A Phishing Attack, a Mixer, and $55 Million Gone
In August 2024, a crypto user from Puerto Rico fell victim to a precisely engineered phishing attack. Hackers used a spoofed DeFi Saver login page to seize control of the victim's wallet, rapidly moving over $55 million in DAI stablecoins before laundering the proceeds through a mixing service.
The victim subsequently hired multiple on-chain investigation firms to trace the stolen funds. The trail eventually led to Coinbase accounts. In December 2024, Coinbase froze the relevant assets in accordance with its AML compliance obligations—a legitimate and appropriate response.
After the Freeze: A Reasonable Start, an Unacceptable Ending
That's where the story took a troubling turn. Eighteen months later, Coinbase still refuses to return the frozen funds to the victim, stating that only a court order can authorize their release.
In May 2026, the victim filed an anonymous lawsuit against Coinbase in San Francisco federal court. The complaint makes a careful distinction: Coinbase's initial freeze was justified, but its continued refusal to return the funds after the victim submitted sworn proof of ownership goes beyond the reasonable scope of compliance obligations. As of the time of reporting, Coinbase has not publicly responded.
What This Case Reveals: Freezing Is Not the Same as Recovery
This case exposes the core dilemma in on-chain asset recovery: even when stolen funds are successfully identified and frozen, victims may still face a lengthy legal process before truly reclaiming their assets. The combined obstacles of mixer usage, multi-hop transfers, and exchange compliance procedures create multiple barriers on the road to recovery.
For crypto platforms and compliance teams, building robust mechanisms for identifying and handling suspicious funds is essential. Trustformer KYT provides real-time risk flagging before funds enter the platform, helping exchanges find a clearer course of action between compliance obligations and victim protection.