Coinbase customers watched helplessly as a New York con artist, unmasked by blockchain sleuth ZachXBT, siphoned more than $4 million from their wallets and gambled it away. A June 23 X thread from ZachXBT revealed a phone-based support scam that preyed on basic human trust, spotlighting a wider surge in crypto phishing schemes. The tale of Christian Nieves, a flashy social-media braggart turned alleged thief, raises urgent questions about exchange security, law enforcement reach, and user vigilance. Phishing Scam Playbook: Posing as ‘Coinbase Support’ Posing as calm, professional “Coinbase Support” representatives, Christian Nieves and his small New York call-center team allegedly cold-called customers with an urgent warning: their accounts faced “suspicious activity” and required immediate safeguarding. 2/ Daytwo operates a small call centre group and also works as a caller. His group primarily coerced targets into setting up Coinbase wallet with a compromised seed on phishing sites. Below is a video of his panel used and a sample of his voice when calling. https://t.co/9zJGfQmLPh pic.twitter.com/wkuP5Ir0GE — ZachXBT (@zachxbt) June 23, 2025 The fraudsters then directed targets to create a supposedly secure wallet built on seed phrases the scammers themselves supplied while walking them through the process on Discord or by phone. Because funds moved at the user’s instruction, Coinbase’s automated defenses logged each transfer as legitimate, giving the criminals a window to empty every wallet they touched. Victims were instructed to paste a pre-generated seed phrase , instantly handing the attackers full control. More than 30 customers fell for the script, losing over $4 million combined . One recorded call captured an elderly man forfeiting $240,000 after believing he was securing his holdings. Transactions were cleared within minutes, leaving no time for chargebacks or exchange-side intervention. Cybersecurity Gaps Exploited in the $4M Crypto Scam The operation thrived by exploiting a gray zone between platform security and personal vigilance. Coinbase’s backend systems remained uncompromised, yet the absence of real-time behavioral checks on large, user-initiated transfers left an opening big enough for the scammers to do their work. ZachXBT’s blockchain analysis later stitched together the scams’ on-chain footprints, revealing how the attackers laundered victim assets once they left Coinbase’s ecosystem . Social engineering over code: no malware, just persuasive phone etiquette. User-authorized withdrawals: bypassed withdrawal delays and triggered no fraud flags. Seed-phrase control: lets scammers redirect funds through multiple addresses before tracing could begin. The breach demonstrates a wider cybersecurity challenge: technical safeguards can crumble when a well-crafted phishing scam tricks users into acting against their own interests. By mapping each hop the stolen crypto took, from freshly drained wallets to offshore betting sites, ZachXBT exposed the human weaknesses cybercrooks prize, setting the stage for the crackdown that followed. The Unmasked Scammer Behind the Coinbase Phishing Scheme Investigators didn’t need a sophisticated traceback to uncover the human face behind the Coinbase phishing scam . On-chain footprints allegedly led directly to Christian Nieves , a New York resident who operated online as “Daytwo” and “PawsOnHips.” Unlike most cybercriminals, Nieves didn’t hide—he broadcast. Luxury-brand selfies, open-mic Discord chats, and even video calls during the scam gave blockchain sleuth ZachXBT a trove of breadcrumbs that linked real-world vanity to digital theft. 11/ It’s rare we see a social engineering scammer with such blatant disregard to mask their identity while flexing stolen funds all over social media. As Daytwo is not a minor it’s a rather easy case for law enforcement to pursue. Sadly any recovery for victims is likely a… pic.twitter.com/QUTPD7s1nu — ZachXBT (@zachxbt) June 23, 2025 Nieves routinely showed his face while walking victims through wallet “migrations,” a glaring op-sec lapse. Instagram posts displayed designer clothing and high-end gadgets that on-chain analysis traced back to stolen crypto. Alias reuse—“Daytwo” in Discord, “PawsOnHips” on betting sites—connected the digital persona to a single real identity. From Coinbase Heist to Roobet Roulette: How $4M Vaporized Once Nieves allegedly gained control of each hijacked wallet, the money moved fast. Deposits funneled into a Roobet casino account bearing the same “pawsonhips” handle, where—according to blockchain tracers— nearly the entire $4 million haul was gambled away . 