ZachXBT Traces Portion of $6.5 Million Stolen from Coinbase Client

In October, a client of the cryptocurrency exchange Coinbase in the United States fell victim to a scammer who used social engineering to steal $6.5 million. On-chain detective ZachXBT assisted the victim in tracing part of the assets.

1/ An investigation into the social engineering scammer Ronaldd (Ronald Spektor) who allegedly helped steal $6.5M last month from a single victim by impersonating Coinbase support. pic.twitter.com/8kmLR5Y3cv

— ZachXBT (@zachxbt) November 20, 2024

A hacker using the alias Ronaldd (Ronald Spektor) impersonated Coinbase support over the phone and tricked the user into visiting a phishing site.

After gaining access to the victim’s assets, the perpetrator exchanged them for Bitcoin and Ethereum. He then converted everything into Litecoin and distributed it across numerous services.

3/ An initial tracing of the theft saw all of the stolen funds flow to eXch on Ethereum and Bitcoin where funds were converted to Litecoin and transferred to numerous services. pic.twitter.com/4UQRODtW76

— ZachXBT (@zachxbt) November 20, 2024

“A few days after the theft, Ronald began showcasing his Ledger Live via Discord, revealing that he received $3.1 million on October 8, 2024,” said ZachXBT.

During the investigation, the detective discovered the hacker’s now-deleted Telegram channel, which contained screenshots of a wallet involved in the movement of the stolen funds.

The wallet linked to the account was funded from several exchanges.

6/ When reviewing the TON address which owns Ronald’s Telegram number you can see it was funded from multiple exchanges.

You can perform a timing analysis to trace through the exchange and find the funding address.

That address is tied to multiple other Coinbase withdrawals… pic.twitter.com/g8UvG3q7HR

— ZachXBT (@zachxbt) November 20, 2024

“This address is linked to several other Coinbase withdrawals, indicating a larger number of potential phishing victims,” the researcher added.

Thanks to numerous data leaks, ZachXBT identified the perpetrator’s email, IP address in New York, and his alleged name.

The story did not progress further as the victim deleted the X-account used to communicate with the detective. It also remains unclear whether Ronald had accomplices or where the remaining $3.4 million of the stolen funds went.

According to ZachXBT’s estimates, over the past year, users of the Bitcoin exchange Coinbase have lost between $100 million and $150 million due to phishing and social engineering scams.