Coinbase hacker trolls ZachXBT after moving Bitcoin worth $42 million

In this post:

  • Hacker behind Coinbase breach taunts ZachXBT and cashes out $44.9M in stolen ETH using THORChain to avoid detection
  • Coinbase faces $180M–$400M in damages after data breach affecting over 69,000 users
  • Shares of Coinbase drop 0.92% as stolen crypto is actively laundered through decentralized platforms

The cybercriminal responsible for a theft campaign against Coinbase users taunted on-chain investigator ZachXBT on Wednesday evening through an input data message on the Ethereum blockchain. The incident comes ten days after Coinbase disclosed the security breach, which reportedly compromised over 69,000 accounts.

The mocking message was embedded in an Ethereum transaction, in which the attacker used the blockchain to send a short taunt, writing, “L bozo,” a slang phrase intended to ridicule ZachXBT by implying he had taken a loss. 

IDM Message posted by Coinbase hacker. Source: Etherscan

The message also included a link to a YouTube meme video featuring NBA Hall of Famer James Worthy smoking a cigar, meant to provoke the crypto sleuth.

The interaction was first revealed by ZachXBT himself through his Telegram channel “Investigations.” He identified the attacker as the same entity behind a major breach at Coinbase, which exposed the personal data of thousands of users.

Hacker identified in Coinbase breach

As reported by Cryptopolitan on May 21, Coinbase acknowledged that the December 2024 security incident had affected approximately 69,461 customers. The breach was discovered on May 11, 2024. 

According to a filing submitted to the Maine Attorney General’s office, the company confirmed that personal data was exfiltrated.

ZachXBT’s analysis connected the hacker behind the Ethereum taunt with the perpetrators of the Coinbase hack. Shortly after the breach disclosure, the attackers reportedly demanded a $20 million ransom in Bitcoin, threatening to release the stolen data on the dark web unless their terms were met. 

Coinbase refused to pay, opting instead to offer the same amount as a bounty for information leading to the arrest of the attackers.

Meanwhile, unconfirmed sources have revealed that the individual also began liquidating stolen assets, converting 17,800 Ether (ETH) into $44.94 million worth of DAI stablecoins within a two-hour window on Tuesday.

The transactions were funneled through THORChain, a decentralized exchange protocol that allows cross-chain swaps without relying on centralized intermediaries.

According to blockchain data, the hacker executed the swaps at an average price of $2,528 per ETH. One transaction saw 9,080 ETH exchanged for approximately $22.82 million in DAI.

Coinbase struggles with financial and reputational damage 

The fallout from the breach has thrown Coinbase’s security reputation into question, clouding its entry into the S&P 500 index last Monday. The company is now facing a potential financial impact estimated between $180 million and $400 million.

The costs are expected to arise from remediation efforts, infrastructure upgrades, and possible compensation to affected customers.

COIN shares closed at $258.97 on Wednesday, a downtick of $2.41, or 0.92%, from the previous trading session. The stock has also fallen steeply in recent weeks, posting a 36.3% loss over the past month.

Users are blaming Coinbase for its “sluggish” internal security protocols, particularly after revisiting chatter about the early warnings it received last year. Cybersecurity experts reportedly alerted the crypto exchange in December about suspicious activity targeting its clients. 

Similar threats target Binance and Kraken

Five days after Coinbase filed its data breach report, Binance and Kraken, two other cryptocurrency exchanges, were also targeted in similar social engineering campaigns. These attacks also involved threat actors posing as users and attempting to bribe customer support agents.

According to a May 16 Bloomberg insight, the attackers provided detailed instructions for further contact via Telegram. Both Binance and Kraken successfully thwarted the attempts. 

At Binance, artificial intelligence systems detected suspicious messages related to bribery. To prevent any exposure of user data, the exchange enforced policies that restricted access to customer information unless the request was initiated by the client. Kraken similarly reported no loss of customer data from the incident.
