The Great Coinbase Scam: Over 500 Users Swindled in $20M Scheme

In a collaborative investigation by 404 Media and the independent analytical center Court Watch, a massive cyber-fraud scheme was uncovered, affecting over 500 users of the cryptocurrency exchange Coinbase, with losses exceeding $20 million.

Fraud Pattern

Ricardo, one of the victims, had his Coinbase account compromised in 2021. When he tried to access the Coinbase Pro trading platform, he was shown a notice that his account had been compromised and that he urgently needed to contact customer service by phone. The fraudsters then convinced Ricardo to enter a verification code, sent to him via SMS, into a chat on a counterfeit website masquerading as Coinbase, which allowed them to steal his funds.

According to the investigation, the fraudsters used phishing sites, including coinbasepro[.]com, to redirect victims to fake Coinbase pages.
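The scheme above relied on a look-alike domain (coinbasepro[.]com) to lure users onto fake Coinbase pages. The following is an added example, not part of the original article or of any Coinbase tooling, of the kind of check a defender could run over proxy or DNS logs to flag such domains: it refangs defanged indicators, reduces each host to its registrable domain, and flags hosts that carry the brand name outside an allowlisted domain or sit within a small edit distance of one. The allowlist, the brand string and the sample log lines are constructed for the example, and the registrable-domain logic is deliberately naive (last two labels), so multi-part suffixes such as co.uk would need a public-suffix list in practice.

```python
from urllib.parse import urlparse

# Constructed allowlist of registrable domains that legitimately belong to the brand.
LEGITIMATE = {"coinbase.com"}
BRAND = "coinbase"

# Constructed sample log lines: timestamp, user, URL visited.
SAMPLE_LOG = """\
2021-06-01T10:02:11Z alice https://pro.coinbase.com/trade
2021-06-01T10:05:40Z bob https://coinbasepro[.]com/login
2021-06-01T10:07:02Z carol https://c0inbase.com/verify
2021-06-01T10:09:15Z dave https://example.com/
"""


def refang(indicator):
    """Turn a defanged indicator (coinbasepro[.]com, hxxps://) back into a parsable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host):
    """Naive registrable domain: the last two labels (no public-suffix handling)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character swaps such as c0inbase."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator, legitimate=LEGITIMATE, brand=BRAND, max_distance=2):
    """Return (flagged, reason) for a URL or bare hostname."""
    text = refang(indicator)
    if "://" not in text:
        text = "//" + text  # let urlparse treat a bare host as a network location
    host = (urlparse(text).hostname or "").lower()
    if not host:
        return False, "no hostname found"
    reg = registrable_domain(host)
    if reg in legitimate:
        return False, f"{host} is under the legitimate domain {reg}"
    if brand in host:
        # Brand name present but the registrable domain is not ours: coinbasepro.com,
        # coinbase.com.evil-example.net and similar.
        return True, f"{host} uses the brand name outside an allowlisted domain ({reg})"
    for good in legitimate:
        d = edit_distance(reg, good)
        if d <= max_distance:
            return True, f"{host} is within edit distance {d} of {good}"
    return False, f"{host} does not resemble the brand"


def scan(lines):
    """Return the flagged hostnames from log lines whose last field is the URL visited."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        url = line.split()[-1]
        is_bad, _reason = classify(url)
        if is_bad:
            flagged.append((urlparse(refang(url)).hostname or "").lower())
    return flagged


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line.split()[-1]))
```

Running the scan over the constructed log flags coinbasepro.com and c0inbase.com while leaving pro.coinbase.com and example.com alone; in a real deployment the allowlist would come from the organisation's own inventory and the output would feed a blocklist or an alert.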

The phishing page visited by Ricardo (above) and the counterfeit login form and support chat (below)

Indian Criminal Arrested

Chirag Tomar, a 30-year-old Indian citizen, was arrested by the United States Secret Service (USSS) in connection with this case. Tomar is allegedly one of the scheme’s participants, though it’s unclear if he was the one who spoke with Ricardo on the phone.

Each theft, as detailed in written testimonies, left digital traces that USSS investigators could follow to track down the criminals. After the stolen funds were transferred to a Binance account, investigators obtained a warrant to “search” the email address associated with that account. The mailbox contained identity documents used for Binance verification, which had been sent from another address (chirag.tomar). Officers believe that these documents were either stolen or obtained fraudulently.

Inside the discovered mailbox (chirag.tomar) were txt files containing phone numbers, names, and the amounts of funds stolen from victims. Information from the mailbox helped identify the suspect: it included several photos of his Indian passport, bank statements in his name, and photos sent as part of his application for a trip to the USA.

Investigators compared the photo on Tomar’s US tourist visa with the photos in the email account and confirmed that it was the same person. In his visa application, Tomar used a specific phone number, which authorities then linked to a specific account on the cryptocurrency exchange MEXC under a fictitious name. Investigators believe the use of a fictitious name in MEXC indicates an attempt to conceal the true identity of the account owner and obscure the nature and source of cryptocurrency transactions. However, officers traced some of the stolen funds to the MEXC account, despite Tomar allegedly performing chain-hopping – converting one cryptocurrency to another several times in a short period on different exchanges to obscure the trail.

Multifaceted Activities

The investigation sheds light on a wide range of fraudulent activities, including cryptocurrency theft, attempts at money laundering through accounts registered under fake identities, and conversion of funds into other types of cryptocurrency. Court documents also mention other victims who lost hundreds of thousands of dollars, including one user who lost over $250,000.

Coinbase, in collaboration with law enforcement, emphasized that user security is a priority and recommended hardware keys for verification instead of codes that can be intercepted. The company also gained control of the domain coinbasepro[.]com in June 2022, almost 2 years after the phishing attack began.
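Why a hardware key resists the relay trick that worked on Ricardo, while an SMS code does not, is easiest to see in a small model. The code below is an added example, not part of the article or of Coinbase's systems. It contrasts a code-based second factor, which the server accepts from whoever submits the matching code, with an origin-bound assertion in the style of WebAuthn, where the authenticator signs the server's challenge together with the origin the browser is actually on, so an assertion produced on a look-alike origin fails verification at the real site. The HMAC shared at registration stands in for the public-key signature a real security key would use, and the origin strings are labels taken from the article, not live endpoints.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "coinbase.com"          # relying party the user meant to log in to
LOOKALIKE_ORIGIN = "coinbasepro.com"  # look-alike origin named in the article, used as a label


class OtpServer:
    """Code-based second factor: the server only checks that the submitted code matches."""

    def __init__(self):
        self.current_code = None

    def issue_code(self):
        # In reality this code is sent to the user by SMS.
        self.current_code = f"{secrets.randbelow(10**6):06d}"
        return self.current_code

    def verify(self, code):
        return self.current_code is not None and hmac.compare_digest(code, self.current_code)


class HardwareKey:
    """Simplified authenticator: signs challenge || origin with a per-site secret."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, challenge, origin_seen_by_browser):
        return hmac.new(self.secret, challenge + origin_seen_by_browser.encode(),
                        hashlib.sha256).digest()


class OriginBoundServer:
    """Relying party that verifies the assertion against its own origin, never the submitter's claim."""

    def __init__(self, registered_secret, origin):
        self.secret = registered_secret  # shared at registration (stand-in for a public key)
        self.origin = origin
        self.challenge = None

    def issue_challenge(self):
        self.challenge = secrets.token_bytes(32)
        return self.challenge

    def verify(self, assertion):
        expected = hmac.new(self.secret, self.challenge + self.origin.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(assertion, expected)


def otp_relay_succeeds():
    """Model of the article's scheme: the victim types the SMS code into a fake chat and it is forwarded."""
    server = OtpServer()
    code = server.issue_code()          # SMS reaches the victim
    code_typed_into_fake_chat = code    # victim enters it on the counterfeit page
    return server.verify(code_typed_into_fake_chat)  # the real server cannot tell who submitted it


def origin_bound_relay_succeeds():
    """Same relay against an origin-bound factor: the browser reports the look-alike origin."""
    key = HardwareKey()
    server = OriginBoundServer(key.secret, REAL_ORIGIN)
    challenge = server.issue_challenge()            # relayed to the look-alike page
    assertion = key.sign(challenge, LOOKALIKE_ORIGIN)  # browser binds the origin it is really on
    return server.verify(assertion)                 # fails: origin in the signature is wrong


def origin_bound_legitimate_login_succeeds():
    """Control case: the same key used on the real origin verifies fine."""
    key = HardwareKey()
    server = OriginBoundServer(key.secret, REAL_ORIGIN)
    challenge = server.issue_challenge()
    return server.verify(key.sign(challenge, REAL_ORIGIN))


if __name__ == "__main__":
    print("SMS code relayed through fake chat accepted:", otp_relay_succeeds())
    print("Origin-bound assertion from look-alike accepted:", origin_bound_relay_succeeds())
    print("Origin-bound assertion from real origin accepted:", origin_bound_legitimate_login_succeeds())
```

The point of the model is that the decisive check happens on the server and uses the origin the browser observed, not anything the user typed or the page claimed; a code that is valid wherever it is entered has no such binding, which is exactly why Coinbase's advice favours hardware keys over interceptable codes.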

Ricardo, who lost his funds and contacted the FBI and Coinbase, was left devastated by the incident. Fraudsters, operating anonymously and with impunity, continue to pose a serious threat in the world of cryptocurrencies.