Coinbase Bracing for $400 Million Hit After Insider’s "Screen-Shot" Security Breach
In a nondescript office in Indore, India, Ashita Mishra spent her shifts at TaskUs capturing photos of her computer screen. One by one, she documented the private lives of Coinbase users, allegedly selling images of their passports and account balances to cybercriminals for roughly $200 a pop. This wasn't a sophisticated hack; it was a manual, daily grind that began in September 2024 and bypassed every high-tech defense in Coinbase’s arsenal.
By the time the scheme unraveled in January 2025, Mishra had reportedly compromised 69,461 customers. Newly unsealed court filings reveal that police found over 10,000 sensitive records on her personal device alone at the time of her arrest.
Beyond Basic Data: The Depth of the Theft
The breach didn't just leak emails or usernames. Because Mishra worked within the exchange’s support ecosystem, she had access to the full suite of "Know Your Customer" (KYC) documentation. The stolen cache includes residential addresses, dates of birth, and, most damagingly, clear photos of government-issued IDs like driver’s licenses and passports.
Armed with these documents and real-time transaction histories, the buyers of this data have launched a wave of targeted social engineering attacks. While the "keys to the vault"—passwords and seed phrases—remain secure on Coinbase’s servers, the attackers are using the stolen personal details to trick users into handing over their assets voluntarily.
The $20 Million Gamble
The aftermath of the theft took an aggressive turn when the perpetrators demanded a $20 million Bitcoin ransom to keep the data off the dark web. Coinbase didn't just refuse; they flipped the script. In a move that signals a shift in how Silicon Valley handles extortion, the exchange put that same $20 million into a reward fund for information leading to the arrest of the syndicate.
This "bounty over ransom" strategy is a calculated middle finger to the hackers, prioritizing long-term deterrence over short-term damage control. However, the defiance comes at a steep price.
A $400 Million Bill for 70,000 Victims
Coinbase is bracing for a massive financial hit. In a recent 8-K filing with the SEC, the company projected remediation and reimbursement costs between $180 million and $400 million.
The math here is staggering. At the high end, Coinbase is preparing to spend roughly $5,700 per victim. This isn't just for credit monitoring or legal fees; the figure suggests the company is prepared to swallow the cost of direct losses for users who were scammed as a result of the leak. It is a massive admission of liability and an attempt to maintain trust in a market where reputation is everything.
The Clean Room Myth
Coinbase has since cut ties with the specific support staff involved and handed their files to federal investigators. They are now urging customers to stay on high alert for "vishing" (voice phishing) and text scams, reiterating that the company will never call to request account transfers.
The real failure, however, lies in the physical environment of third-party outsourcing. For years, vendors like TaskUs have touted "clean room" policies where phones are banned and surveillance is constant. Mishra’s ability to photograph up to 200 screens a day for months suggests those policies were either non-existent or ignored in the Indore office. When a low-wage contractor can dismantle a multibillion-dollar security perimeter with a smartphone camera, the problem isn't the software—it's a fundamental breakdown in basic operational oversight.
