Coinbase delayed disclosing data breach that might cost approximately $400M, drops third-party vendor
Secret understanding, abrupt split: the crypto exchange faces mounting regulatory and legal heat for a four-month silence over a breach affecting at least 69,000 customers.

Coinbase was alerted as early as January 2025 that hackers had siphoned tens of thousands of customer records from one of its overseas support vendors, but the exchange waited until 14 May to notify users and regulators, according to internal emails reviewed by Reuters and interviews with three people briefed on the event.

The discovery comes as Coinbase suddenly terminated its relationship with TaskUs, the Texas-based outsourcing firm whose India call center staff were allegedly bribed to leak screenshots and KYC files. At least 69,461 customers’ names, addresses, partial Social Security numbers, and ticket histories were exposed. Coinbase has warned investors that the breach could cost $180 million to $400 million in remediation and potential claims.

Coinbase stated it found evidence of professional misconduct, moved quickly to cut access, and is enhancing controls across all third-party vendors.

TaskUs confirmed it terminated more than 200 employees in Indore after Coinbase raised alarms in January but insisted it “immediately escalated” the issue to its customer. A TaskUs spokesperson said the company is “cooperating with law enforcement agencies in India and the United States.”

A four-month disclosure gap

Under the U.S. Securities and Exchange Commission’s new cyber-incident rule, publicly traded companies must file an 8-K within four business days of determining an event is material. Coinbase’s May filing mentioned “prior months” of unauthorized activity but did not specify the January alert.

Such inaction could be deemed a textbook case of material non-compliance. The SEC may request clarification as to why the clock didn’t start in January.
A securities-fraud class action filed Monday in the Eastern District of Pennsylvania alleges Coinbase “withheld adverse information” that would have impacted its share price. A separate negligence suit targets TaskUs in Manhattan federal court on behalf of affected users.

Court filings describe a small criminal ring that paid support agents to photograph Coinbase’s screens with personal identifiers visible. By March, the scheme had expanded, with stolen credentials sold on Telegram channels linked to “pig-butchering” crypto scams.

On 11 May, the hackers, emboldened by their haul, emailed Coinbase demanding $20 million in exchange for deleting the data. Coinbase declined, instead offering a $20 million bounty for information leading to arrests.

Why TaskUs matters

TaskUs, founded in 2008 and now valued at around $1.5 billion, counts Meta and DoorDash among its clients. Crypto exchanges like Coinbase have relied on the firm to provide 24/7 customer support at a lower cost than U.S. hires through its 61,400 full-time staff.

Security experts caution that offshoring sensitive identity documents to low-wage environments creates the perfect storm for professional bribery. Human-layer attacks are increasingly surpassing technical exploits, as bribing an underpaid agent is far cheaper than bypassing robust encryption.

The breach comes as Coinbase and other crypto stakeholders advocate for looser U.S. crypto regulations. Rival exchanges Kraken and Gemini, which also utilize business-process outsourcing providers, will now rush to scrutinize their own vendor controls, according to sources familiar with those assessments.

Meanwhile, affected Coinbase customers report ongoing phishing attempts and SIM-swap attacks. The company has offered two years of identity-theft monitoring but has not committed to reimbursing any downstream crypto losses.

What’s next

Regulatory scrutiny – The SEC and Federal Trade Commission may investigate potential disclosure-timing violations.
Discovery trove – Plaintiffs will seek January-dated board minutes that could reveal executives debated, then delayed, disclosure.

Vendor reshuffle – Industry analysts expect fintechs to diversify away from single-provider support models and adopt screen-capture-blocking tools.

For Coinbase, the incident threatens both its balance sheet and its reputation as the most compliant brand in crypto. Trust is the only hard currency an exchange possesses. Losing it, even for four months, can be fatal.

Liam ‘Akiba’ Wright

Also known as “Akiba,” Liam Wright is a reporter, podcast producer, and Editor-in-Chief at CryptoSlate.