September 2024. A Tuesday night.

David was on his couch in suburban Pennsylvania, half-watching a Phillies game he'd already lost interest in. His wife was upstairs reading. The dog was out cold by the back door. One of those nothing evenings where the day is basically over and you're running out the clock before bed.

David was 54. Commercial real estate. He'd gotten into crypto about six years earlier after a colleague at work wouldn't shut up about Bitcoin. David finally put in twenty thousand dollars just to see what would happen. It went up. Then it went up more. Over the years he added to his position, spread into a few other coins, and watched his holdings grow into something that actually mattered. About four hundred thousand dollars in his Coinbase account. Not his whole retirement, but a meaningful piece of it. He checked it maybe once a week. He wasn't a day trader. He was a buy-and-hold guy who'd gotten lucky with timing.

His phone buzzed on the coffee table.

He glanced down. A text from Coinbase. "Suspicious login detected on your account. If this was not you, reply STOP."

He picked it up.

Another one came in. Google this time. "New sign-in to your Google account from an unrecognized device. If this was not you, secure your account immediately."

Then another from Coinbase. Then another from Google. They started stacking up, one every few seconds, his phone buzzing in his hand like something was happening to his accounts in real time.

David sat up. The Phillies game was gone.

Then his phone rang.

The caller ID said Coinbase. The voice on the other end was calm and direct. He said his name was Fred Wilson, Coinbase security team.

"Mr. Kessler, we've detected unauthorized access to your account. We've been monitoring it for the last few minutes and we believe someone is attempting to drain your holdings. I need to walk you through securing your assets before they complete the transfer."

David's chest went tight. "What do I need to do?"

Fred told him they needed to move his assets to a secure cold wallet. One that only David would control. He'd walk him through every step. But they needed to move now, because the unauthorized access was still active.

David asked if he could hang up and call Coinbase directly.

Fred didn't flinch. He said of course. But he should know that by the time he gets through the phone tree, waits on hold, gets transferred, and explains the situation from the beginning, the attacker could have already completed the withdrawal. "I'm telling you right now, your account is actively being accessed. If we don't move in the next few minutes, your assets may not be there when you get through to the general line."

David thought about four hundred thousand dollars disappearing while he sat on hold.

He stayed on the line.

Fred walked him through it. Step by step. Calm. Patient. He never rushed. He explained every action before asking David to take it. He used Coinbase's real terminology. He referenced David's account by name.

Then he asked for David's seed phrase.

David stopped. He knew you weren't supposed to give that to anyone. Fred explained it was a verified internal process. The seed phrase would let Coinbase's security team migrate his assets to a protected vault. Once the migration was complete, David would get a new seed phrase that only he would have.

David read it out loud. Twelve words. His entire financial position, in twelve words.

Fred thanked him. Said the transfer was processing. Said to expect a confirmation email within the hour. Told him to change his passwords and call the general line in the morning to make sure everything looked clean.

The line went dead.

David sat on his couch and waited for the confirmation email.

It never came…

Thank you to our sponsor, Proton:

Proton Mail offers what others won’t:

We don’t scan your emails. We don’t sell your data. And we don’t make you dig through settings to find basic security. Proton is built for people who want control, not compromise.

Simple, secure, and free.

Explore Proton’s benefits

Two hours later, David logged into Coinbase.

His balance read zero.

He refreshed. Zero.

He closed the app. Reopened it. Zero.

He called Coinbase's real support number. He sat on hold for forty-five minutes. When he got through, the representative pulled up his account and told him there had been a series of outbound transfers earlier that evening. All authorized from his credentials. All sent to external wallet addresses that Coinbase had no control over.

David told her about Fred Wilson. About the phone call. About the seed phrase.

There was a long pause.

She told him there was no one named Fred Wilson at Coinbase.

The person who called David that night was not named Fred Wilson.

His name was Ronald Spektor. Twenty-three years old. He lived with his father in a small apartment in Sheepshead Bay, at the southern end of Brooklyn, down near the water. Quiet neighborhood. The kind of place where old Russian women push grocery carts down the sidewalk and guys fish off the pier on weekday afternoons. Not where you'd picture a multimillion-dollar operation running out of.

But that's where it ran. Ronald's bedroom. No office. No call center. No crew. A kid with a phone, a laptop, and a list of names he should never have had.

His days had a rhythm. He'd get up sometime in the afternoon. Eat whatever was in the kitchen. Sit down at his laptop and start working through the list. Pick a name. Pull up their details. Launch the bots to flood their phone with fake security alerts. Wait a few minutes for the panic to build. Then call.

He'd been doing it since April 2023. Almost two years. David wasn't his first. He wasn't close to his first. By September 2024, Ronald had stolen millions from dozens of people across the country, running the same script every time. Same calm voice. Same Coinbase security story. Same urgency. It worked because he knew things about his targets that a stranger shouldn't know. Their names. Their emails. What they were holding and roughly how much. Where that information came from is part of the story we'll get to later. It's worse than you think.

What he did with the money was almost as reckless as how he got it. He'd run the stolen crypto through mixing services and swapping platforms, convert pieces of it to cash, buy gift cards, and gamble. Constantly. Online crypto casinos and betting platforms. Millions of dollars fed into gambling sites the same week he stole them.

And he couldn't stop talking about it.

He operated under the handle @lolimfeelingevil. It wasn't a carefully guarded alias. He used it in the open. He ran a Telegram channel called "Blockchain Enemies" where he posted about his scores. He was on Discord telling people he'd been robbing Coinbase users through social engineering. Not in code. He talked about specific heists. He joked about how easy it was.

