The company allegedly at the heart of a huge data breach affecting Coinbase customers is facing a class action lawsuit — with a court filing making explosive claims about how the incident unfolded.
At least 70,000 people were affected when sensitive data entrusted to the exchange fell into the hands of criminals, in what has been described as “one of the largest and most damaging security breaches involving cryptocurrency to date.”
Lawyers claim TaskUs, the outsourcing firm contracted by Coinbase, failed to safeguard the names, addresses, phone numbers, email addresses, bank account details and government IDs of millions — with “catastrophic” consequences.
“Coinbase estimates that its customers have lost up to $400 million to criminals working with — and in some cases, indeed, for — TaskUs. Plaintiffs have, collectively, lost millions of dollars in cryptocurrency assets. Some have lost substantially all of their retirement savings as a result of defendants’ negligence and wrongful conduct.”
The filing goes on to highlight the devastating impact that the breach continues to have on victims — with many “bombarded by daily text messages and phone calls” from criminals pretending to be Coinbase employees, and others having to spend vast amounts of money to protect themselves. Some have even resorted to hiring bodyguards.
“Plaintiffs are fearful that they may be targeted for physical attacks based on criminals’ knowledge of their cryptocurrency holdings.”
Here are eight of the most damning allegations made in the lawsuit.
1. ‘A Coordinated Criminal Campaign’
While TaskUs claims just two people were involved in the data breach, this court filing begs to differ.
“In reality, TaskUs’ public statements belie a far broader and coordinated criminal campaign that involved dozens, if not hundreds of TaskUs employees, and stretched into the supervisory level of TaskUs’ operations, including managers.”
It alleges that up to 300 employees ended up being terminated. Why? Because the conspiracy was so endemic that the company couldn’t identify everyone involved. Every single person working at two sites in India ended up losing their jobs. HR staff who later investigated the incident were also “suddenly terminated,” in what lawyers believe was an effort to “silence those with knowledge of the breach.”
2. ‘Victims Weren’t Notified’
Elsewhere in the court filing, the plaintiffs claim that the data breach was first identified in January 2025 — four months before it was eventually made public when Coinbase made a statement.
It’s alleged that this meant victims didn’t have the opportunity to take necessary precautions to protect themselves, with one victim suffering “a substantial loss of his cryptocurrency assets” because the incident wasn’t disclosed in a timely way.
3. ‘The Breach Was Preventable’
The lawsuit accuses TaskUs of failing to monitor the computer network that was responsible for storing sensitive information belonging to victims — and says “this present harm will continue for the course of their lives.”
“Had the defendant properly monitored these electronic systems, they would have discovered the data breach sooner or prevented it altogether. The security of plaintiffs’ and class members’ identities is now at risk because of the defendant’s wrongful conduct, as the PII that defendant collected and maintained is now in the hands of data thieves.”
Further context on this is provided further down in the document. The filing alleges that there were policies and procedures introduced that were designed to protect this data, but they were “largely unenforced and entirely deficient.”
For example, TaskUs had allegedly failed to introduce key logging software that could have been used to monitor the activity of employees at their desks — and assess whose information was being accessed at any given moment. Claiming some workers were downloading and viewing “large batches” of sensitive data, it added:
“Its failure to implement such policies … set the stage that allowed criminal actors to exfiltrate data belonging to tens of thousands — if not more — customers of Coinbase.”
4. How Stolen Data Can Be Abused
An especially alarming allegation relates to how the sensitive information can be exploited once it falls into the hands of criminals.
The filing claims that victims have already been exposed to a “present and imminent risk of fraud, identity theft and physical attacks” — with the exchange itself estimating that up to $400 million may have been lost so far. Lawyers fear this number could rise in the years to come as more cases come to light.
Describing the potential threats customers now face, the document says:
“Data thieves can commit a wide range of crimes including, for example, converting plaintiffs’ cryptocurrency assets, opening new financial accounts in class members’ names, taking out loans in their names, using their identities to obtain government benefits, filing fraudulent tax returns using their information, obtaining driver’s licenses in Class Members’ names, and giving false information to police during an arrest.”
