Inside a $20 Million Coinbase Phishing Ring

This article was produced in collaboration with Court Watch, an independent outlet that unearths overlooked court records.
When Ricardo saw the message that his Coinbase account had been hacked in 2021, he panicked. He had gone to log into Coinbase Pro, the company’s trader-focused service, and received the ominous message: your account is compromised, please call this 1-800 number as soon as possible.
Ricardo thought the worst. His cryptocurrency investments, which weren’t massive but still represented hard-earned money, were gone, he assumed. Ricardo called the number and a man on the other end instructed him to open the chat in the lower right-hand corner of the website. You’ll get help, the man said. But Ricardo had to move quickly; the man said someone was logged into Ricardo’s account right at that moment from Ohio. That “took the panic up a notch,” Ricardo told 404 Media.
Ricardo would be receiving a Coinbase verification code via SMS. He needed to then type that into the chat box, the man explained. That way, Coinbase would know Ricardo was the real owner of the account and kick the hacker out. “We’re going to make sure nothing happens,” Ricardo recalled the man saying. “Don’t worry about it.”
Ricardo typed in the code and the man walked him through the next step: this attack might be due to malware on your computer, so you should clear your browsing history, he explained. That’s when a tinge of suspicion entered Ricardo’s mind. Why am I doing this, he thought to himself, as he completed the request. The man said he would contact Ricardo again, and then hung up.
Then “my brain started thinking for once,” Ricardo said. He went back and checked the Coinbase page he had logged into. It wasn’t the real site. He had gone to coinbasepro[.]com, which had redirected him to another site, where he used the chatbox. Coinbase’s actual domain was pro.coinbase.com, a subdomain of coinbase.com; coinbasepro[.]com is a separate registration that merely puts the brand name in front of “pro.” Ricardo also found someone had converted his Dogecoin into Bitcoin, and then transferred those funds to an external wallet. His money was gone.
Ricardo called back and asked the man “how could you live with yourself doing these things to people?” The man only had one response: he burped loudly into the phone and hung up.
Do you work at Coinbase? Do you know about any similar schemes? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +44 20 8133 5190. Otherwise, send me an email at joseph@404media.co.
Ricardo’s story is but a small cog of a massive cybercrime machine. The domain that duped Ricardo was used by a hacking crew that has stolen more than $20 million from more than 500 Coinbase users, many of them in the U.S., according to recently unsealed court records. Last month, the Secret Service quietly arrested Chirag Tomar, a 30-year-old Indian man, in the Northern District of Georgia; Tomar is allegedly part of the scheme. It’s not clear if Tomar was the man Ricardo spoke to on the phone.
(Image: a screenshot from the court record.)
The case gives a clearer picture of something that usually happens to individual victims in isolation and out of view. While one Coinbase phishing incident may result in the theft of a few thousand or a hundred thousand dollars, the court records show the true scale at which some phishing groups operate. It also raises questions about why Coinbase, a multi-billion dollar cryptocurrency giant, wasn’t quicker to counteract a domain that was obviously putting its users at risk. Coinbase only filed a complaint against the domain in 2022, a year after Ricardo and others were hacked.
404 Media found other domains that at one point shared an IP address with coinbasepro[.]com. Some of them are still live, still present themselves as belonging to Coinbase, and still redirect visitors to sketchy sites as of the time of writing.
Now, “I’m very skeptical when someone contacts me,” Ricardo said.
Tomar and others allegedly started their scheme at least as early as August 2020, when coinbasepro[.]com was first registered, according to an affidavit written by Secret Service Special Agent Michael S. Hackney. The group targeted at least 542 victims, including people from Tennessee, North Carolina, and Florida, it adds. After stealing the cryptocurrency, Tomar’s group tried to launder the funds through accounts created with fake or stolen identities and converted them to other forms of cryptocurrency, the affidavit says.
As the court record explains, the Secret Service identified a “family” of domains, including coinbasepro[.]com, which redirected visitors to Coinbase phishing pages. Other domains mentioned in the document include “fastsupport.gotoassist[.]com,” “primetoyking[.]com,” and “cimdrazeprogogicsecure[.]com.”
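The distinction that tripped Ricardo up, a subdomain of the real registrable domain (pro.coinbase.com) versus a separate registration that only contains the brand name (coinbasepro[.]com), can be checked mechanically. The following is an added example, not tooling from Coinbase, 404 Media or the Secret Service; it classifies the hostnames named in the affidavit plus a few constructed ones. It assumes a two-label registrable domain (no Public Suffix List), which is adequate for .com, and a small, hypothetical table of digit-for-letter confusables.

```python
"""Triage hostnames against a brand: legitimate subdomain, lookalike, or unrelated.

Added example. Assumptions: registrable domain = last two labels (fine for .com,
wrong for e.g. .co.uk without a Public Suffix List); the confusable table is a
small illustrative subset, not a complete homoglyph map.
"""
from dataclasses import dataclass

LEGIT_REGISTRABLE = {"coinbase.com"}      # the brand's real registrable domain(s)
BRAND_TOKENS = ("coinbase",)              # substrings that mark an impersonation attempt

# Digits and symbols commonly swapped for letters in lookalike names (illustrative subset).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "|": "l"})


@dataclass(frozen=True)
class Verdict:
    host: str
    registrable: str
    label: str  # "legitimate" | "lookalike" | "unrelated"
    reason: str


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. pro.coinbase.com -> coinbase.com (two-label assumption)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(host: str) -> str:
    """Lower-case and fold common confusables so c0inbase matches coinbase."""
    return host.lower().translate(CONFUSABLES)


def classify(host: str, legit=LEGIT_REGISTRABLE, tokens=BRAND_TOKENS) -> Verdict:
    reg = registrable_domain(host)
    if reg in legit:
        # Only the registrable domain matters: anything under coinbase.com is Coinbase's.
        return Verdict(host, reg, "legitimate", "registrable domain is on the allowlist")
    folded = normalize(host)
    for token in tokens:
        if token in folded:
            where = "registrable domain" if token in normalize(reg) else "subdomain label"
            return Verdict(host, reg, "lookalike", f"brand token {token!r} in {where}")
    # Redirectors and support-tool domains in the "family" carry no brand token at all.
    return Verdict(host, reg, "unrelated", "no brand token; check where it redirects")


def triage(hosts) -> dict:
    """Map each hostname to its label; handy for a blocklist review."""
    return {h: classify(h).label for h in hosts}


# Hostnames named in the article/affidavit, plus constructed test values.
SAMPLE_HOSTS = [
    "pro.coinbase.com",                 # the real site
    "coinbasepro.com",                  # the domain that duped Ricardo
    "fastsupport.gotoassist.com",       # from the affidavit's domain family
    "primetoyking.com",                 # from the affidavit's domain family
    "cimdrazeprogogicsecure.com",       # from the affidavit's domain family
    "c0inbase-support.com",             # constructed: digit-for-letter swap
    "coinbase.com.login-verify.example",  # constructed: brand as a subdomain prefix
]

if __name__ == "__main__":
    for host, label in triage(SAMPLE_HOSTS).items():
        print(f"{label:10s} {host}")
```

The allowlist check runs first on purpose: a brand-token heuristic alone would flag pro.coinbase.com as suspicious, and the whole point is that the registrable domain, not the presence of a familiar word, decides ownership. In production, replace the two-label rule with a Public Suffix List lookup and treat "unrelated" hosts that redirect into a lookalike as part of the same family.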
“Your account has been temporarily Disabled! To Reactivate your account call now at +1-805-298-7143,” a screenshot of one of the phishing pages included in the affidavit reads. In the screenshot, the chat interface in the lower right-hand corner tells the user “Enter the 6-digit code from your authenticator app.”
(Images. Left: a screenshot of the phishing page Ricardo saw. Right: a screenshot included in the court record.)
The affidavit includes stories from other victims similar to Ricardo’s. One called MB lost around $170,000 worth of cryptocurrency in September 2021. MF lost .3396 Bitcoin in January 2022, worth around $13,000 at the time. In April 2022, the group stole around $132,000 from PC. Then in June 2022, another victim called PAC lost more than $250,000 after not only providing the hackers with an authentication code but also a copy of his driver’s license into the chat box as instructed. Ricardo is not included in the affidavit; 404 Media identified him as a victim independently and contacted him for comment. 404 Media also found other victims online complaining of falling for a scam related to the coinbasepro[.]com domain.
Each of the thefts in the affidavit left behind digital footprints for the Secret Service investigators to follow. After following MB’s stolen funds to an account on the cryptocurrency exchange Binance, investigators obtained a search warrant for the email address linked to the account. They found it contained identification documents seemingly used as part of the Binance verification process, and which had been emailed from another address. Hackney writes he believes the documents were stolen or fraudulently obtained.
Investigators then pivoted to the address which had emailed the identification document. The email address started with “chirag.tomar.” Inside that email account were .txt files which contained MB and MF’s phone number, name, and the amount of funds stolen. A handy piece of bookkeeping for investigators.
With access to those email records, the Secret Service identified their suspect. They included multiple photos of his Republic of India passport, bank statements in his name, and photos sent as part of his application to travel to the U.S. Investigators compared the photo on Tomar’s U.S. travel visa to photos in that email account and confirmed they were the same person, the court document says. On that visa application, Tomar used a particular phone number, which authorities then linked to a specific account on the cryptocurrency exchange MEXC under a fake name. “Investigators believe that Tomar’s use of a fictitious name for the Tomar MEXC account is indicative of an attempt to conceal the true identity of the account holder and obfuscate the nature and source of the cryptocurrency transactions that took place therein,” the court record reads. Investigators traced the movement of some of the stolen funds to this MEXC account despite Tomar allegedly performing “chain hopping,” where someone converts one cryptocurrency into another, according to the affidavit.
(Image: a screenshot from the court record showing how investigators traced the cryptocurrency.)
Authorities also found Tomar performed a series of cryptocurrency-fraud-related Google searches, such as “Fake coinbase page,” “Coinbase scam,” and “How to take money from coinbase without OTP,” with OTP referring to a one-time passcode which may be needed to move funds. I’ve previously covered the boom in automated bots that let hackers trick people into handing over their OTPs.
Authorities arrested Tomar on December 20. The court docket does not list a lawyer representing him. The Western District of North Carolina did not immediately respond to a request for comment. The Secret Service did not respond either.
Coinbase accounts are a common target for hackers. Fraudsters advertise access to Coinbase “panels” across multiple Telegram group chats 404 Media monitors. With these, even inexperienced hackers can streamline the process of phishing login credentials, with some even coming with dedicated settings for receiving a target’s identification documents. Developers sometimes sell access to these tools for a flat fee or for a cut of the stolen funds.
Coinbase told 404 Media in a statement that it worked with law enforcement on this investigation. “At Coinbase, we prioritize user security by employing a team of expert investigators who analyze and counteract cyber threats. Our collaborative investigative efforts in coordination with law enforcement resulted in the arrest of one of the individuals responsible for a large-scale phishing scheme,” the statement read. It also recommended customers use YubiKeys, which are pieces of hardware users can plug into their devices to verify their identity, rather than codes which can be phished. The difference matters for exactly the attack Ricardo fell for: a security key signs a challenge that the browser ties to the site’s real origin, so a page at coinbasepro[.]com cannot obtain a login assertion for coinbase.com to relay through a chatbox, whereas a six-digit SMS or authenticator code carries no information about where it was typed.
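To make the origin-binding point concrete, here is an added example (not Coinbase’s code, nor anything from the court record) that simulates the two checks that defeat the chatbox relay: the browser refusing to produce a WebAuthn assertion for rpId "coinbase.com" while the page is on coinbasepro[.]com, and the relying party rejecting any assertion whose clientDataJSON origin or rpIdHash does not match. The rpId, origins, the session nonce and the six-digit code are constructed for the example; the authenticator flags/counter bytes are simplified and the cryptographic signature check that real servers perform afterwards is deliberately left out.

```python
"""Why a FIDO2/WebAuthn security key survives the chatbox relay that a 6-digit code does not.

Added example, not Coinbase's or the affidavit's code. Assumptions: the relying party's
rpId is "coinbase.com"; origins, nonce and OTP below are constructed; authenticatorData
flags/counter are simplified; signature verification over
authenticatorData || SHA-256(clientDataJSON) is assumed to follow and is omitted here.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rp_id_valid_for_origin(origin: str, rp_id: str) -> bool:
    """Browser-side rule: rpId must equal the page's host or be a parent domain of it.
    (Real browsers additionally refuse public suffixes; omitted for brevity.)"""
    host = origin.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    rp_id = rp_id.lower()
    return host == rp_id or host.endswith("." + rp_id)


def browser_get_assertion(origin: str, rp_id: str, challenge: bytes):
    """Simulates navigator.credentials.get() for a page at `origin`.
    Returns None when the browser refuses because rpId is not a parent of the host."""
    if not rp_id_valid_for_origin(origin, rp_id):
        return None
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    # authenticatorData starts with SHA-256(rpId); then flags (UP set) and a 4-byte counter.
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    return {"clientDataJSON": b64url(client_data_json), "authenticatorData": b64url(auth_data)}


def rp_verify(assertion, expected_origin: str, expected_rp_id: str, expected_challenge: bytes):
    """Relying-party checks from the WebAuthn assertion procedure: type, challenge,
    origin, rpIdHash. Returns (ok, reason)."""
    if assertion is None:
        return False, "browser refused: rpId does not match page origin"
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def demo() -> dict:
    """Run the four scenarios the article implies and return each verdict."""
    rp_id, real_origin = "coinbase.com", "https://pro.coinbase.com"
    challenge = hashlib.sha256(b"constructed per-login nonce").digest()
    results = {}
    # 1. Legitimate login on the real subdomain.
    results["real_site"] = rp_verify(
        browser_get_assertion(real_origin, rp_id, challenge), real_origin, rp_id, challenge)
    # 2. Victim on the lookalike: the browser will not mint an assertion for rpId coinbase.com.
    results["lookalike_site"] = rp_verify(
        browser_get_assertion("https://coinbasepro.com", rp_id, challenge), real_origin, rp_id, challenge)
    # 3. Phishing kit uses its own rpId: it gets an assertion, but the real RP rejects the origin.
    results["kit_own_rpid"] = rp_verify(
        browser_get_assertion("https://coinbasepro.com", "coinbasepro.com", challenge), real_origin, rp_id, challenge)
    # 4. Contrast: a 6-digit code typed into the scammer's chatbox and relayed to the real site.
    issued_otp, relayed_otp = "482913", "482913"   # constructed; the code carries no origin
    results["otp_relay"] = (issued_otp == relayed_otp, "code accepted regardless of where it was typed")
    return results


if __name__ == "__main__":
    for scenario, (ok, reason) in demo().items():
        print(f"{scenario:15s} accepted={ok!s:5s} {reason}")
```

Scenario 2 is the one that matters for Ricardo’s story: the attack never reaches the server because the browser on coinbasepro[.]com will not ask the key for a coinbase.com assertion, and there is nothing for the man in the chatbox to relay. Scenario 3 shows the server-side backstop if a kit tries anyway. Scenario 4 is the SMS/authenticator-app flow the group actually abused: the code is valid wherever it is entered, so social engineering is enough.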
Coinbase now appears to be in control of coinbasepro[.]com. In May 2022, nearly two years after the phishing started, Coinbase filed a complaint seeking ownership of the domain. On June 20, a panel responsible for handling such complaints ordered that the domain be transferred over to Coinbase. That was too late, not just for Ricardo, but also for PAC who lost around a quarter of a million dollars that same month.
At the time of the theft, Ricardo reported his own story to IC3, the FBI’s Internet Crime Complaint Center, and Coinbase itself. He was shaking with anger when typing up his complaints. “How can I be this stupid to fall for something?” he recalled thinking. He realized he wasn’t going to get his money back.
The man on the phone burping has stuck with Ricardo. To him, that says “I don’t fucking care.”
Update: This piece has been updated to include a statement from Coinbase.