In May, Coinbase revealed that hackers had made off with the personal data of thousands of clients, which criminals used to trick customers into handing over their crypto. While the hack, which Coinbase says will cost it up to $400 million, stems from rogue employees at an outsourcing firm in India, the U.S.’s largest crypto exchange has offered few details about who specifically was responsible. Now, a new court filing provides a closer look at one suspect and how she helped carry out the breach, which is the worst in Coinbase history.
According to an amended complaint filed Tuesday by the class-action law firm Greenbaum Olbrantz, the hack is connected to Ashita Mishra, an employee of TaskUs, a publicly traded firm based in Texas that outsources customer service support for large tech companies to cheap labor markets. Mishra worked at a TaskUs service center in Indore, India.
In September 2024, she began stealing confidential customer data, including Social Security numbers and bank account information, alleges the lawsuit. Mishra agreed to sell the information to the hackers, who used it to impersonate Coinbase employees and lure victims into giving away their crypto.
From September through January, Mishra and another accomplice recruited other TaskUs employees to steal customer information in a “sophisticated hub-and-spoke conspiracy that funneled Coinbase customer data from TaskUs computers to criminals,” the putative class-action claim states. Even team leaders and operation managers were complicit, the complaint alleges, citing a former TaskUs employee.
When TaskUs eventually got wise to the breach, Mishra’s phone contained data for more than 10,000 Coinbase customers. She and others who were part of the conspiracy were paid $200 a picture, according to the complaint. Sometimes, Mishra took as many as 200 photos of Coinbase customer accounts a day. More than 69,000 customers were impacted, Coinbase said in regulatory filings.
The masterminds behind the bribery scheme appear to be teenagers and twenty-somethings who are part of a loose collective of criminal hackers called “the Comm,” Fortune previously reported.
The allegation that the data thefts began in September 2024 is significant since Coinbase has previously stated that the date the breach occurred was in late December.
In an other notable development, TaskUs alleged this month that Coinbase employees, not just outside vendors, were involved in the hack, but the outsourcer did not elaborate further.
Coinbase and TaskUs did not immediately respond to requests for comment on the amended complaint. Fortune was not able to immediately find contact information for Ashita Mishra.
“We place the highest priority on safeguarding the data of our clients and their customers and continue to strengthen our global security protocols and training programs,” a TaskUs spokesperson previously told Fortune.
“We notified affected users and regulators, cut ties with the TaskUs personnel involved and other overseas agents, and tightened controls,” said a Coinbase spokesperson in a previous statement about the hack.
‘Pattern of concealment’
The narrative outlined in the complaint is the most detailed account yet of one of the biggest crypto hacks of the year and the largest breach that Coinbase has disclosed in its more-than-decade-long history.
Other plaintiffs’ lawyers have sued the crypto exchange for the hack. Coinbase has pushed for these lawsuits to enter arbitration, which is a process that has historically helped companies mitigate both financial damages and adverse publicity.
This likely explains in part why the class-action firm chose to sue the Coinbase outsourcer, TaskUs, rather than go after the crypto firm directly.
As part of its complaint, the law firm alleges that TaskUs “took steps to silence those with knowledge of the breach.” In January, the outsourcer fired 226 staff members working in Indore, Fortune previously reported. The company took the extreme measure because the conspiracy had “so pervasively infiltrated TaskUs’ systems that TaskUs could not identify all of the individuals involved,” alleges the complaint, citing a former employee at the outsourcer.
And, on Feb. 10, TaskUs decided to fire the human resource team it had assembled to investigate the breach, in what the lawsuit claimed was a “a pattern of concealment.”
The new court filing from Greenbaum Olbrantz amends an earlier complaint filed in May, about two weeks after Coinbase disclosed the hack. The firm has previously brought high-profile litigation, including a lawsuit that alleges airlines sold customers window seats, only to seat them next to windowless walls.
Coinbase has tried to include the lawsuit in a consolidation of all hack-related complaints against the crypto exchange. TaskUs has moved to both dismiss the lawsuit and block the case’s inclusion into the larger consolidated complaint.
“Our amended complaint provides an unprecedented accounting of how this data breach unfolded and we will continue to work towards holding all responsible parties accountable,” Carter Greenbaum, cofounder of Greenbaum Olbrantz, said in a statement.