5. The Salaries of TaskUs Employees
Further down in the lawsuit, lawyers turn their attention to the potential financial motive for employees who were involved in this data breach campaign — and why Coinbase decided to outsource from the U.S. to India in the first place.
“The average salary for an entry level TaskUs employee in India ranges from approximately $4,000 to $6,000 a year, while the United States Bureau of Labor Statistics states that comparable customer support specialists in the United States earn approximately $43,000, or 10 times that amount.”
It is claimed that sensitive information was passed on to criminals by employees who used their cell phones to take photographs of data on their computer screens — even though TaskUs had a policy prohibiting these devices from being taken to their desks.
Sources with knowledge of the hack, quoted in the court filing, go on to claim that employees were paid a staggering $200 per image — meaning that, in theory, someone could double their income by sending just 20 or 30 pictures to the criminals masterminding this scheme. The document adds:
“Upon information and belief, TaskUs employees generated half-a-million dollars or more from bribes paid by criminals to exfiltrate Coinbase users’ sensitive PII. Even at the lowest range of that estimate, that amount represents the average annual salaries of more than 100 TaskUs employees — a staggering sum in India.”
6. When the Conspiracy Began
Through the 54 pages of allegations, we also begin to learn when this “criminal campaign” began — and the names of some of the suspects involved.
Worryingly, it appears malicious actors began to recruit TaskUs employees in 2024 — meaning the leak could have lasted for many, many months:
“As early as September 2024, TaskUs employee Ashita Mishra joined the conspiracy by agreeing to sell highly sensitive Coinbase user data to those criminals.”
It’s alleged that the scheme was blown wide open on Jan. 1 2025 when Mishra was found to have a phone on her person at her desk, which was then searched.
“TaskUs determined that Ms. Mishra’s phone contained data belonging to more than 10,000 Coinbase customers. TaskUs determined that Ms. Mishra had operated undetected … On some days, Ms. Mishra took as many as 200 pictures of Coinbase user data.”
Based on the going rate mentioned earlier, 200 images could potentially mean Mishra was being paid up to $40,000 — as much as 10 times her annual salary — for a single day’s work. However, the law firm behind this court filing goes on to stress that she did not act alone.
7. What an Attack Looks Like in Practice
Throughout the document, there’s evidence of how Coinbase customers embroiled in this data breach have been affected.
In a chilling incident, one described how he was called by someone masquerading as one of the exchange’s employees back in October 2024 — seven months before the breach became public.
The criminal on the phone won the victim’s confidence by discussing past transactions from a few weeks earlier and confirming their contact details, making it seem like the call was legitimate.
This caused them to open a new wallet and transfer funds into the criminals’ control — resulting in “significant financial damages.”
In its initial statement, Coinbase had stressed that anyone affected would be made whole.
8. Coinbase’s Statement Was ‘Misleading’
Focusing on the exchange’s announcement more closely, the filing describes it as “flawed or misleading” — alleging that Coinbase only chose to disclose it once threatened with a $20 million ransom. It’s claimed the trading platform was aware about the incident in January of this year, but waited until May to make it public.
“By January of 2025, TaskUs and Coinbase should have reasonably known the extent and massive scope of the data breach and should have promptly informed Coinbase users, including plaintiffs. In fact, for months leading up to TaskUs’ discovery of the breach, Coinbase had been receiving an increasing number of complaints that individuals posing as Coinbase personnel had caused Coinbase users to transfer funds from their Coinbase accounts.”
If that wasn’t enough, lawyers also believe that the exploit may have affected more customers than first thought. While Coinbase has previously forecast that about 1% of monthly active users were targeted, lawyers think this is a “vast underestimate” — especially considering the concerned messages shared on social media.
TaskUs is facing a total of nine counts, with the plaintiffs demanding compensation and reforms to the company’s infrastructure.
The post 8 Shocking Claims from Coinbase Data Breach Lawsuit appeared first on Cryptonews.
