Incident Analysis

Coinbase TaskUs Insider Breach: When the BPO Becomes the Attack Surface

In May 2025 Coinbase disclosed that contractor support agents at TaskUs had been bribed to leak customer data for months. We unpack the insider-threat supply-chain anatomy and what crypto and fintech defenders must change.

Michael
Security Engineer

On May 15, 2025, Coinbase filed an 8-K disclosure with the US Securities and Exchange Commission revealing that overseas customer-support contractors had been bribed to access and exfiltrate customer data over a sustained period beginning in September 2024. Coinbase identified the incident in December 2024, terminated the contractors involved, and refused a $20 million extortion demand — instead announcing a $20 million reward fund for information leading to the attackers' identification. By late May 2025, US court filings and Fortune reporting confirmed that the bribed contractors worked for TaskUs, a Texas-headquartered business-process outsourcing firm with major operations in India that handles support for Coinbase and dozens of other technology and crypto-exchange customers. Approximately 70,000 Coinbase customers had personal data exposed, and the social-engineering campaigns enabled by the data were ultimately linked by court filings to roughly $400 million in cryptocurrency theft. The case is the cleanest insider-threat-as-supply-chain incident of 2025, and a particularly uncomfortable one for any enterprise that has outsourced customer support to a BPO with broad-access tooling. The fact that the original insider operation ran undetected for four months indicates that even high-trust BPOs at major technology customers can host monetisable insider behaviour without internal anomaly detection catching it.

Who got hit and how did the breach work?

Coinbase outsources tiered customer support to multiple BPO providers, with TaskUs operating teams in India that handle account questions, KYC verification, and dispute resolution. According to the unsealed indictment filed in the US District Court in New Jersey, a TaskUs employee photographed up to 200 sensitive customer-account records per day from internal support tooling, beginning in September 2024 and continuing until the employee's arrest in January 2025. The court filings describe a coordinated scheme in which the bribed insider sold each customer record for approximately $200 to a broker, who then aggregated lists and sold them onward to social-engineering operators who impersonated Coinbase support to trick customers into transferring crypto to attacker-controlled wallets. At the time of the arrest, the employee's personal device held more than 10,000 compromised customer records, and additional records had reportedly been transferred to brokers throughout the operation.

What did the attackers actually access?

The exposed data included customer names, postal addresses, email addresses, partial bank-account references, current Coinbase account balances, and Social Security numbers — exactly the dataset needed for a credible impersonation. Crucially, the data did not include private keys, two-factor authentication seeds, or password hashes; the social-engineering campaigns that followed exploited the combination of correct personal identifiers and pretextual account-recovery scripts to convince victims to disable security controls voluntarily. Coinbase emphasised that no customer credentials or private keys were stolen directly. The downstream financial impact, however, was estimated at roughly $400 million in cryptocurrency siphoned from victims who fell for the follow-on phishing.

How long were they inside?

The insider operation began in September 2024 and continued for approximately four months before Coinbase detected anomalous internal-tool access patterns in December 2024. The dwell time of four months is consistent with insider-threat patterns at high-trust BPO operations: detection typically comes from anomaly correlation rather than account-level alerting, because each individual support agent's queries fall within their job function. The successor extortion attempt — the $20 million demand received by Coinbase in early May 2025 — sat outside the original insider window and used data that had previously been exfiltrated. Coinbase opted for public disclosure on May 15, 2025 rather than yielding to the extortion.

What did existing controls miss?

Three failures explain the duration, and a fourth explains the downstream losses. First, support-tool access controls were too coarse: agents could retrieve full customer records, SSN included, rather than redacted views scoped to the specific support inquiry. Second, behavioural analytics on agent query patterns either did not exist or did not catch the abnormal rate of full-record retrievals across unrelated customer accounts. Third, the BPO contract did not include sufficient liability flow-through or audit rights to put TaskUs on the hook financially for the insider's actions; Coinbase ended up bearing remediation cost while suing TaskUs for indemnification. The fourth, less-discussed failure is the absence of a customer-side anti-impersonation layer that would have stopped victims from trusting an incoming call simply because the caller cited correct personal details.

# BPO support-tool access control baseline
bpo_support_access:
  data_views:
    default_view_redacts_ssn: true
    default_view_redacts_account_balance: true
    full_record_access_requires_justification_text: true
    full_record_access_logged_with_video_capture: true
  rate_limits:
    full_record_views_per_agent_per_hour: 5
    full_record_views_per_agent_per_day: 20
    cross_account_pattern_alert_threshold: 10
  behavioural:
    user_query_outside_assigned_ticket_alert: high
    queries_during_off_shift_hours_alert: high
    photograph_or_screenshot_dlp: required
  contractual:
    bpo_liability_for_insider_actions: required
    breach_notification_hours: 24
    customer_data_export_to_bpo_minimised: required
  customer_side:
    inbound_call_verification_token: required
    cannot_initiate_2fa_disable_via_phone: enforced
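The rate-limit and behavioural rules in the baseline above only matter if something evaluates them against the support tool's audit trail. The following is an added example, not Coinbase's or TaskUs's tooling: it applies those thresholds to a constructed audit-log format (timestamp|agent|view_type|customer_account|ticket_account) and assumes a 09:00 to 17:59 shift window; one agent behaves normally and a second shows the bulk, cross-account, off-shift full-record pattern the article describes.

```python
# Added detection example for the bpo_support_access baseline; the log format,
# agent names and shift window are constructed assumptions, not real data.
from collections import Counter, defaultdict
from datetime import datetime

# Thresholds mirror the YAML baseline above.
FULL_VIEWS_PER_HOUR = 5
FULL_VIEWS_PER_DAY = 20
CROSS_ACCOUNT_THRESHOLD = 10
SHIFT_HOURS = range(9, 18)          # assumed 09:00-17:59 local shift window

# Constructed sample audit log. agent_a works its own tickets during the shift;
# agent_b pulls 12 full records for accounts unrelated to its ticket, late at night.
SAMPLE_LOG = [
    "2024-10-03T10:02:11|agent_a|redacted|cust_1001|cust_1001",
    "2024-10-03T10:45:09|agent_a|full|cust_1002|cust_1002",
    "2024-10-03T11:12:30|agent_a|redacted|cust_1003|cust_1003",
] + [
    f"2024-10-03T22:{i:02d}:00|agent_b|full|cust_2{i:03d}|cust_1999"
    for i in range(12)
]

def parse(line):
    ts, agent, view, account, ticket_account = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "agent": agent, "view": view,
            "account": account, "ticket_account": ticket_account}

def analyse(lines):
    """Return {agent: sorted alert names} for every agent that trips a baseline rule."""
    per_hour, per_day = Counter(), Counter()
    accounts, alerts = defaultdict(set), defaultdict(set)
    for rec in map(parse, lines):
        agent, ts = rec["agent"], rec["ts"]
        if ts.hour not in SHIFT_HOURS:
            alerts[agent].add("queries_during_off_shift_hours")
        if rec["account"] != rec["ticket_account"]:
            alerts[agent].add("user_query_outside_assigned_ticket")
        if rec["view"] != "full":
            continue                     # redacted views are the expected path
        per_hour[(agent, ts.strftime("%Y-%m-%dT%H"))] += 1
        per_day[(agent, ts.date())] += 1
        accounts[(agent, ts.date())].add(rec["account"])
    for (agent, _), n in per_hour.items():
        if n > FULL_VIEWS_PER_HOUR:
            alerts[agent].add("full_record_views_per_hour_exceeded")
    for (agent, day), n in per_day.items():
        if n > FULL_VIEWS_PER_DAY:
            alerts[agent].add("full_record_views_per_day_exceeded")
        if len(accounts[(agent, day)]) >= CROSS_ACCOUNT_THRESHOLD:
            alerts[agent].add("cross_account_pattern")
    return {agent: sorted(found) for agent, found in alerts.items()}

if __name__ == "__main__":
    for agent, found in analyse(SAMPLE_LOG).items():
        print(agent, found)
```

With these thresholds the insider pattern trips four rules on its first day, which is the point behind the article's claim that the behaviour would have been visible within a week rather than four months.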

What should crypto and fintech defenders do now?

Six steps. First, redact by default. Support agents at every BPO should see ticket-specific redacted views of customer data; full-record access must require justification text and a managerial approval workflow, and must be logged with screen-capture evidence. Second, rate-limit full-record views per agent and alert on cross-account query patterns; the bribed TaskUs employee's behaviour would have been visible within a week under proper anomaly detection. Third, build customer-side anti-impersonation: an exchange like Coinbase should never ask a customer to disable MFA over the phone, and inbound support contact should use signed deep links in the customer app rather than callback flows. Fourth, push insider-action liability into BPO contracts with audit rights and indemnification, and verify that the BPO carries cyber insurance with coverage for insider events. Fifth, run insider-threat tabletop scenarios with the BPO, including red-team-style bribery simulations. Sixth, share IOCs and behavioural patterns through the Crypto-ISAC and the FS-ISAC so that a successor insider operation at any BPO surfaces faster than four months.
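The third step, signed deep links instead of callback flows, comes down to the app being able to check that a support contact was issued by the exchange, is still fresh, is addressed to the logged-in customer, and cannot authorise anything a phone caller could talk a victim into. The following is an added example, not Coinbase's mechanism: the link format, payload fields, 15-minute TTL and HMAC key are assumptions for illustration.

```python
# Added example of a signed, expiring in-app support link; the scheme,
# field names and TTL are assumptions, not Coinbase's implementation.
import base64, hashlib, hmac, json, secrets, time

SIGNING_KEY = secrets.token_bytes(32)     # constructed; lives server-side only
LINK_TTL_SECONDS = 15 * 60
# Actions a support link may authorise. Disabling 2FA is deliberately absent,
# so no genuine link, and no impersonator, can ever drive that flow.
ALLOWED_ACTIONS = {"view_ticket", "confirm_identity_in_app"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_link(customer_id, ticket_id, action, now=None):
    """Server side: bind customer, ticket, action, expiry and a nonce under an HMAC."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action {action!r} cannot be authorised via a support link")
    payload = {"cid": customer_id, "tid": ticket_id, "act": action,
               "exp": int(now or time.time()) + LINK_TTL_SECONDS,
               "nonce": secrets.token_hex(8)}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return f"app://support/{_b64(body)}.{_b64(tag)}"

def verify_link(link, logged_in_customer_id, now=None):
    """App side: return the authorised action, or None if the link is not
    authentic, has expired, or was issued for a different customer."""
    try:
        body_b64, tag_b64 = link.removeprefix("app://support/").split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None                            # malformed link
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                            # tampered or forged
    payload = json.loads(body)
    if payload["exp"] < (now or time.time()):
        return None                            # stale link replayed after expiry
    if payload["cid"] != logged_in_customer_id:
        return None                            # addressed to someone else
    return payload["act"]
```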

What legal and regulatory follow-on has the case triggered?

Three threads remain active. First, Coinbase filed civil litigation against TaskUs in 2025 seeking indemnification and damages tied to the insider's actions; the case will test the enforceability of BPO insider-action liability clauses and is being watched closely across the financial-services and crypto sectors. Second, the US Department of Justice unsealed the federal indictment of multiple individuals linked to the social-engineering operation that monetised the stolen data, with charges including computer fraud, wire fraud, and aggravated identity theft. Third, the US Securities and Exchange Commission opened an inquiry into Coinbase's disclosure timeline, given that the 8-K filing in May 2025 covered an event that began in September 2024 — a question that intersects the SEC's December 2023 cybersecurity disclosure rules requiring four-business-day disclosure of material incidents. Coinbase has maintained that the materiality threshold was not met until the May 2025 extortion attempt, a position the SEC has not publicly disputed but also not publicly endorsed. Industry observers expect the case to become a teaching example in the SEC's enforcement portfolio for years.

How Safeguard Helps

Safeguard inventories every BPO and outsourced support vendor that touches customer data, and continuously scores each against contractual breach-notification SLAs, insider-action liability terms, and SOC 2 Type II evidence. Griffin AI reachability analysis surfaces which BPO accounts can retrieve full unredacted customer records, which rate-limit policies are enforced versus declared, and which agents exhibit query patterns inconsistent with their assigned tickets. TPRM workflows score BPO vendors against ISO 27001 Annex A.5.20 supplier management and require attestations on background checks, monitoring, and insider-action investigation procedures. Policy gates block new BPO integrations that lack redaction-by-default support tooling and behavioural analytics, and ingest insider-threat patterns from the FS-ISAC and Crypto-ISAC so that a successor TaskUs-class incident raises an alarm across peer fintechs within minutes — not the four months it took to detect.
