Secret knowledge, sudden split: the crypto exchange faces mounting legal and regulatory heat for a four-month silence over a breach affecting at least 69,000 customers.
Coinbase said it discovered evidence of contractor misconduct, moved quickly to cut access, and is enhancing controls across all third-party vendors.
TaskUs confirmed it fired more than 200 employees in Indore after Coinbase raised alarms in January, but it insisted it “immediately escalated” the issue to its client. A TaskUs spokesperson said the company is “cooperating with law enforcement agencies in India and the United States.”
Under the U.S. Securities and Exchange Commission’s new cyber-incident rule, publicly traded companies must file an 8-K within four business days of determining an incident is material. Coinbase’s May filing noted “prior months” of unauthorised activity but did not specify the January alert.
Such inaction could be considered a textbook case of material non-compliance. The SEC may ask why the clock didn’t start in January.
Court filings describe a small criminal ring that paid support agents to photograph Coinbase’s screens with personal identifiers visible. By March, the scheme had widened, with stolen credentials sold on Telegram channels tied to “pig-butchering” crypto scams. On 11 May, the hackers, emboldened by their haul, emailed Coinbase demanding $20 million in exchange for deleting the data.
Coinbase refused, instead offering a $20 million bounty for information leading to arrests.
The breach comes as Coinbase and other crypto stakeholders wage a public campaign for lighter U.S. crypto rules. Rival exchanges Kraken and Gemini, which also use business-process outsourcing shops, will now rush to audit their own vendor controls, according to people familiar with those reviews.
For Coinbase, the incident threatens balance-sheet costs and its narrative as the most compliant brand in crypto. Trust is the only hard currency an exchange has. Losing it, even for four months, can be fatal.