Coinbase Scam Nabs $4 Million Via Phishing

Christian Nieves, also known by his aliases Daytwo and PawsOnHips, orchestrated a sophisticated social engineering scam that targeted Coinbase users, resulting in the theft of over $4 million. The scam involved impersonating customer support agents and tricking victims into setting up Coinbase wallets using compromised seed phrases via phishing websites. The stolen funds were quickly siphoned into casinos or converted into privacy coins like Monero (XMR) to cover his tracks. Nieves reportedly bought luxury goods and lost most of the funds gambling at casinos.

The investigation, led by top investigator ZachXBT, revealed that Nieves ran a small call center operation to execute the scam. One notable incident involved a worker named Paranoia (Justin), who stole $240,000 from an elderly victim in November 2024. The stolen funds were traced to an online crypto casino, Roobet, where Nieves frequently gambled, and the rest were converted to XMR. Nieves' gambling habit was a recurring theme, with his casino deposits shrinking over time as he consistently lost money. In the end, he resorted to stealing portions of funds from his accomplices.

Nieves' blatant disregard for anonymity made this an unusually easy case for law enforcement to pursue. He publicly flaunted stolen funds on social media, bought a Corvette with proceeds from his scams, and even branded the car with a sticker displaying his Instagram handle ‘daytw00000,’ directly linking his real-life identity to his online scam persona. In a bizarre escalation, Nieves taunted ZachXBT by posting a photo of himself flipping off Zach’s X (formerly Twitter) account and later setting it as a cover image on his Instagram memory.

The investigation also revealed that Nieves' Roobet deposit address was linked to at least 30 other suspected thefts, suggesting a wider web of victims. Nieves regularly went on Discord calls with his group, where they openly talked about laundering funds and regularly showed their faces. Their identity has now been revealed, making it easier for law enforcement to pursue the case. The on-chain data and selfies directly linked the scammer to the thefts, making a law enforcement case now likely.

Victims were instructed to create what they thought were legitimate Coinbase wallets. Unbeknownst to them, these wallets were hosted on phishing websites. These sites came preloaded with malicious seed phrases—secret phrases that allow full access to the wallet. Once victims transferred funds, Nieves and his team quickly drained them away.

The scam unraveled once authorities traced over $4 million in stolen crypto. Much of this illicit gain was immediately converted and sent to Roobet, a well-known gambling platform. This pattern of quick laundering via gambling sites helped obscure the trail of stolen funds.

Always verify support channels: Genuine Coinbase support will never call unsolicited; always go through official channels. Never enter seed phrases from links: Always generate your own securely. Use two-factor authentication (2FA): Adds essential protection to your accounts.