In Brief
- Hyderabad (India) police arrested a former Coinbase customer service agent in connection with the exchange’s customer-data breach that Coinbase disclosed earlier in 2025.
- The attackers later demanded $20 million to keep the stolen data from being released; Coinbase refused to pay and announced a $20 million reward for information leading to arrests/ convictions tied to the attack.
Indian authorities have arrested a former Coinbase customer service agent in Hyderabad, deepening an international investigation into a customer-data breach that the largest US crypto exchange disclosed earlier this year.
Brian Armstrong, Coinbase’s chief executive officer, confirmed the arrest in a post on X, thanking local police and hoping more enforcement actions could follow. “We have zero tolerance for bad behavior and will continue to work with law enforcement to bring bad actors to justice,” Armstrong wrote. “Another one down and more still to come.”
The arrest is linked to the incident Coinbase revealed in May, when the company said attackers bribed and recruited overseas support agents to obtain customer information and then attempted to extort the exchange for $20 million to keep the stolen data from being released publicly. Coinbase rejected the demand and instead set up a $20 million reward fund for information leading to arrests and convictions.
Breach began months before disclosure
Coinbase earlier said the compromise began in late 2024, when criminals targeted customer-support operations outside the US and persuaded a “small group of insiders” to abuse access to support tools. The company said the incident affected “less than 1%” of its monthly transacting users.
The data accessed included customers’ names, addresses, phone numbers and email addresses, plus masked identifiers such as the last four digits of Social Security numbers and certain bank-account information, according to Coinbase’s own account. It also included government-ID images such as driver’s licenses or passports in some cases, and account-related information like balance snapshots and transaction history.
Coinbase said attackers did not obtain passwords, two-factor authentication codes, private keys, or any ability to directly move customer funds, and that Coinbase Prime accounts were not affected.
The company has framed the breach as primarily enabling social-engineering fraud — scammers impersonating Coinbase support to trick customers into transferring crypto. Coinbase pledged to reimburse customers who were deceived into sending funds to attackers.
Outsourcing and insider-risk scrutiny
The Hyderabad arrest also brings attention to the role of third-party support operations — a sensitive area for financial and crypto platforms that rely on large outsourced workforces for customer service and compliance support.
Reuters reported in June that Coinbase had been alerted as early as January to a customer-data leak at an outsourcing firm connected to the broader breach, citing people familiar with the matter. The report described an incident involving an employee at TaskUs in India who was allegedly caught photographing data on a work computer with a personal phone, and said Coinbase was notified immediately.
Coinbase’s May disclosure did not publicly name specific vendors or locations, but said the insiders were “overseas support agents” who abused legitimate access to support systems.
Potential costs and ongoing investigation
Coinbase previously estimated the breach could cost as much as $400 million to address, factoring in remediation and customer reimbursements. In a SEC filing, Coinbase put potential expenses in a range of $180 million to $400 million.
In a blog post, Coinbase said it had terminated personnel involved, reinforced controls, and was cooperating with law enforcement. The company’s decision to refuse the ransom demand and offer a reward was positioned as an effort to avoid incentivizing future extortion attempts.
Hyderabad arrest comes months after the company said hackers bribed contractors or employees outside the US to obtain sensitive customer data. Armstrong’s post suggests investigators are still pursuing additional suspects.
More Like This on BlockFirms
Disclaimer: This article is for informational purposes only and does not constitute investment advice.
AI Disclaimer: Parts of this article were drafted with the assistance of AI tools and subsequently reviewed, edited, and verified by the author and our editorial team to ensure accuracy and journalistic integrity. The final version reflects human editorial judgment and fact-checking.