5/ Daytwo likes to gamble on Discord calls with friends. The recording below shows his Roobet username ‘pawsonhips’ where he leaks his deposit address in a browser tab. 0x940970549037634c517deb741b16112b52e0ced1 pic.twitter.com/i38XVbocUu — ZachXBT (@zachxbt) June 23, 2025 Details: Large wagers were placed while scammers chatted on Discord , effectively betting with victims’ life savings. “Lost most of the funds gambling at casinos,” ZachXBT concluded after examining transaction flows. The remaining balances were hopped through Monero (XMR) to obscure trails, yet Roobet’s visible deposit address still tied the funds back to Nieves. The episode demonstrates a blunt cybersecurity truth: converting ill-gotten gains into casino chips can be just as traceable as leaving them on-chain, especially when usernames overlap across platforms. By pinning a real name to flamboyant aliases and a Roobet bankroll, ZachXBT turned what began as a low-friction phishing scam into a case study in self-inflicted exposure—one that now places Nieves squarely in the crosshairs of law enforcement. New Safeguards and Bounty Programs Seek to Shore Up Cybersecurity Coinbase’s risk and security teams rolled out layered countermeasures intended to choke off future phishing scams while reassuring shaken customers. Among the steps: Enhanced customer education : prompts urging clients to verify support contacts and never share seed phrases, even under “urgent” pressure. Stricter withdrawal controls : flagged high-risk accounts now require extra ID checks and face-time delays on large transfers. Address allowlisting and Vault-style approval delays promoted as default settings for higher balances. Reimbursement pledge for victims of a May 2025 insider data-leak scam, indicating the exchange will share financial responsibility when fraud exploits its ecosystem. $20 million bounty for information leading to the arrest of criminals behind that insider breach—an aggressive escalation rarely seen in the industry. Whether those reforms can staunch a phishing scam wave that has already siphoned hundreds of millions is still unclear. However, the heightened focus on transparent cybersecurity protocols—and on holding exchanges accountable alongside users—indicates a new phase in the fight against social engineering in crypto. Why the Coinbase, ZachXBT Crypto Scam Saga Should Change Your Security Habits A single phone call was all it took for Christian Nieves to vaporize millions, yet the fallout stretches far beyond 30 unlucky Coinbase users. His brazen phishing scam, laid bare by ZachXBT’s on-chain detective work, spotlights an uncomfortable truth: the riskiest vulnerability in cryptocurrency isn’t faulty code—it’s human trust. Every voice that urges you to “secure” your wallet, every spoofed support number, is a reminder that cybersecurity relies on skepticism as much as software. Exchange-level reforms suggest the sector is finally treating social engineering as a systemic threat, not a customer blunder. Still, no amount of backend fortification can protect assets once a seed phrase slips out in a moment of panic. The lasting lesson from the Coinbase, ZachXBT crypto scam isn’t merely to guard credentials; it’s to recognize that in a decentralized sector, you alone stand between your holdings and the next persuasive imposter. The question, then, is whether the community will treat that responsibility as seriously as clever criminals already do.Coinbase customers watched helplessly as a New York con artist, unmasked by blockchain sleuth ZachXBT, siphoned more than $4 million from their wallets and gambled it away. A June 23 X thread from ZachXBT revealed a phone-based support scam that preyed on basic human trust, spotlighting a wider surge in crypto phishing schemes. The tale of Christian Nieves, a flashy social-media braggart turned alleged thief, raises urgent questions about exchange security, law enforcement reach, and user vigilance. Phishing Scam Playbook: Posing as ‘Coinbase Support’ Posing as calm, professional “Coinbase Support” representatives, Christian Nieves and his small New York call-center team allegedly cold-called customers with an urgent warning: their accounts faced “suspicious activity” and required immediate safeguarding. 2/ Daytwo operates a small call centre group and also works as a caller. His group primarily coerced targets into setting up Coinbase wallet with a compromised seed on phishing sites. Below is a video of his panel used and a sample of his voice when calling. https://t.co/9zJGfQmLPh pic.twitter.com/wkuP5Ir0GE — ZachXBT (@zachxbt) June 23, 2025 The fraudsters then directed targets to create a supposedly secure wallet built on seed phrases the scammers themselves supplied while walking them through the process on Discord or by phone. Because funds moved at the user’s instruction, Coinbase’s automated defenses logged each transfer as legitimate, giving the criminals a window to empty every wallet they touched. Victims were instructed to paste a pre-generated seed phrase , instantly handing the attackers full control. More than 30 customers fell for the script, losing over $4 million combined . One recorded call captured an elderly man forfeiting $240,000 after believing he was securing his holdings. Transactions were cleared within minutes, leaving no time for chargebacks or exchange-side intervention. Cybersecurity Gaps Exploited in the $4M Crypto Scam The operation thrived by exploiting a gray zone between platform security and personal vigilance. Coinbase’s backend systems remained uncompromised, yet the absence of real-time behavioral checks on large, user-initiated transfers left an opening big enough for the scammers to do their work. ZachXBT’s blockchain analysis later stitched together the scams’ on-chain footprints, revealing how the attackers laundered victim assets once they left Coinbase’s ecosystem . Social engineering over code: no malware, just persuasive phone etiquette. User-authorized withdrawals: bypassed withdrawal delays and triggered no fraud flags. Seed-phrase control: lets scammers redirect funds through multiple addresses before tracing