A recent investigation by Fortune, including a review of email messages between Coinbase and one of the hackers, has uncovered new details about the incident that strongly suggest a loose network of young English-speaking hackers are partly responsible. Meanwhile, the findings also highlight the role of so-called BPOs, or business process outsourcing units, as a weak link in tech firms’ security operations.
The story starts with a small but publicly traded company based in New Braunfels, Texas, called TaskUs. Like other BPOs, it provides customer services to big tech at a low cost by employing staff overseas. In January, TaskUs laid off 226 staff members working for Coinbase from its service center in Indore, India, according to a company spokesperson.
“Early this year we identified two individuals who illegally accessed information from one of our clients,” a TaskUs spokesperson told Fortune, in reference to Coinbase. “We believe these two individuals were recruited by a much broader, coordinated criminal campaign against this client that also impacted a number of other providers servicing this client.”
A person familiar with the security incident, who asked not to be identified in order to speak candidly, said the hackers had also targeted other BPOs, in some cases successfully, and that the nature of the data stolen varied according to each incident.
This stolen data was not enough for the hackers to break into Coinbase’s crypto vaults. But it did provide a wealth of information to help criminals pose as fake Coinbase agents, who contacted customers and persuaded them to hand over their crypto funds. The company says the hackers stole the data of over 69,000 customers, but did not say how many of these had been victims of so-called social engineering scams.
The social engineering scams in this case involved criminals who used the stolen data to impersonate Coinbase employees and persuade victims to transfer their crypto funds.
“As we’ve already disclosed, we recently discovered that a threat actor had solicited overseas agents to capture customer account information dating back to December of 2024. We notified affected users and regulators, cut ties with the TaskUs personnel involved and other overseas agents, and tightened controls,” said Coinbase in a statement, adding it is reimbursing customers who lost funds in the scams.
While social engineering scams that revolve around impersonation of company representatives are hardly new, the scale at which hackers targeted BPOs does appear to be novel. And while no one has definitively identified the perpetrators, a number of clues point strongly to a loosely affiliated network of young English-speaking hackers.
In the days following the disclosure of the Coinbase breach in mid-May, Fortune exchanged messages on Telegram with an individual who called himself “puffy party” and who claims to be one of the hackers.
Two other security researchers who spoke with the anonymous hacker told Fortune they found the individual to be credible. “Based on what he shared with me, I took his statements seriously and was unable to find evidence that his statements were false,” said one. Both researchers requested anonymity because they were afraid of receiving subpoenas for speaking with the purported hacker.
In the exchanges, the individual shared numerous screenshots of what they said were emails with Coinbase’s security team. The name they used to communicate with the company was “Lennard Schroeder.” They also shared screenshots of a Coinbase account belonging to a former executive of the company that displayed crypto transactions and extensive personal details.
Coinbase did not deny the authenticity of the screenshots.
The emails shared by the purported hacker include the blackmail threat for $20 million in Bitcoin, which Coinbase refused to pay, and mocking comments about how the hacking group would use some of the proceeds to purchase hair for Brian Armstrong, the company’s bald CEO. “We’re willing to sponsor a hair transplant so that he may graciously traverse the world with a fresh set of hair,” wrote the hackers.
In the Telegram messages, the person—whose existence Fortune learned of from a security researcher—expressed contempt for Coinbase.
Many crypto robberies are carried out by Russian criminal gangs or the North Korean military, but the alleged hacker says the job was pulled off by a loose affiliation of teenagers and 20-somethings alternatively called the “Comm” or “Com” —shorthand for the Community.
Unlike the Russian and North Korean crypto hackers, who are typically seeking only money, members of the Comm are often motivated by attention seeking or the thrill of mischief as well. They sometimes collaborate on hacking attacks but also compete with each other to see who can steal more.
“They come from video games, and then they bring their high scores into the real world,” said Josh Cooper-Duckett, director of investigations at Cryptoforensic Investigators. “And their high score in this world is how much money they steal.”
In the Telegram messages, the purported hacker said that members of the Comm specialize in different parts of a heist. The hacker’s team bribed the customer support agents and gathered the customer data, which they gave to others outside of their group who are well-versed in carrying out social engineering scams. They added that different Comm-affiliated groups coordinated on social platforms like Telegram and Discord about how to carry out different portions of the operation and agreed to split the proceeds.
Sergio Garcia, founder of the crypto investigations company Tracelon, told Fortune that the hacker’s description of the Coinbase exploit mirrors his observations of how the Comm operates and other crypto social engineering scams. The person familiar with the security incidents said those who targeted customers in recent social engineering scams spoke in unaccented North American English.
“Obviously that’s the weakest point in the chain, because there is an economic reason for them to accept the bribe,” he added.
