"In this world, their score is how much money they stole."
Written by: Ben Weiss, Jeff John Roberts
Translated by: Luffy, Foresight News
Coinbase co-founder and CEO Brian Armstrong speaks at an event in Bangalore, India, in 2022.
On May 15, 2025, Coinbase disclosed that the personal data of tens of thousands of its customers had been stolen, marking the largest security incident in the company's history, with losses expected to reach up to $400 million. This data breach is notable not only for its scale but also for the hackers' method of attack: bribing overseas customer service personnel to obtain confidential customer information.
Coinbase publicly stated that it would pay a $20 million reward to whistleblowers who provide leads that help capture and convict the criminals, but it disclosed very little about the attackers' identities or the details of the hack.
A recent investigation by Fortune magazine (including reviewing emails between Coinbase and a hacker) revealed new details about the incident, suggesting that a loose network of young English-speaking hackers is partially responsible. Meanwhile, the findings also highlight that so-called BPOs (Business Process Outsourcing units) are a weak link in the security operations of tech companies.
Insider Job: Outsourced Customer Service as a Breach Point
The story begins with a small publicly traded company, TaskUs, based in New Braunfels, Texas. Like other BPOs, the company provides customer service for large tech companies at low cost by hiring overseas employees. According to a company spokesperson, in January of this year, TaskUs fired 226 employees working for Coinbase from its service center in Indore, India.
According to documents submitted to the U.S. Securities and Exchange Commission, TaskUs has been providing customer service personnel for Coinbase since 2017, a partnership that has saved the American crypto giant significant labor costs. The problem is that when customers email to inquire about their accounts or Coinbase's new products, they are likely speaking with TaskUs employees overseas. Because these agents are paid less than domestic U.S. employees, they are more susceptible to bribery.
"Earlier this year, we discovered that two individuals had illegally accessed information from one of our clients," a TaskUs spokesperson told Fortune regarding Coinbase. "We believe these two were employed as part of a broader, organized criminal activity targeting Coinbase, which also affected many other vendors that Coinbase works with."
According to Coinbase's regulatory filings, TaskUs fired employees in January, less than a month before Coinbase discovered that customer data had been stolen (note: Coinbase discovered the data breach in December 2024). On Tuesday, a federal class-action lawsuit filed in New York on behalf of Coinbase customers accused TaskUs of negligence in protecting customer data. "While we cannot comment on the lawsuit, we believe these allegations are unfounded, and we will defend ourselves," a TaskUs spokesperson stated. "We prioritize the protection of customer data and will continue to strengthen our global security protocols and training programs."
A source familiar with the security incident indicated that hackers also successfully attacked several other BPO companies, and the nature of the stolen data varied in each incident.
The stolen data was not enough for hackers to breach Coinbase's crypto vault, but it did provide rich information that helped criminals impersonate Coinbase customer service representatives, contact customers and persuade them to hand over their crypto assets. The company stated that hackers stole data from over 69,000 customers but did not specify how many fell victim to the so-called "social engineering scams." In this case, the social engineering scam involved criminals using the stolen data to impersonate Coinbase employees, convincing victims to transfer their crypto assets.
Coinbase stated in a release: "As we have disclosed, we recently discovered that a threat actor had requested overseas customer service to obtain customer account information traceable to December 2024. We have notified affected users and regulators, severed ties with the involved TaskUs personnel and other overseas customer service, and strengthened controls." The statement also added that compensation is being provided to customers who lost funds in the scam.
Scams in which criminals impersonate company representatives are not new, but it is quite rare for hackers to target BPO companies at this scale. While no one has explicitly identified the criminals, some clues strongly point to a loose organization of young English-speaking hackers.
Teenage Hacker Gang: "They Come from Video Games"
In the days following the disclosure of the Coinbase data breach in mid-May, Fortune magazine communicated on Telegram with a man who claimed to be one of the hackers, going by the name "puffy party."
Two other security researchers who had spoken with this anonymous hacker told Fortune that they found him credible. One said, "Based on what he shared with me, I seriously scrutinized his statements and could not find evidence to prove his claims were false." Both researchers requested anonymity due to concerns about receiving subpoenas for speaking with the so-called hacker.
In the exchange, the man shared numerous screenshots, claiming they were email correspondence with Coinbase's security team. The name he used when communicating with Coinbase was "Lennard Schroeder." He also shared a screenshot of an account belonging to a former Coinbase executive, showing crypto transactions and a wealth of personal details.
Coinbase did not deny the authenticity of these screenshots.
The self-proclaimed hacker shared emails that included threats to extort $20 million in Bitcoin (which Coinbase refused to pay) and mocking comments about the hacker group planning to use part of the stolen funds to buy hair for the company's bald CEO, Brian Armstrong. "We are willing to sponsor a hair transplant so he can travel the world in style," the hacker wrote.
In Telegram messages, this individual (whose existence was confirmed to Fortune by a security researcher) expressed disdain for Coinbase.
Many cryptocurrency heists are carried out by Russian crime syndicates or North Korean military units, but this hacker is reportedly part of a loose alliance of teenagers and young adults known as "Comm" or "Com."
In the past two years, reports about the Comm gang have appeared in media coverage of other hacking incidents, including a New York Times article earlier this month, where a suspect accused of carrying out a series of cryptocurrency thefts claimed to be a member of the organization. According to the Wall Street Journal, in 2023, investigators linked the group to hacks on several online casinos in Las Vegas and to an attempt to extort $30 million from MGM Resorts.
Unlike the typical Russian and North Korean crypto hackers who usually only pursue money, members of the Comm gang often seek attention and the thrill of mischief. They sometimes collaborate on hacking attacks but also compete with each other to see who can steal more.
"They come from video games and then bring their high scores into the real world," said Josh Cooper-Duckett, investigation director at the crypto forensics firm Cryptoforensic Investigators. "In this world, their score is how much money they stole."
In Telegram messages, the so-called hacker indicated that members of Comm are responsible for different aspects of the robbery. His team bribes customer service and collects customer data, then hands the data over to others in the team who are skilled in social engineering scams. He added that different Comm affiliates coordinate how to execute various parts of the operation and distribute the loot on social platforms like Telegram and Discord.
Sergio Garcia, founder of the crypto investigation firm Tracelon, told Fortune that the description of the attack on Coinbase aligns with his observations of how the Comm gang operates and other crypto social engineering scams. Insiders noted that those recently attacking customers in social engineering scams spoke fluent North American English.
According to a source familiar with BPO employee salaries, TaskUs employees in India earn between $500 and $700 per month. TaskUs declined to comment. Garcia told Fortune that although this figure is higher than India's per capita GDP, the low wages paid to customer service agents often make them more susceptible to bribery. "Clearly, this is the weakest link in the chain because they have the economic incentive to accept bribes," he added.