could begin. The breach demonstrates a wider cybersecurity challenge: technical safeguards can crumble when a well-crafted phishing scam tricks users into acting against their own interests. By mapping each hop the stolen crypto took, from freshly drained wallets to offshore betting sites, ZachXBT exposed the human weaknesses cybercrooks prize, setting the stage for the crackdown that followed. The Unmasked Scammer Behind the Coinbase Phishing Scheme Investigators didn’t need a sophisticated traceback to uncover the human face behind the Coinbase phishing scam . On-chain footprints allegedly led directly to Christian Nieves , a New York resident who operated online as “Daytwo” and “PawsOnHips.” Unlike most cybercriminals, Nieves didn’t hide—he broadcast. Luxury-brand selfies, open-mic Discord chats, and even video calls during the scam gave blockchain sleuth ZachXBT a trove of breadcrumbs that linked real-world vanity to digital theft. 11/ It’s rare we see a social engineering scammer with such blatant disregard to mask their identity while flexing stolen funds all over social media. As Daytwo is not a minor it’s a rather easy case for law enforcement to pursue. Sadly any recovery for victims is likely a… pic.twitter.com/QUTPD7s1nu — ZachXBT (@zachxbt) June 23, 2025 Nieves routinely showed his face while walking victims through wallet “migrations,” a glaring op-sec lapse. Instagram posts displayed designer clothing and high-end gadgets that on-chain analysis traced back to stolen crypto. Alias reuse—“Daytwo” in Discord, “PawsOnHips” on betting sites—connected the digital persona to a single real identity. From Coinbase Heist to Roobet Roulette: How $4M Vaporized Once Nieves allegedly gained control of each hijacked wallet, the money moved fast. Deposits funneled into a Roobet casino account bearing the same “pawsonhips” handle, where—according to blockchain tracers— nearly the entire $4 million haul was gambled away . 5/ Daytwo likes to gamble on Discord calls with friends. The recording below shows his Roobet username ‘pawsonhips’ where he leaks his deposit address in a browser tab. 0x940970549037634c517deb741b16112b52e0ced1 pic.twitter.com/i38XVbocUu — ZachXBT (@zachxbt) June 23, 2025 Details: Large wagers were placed while scammers chatted on Discord , effectively betting with victims’ life savings. “Lost most of the funds gambling at casinos,” ZachXBT concluded after examining transaction flows. The remaining balances were hopped through Monero (XMR) to obscure trails, yet Roobet’s visible deposit address still tied the funds back to Nieves. The episode demonstrates a blunt cybersecurity truth: converting ill-gotten gains into casino chips can be just as traceable as leaving them on-chain, especially when usernames overlap across platforms. By pinning a real name to flamboyant aliases and a Roobet bankroll, ZachXBT turned what began as a low-friction phishing scam into a case study in self-inflicted exposure—one that now places Nieves squarely in the crosshairs of law enforcement. New Safeguards and Bounty Programs Seek to Shore Up Cybersecurity Coinbase’s risk and security teams rolled out layered countermeasures intended to choke off future phishing scams while reassuring shaken customers. Among the steps: Enhanced customer education : prompts urging clients to verify support contacts and never share seed phrases, even under “urgent” pressure. Stricter withdrawal controls : flagged high-risk accounts now require extra ID checks and face-time delays on large transfers. Address allowlisting and Vault-style approval delays promoted as default settings for higher balances. Reimbursement pledge for victims of a May 2025 insider data-leak scam, indicating the exchange will share financial responsibility when fraud exploits its ecosystem. $20 million bounty for information leading to the arrest of criminals behind that insider breach—an aggressive escalation rarely seen in the industry. Whether those reforms can staunch a phishing scam wave that has already siphoned hundreds of millions is still unclear. However, the heightened focus on transparent cybersecurity protocols—and on holding exchanges accountable alongside users—indicates a new phase in the fight against social engineering in crypto. Why the Coinbase, ZachXBT Crypto Scam Saga Should Change Your Security Habits A single phone call was all it took for Christian Nieves to vaporize millions, yet the fallout stretches far beyond 30 unlucky Coinbase users. His brazen phishing scam, laid bare by ZachXBT’s on-chain detective work, spotlights an uncomfortable truth: the riskiest vulnerability in cryptocurrency isn’t faulty code—it’s human trust. Every voice that urges you to “secure” your wallet, every spoofed support number, is a reminder that cybersecurity relies on skepticism as much as software. Exchange-level reforms suggest the sector is finally treating social engineering as a systemic threat, not a customer blunder. Still, no amount of backend fortification can protect assets once a seed phrase slips out in a moment of panic. The lasting lesson from the Coinbase, ZachXBT crypto scam isn’t merely to guard credentials; it’s to recognize that in a decentralized sector, you alone stand between your holdings and the next persuasive imposter. The question, then, is whether the community will treat that responsibility as seriously as clever criminals already do.