Original: Inside the $400 million Coinbase breach: An Indian call center and teenage hackers (Fortune)
Authors: Ben Weiss, Jeff John Roberts
Translated by: Luffy, Foresight News

Coinbase co-founder and CEO Brian Armstrong speaking at an event in Bangalore, India in 2022
On May 15, 2025, Coinbase disclosed a theft of personal data from tens of thousands of customers, the largest security incident in the company's history, with estimated losses of up to $400 million. This data breach was notable not only for its scale but also for the hackers' method: bribing overseas customer service representatives to obtain confidential customer information.
Coinbase publicly stated it would pay a $20 million reward to informants who provide clues that help arrest and convict the criminals, but revealed little about the attackers' identities or hack details.
A recent investigation by Fortune magazine (including reviewing emails between Coinbase and a hacker) revealed new details, suggesting a loose network of young English-speaking hackers was partially responsible. Meanwhile, the investigation also highlighted that BPO (Business Process Outsourcing) units are a weak point in tech companies' security operations.
Inside Job: Outsourced Customer Service as an Entry Point
The story begins with TaskUs, a small public company in New Braunfels, Texas. Like other BPOs, the company provides customer service for large tech companies at low cost by employing overseas workers. According to the company spokesperson, in January this year, TaskUs fired 226 employees working for Coinbase from its service center in Indore, India.
According to documents submitted to the U.S. Securities and Exchange Commission, TaskUs has been providing customer service personnel for Coinbase since 2017, a partnership that has saved the American crypto giant significant labor costs. The problem is that when customers send emails inquiring about their accounts or Coinbase's new products, they are likely communicating with TaskUs employees overseas. Because these agents are paid less than domestic employees, they are more susceptible to bribery.
"Earlier this year, we discovered two individuals illegally accessing information of one of our customers," the TaskUs spokesperson told Fortune magazine, "We believe these two were part of a broader, organized criminal activity targeting Coinbase that also affected many other service providers for Coinbase."
According to Coinbase's regulatory filings, TaskUs fired employees in January, less than a month before Coinbase discovered the customer data theft (Note: Coinbase discovered the data breach in December 2024). On Tuesday, a federal class action lawsuit was filed in New York on behalf of Coinbase customers, accusing TaskUs of negligence in protecting customer data. "While we cannot comment on the lawsuit, we believe these allegations are unfounded, and we will defend ourselves," the TaskUs spokesperson said, "We prioritize customer data protection and will continue to strengthen our global security protocols and training programs."
A source familiar with the security incident said hackers also successfully attacked some other BPO companies, with the nature of stolen data varying in each incident.
The stolen data was insufficient to break into Coinbase's crypto vault, but it gave criminals rich information with which to pose as Coinbase customer support, contact customers, and persuade them to hand over crypto assets. The company stated that hackers stole data from over 69,000 customers but did not specify how many became victims of the so-called "social engineering scam." In this case, the social engineering scam involved criminals using stolen data to pose as Coinbase employees and convince victims to transfer their crypto assets.
Coinbase said in a statement: "As we have disclosed, we recently discovered a threat actor requesting customer account information from overseas customer support, traceable to December 2024. We have notified affected users and regulators, cut ties with the involved TaskUs personnel and other overseas customer support, and enhanced controls." The statement added that the company is compensating customers who lost funds in the fraud.
Impersonation social engineering scams are not new, but the scale of hacker attacks on BPO companies is rare. While no one has definitively identified the perpetrators, some clues strongly point to a loose organization of young English-speaking hackers.
Teenage Hacker Group: "They Come from Video Games"
In the days following the Coinbase data breach disclosure in mid-May, Fortune magazine communicated on Telegram with a man calling himself "puffy party" who claimed to be one of the hackers.
Two other security researchers who had spoken with this anonymous hacker told Fortune magazine that they found him credible. One of them said: "Based on what he shared with me, I carefully examined his statements and could not find evidence to prove his statements were false." Both researchers requested anonymity because they feared being subpoenaed for talking to the alleged hacker.
In the communication, the man shared many screenshots, claiming they were email exchanges with the Coinbase security team. The name he used when communicating with Coinbase was "Lennard Schroeder". He also shared a screenshot of an account belonging to a former Coinbase executive, which showed crypto transactions and extensive personal details.
Coinbase did not deny the authenticity of these screenshots.
The emails shared by the self-proclaimed hacker included a demand for a $20 million ransom in Bitcoin (which Coinbase refused to pay), and mocking comments about a hacker group sponsoring a hair transplant for the company's bald CEO Brian Armstrong. "We are willing to sponsor a hair transplant so he can travel the world stylishly," the hacker wrote.
In Telegram messages, this person (whom Fortune learned of through a security researcher) expressed contempt for Coinbase.
While many cryptocurrency robberies are carried out by Russian criminal groups or the North Korean military, this hack was allegedly carried out by a loose alliance of teenagers and people in their 20s known as "Comm" or "Com".
Over the past two years, reports about the Comm group have appeared in media coverage of other hacking incidents, including a New York Times report earlier this month in which a suspect in a series of cryptocurrency thefts claimed to be a member of the organization. According to the Wall Street Journal, in 2023, investigators determined that hackers from this organization attacked several online casinos in Las Vegas and attempted to extort $30 million from MGM Resorts.
Unlike Russian and North Korean crypto hackers who typically only pursue money, Comm group members often seek attention and the thrill of mischief. They sometimes collaborate on hacks but also compete to see who can steal more.
"They come from video games, and then bring high scores into the real world," said Josh Cooper-Duckett, investigation director at Cryptoforensic Investigators, "In this world, their score is how much money they've stolen."
In Telegram messages, the alleged hacker stated that Comm members specialize in different stages of robbery. His team bribes customer service and collects customer data, then passes the data to others outside the team who are skilled in social engineering scams. They added that different Comm affiliate groups coordinate the different parts of their actions on social platforms like Telegram and Discord, and distribute the stolen goods.
Sergio Garcia, founder of crypto investigation company Tracelon, told Fortune magazine that the hacker's description of the Coinbase attack matches his observations of the Comm group's operations and other crypto social engineering scams. Insiders said that those recently attacking customers in social engineering scams spoke very authentic North American English.
According to a source familiar with BPO employee wages, TaskUs employees in India earn between $500 and $700 per month. TaskUs declined to comment. Garcia told Fortune magazine that while this figure is above India's per capita GDP, customer service agents' low wages often make them more susceptible to bribes. "Clearly, this is the weakest link in the chain because they have economic motivation to accept bribes," he added.