- Coinbase threat actors behind the May breach have become active again, transferring $5 million DAI.
- The hackers then swapped DAI to USDC using Circle’s CCTP bridge.
- The stolen funds sat in a USDC address for over 35 minutes, but Circle’s compliance norms failed to freeze it.
After five months, the May Coinbase exploit hacker has swiped $5 million of DAI stablecoins for USDC using Circle’s CCTP bridge.
The incident is linked to a breach in which Coinbase users had been tricked into sending funds to attackers after they gained access to personal information.
At the time, Coinbase had estimated that the losses could mount to $400 million.
88
-
Bitcoin
-
Ethereum
-
Tether
-
Litecoin
-
Bitcoin Cash
-
TRON
-
Binance Coin
-
XRP
-
Cardano
-
Binance USD
-
USD Coin
-
Polkadot
-
Shiba Inu
-
Basic Attention Token
-
Qtum
-
Ethereum Classic
-
Chainlink
-
Solana
-
Polygon Matic
-
Cosmos
-
Wrapped Bitcoin
-
PancakeSwap
-
The Sandbox
-
Storj
-
iExec RLC
-
Bancor
-
Uniswap
-
Enjin Coin
-
1inch Network
-
Chiliz
-
Aave
-
Synthetix
-
Maker
-
Compound
-
Theta Network
-
Celo
-
Curve DAO Token
-
Decentraland
-
JUST
-
Axie Infinity
-
Gala
-
Internet Computer
-
The Graph
-
Filecoin
-
dYdX
-
Mask Network
-
Lido DAO Token
-
Reserve Rights
-
Chromia
-
Ankr
-
Ocean Protocol
-
Adventure Gold
-
Origin Protocol
-
Celer Network
-
NKN
-
Bitget Token
-
Alchemix
-
Immutable
-
Ethereum Name Service
-
Avalanche
-
Zilliqa
-
JasmyCoin
-
Toncoin
-
Convex Finance
-
Spell Token
-
Holo
-
Render Token
-
SushiSwap
-
MetisDAO
-
Audius
-
Illuvium
-
ARPA Chain
-
Osmosis
-
Fantom
-
Neo
-
Arweave
-
Algorand
-
Kusama
-
XDC Network
-
APEcoin
-
MultiversX
-
THORChain
-
NEAR Protocol
-
Nexo
-
Amp
-
Livepeer
-
PAX Gold
-
TrueUSD
-
BitTorrent
-
Golem
-
FLUX
-
Helium
-
Dai
151
-
Bitcoin
-
Ethereum
-
Tether
-
Binance Coin
-
USD Coin
-
Solana
-
XRP
-
Dogecoin
-
Cardano
-
Toncoin
-
Shiba Inu
-
Avalanche
-
TRON
-
Chainlink
-
Polygon Matic
-
Polkadot
-
Wrapped Bitcoin
-
Litecoin
-
Dai
-
NEAR Protocol
-
Bitcoin Cash
-
Stellar
-
Cosmos
-
Filecoin
-
Ethereum Classic
-
Aptos
-
Hedera Hashgraph
-
Immutable
-
Optimism
-
Arbitrum
-
VeChain
-
The Sandbox
-
Decentraland
-
Axie Infinity
-
Injective Protocol
-
Render
-
The Graph
-
Maker
-
Aave
-
Chiliz
-
Helium
-
PAX Gold
-
Compound
-
Lido DAO Token
-
Sui
-
Conflux Network
-
Lido Staked ETH
-
OKB
-
Uniswap
-
Pepe
-
Ondo
-
Mantle
-
First Digital USD
-
XDC Network
-
Artificial Superintelligence Alliance
-
Jupiter
-
Quant
-
Worldcoin
-
Bonk
-
Tether Gold
-
JITO
-
JasmyCoin
-
Core
-
Floki Inu
-
Ethereum Name Service
-
SushiSwap
-
1inch Network
-
Tezos
-
Algorand
-
Flow
-
Trust Wallet Token
-
Curve DAO Token
-
MultiversX
-
Basic Attention Token
-
Enjin Coin
-
Ethena
-
Ethena Staked USDe
-
Audius
-
Alchemy Pay
-
Arkham
-
API3
-
Bounce Token
-
Altlayer
-
Aergo
-
Amp
-
Aevo
-
Ankr
-
Axelar
-
Alpaca Finance
-
Blur
-
Biconomy
-
Tranchess
-
Celer Network
-
Shentu
-
Civic
-
Convex Finance
-
Cartesi
-
Cyber
-
COTI
-
DIA
-
dYdX
-
ether.fi
-
FLUX
-
Ampleforth
-
Golem
-
Holo
-
IoTeX
-
Illuvium
-
JUST
-
Livepeer
-
Memecoin
-
Manta Network
-
Treasure
-
Mask Network
-
Origin Protocol
-
ORDI
-
Ontology
-
Phala Network
-
Pendle
-
Portal
-
Pyth Network
-
ConstitutionDAO
-
iExec RLC
-
Reserve Rights
-
Ravencoin
-
Storj
-
Status
-
Spell Token
-
Sun (New)
-
SuperVerse
-
Tellor
-
LayerZero
-
Scroll
-
Usual
-
Eigenlayer
-
Hamster Kombat
-
Catizen
-
Berachain
-
KAITO
-
Pudgy Penguins
-
Solayer
-
Bio Protocol
-
ChainGPT
-
Cookie DAO
-
Solv Protocol
-
Movement
-
DeXe
-
Nexo
-
Hyperliquid
-
STEPN
-
Synthetix
-
Neo
-
APEcoin
-
Gala
-
Internet Computer
-
Pi Network
ZachXBT Alerts Community
On-chain Seluth ZachXBT shared the incident in his Telegram group, which tracked the movement of funds on the blockchain after months of idleness.
The on-chain investigator said that the threat actor from the “Coinbase breach swapped ~5M DAI for ~5M USDC, which had been sitting as USDC for 35 minutes.”
Due to Circle’s compliance policies and slow response times in freezing suspicious addresses, the funds were successfully extracted via bridges, including Circle’s official Cross-Chain Transfer Protocol (CCTP).
ZachXBT called out Circle for being inactive and non-compliant
“Due to Circle not being compliant, the funds were just bridged away. A portion was bridged using the official Circle CCTP bridge.”
Circle’s policy allows blacklisting USDC addresses but requires manual review. The 35-minute idle was flagged in this case, but processing delays prevented a freeze. CCTP transfers are “validated” post-burn, so recovery is harder once they are minted at the destination.
Theat Actors and Social Engineering Technique
The May Coinbase breach was one of the largest in crypto exchange history. It exposed sensitive customer data for around 69,461 users and enabled social engineering attacks that led to direct thefts totaling $200–400 million.
Hackers bribed overseas customer support agents from Indian call centers like TaskUs to access internal Coinbase systems. These insiders stole data for <1% of monthly active users but targeted high-value accounts with 7–8 figure balances.
The threat actors managed to gain access to emails, phone numbers, the last four digits of SSNs, photo IDs, and physical addresses. This fueled phishing campaigns in which actors posed as Coinbase reps, tricking users into sending crypto.
The hackers behind the whole operation contacted Coinbase, demanding a $20 million bounty. However, the crypto exchange denied the ransom and converted it into a reward for anyone who could help them identify and recover funds.
