Coinbase Faces Backlash Over Delayed Disclosure of $400M Data Breach—Dumps Vendor
Silence isn’t golden when it costs customers $400 million.
Coinbase—the crypto giant that loves preaching ’transparency’—quietly sat on a data breach disclosure for weeks before going public. Now they’re cutting ties with a third-party vendor, but the damage is done.
Security? More like ’see-you-later’.
The exchange claims no customer funds were stolen, but trust doesn’t rebound as fast as a meme coin pump. And in classic crypto fashion, the ’post-mortem’ report will probably drop just in time for the next bull run distraction.
Wall Street would’ve fined them. Crypto? They’ll just tweet ’lesson learned’ and mint an NFT about it.
A four-month disclosure gap
Under the U.S. Securities and Exchange Commission’s new cyber-incident rule, publicly traded companies must file an 8-K within four business days of determining an incident is material. Coinbase’s May filing noted “prior months” of unauthorised activity but did not specify the January alert.
Such inaction could be considered to be a textbook case of material non-compliance. The SEC may ask for confirmation as to why the clock didn’t start in January.
A securities-fraud class action filed Monday in the Eastern District of Pennsylvania alleges Coinbase “withheld adverse information” that WOULD have moved its share price. A separate negligence suit targets TaskUs in Manhattan federal court on behalf of affected users.
Court filings describe a small criminal ring that paid support agents to photograph Coinbase’s screens with personal identifiers visible. By March, the scheme had widened, with stolen credentials sold on Telegram channels tied to “pig-butchering” crypto scams. Onthe hackers, emboldened by their haul, emailed Coinbase demandingin exchange for deleting the data.
Coinbase refused, instead offering afor information leading to arrests.
| Dec 2024 | Earliest unauthorized access allegedly begins (court filings) |
| Jan 2025 | TaskUs agent in Indore caught photographing Coinbase data; Coinbase alerted the same day; TaskUs fires >200 staff |
| Mar 2025 | Breach spreads internally; plaintiffs say nearly 100k records compromised |
| 11 May 2025 | Hackers email Coinbase demanding $20 M ransom |
| 14 May 2025 | Coinbase files Form 8-K, admits “prior months” contractor abuse |
| 15 May 2025 | Public blog post + $20 M bounty; users learn of breach |
| 21 May 2025 | Maine AG notice lists 69,461 victims |
| 28 May 2025 | Class action against TaskUs (S.D.N.Y.) |
| 2 Jun 2025 | Reuters exposes Coinbase’s earlier knowledge; company severs TaskUs ties |
| 3 Jun 2025 | Stock volatility and regulatory scrutiny mount |
Why TaskUs matters
TaskUs, founded in 2008 and now valued at around $1.5 billion, counts Meta and DoorDash among its clients. Crypto exchanges like Coinbase have leaned on the firm to provide 24/7 customer support at a lower cost than U.S. hires through its 61,400 full-time staff. Security consultants warn that offshoring sensitive identity documents to low-wage environments creates the perfect storm for insider bribery.
Human-layer attacks are increasingly outpacing technical exploits, as buying an underpaid agent is far cheaper than breaking robust encryption.
The breach occurs as Coinbase and other crypto stakeholders wage a public campaign for lighter U.S. crypto rules. Rival exchanges Kraken and Gemini, who also use business-process outsourcing shops, will now rush to audit their own vendor controls, according to people familiar with those reviews.
Meanwhile, affected Coinbase customers report continued phishing attempts and SIM-swap attacks. The company has offeredbut has not committed to reimbursing any downstream crypto losses.
What’s next
- Regulatory scrutiny – The SEC and Federal Trade Commission can assess potential disclosure-timing violations.
- Discovery trove – Plaintiffs will seek January-dated board minutes that could show executives debated, then deferred, disclosure.
- Vendor shake-up – Industry analysts expect fintechs to diversify away from single-provider support models and adopt screen-capture-blocking tools.
For Coinbase, the incident threatens balance-sheet costs and its narrative as the most compliant brand in crypto. Trust is the only hard currency an exchange has. Losing it, even for four months, can be fatal.
