Coinbase CEO Brian Armstrong says Hyderabad Police have arrested a former overseas customer-service agent in India in connection with the exchange’s May 2025 data extortion attack, the insider-driven breach that forced Coinbase to book up to $400 million in remediation costs. Armstrong disclosed the arrest on X and Bloomberg relayed the comments on Friday, while Coinbase stock slipped about 1.2% to $236.79 on the day.
Armstrong thanks Hyderabad Police as insiders face charges
Armstrong announced the development in an X post, thanking Hyderabad Police for the arrest of what he called an “ex-Coinbase customer service agent” and promising more actions against collaborators. NDTV Profit and Investing.com, both citing Bloomberg, reported that Coinbase later confirmed the arrest and tied it to the investigation into the May extortion scheme.
“We have zero tolerance for bad behavior and will continue to work with law enforcement to bring bad actors to justice. Thanks to the Hyderabad Police in India, an ex-Coinbase customer service agent was just arrested. Another one down and more still to come.”
Armstrong did not name the suspect or specify charges. Hyderabad Police have not yet published a detailed public statement linking the arrest to a particular case, and court filings in India have not surfaced in public databases at press time. For now, the only on-record description of the arrest comes from Armstrong’s X post and a Coinbase spokesperson’s confirmation reported by NDTV Profit and Bloomberg.
Macro crypto markets barely reacted. Bitcoin traded around $87,200 on Friday afternoon in New York, down roughly 1.1% on the day, while the move in COIN stayed contained to single digits.
Inside the May extortion attack
Coinbase first detailed the scheme in a May 15 company blog post, “Protecting Our Customers – Standing Up to Extortionists”. The exchange said cybercriminals bribed a “small group” of overseas support agents to pull data from internal customer-service tools for less than 1% of monthly transacting users. The attackers then used that data to run social-engineering scams and tried to extort Coinbase for $20 million to keep the breach quiet.
According to Coinbase’s own breakdown, insiders copied names, addresses, phone numbers, email addresses, masked Social Security digits, masked bank-account numbers, government-ID images and balance snapshots. The company stressed that insiders did not obtain passwords, two-factor codes, private keys, hot or cold wallet access, or any access to Coinbase Prime accounts. Instead, the risk sat squarely in highly tailored phishing and impersonation attempts aimed at retail users.
In an accompanying SEC filing and in coverage from Reuters and Bloomberg, Coinbase told investors it expected remediation and voluntary reimbursements to cost between $180 million and $400 million, making the incident one of the most expensive insider-enabled attacks ever disclosed by a listed crypto company. Coinbase refused the $20 million ransom and created a matching $20 million bounty for information that helps investigators identify and convict the attackers.
India outsourcing, TaskUs fallout and the insider trail
From the outset, Coinbase pointed to India-based support operations as the weak link. In the May blog, the company said criminals “targeted our customer support agents overseas” and used cash offers to convince insiders to pull data. A few days later, Coinbase’s chief security officer Philip Martin told Fortune that all compromised agents worked in India and that Coinbase had fired them, cut ties with the vendor involved and tightened controls on overseas support.
Subsequent reporting and litigation drew a straighter line. A class-action complaint in U.S. federal court and coverage in outlets such as Times of India and Infosecurity Magazine alleged that employees at a TaskUs customer-service center in Indore, India, photographed Coinbase account screens and sold them into a broader criminal network that fed the extortion plot and downstream impersonation scams. Those filings describe thousands of account images and a “hub-and-spoke” conspiracy inside the vendor’s India operations. TaskUs has denied liability and says it terminated the individuals it identified and self-reported to Coinbase.
Coinbase’s own May disclosure said it had already terminated the insiders, warned affected users, strengthened fraud monitoring, and referred the case to both U.S. and international law enforcement. Today’s acknowledgement of an arrest in Hyderabad shows at least part of that referral trail now looping back into concrete action on the ground in India.
Coordinated enforcement around social-engineering scams
The India arrest lands less than ten days after Coinbase highlighted a separate case with New York prosecutors. In a December 19 blog post, “Working with the Brooklyn DA to support victims and help bring an alleged scammer to justice”, Coinbase described how the Brooklyn District Attorney’s Office charged a local man who allegedly impersonated Coinbase support, convinced victims their accounts were at risk and drained nearly $16 million from about 100 users.
That Brooklyn case did not rely on the May insider breach, and prosecutors there said they saw no evidence of a Coinbase security failure. Instead, the indictment framed the scam as a pure social-engineering play that abused trust in Coinbase branding and user anxiety around security.
Put together, Coinbase now points to two concrete law-enforcement moves tied to its broader fraud fight. Prosecutors in Brooklyn are pursuing an alleged front-end scammer who tricked users into handing over funds. Hyderabad Police, according to Armstrong, have started to move on the back-end insider network that made the May extortion threat possible in the first place.
For traders and institutions, the arrest does not change the core technical takeaway from May. The extortion crew never touched Coinbase’s wallets or key material. The real risk sat in off-platform communication channels and in the human layer around outsourced support. The arrest does signal that the $20 million bounty and Coinbase’s push for cross-border cooperation are beginning to generate tangible arrests, not just blog posts.
