The post Coinbase Breach Actor Behind the $300M Heist Shifts $5M in Fresh Moves appeared on BitcoinEthereumNews.com.

Coinbase Breach Actor Behind the $300M Heist Shifts $5M in Fresh Moves

2025/10/03 02:42

The threat actor behind the Coinbase customer breach resurfaced on October 2, moving fresh capital across stablecoin rails before bridging funds away within minutes, according to blockchain investigator ZachXBT.

He reported that roughly 5 million DAI was swapped into an equivalent amount of USDC and sat for only about 35 minutes before being bridged, with a portion routed through Circle’s Cross-Chain Transfer Protocol (CCTP).

This was not the first time the actor signaled activity on-chain. On May 21, the same wallet complex transferred more than $42.5 million from Bitcoin to Ethereum through THORChain. On that occasion, the hacker left a message trolling ZachXBT.

Latest movement by Coinbase’s threat actor | Source: DeBank

A $300 Million Breach

Coinbase disclosed on May 15 that a data breach had occurred, affecting less than 1% of its monthly active users, according to the exchange.

A group of overseas support agents with privileged access was bribed and recruited by outside actors.

Those insiders exposed names, contact details, identity documents, and partially masked financial data, which was enough to supercharge impersonation campaigns.

Coinbase emphasized that core infrastructure, including authentication secrets, private keys, and Prime wallets, remained uncompromised, and it pledged to compensate affected users.

CEO Brian Armstrong stated that the attackers attempted to extort $20 million in Bitcoin.

However, the company refused the ransom and instead announced a $20 million reward fund for information leading to arrests and convictions.

Coinbase response to the data breach and thefts | Source: X

The US Department of Justice initiated an investigation immediately afterward, and Coinbase’s preliminary estimate for remediation and reimbursements ranges from $180 million to $400 million.

That insider-enabled data trove became the raw material for industrial-grade social engineering. Alliance DAO’s Qiao Wang described a highly scripted playbook.

Impostors posing as Coinbase staff flagged “compromised” accounts, steering targets into “verification,” and then captured assets by supplying pre-generated seed phrases for supposed security wallets.

The con blended urgency, authenticity cues from stolen personal data, and technical theater to extract custody.

Meanwhile, market voices, such as Wintermute’s Evgeny Gaevoy, argued that rigid KYC/AML frameworks can paradoxically increase civilian exposure by centralizing sensitive identity data, which, once leaked, fuels more crime.

Normalized Thefts

The October 2 transfers also re-exposed how compliant, allowlisted infrastructure is used to move funds while they are in flight.

ZachXBT said part of the funds moved through Circle’s official CCTP, a legitimate bridge that burns USDC on one chain and mints it on another.

That matters because it converts bridging into an issuance workflow rather than an asset swap, potentially complicating freeze-and-seize options if controls are not wired to fire rapidly.
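The swap-then-bridge pattern described above can be monitored as a dwell-time check. The following is an added example, not code from the article, ZachXBT, or Circle: it flags large USDC inflows that the same wallet begins burning through the bridge within a short window and reports how long responders had to act. The event schema, the `swap_in` and `cctp_burn` labels, the wallet names, thresholds, and the sample amounts and times are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    wallet: str
    kind: str      # "swap_in": USDC received from a swap; "cctp_burn": USDC burned for a cross-chain mint
    amount: float  # USDC units

def rapid_bridge_alerts(events, min_inflow=1_000_000, max_dwell=timedelta(hours=1)):
    """Flag large USDC inflows that the same wallet starts burning via the bridge within max_dwell.

    Each alert carries the dwell (time from inflow to first burn, i.e. the response
    window an issuer or bridge operator had) and the total burned inside the window.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, inflow in enumerate(ordered):
        if inflow.kind != "swap_in" or inflow.amount < min_inflow:
            continue
        burns = [e for e in ordered[i + 1:]
                 if e.wallet == inflow.wallet and e.kind == "cctp_burn"
                 and e.ts - inflow.ts <= max_dwell]
        if burns:
            alerts.append({
                "wallet": inflow.wallet,
                "inflow": inflow.amount,
                "dwell": burns[0].ts - inflow.ts,
                "burned": sum(b.amount for b in burns),
            })
    return alerts

# Constructed sample events: placeholder wallets; the 5M inflow and 35-minute dwell
# mirror the article's figures, while the 2M bridged portion is an assumed split.
T0 = datetime(2025, 10, 2, 12, 0)
SAMPLE = [
    Event(T0, "wallet-A", "swap_in", 5_000_000),
    Event(T0 + timedelta(minutes=35), "wallet-A", "cctp_burn", 2_000_000),
    Event(T0, "wallet-B", "swap_in", 3_000_000),
    Event(T0 + timedelta(days=3), "wallet-B", "cctp_burn", 3_000_000),   # slow exit, not flagged
    Event(T0, "wallet-C", "swap_in", 50_000),
    Event(T0 + timedelta(minutes=5), "wallet-C", "cctp_burn", 50_000),   # below size threshold
]

if __name__ == "__main__":
    for a in rapid_bridge_alerts(SAMPLE):
        print(f"{a['wallet']}: {a['burned']:,.0f} of {a['inflow']:,.0f} USDC burned, "
              f"first burn after {a['dwell']}")
```

The reported dwell is the practical upper bound on how quickly a freeze or hold decision has to be made for that wallet.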

ZachXBT vented recently about how the crypto industry is dependent on government agencies. He said:

“For an industry that was founded on principles of independence from the government it’s embarrassing how reliant we are on them to find a solution for victims.

There’s no other industry that has normalized thefts to the same extent.”

In his statement, the investigator emphasized “major problems” that have no solution and continue to worsen.

Among the problems listed, he questioned what would happen when the majority of law enforcement agents are incapable of tracking funds on-chain.

He further asked what would happen when there are jurisdictional barriers, and when stablecoin issuers fail to act quickly to freeze funds.

Viewed narrowly, the latest movement from the Coinbase threat actor is a status update. Hackers remain active, opportunistic, and confident in outrunning asset-level controls.

Viewed broadly, it is a stress test of the “full stack”: exchanges’ internal access controls, customer-support vendor management, data-handling hygiene, law enforcement speed, and the responsiveness of stablecoin issuers and bridges when red flags are triggered.

Source: https://www.thecoinrepublic.com/2025/10/02/coinbase-breach-actor-behind-the-300m-heist-shifts-5m-in-fresh-moves/
