for tips leading to the arrest and conviction of those responsible, it revealed little about the attackers' identities or the specifics of the hack.
A recent investigation by Fortune (including a review of emails between Coinbase and one of the hackers) uncovered new details, pointing to a loose network of young, English-speaking hackers as partially responsible. The findings also highlight how business process outsourcing (BPO) units have become a weak link in tech companies' security operations.
Insider Job: Outsourced Customer Service as the Entry Point
The story begins with TaskUs, a small publicly traded company in New Braunfels, Texas. Like other BPOs, it provides low-cost customer support for major tech firms by employing overseas staff. According to a company spokesperson, TaskUs fired 226 employees who worked on behalf of Coinbase at its Indore, India, service center in January.
SEC filings show that TaskUs has been supplying customer service personnel to Coinbase since 2017, a partnership that has saved the U.S. crypto giant significant labor costs. But the problem is this: When customers email Coinbase with questions about their accounts or new products, they’re likely speaking to a TaskUs employee abroad. Because these agents earn far less than their U.S. counterparts, they’re more susceptible to bribes.
"Earlier this year, we identified two individuals who improperly accessed information for one of our clients," a TaskUs spokesperson told Fortune, referring to Coinbase. "We believe these individuals were employed as part of a larger, organized criminal effort targeting Coinbase, which also impacted many other vendors serving the company."
According to Coinbase’s regulatory filings, TaskUs fired the employees in January—less than a month before Coinbase discovered the data theft (Note: Coinbase detected the breach in December 2024). A federal class-action lawsuit filed Tuesday in New York on behalf of Coinbase customers accuses TaskUs of negligence in safeguarding client data. "While we can’t comment on litigation, we believe the claims are without merit and will defend ourselves," the TaskUs spokesperson said. "We prioritize protecting client data and continue to strengthen our global security protocols and training programs."
A source familiar with the incident said the hackers also successfully targeted several other BPO firms, with the nature of the stolen data varying in each case.
While the compromised data didn’t grant access to Coinbase’s crypto vaults, it provided enough information for criminals to impersonate customer support, convincing victims to hand over their digital assets. The company confirmed that hackers stole data from over 69,000 customers but didn’t specify how many fell victim to the ensuing "social engineering scams." In this case, the scams involved criminals using the stolen data to pose as Coinbase employees and persuade victims to transfer their crypto.
Coinbase stated: "As we’ve disclosed, we recently identified a threat actor soliciting overseas support agents for customer account information dating back to December 2024. We’ve notified affected users and regulators, severed ties with the implicated TaskUs personnel and other overseas agents, and enhanced controls." The company added that it is reimbursing customers who lost funds in the scams.
Social engineering scams impersonating company representatives aren’t new, but the scale of this BPO-focused attack is rare. While no one has officially identified the perpetrators, strong clues point to a loose collective of young, English-speaking hackers.
The Teen Hacker Gang: "They Came from Video Games"
In the days following Coinbase’s mid-May breach disclosure, Fortune communicated via Telegram with a man calling himself "puffy party," who claimed to be one of the hackers.
Two security researchers who also spoke with the anonymous hacker told Fortune they found him credible. One said, "Based on what he shared with me, I scrutinized his claims and found no evidence they were false." Both researchers requested anonymity, fearing subpoenas for engaging with an alleged hacker.
During exchanges, the man shared screenshots purportedly showing emails with Coinbase’s security team. He used the alias "Lennard Schroeder" in communications with the company and also shared a screenshot of an account belonging to a former Coinbase executive, displaying crypto transactions and extensive personal details.
Coinbase did not deny the screenshots' authenticity.
The self-proclaimed hacker’s emails included a $20 million Bitcoin ransom demand (which Coinbase refused) and mocking comments about the gang using part of their haul to buy hair implants for the company’s bald CEO, Brian Armstrong. "We’d happily sponsor a transplant so he can travel the world in style," the hacker wrote.
In Telegram messages, the individual (whose existence Fortune corroborated with a security researcher) expressed disdain for Coinbase.
While many crypto heists are carried out by Russian crime syndicates or North Korean operatives, this attack was allegedly the work of "Comm" (or "Com"), a loose alliance of teens and twenty-somethings.
Over the past two years, the Comm gang has been linked to other high-profile hacks, including a New York Times report earlier this month featuring a suspect who claimed membership while allegedly stealing crypto. The Wall Street Journal reported in 2023 that hackers tied to the group targeted Las Vegas online casinos and attempted to extort $30 million from MGM Resorts.
Unlike Russian or North Korean hackers, who are purely profit-driven, Comm members often seek attention and the thrill of chaos. They sometimes collaborate but also compete to see who can steal more.
"They came from video games, bringing high scores into the real world," said Josh Cooper-Duckett, investigative director at Cryptoforensic Investigators. "Here, their score is how much they’ve stolen."
In Telegram messages, the alleged hacker explained that Comm members specialize in different stages of heists. His team bribed customer service agents and collected data, then passed it to others skilled in social engineering. He added that various Comm-affiliated groups coordinate on platforms like Telegram and Discord, dividing tasks and loot.
Sergio Garcia, founder of crypto investigation firm Tracelon, told Fortune that the hacker’s description aligns with his observations of Comm’s operations and other crypto social engineering scams. A source noted that recent social engineering scammers spoke flawless North American English.
According to someone familiar with BPO wages, TaskUs employees in India earn $500 to $700 monthly. TaskUs declined to comment. Garcia noted that while this is above India’s per capita GDP, low salaries make agents more vulnerable to bribes. "Clearly, they’re the weakest link because they have financial incentives to comply," he said.