ZachXBT Exposes $45M Coinbase Drain—Week’s Second Major Crypto Heist

Published: 2025-05-07 18:15:46

Another week, another nine-figure crypto bloodbath. Blockchain sleuth ZachXBT just flagged $45M siphoned from Coinbase users—because apparently ‘not your keys, not your coins’ applies even on regulated exchanges.

Security theater crumbles: The exploit follows last week’s $90M breach, proving institutional custody solutions might be just as fallible as that shady DeFi protocol you’re too embarrassed to admit you used.

Wall Street’s favorite ‘safe’ exchange now sports more holes than a yield-farming Ponzi. But hey—at least the hackers are sticking to tradition while institutions play catch-up.

ZachXBT discovers another $45M drained from Coinbase users in the past week

ZachXBT discovered ten new addresses that moved BTC, ETH, and DAI, sending the funds to THORChain or mixers. | Source: ZachXBT Telegram

On the Ethereum addresses, the exploiters received ETH and DAI funds, immediately emptying the destination wallet. In similar scams, the attackers used anonymous DEX and DeFi services, as well as coin mixers.

Previous investigations link the scams to spoofed verification messages. Targets were called personally by Coinbase Support impersonators, who then used a spoofed site and copied email templates to convince users to send all funds to a new address. This also explains the transaction pattern, which emptied entire accounts in one large transfer.

Coinbase users suffer significant losses from personal scams

ZachXBT reported a nine-figure loss from scams targeting Coinbase customers. Most of the outflows were not flagged, as they were signed and sent by users in bulk, even without a test transaction. 

Data from previous months showed that scammers have been busy with Coinbase customers. In March, ZachXBT noted $46M in outflows, and as much as $65M in December 2024 and January 2025. 

None of the destination addresses were flagged by Coinbase security tools.

In total, ZachXBT estimates the size of scams at $300M on a yearly basis. Other exchanges have not shown similar withdrawals. One of the reasons pointed out by the investigator is that Coinbase panels are sold through Telegram, allowing multiple scammers to impersonate the exchange. No such panels and toolsets are available for other markets.

ZachXBT received some of the addresses in calls for investigation. The on-chain investigator also noted that some Coinbase users report directly to authorities. Scammers can create new wallets almost constantly, but the old wallets are still not blacklisted by Coinbase. 

The outflows follow a period where Coinbase was extremely strict with suspicious activity from user accounts, often leading to freezes based on minor suspicions. However, there are no mitigation tools for sending funds to possible scammers. ZachXBT has urged more account protections and community outreach to warn against social engineering techniques.
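
The pattern described above (a whole account emptied in one transfer, no test transaction, destinations that stay unflagged after being reported) can be checked before a withdrawal is released. This is an added example, not Coinbase's or ZachXBT's tooling; the thresholds, field names and addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Thresholds are assumptions for illustration, not values from the article.
DRAIN_RATIO = 0.90     # share of account value leaving in one transfer
TEST_TX_RATIO = 0.05   # a prior send this small (relative to the new one) counts as a test

@dataclass(frozen=True)
class Withdrawal:
    account: str
    dest: str
    amount_usd: float
    balance_usd: float   # account value just before the send

def evaluate(w, history, reported):
    """Return (action, reasons); action is 'block', 'hold' or 'allow'."""
    reasons = []
    if w.dest in reported:
        reasons.append("destination already reported as a scam address")
    drains = w.balance_usd > 0 and w.amount_usd / w.balance_usd >= DRAIN_RATIO
    tested = any(h.account == w.account and h.dest == w.dest
                 and h.amount_usd <= TEST_TX_RATIO * w.amount_usd for h in history)
    if drains and not tested:
        reasons.append("whole balance to an address with no earlier test transaction")
    if w.dest in reported:
        return "block", reasons
    return ("hold" if reasons else "allow"), reasons

def run(queue, reported):
    """Evaluate withdrawals in order; only allowed ones enter the history."""
    history, decisions = [], []
    for w in queue:
        action, _ = evaluate(w, history, reported)
        decisions.append(action)
        if action == "allow":
            history.append(w)
    return decisions

# Constructed sample data: addresses and amounts are placeholders, not real indicators.
REPORTED = {"addr_reported_1"}
QUEUE = [
    Withdrawal("alice", "addr_new_1", 250_000, 251_000),   # full drain, no test -> hold
    Withdrawal("bob", "addr_own_hw", 50, 40_000),          # small test send -> allow
    Withdrawal("bob", "addr_own_hw", 39_900, 39_950),      # drain after a test -> allow
    Withdrawal("carol", "addr_reported_1", 100, 9_000),    # reported destination -> block
]

if __name__ == "__main__":
    for w, action in zip(QUEUE, run(QUEUE, REPORTED)):
        print(f"{w.account:6} -> {w.dest:16} {action}")
```

A "hold" here stands for a cooling-off delay plus out-of-band confirmation rather than a freeze, so legitimate moves to self-custody still go through once confirmed.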

Coinbase hosts a higher percentage of US-based traders, who are often targeted in ‘pig butchering’ scams. The discovery arrives after a recent event, where scammers convinced a BTC holder to transfer their entire wallet of 3,520 BTC. 

Targeting US-based investors taps into a pool of wallets with an average value of just $300, but with the chance to scam large-scale retail owners. US-based wallets hold an estimated $8B of total retail crypto wealth.

The transactions from personal accounts were then sent to THORChain, swapped into Ethereum-based assets and mixed. Decentralized anonymous swaps serve to hide the origin of the funds. Some of the coins were swapped for DAI, a stablecoin that can also be easily mixed with Tornado Cash.
