Blockchain Investigator ZachXBT Exposes Coinbase Impersonator
A recent investigation by crypto analyst ZachXBT has exposed a sophisticated phishing operation led by Ronald Spektor that was responsible for stealing at least $6.5 million last month.
Spektor impersonated Coinbase support to trick victims, including one who lost their life savings after being contacted by a fake support agent and clicking on a malicious link.
1/ An investigation into the social engineering scammer Ronaldd (Ronald Spektor) who allegedly helped steal $6.5M last month from a single victim by impersonating Coinbase support. pic.twitter.com/8kmLR5Y3cv
— ZachXBT (@zachxbt) November 20, 2024
The investigation began after the victim reached out to ZachXBT for help, and it uncovered crucial on-chain data.
While overall crypto thefts have decreased, phishing scams are becoming increasingly complex. Spektor's operation stands out for the scale of the losses and the extensive measures taken to cover his tracks before the investigation was made public.
Scammer Flexed Gains on Discord
It was revealed that Spektor laundered his stolen funds through the trading platform eXch, using Bitcoin and Ethereum to move the illicit gains.
3/ An initial tracing of the theft saw all of the stolen funds flow to eXch on Ethereum and Bitcoin where funds were converted to Litecoin and transferred to numerous services. pic.twitter.com/4UQRODtW76
— ZachXBT (@zachxbt) November 20, 2024
Despite attempts to cover his tracks, Spektor allegedly flaunted a $3.1 million balance in his Ledger Live wallet on Discord and even exposed an address linked to the theft.
To further obscure his activities, he deleted multiple social media accounts, which had previously contained valuable incriminating evidence.
5/ Further strengthening the connection to Ronald, a now deleted Telegram channel in his bio associated with fraud shared screenshots of a wallet address only one hop from the $6.5M theft. pic.twitter.com/bgceqJl5kC
— ZachXBT (@zachxbt) November 20, 2024
While many scammers have abandoned the TON ecosystem, Spektor remained active on Telegram, where he used his profile's associated TON address to launder assets.
However, both his Telegram and X accounts have since been shut down.
A now-deleted Telegram channel revealed one of Spektor's on-chain wallets tied to several Coinbase withdrawals, suggesting there were likely additional victims.
This wallet, used to facilitate multiple transactions, points to a broader network of bad actors involved in the phishing campaigns.
Leaked data placed Spektor in New York as of 20 November, but the trail has since gone cold.
7/ Multiple data breaches have publicly exposed Ronald’s information such as the Flipd/OG User breaches leaking his email and New York IPs which link to other breaches containing his alleged full name.
— ZachXBT (@zachxbt) November 20, 2024
ZachXBT has not disclosed further details on the unaccounted funds or the identity of any accomplices.
Spektor quickly deactivated his Telegram account after the investigation went public, and the victim also deactivated their X (formerly known as Twitter) account for reasons still unclear.
Unfortunately, over half of the stolen funds remain untraced, along with the identities of his accomplices and other victims.
Update: Ronald just deleted his Telegram account. pic.twitter.com/YrDvh1ad9A
— ZachXBT (@zachxbt) November 20, 2024
This case highlights the persistent threat of social engineering attacks, reminding the crypto community of the growing security risks that continue to challenge blockchain’s widespread adoption.