Inside the Coinbase data breach: Indian customer service center and teenage hacker gang

Unlike Russian and North Korean crypto hackers, who are usually only after money, Comm gang members often want both attention and the thrill of mischief.

Original author: Ben Weiss, Jeff John Roberts

Original translation: Luffy, Foresight News

Coinbase co-founder and CEO Brian Armstrong speaks at an event in Bengaluru, India, in 2022

On May 15, 2025, Coinbase disclosed that the personal data of tens of thousands of its customers had been stolen, the largest security incident in the company's history, with an estimated loss of up to $400 million. The data breach was notable not only for its scale but also for the hackers' attack method: bribing overseas customer service staff to obtain confidential customer information.

Coinbase has publicly stated that it will pay a $20 million reward to whistleblowers who provide information that leads to the arrest and conviction of criminals, but has disclosed little about the identity of the attackers or the details of the hack.

A recent Fortune investigation, which included a review of emails between Coinbase and one of the hackers, revealed new details about the incident, suggesting that a loose network of young, English-speaking hackers was partly responsible. The findings also highlighted so-called BPOs (business process outsourcing units) as a weak link in tech companies' security operations.

Insider crime: Outsourcing customer service becomes a breakthrough

The story begins with TaskUs, a small public company in New Braunfels, Texas. Like other BPOs, the company provides customer service to large technology companies at a low cost by hiring overseas employees. In January, TaskUs laid off 226 employees at its service center in Indore, India, who had been working for Coinbase, according to a company spokesperson.

According to documents filed with the U.S. Securities and Exchange Commission, TaskUs has been providing customer service staff for Coinbase since 2017, a partnership that has saved the U.S. crypto giant a lot of labor costs. But here’s the problem: When customers send emails asking about their accounts or new Coinbase products, they’re likely talking to TaskUs employees overseas. Because these agents are paid less than U.S. employees, they’re more likely to be bribed.

“Earlier this year, we discovered that two individuals had illegally accessed information from one of our customers,” a TaskUs spokesperson told Fortune, referring to Coinbase. “We believe these individuals were employed by a broader, organized criminal operation that targeted Coinbase and affected many other vendors that Coinbase provides services to.”

According to Coinbase's regulatory filings, TaskUs fired employees in January, less than a month after Coinbase discovered that customer data had been stolen (Note: Coinbase discovered the data breach in December 2024). On Tuesday, a federal class-action lawsuit filed in New York on behalf of Coinbase customers accused TaskUs of negligence in protecting customer data. “While we cannot comment on the lawsuit, we believe the allegations are without merit and we will defend ourselves,” said a TaskUs spokesperson. “We place the highest priority on protecting customer data and continue to strengthen our global security protocols and training programs.”

A person familiar with the security incident said the hackers had also successfully attacked a number of other BPO companies and the nature of the stolen data varied in each incident.

The stolen data wasn’t enough to allow hackers to break into Coinbase’s crypto vault, but it did provide a wealth of information that helped criminals pose as fake Coinbase customer service representatives, contact customers and convince them to hand over their crypto assets. The company said hackers stole data on more than 69,000 customers, but did not say how many of them fell victim to a so-called “social engineering scam.” In this case, the social engineering scam involved criminals using stolen data to impersonate Coinbase employees and convince victims to transfer their crypto assets.

Coinbase said in a statement: “As we have disclosed, we recently discovered that a threat actor had asked overseas customer service to obtain customer account information dating back to December 2024. We have notified affected users and regulators, cut off contact with the TaskUs personnel and other overseas customer service involved, and strengthened controls.” The statement also added that compensation is being paid to customers who lost funds in the scam.

Social engineering scams impersonating company representatives are not new, but the scale of the attacks on BPO companies by hackers is rare. Although no one has yet clearly identified the perpetrators, some clues strongly point to a loose group of young English-speaking hackers.

Teenage hacker gang: They came from video games

In the days following the disclosure of the Coinbase data breach in mid-May, Fortune spoke on Telegram with a man calling himself “puffy party,” who claimed to be one of the hackers.

Two other security researchers who spoke with the anonymous hacker told Fortune that they found him credible. “I have carefully considered his statements based on what he shared with me and have been unable to find evidence that his statements are false,” said one of them. Both researchers requested anonymity because they feared receiving subpoenas for speaking with the alleged hacker.

In the exchange, the man shared many screenshots, saying that these were email exchanges with the Coinbase security team. The name he used when communicating with Coinbase was Lennard Schroeder. He also shared a screenshot of an account belonging to a former Coinbase executive, which showed crypto transactions and a large number of personal details.

Coinbase did not deny the authenticity of the screenshots.

The emails shared by the self-proclaimed hacker included a threat of extortion for $20 million in Bitcoin (which Coinbase refused to pay) and a snide comment about the hacker group using some of the stolen money to buy hair for the company’s bald CEO, Brian Armstrong. “We are willing to sponsor a hair transplant so he can travel the world in style,” the hacker wrote.

In Telegram messages, the individual (whose existence Fortune learned of from a security researcher) expressed disdain for Coinbase.

Many cryptocurrency heists are carried out by Russian criminal gangs or the North Korean military, but the hack was allegedly carried out by a loose alliance of teenagers and 20-somethings known as “Comm” or “Com.”

The Comm group has appeared in media coverage of other hacking incidents over the past two years, including a New York Times report earlier this month in which a suspect in a string of cryptocurrency thefts identified himself as a member of the group. In 2023, hackers identified by investigators as the group attacked several online casinos in Las Vegas and attempted to extort $30 million from MGM Resorts, according to the Wall Street Journal.

Unlike Russian and North Korean crypto hackers, who are usually after money alone, Comm gang members often seek both attention and the thrill of mischief. They sometimes collaborate on hacking attacks, but also compete with each other to see who can steal more.

“They come from video games and bring their high scores into the real world,” said Josh Cooper-Duckett, director of investigations at Cryptoforensic Investigators, a crypto-forensic investigation firm. “In this world, their score is how much money they stole.”

In a Telegram message, the alleged hacker said that members of Comm were responsible for different aspects of the heist. His team bribed customer service and collected customer data, which was then handed over to others outside the team who were well-versed in social engineering scams. He added that different Comm-affiliated groups coordinated on social platforms such as Telegram and Discord on how to execute different parts of the operation and distribute the stolen money.

Sergio Garcia, founder of crypto investigation firm Tracelon, told Fortune that the hacker’s description of the Coinbase attack matches his observations of how the Comm gang operates and other crypto social engineering scams. People familiar with the matter said the person who recently attacked customers in the social engineering scam spoke authentic North American English.

According to a source with knowledge of BPO worker salaries, TaskUs employees in India make between $500 and $700 a month. TaskUs declined to comment. Garcia told Fortune that while that number is higher than India’s GDP per capita, customer service workers’ low salaries often make them more vulnerable to bribes. “Obviously, that’s the weakest link in the chain because they have a financial incentive to accept bribes,” he added.
