ZachXBT’s investigation reveals that hacker Daytwo stole $4M from Coinbase users by impersonating support. They partially laundered the funds through Roobet and Monero and mostly spent them on luxury goods. The scheme used classic social engineering methods that coerced users into creating wallets already controlled by the attacker. Most notably, the attacker didn’t even hide their identity, and according to the investigation, US citizen Christian Alfonso Nieves was behind the hack.
More on the Crypto Scam Targeting Coinbase Users
It seems Coinbase is going through a rough patch when it comes to security. This time, however, it wasn’t a failure on Coinbase’s part – and it wasn’t even a third-party vulnerability.
By the way, I highly recommend taking a look at how, even with the highest level of platform security, a third-party incident can still cause issues, as shown by the Bybit case. Yes, the service itself wasn’t breached, which enabled them to restore balance and even liquidity at record speed, but it still delivered an extremely important lesson for the entire industry.

Now, returning to the Coinbase incident: the details were, as expected, shared by ZachXBT.
1/ An investigation into how the New York based social engineering scammer Daytwo/PawsOnHips (Christian Nieves) stole $4M+ from Coinbase users by impersonating customer support, bought luxury goods, and lost most of the funds gambling at casinos. pic.twitter.com/7PsP8ymPtO
— ZachXBT (@zachxbt) June 23, 2025
This is not a case of a technical vulnerability but a textbook example of social engineering. Specifically, the hacker using the aliases Daytwo and Pawsonhips ran a small call center and personally made calls, posing as Coinbase support staff. Under the pretext of compromised seed phrases, they persuaded users to create new wallets. They used phishing links and fake sites, so the resulting wallets were under the attacker’s control as soon as they were created.
They then partially laundered the funds through Roobet and Monero – for example, a $240,000 theft was documented in November 2024. After that, the funds were split into three directions, and further movements were linked to over 30 separate addresses involved in similar thefts. The attacker spent the stolen funds on luxury goods, such as expensive cars and more, which they showcased on their socials.
However, that turned out to be their undoing, as the attacker made little effort to hide. During Discord calls with accomplices, they didn’t conceal their face and openly discussed laundering schemes. In one instance, they accidentally showed a Roobet deposit tied to the alias pawsonhips, as well as a sticker with their Instagram handle daytwo00000 on a Corvette purchased with stolen funds. They also exposed their identity through a New York State ID card with the name Christian Alfonso Nieves.
Conclusion
A very overconfident approach, especially considering that even far more cautious hackers eventually get caught for much smaller mistakes. We may learn how the attacker explains this if criminal charges are filed.
One thing that cannot go unmentioned is the fact that people are often the weakest link, and social engineering is becoming increasingly common and sophisticated in the era of well-secured blockchain systems.
Always stay alert, double-check addresses, and never share personal information.