Key Highlights
- Coinbase CEO Brian Armstrong has announced that a former customer service agent in India was arrested
- The breach occurred when hackers bribed low-wage, outsourced support personnel at third-party contractor TaskUS to steal sensitive customer data
- The stolen information included personal details, IDs, and account histories for many users, which was then used for targeted phishing scams
Coinbase Chief Executive Officer (CEO), Brian Armstrong, has announced a major update in the major security case from earlier this year.
On December 26, Armstrong stated in a post on X (formerly Twitter) that a former customer service agent in India has been arrested in connection with a data breach.
In his statement, Armstrong said, “We have zero tolerance for bad behavior and will continue to work with law enforcement to bring bad actors to justice. Thanks to the Hyderabad Police in India, an ex-Coinbase customer service agent was just arrested. Another one down and more still to come.”
A spokesperson from Coinbase has also confirmed that the arrest is directly linked to a security incident where cybercriminals bribed outsourced support staff to gain access to private customer information.
The breach itself began earlier, with suspicious activity detected as early as late 2024 or January of 2025. Investigators found that hackers targeted Coinbase’s overseas customer support operations. These operations were primarily handled by contractors in India working for a third-party outsourcing company named TaskUs.
The attackers identified customer service agents who were earning relatively low wages, reported to be between $500 and $700 per month, in locations like the city of Indore. These agents were then approached and offered bribes in exchange for extracting sensitive customer data.
The methods used were simple but effective, as agents would either photograph their computer screens or directly share records from the company’s internal support tools.
Coinbase’s security team detected unusual activity and alerted TaskUs. This led to a large wave of dismissals, with over 200 agents fired at one time. Additional specific individuals implicated in the scheme were also terminated.
The Ransom Demand and Nature of the Stolen Data of Coinbase Users
The situation was triggered in May when the attacker sent an email to Coinbase. They demanded a payment of $20 million in Bitcoin to prevent the stolen customer data from being released or sold. The information taken was extensive and sensitive.
According to reports, the stolen data included customer names, email addresses, physical addresses, phone numbers, and partial bank details. It also concluded masked Social Security numbers, images of government-issued identification documents, account balances, and transaction histories.
A huge point highlighted by the company is that the breach did not compromise the most secure elements of user accounts. Passwords, two-factor authentication codes, private keys, or direct access to user funds were not obtained. Instead, the goal of hackers appeared to be enabling highly targeted social engineering scams.
Using the detailed personal information, they could convincingly impersonate Coinbase support staff to trick victims into voluntarily transferring their cryptocurrency.
After this incident, Coinbase refused to pay the ransom. On May 15, CEO Brian Armstrong publicly rejected the demand. In the same announcement, he declared a matching $20 million reward fund for information leading to the arrest and conviction of those responsible.
The company also took several other major measures. It pledged to fully reimburse any customer who lost funds as a direct result of scams enabled by the breach. It relocated sensitive support operations, restricted the level of data access given to agents, and enhanced its overall security protocols.
Such cases show a growing vulnerability of insider threats in the cryptocurrency industry. Sophisticated technical defenses can be bypassed when criminals bribe employees with access to data.
