Scammer Poses As Coinbase Support And Drains $4 Million From Users’ Wallets
Victims of a sophisticated phone-based scam lost over $4 million in crypto after being tricked into handing over access to their wallets—under the belief they were speaking to Coinbase support staff.
The man behind the con, identified by blockchain investigator ZachXBT as Christian Nieves from New York, allegedly ran a small-scale call centre with a team posing as official exchange representatives.
Fake Calls And Stolen Wallets Behind The $4M Heist
The scam followed a simple but effective tactic.
Users received unsolicited phone calls warning them of “suspicious activity” on their Coinbase accounts.
The callers, acting calm and professional, claimed to be from Coinbase’s security team and walked victims through setting up a new “secure” wallet.
In reality, this wallet was already compromised—built on a seed phrase generated and held by the scammers.
Everything appeared legitimate.
Victims were guided step-by-step over Discord or the phone, unknowingly transferring their funds directly into wallets controlled by the fraudsters.
Because the transactions were approved by users themselves, Coinbase’s internal systems flagged nothing unusual.
More than 30 users fell victim to the same tactic.
One call, which was recorded, showed an elderly man losing $240,000 while trying to “secure” his Bitcoin, convinced he was speaking to a genuine Coinbase staffer.
No Malware, Just A Well-Rehearsed Script
ZachXBT described the operation as social engineering over software.
The scam didn’t rely on malware or code injection but instead used simple manipulation and pre-written phrases delivered over the phone.
Once a wallet was drained, the funds were rapidly moved through multiple addresses and eventually sent to online gambling platforms or privacy coins like Monero.
Because the thefts were authorised by users and occurred outside of any platform breach, Coinbase systems were never directly compromised.
However, the lack of real-time fraud detection or transaction delays made it easier for scammers to get away before victims realised what had happened.
How Blockchain Traces Led To A Real Name
Christian Nieves, who operated online under the aliases “Daytwo” and “PawsOnHips,” made little effort to hide.
According to ZachXBT, the scammer broadcasted himself openly on Discord, showed his face during support calls, and shared images of luxury items on social media that were allegedly purchased using stolen funds.
The blockchain analysis tied one deposit address on crypto casino Roobet, using the same “pawsonhips” handle, to over 30 related thefts.
ZachXBT wrote,
"Daytwo has a gambling problem and you’ll see onchain how casino deposits get smaller as he loses funds. Recently this escalated to the point where he started stealing cuts from accomplices.”
Stolen Funds Went Straight Into Casino Bets
Instead of hiding the funds, Nieves reportedly gambled away most of the stolen money on Roobet, using an account with the same alias linked to the scam.
The transactions were visible on-chain, making it possible for investigators to trace nearly every step.
According to ZachXBT, Nieves and his associates often discussed the scam openly in group chats while placing large bets using the stolen crypto.
The transparency of blockchain, combined with repeated use of the same online handles, helped tie digital evidence directly to a real-world identity.
Coinbase Responds With Security Upgrades And Bounty Programme
Following a rise in phishing scams targeting users, Coinbase has introduced new security measures.
These include enhanced user education about scams, stricter ID verification for large withdrawals, and the promotion of address allowlisting and delayed approval settings.
In a separate but related move, the exchange has pledged reimbursements to victims of a previous insider data breach in May 2025.
A $20 million bounty has also been offered for information leading to the arrest of those involved in that case.
As of now, Nieves and his known associates have not been formally charged, but ZachXBT believes the case should be “rather easy” for authorities to pursue, given the volume of evidence left behind on the blockchain.
Catherine
Kikyo
Alex