According to blockchain investigator ZachXBT, the threat actor behind the Coinbase customer data breach resurfaced on October 2nd, moving fresh capital across stablecoin rails before bridging the funds within minutes.
He reported that around 5 million DAI was swapped for a comparable amount of USDC, which sat for only about 35 minutes before being bridged.
This was not the first time the actor had signalled activity on-chain. On May 21, the same wallet cluster transferred more than $42.5 million from Bitcoin to Ethereum via Socaine. On that occasion, the hacker left a message trolling ZachXBT.

Latest Movement by Coinbase Threat Actors | Source: Debank
The $300 million breach
Coinbase disclosed on May 15 that a data breach had occurred, affecting less than 1% of its monthly active users, according to the exchange.
A group of overseas support agents with privileged access was paid and recruited by external actors.
These insiders exposed customer names, contact details, identification and partially masked financial data.
Coinbase emphasized that its core infrastructure, including authentication secrets, private keys and prime wallets, remained uncompromised, and it committed to compensating affected users.
CEO Brian Armstrong said the attacker attempted to extort $20 million in Bitcoin.
However, the company refused the ransom and instead announced a $20 million reward fund for information leading to arrests and convictions.

Coinbase response to data breach and theft | Source: X
The U.S. Department of Justice will soon begin an investigation, and Coinbase’s preliminary estimates for remediation and reimbursements range from $180 million to $400 million.
The insider-enabled data trove has become raw material for industrial-grade social engineering. Qiao Wang of Alliance DAO described the highly scripted playbook.
Scammers posing as Coinbase staff captured assets by flagging accounts as “compromised”, manipulating targets into “verifying”, and supplying pre-generated seed phrases for a supposedly secure wallet.
The fraud fused urgency, credibility cues drawn from stolen personal data, and technical theater to extract custody of the assets.
Meanwhile, market voices such as Wintermute’s Evgeny Gaevoy argued that a rigid KYC/AML framework can paradoxically increase ordinary users’ exposure by centralizing sensitive data that can be leaked.
Normalized Theft
The October 2nd transfer again exposed how compliant, allowlisted infrastructure can be used in a getaway.
ZachXBT said some of the funds passed through Circle’s official CCTP, a legitimate bridge that burns USDC on one chain and mints it on another.
This matters because it turns bridging into an issuance workflow rather than an asset swap, which can complicate freezing and recovery options if controls are not triggered quickly.
ZachXBT recently commented on how the crypto industry relies on government agencies. He said:
“For an industry established on the principle of independence from government, it is embarrassing how dependent they are on them to find solutions for the victims.
No other industry has normalized theft to the same extent.” In his statement, the investigator highlighted “major issues” that have no solution and continue to get worse.
Among the issues listed, he questioned what happens when the majority of law enforcement agents can’t track funds on-chain.
He further questioned the presence of jurisdictional barriers and the lack of litigation from the stablecoin issuer when funds were quickly frozen.
Viewed narrowly, the latest move by the Coinbase threat actor is a status update: the hackers are still active, opportunistic, and confident of outrunning asset-level controls.
Viewed broadly, it is a “full stack” stress test of exchanges’ internal access controls, customer support vendor management, data processing hygiene, law enforcement speed, and the responsiveness of stablecoin issuers and bridges when red flags are triggered.