The recent Coinbase data breach has taken a dramatic turn as the attacker behind the hack moved $42.5 million worth of Bitcoin into Ethereum, leaving a taunting message aimed at on-chain investigator ZachXBT. The incident, which initially surfaced earlier this month, has now developed into one of the most significant security failures in the crypto exchange’s history, prompting federal investigations and a potential $400 million fallout.
According to blockchain sleuth ZachXBT, the hacker behind the Coinbase breach carried out a substantial swap on Thorchain, converting approximately $42.5 million in BTC to ETH. What stood out wasn’t just the scale of the movement but the hacker’s brazen attitude. An on-chain message reading “L bozo” was embedded into the transaction, directly mocking ZachXBT. The term, derived from internet slang, combines “L” for “loss” and “bozo,” meaning a foolish person — a clear attempt to ridicule the investigator and demonstrate the hacker’s defiance.
Coinbase first acknowledged the incident last week, revealing that the breach stemmed from a social engineering attack. A rogue customer support agent, allegedly bribed by the hacker, granted unauthorized access to internal tools. This allowed the attacker to retrieve sensitive data from roughly 97,000 user accounts, including government-issued IDs and possibly email addresses.
Fortunately, Coinbase clarified that no passwords, private keys, or wallet access credentials were compromised. Still, the loss of identity documents presents serious risk, particularly as such information can be weaponized for phishing or further social-engineering attacks.
After securing the data, the attacker reportedly demanded a $20 million ransom from Coinbase in exchange for not leaking or selling the stolen user information. Coinbase refused to comply, standing by a zero-tolerance policy for extortion. Instead, the company responded by offering a $20 million bounty for information leading to the identification and capture of the hacker.
The attacker’s subsequent actions — including the $42.5M BTC-to-ETH swap and the sale of 8,698 ETH for $22.12 million in DAI — were tracked in real time by blockchain analysts. The taunt to ZachXBT seems to be a retaliatory move following the growing pressure from on-chain detectives and federal investigators.
In response to the breach, the U.S. Department of Justice (DOJ) has started a formal probe into Coinbase’s internal controls and hiring practices. According to internal sources, the breach occurred in December 2024 but only came to light in early May 2025, raising concerns over the timeliness of the company’s threat detection and response protocols.
Coinbase has since confirmed that 69,461 users had their data compromised. The remaining users were notified as a precautionary measure. The company has begun strengthening its internal systems, with a particular focus on:
Enhanced employee background screening
Real-time transaction monitoring for suspicious activity
Stricter access control to customer records
Staff re-training on social engineering threats
While no direct customer losses have been reported, Coinbase has warned that the total financial impact of the breach could exceed $400 million. This figure includes potential legal costs, compensation, security upgrades, and revenue losses from damaged user trust.
Coinbase CEO Brian Armstrong issued a statement calling the attack a “wake-up call” for the industry. “No amount of technical security can compensate for insider threats. This breach emphasizes the need for continuous vigilance and better safeguards, even within our own teams.”
This breach highlights a growing vulnerability within the cryptocurrency sector: social engineering attacks. Unlike technical hacks that exploit software bugs, social engineering targets human behavior, often manipulating employees into inadvertently granting unauthorized access.
Security experts warn that exchanges and crypto platforms need to invest more in human-factor risk mitigation, including better vetting of customer service agents, implementation of zero-trust architecture, and improved employee education on cyberthreats.
With federal authorities involved and the on-chain community tracking every move, the hacker’s options are narrowing. The large-scale conversion of assets into DAI suggests an attempt to obscure funds through decentralized finance (DeFi) channels — a tactic commonly used to complicate law enforcement tracing.
However, blockchain transparency offers a unique advantage in such cases. As investigators and analysts monitor Ethereum and other networks for signs of movement, the hacker may face mounting pressure to launder the funds without triggering alerts.