After five months, the hacker behind the May Coinbase exploit has swapped $5 million of DAI stablecoins for USDC and moved funds out using Circle’s CCTP bridge.
The incident is linked to a breach in which Coinbase users were tricked into sending funds to attackers who had gained access to their personal information.
At the time, Coinbase had estimated that the losses could amount to $400 million.
On-chain sleuth ZachXBT shared the incident in his Telegram group, tracking the movement of the funds on the blockchain after months of idleness.
The on-chain investigator said that the threat actor from the “Coinbase breach swapped ~5M DAI for ~5M USDC, which had been sitting as USDC for 35 minutes.”
Due to Circle’s compliance policies and slow response times in freezing suspicious addresses, the funds were successfully extracted via bridges, including Circle’s official Cross-Chain Transfer Protocol (CCTP).
ZachXBT called out Circle for being inactive and non-compliant:
“Due to Circle not being compliant, the funds were just bridged away. A portion was bridged using the official Circle CCTP bridge.”
Circle’s policy allows blacklisting USDC addresses but requires manual review. The 35-minute idle period was flagged in this case, but processing delays prevented a freeze. CCTP transfers are “validated” post-burn, so recovery is harder once the tokens are minted at the destination.
The May Coinbase breach was one of the largest in crypto exchange history. It exposed sensitive customer data for around 69,461 users and enabled social engineering attacks that led to direct thefts totaling $200–400 million.
Hackers bribed overseas customer support agents from Indian call centers like TaskUs to access internal Coinbase systems. These insiders stole data for <1% of monthly active users but targeted high-value accounts with 7–8 figure balances.
The threat actors managed to gain access to emails, phone numbers, the last four digits of SSNs, photo IDs, and physical addresses. This fueled phishing campaigns in which actors posed as Coinbase reps, tricking users into sending crypto.
The hackers behind the whole operation contacted Coinbase, demanding a $20 million bounty. However, the crypto exchange refused to pay the ransom and converted it into a reward for anyone who could help identify the attackers and recover the funds.
Prashant Jha is a seasoned crypto journalist based in Delhi, India, with a Bachelor’s Degree in Computer Science Engineering. Passionate about the evolving world of blockchain and cryptocurrencies, he has been a dedicated voice in the industry since 2018. Prashant’s expertise lies in regulatory reporting, where he unravels complex legal and financial developments with clarity and precision. Before joining CCN in 2024, he honed his craft at Cointelegraph, establishing himself as a trusted name in crypto journalism.
