Coinbase data breach victims mull legal strategy

As more details about Coinbase’s recent data breach emerge, victims are divided on legal strategy.

In May, Coinbase revealed that personal information, including government ID images and partial social security numbers, from more than 69,000 users had been stolen. Attorneys representing victims allege in court filings that Coinbase and a third party discovered the hack in January, but waited until May to alert customers and regulators.

In a regulatory filing, Coinbase asserted that it learned about the data breach in May 2025 when a hacker demanded a $20 million ransom payment from the exchange. The breach itself took place in December 2024, Coinbase said in the filing.

The incident spurred numerous lawsuits against Coinbase. Most cases have been pushed into arbitration, likely due to a clause in the exchange’s user agreement. Coinbase updated its terms in March.

After the breach was revealed, class action law firm Greenbaum Olbrantz filed suit against TaskUs, a third-party service Coinbase used for customer support services. In an amended complaint filed last week, attorneys say they have identified a suspect in the hack and found a cooperating whistleblower.

The suspect is former TaskUs employee Ashita Mishra, the complaint alleges. Mishra started stealing and selling confidential customer information to hackers in September 2024. Other TaskUs employees were recruited into the bribery scheme, which continued until January 2025, per the complaint.

Newsletter

Subscribe to The Breakdown

Victims pursuing legal action against Coinbase and TaskUs are now divided on how to proceed.

One group wants a single, consolidated complaint against Coinbase and TaskUs, effectively combining suits against the two companies. The group proposes having 15 law firms, including Scott Kantrowitz Arnold, coordinate on the case and lead the strategy.

Greenbaum Olbrantz, along with two other firms, disagree. Naming Coinbase as a co-defendant in the case all but guarantees the exchange will file a motion to compel arbitration. Arbitration, which happens privately, generally offers companies a less-public and less-expensive way to settle legal disputes.

If Coinbase were to succeed in this motion, the cases would be forced into individual arbitration, making the process lengthier and more expensive for victims. On the other hand, if the motion were to be denied, Coinbase could appeal, which could trigger an automatic stay in all proceedings. It’s a lose-lose, Greenbaum argues.

The group led by Scott Kantrowitz Arnold argues that a motion for arbitration wouldn’t be an issue. They have the experience necessary to navigate arbitration clauses in user agreements, attorneys wrote in a Sept. 11 court filing.

The Greenbaum team maintains that focusing on TaskUs, where they say the criminal conspiracy took place, is the right course of action. They plan to coordinate with those pursuing arbitration against Coinbase while keeping the cases themselves separate, the team noted in Thursday’s filing.

Greenbaum’s amended complaint notes that this is not the first time TaskUs has been involved in a customer data breach.

In a 2022 class action lawsuit relating to a Ledger data breach, plaintiffs made similar allegations against TaskUs, claiming that employees stole customer data. The suit, filed against Shopify and TaskUs, settled in 2025 for an undisclosed amount.

The judge will now decide which team and strategy is in the best interest of the class.

In May, Coinbase said it would reimburse customers who were tricked into sending funds to the hackers. The exchange also set up a $20 million reward fund for information on the hackers. The incident will cost Coinbase up to $400 million, the exchange said.

TaskUs has three weeks to respond to the amended complaint.

Coinbase did not immediately respond to Blockworks’ request for comment.

Get the news in your inbox. Explore Blockworks newsletters:

The Breakdown: Decoding crypto and the markets. Daily.
0xResearch: Alpha in your inbox. Think like an analyst.