Twenty-three. Living in his dad's apartment. Stealing millions. Gambling it away. Telling the internet about it like nothing could touch him.

October 2024. Ronald made the call that would end everything.

A man in California. Big portfolio. Ronald ran the playbook. The bots. The call. The urgency. The seed phrase.

The California man lost over six million dollars in a single phone call.

Ronald didn't invest it. Didn't leave the country. Didn't buy property or open offshore accounts or do any of the things you'd expect from someone who'd just come into six million dollars.

He gambled it. Sat in his father's apartment in Sheepshead Bay and fed it into online gambling platforms until it was gone. When people on Discord asked about it, he told them. Said he'd lost six million through gambling. Said it like it was a bad beat at a poker table.

But the California victim didn't disappear. He went looking for help. And he found it.

There's a person on the internet who goes by ZachXBT. Nobody knows his real name. He's a pseudonymous blockchain investigator who tracks crypto scams and publishes his findings. Not law enforcement. Not affiliated with any company. Just a guy with a laptop who's very good at following money across a public ledger.

The California victim found ZachXBT and told him everything. The phone call. The fake alerts. The six million.

ZachXBT started pulling the thread. He traced wallet addresses. Followed the money through the mixers and swaps and gambling platforms. Cross-referenced transaction patterns with publicly available information. Piece by piece, he built a map of who was on the other end.

In November 2024, he published his investigation. He didn't use Ronald's real name. But the wallet addresses were there. The transaction patterns were laid out. The timeline was mapped. Anyone who knew what Ronald had been doing would read that report and see themselves in it.

Including Ronald.

After the investigation went public, Ronald went quiet.

The Telegram channel stopped updating. The Discord activity dried up. He read ZachXBT's report on his phone, probably in that same bedroom where he'd made all those calls. His name wasn't in it. But the wallet addresses were. The transaction patterns were mapped. The timeline matched. Anyone who knew what Ronald had been doing would read that report and see him staring back at them from between the lines.

He texted his father. The messages, recovered later from his phone, show them discussing what prosecutors would describe as "concealing the financial proceeds of the Coinbase scheme." He asked his father to destroy his hardware wallets. He asked his mother to buy him a new one. Clean.

He moved $600,000 in crypto to a contact in the country of Georgia. He looked into routes to Mexico. He looked into Canada.

Then he bought a Greyhound ticket. Cash. One way.

He traveled for months. City to city. Station to station. No reservations, no pattern, no return trips. He kept his hood up in terminals and sat near the back of the bus where he could see the whole aisle. He used different names when he had to talk to anyone, which he avoided when he could. He paid cash for food at whatever was near the station. Gas station coffee. Vending machine sandwiches. The kind of meals you eat because you're not going inside a restaurant where someone might remember your face.

He kept his phone close. Checked it constantly. Refreshing the same pages, scanning for any sign that the wallet addresses in ZachXBT's report had been tied to a name and an apartment in Sheepshead Bay. Every time he opened a new browser tab, he was looking for himself.

This was the same kid who'd been posting on Telegram about million-dollar heists two months earlier. Who'd gambled away six million dollars and told people about it like it was a bad beat at a poker table. Now he was riding overnight buses through cities he'd never been to, carrying everything he had in one bag, trying not to be noticed by anyone.

But the blockchain doesn't ride a bus. It doesn't lose your trail at a station in Virginia at three in the morning. Every transaction Ronald had ever made was still sitting on a public ledger, timestamped and permanent, waiting for someone with the patience to follow it home.

December 4th, 2024.

The Brooklyn District Attorney's Virtual Currency Unit had been building the case for over a year. Quietly. Serving warrants, tracing transactions, interviewing victims while Ronald was building a Telegram following. ZachXBT's published research gave them a boost, but they'd already been closing in. More than 70 victims told investigators the same story. The phone call. The fake alerts. The calm voice. The seed phrase. The empty account.

They traced stolen funds to Ronald's home IP address. His own messages on Telegram and Discord read like a signed confession.

He'd done their job for them.

Ronald was arrested. The months of Greyhound buses, the fake names, the hood up in the back of the terminal. All of it ended with handcuffs.

They seized about $105,000 in cash and $400,000 in cryptocurrency.

Out of $16 million stolen from roughly a hundred people, they got back half a million. The rest was gone. Gambled. Laundered. Scattered across mixing services and betting platforms and gift card purchases and cash-outs stretching across the country and beyond it.

December 19th. Ronald was brought into a Brooklyn courtroom and arraigned before Supreme Court Justice Danny Chun. Thirty-one counts. First-degree grand larceny. First-degree money laundering. Scheme to defraud. Possession of stolen property. The top charges each carry a maximum of 25 years.

He stood in front of the judge. Twenty-three years old. The kid who called himself @lolimfeelingevil. The kid who ran "Blockchain Enemies." The kid who gambled away six million dollars and laughed about it on Discord.

He pleaded not guilty.

His attorney, Todd Spodek, told reporters the allegations were "speculative and based on incomplete information." He said the case would look very different once the full picture came out.

The judge set bail at $500,000 cash or $1 million bond.

Ronald's father came to court to post it. The judge asked him one question. Where did this money come from?

His father couldn't answer.

The judge refused to accept it.

Ronald's father walked out of the courtroom. Ronald didn't. He was transported to Rikers Island, where he remains today.

His father is now an active suspect in the investigation.

There's a piece of this story we haven't gotten to. The piece that makes it bigger than one kid in Brooklyn with a phone and a gambling habit.

How did Ronald know who to call?

How did he have their names, their phone numbers, their email addresses? How did he know which people had Coinbase accounts and what they were holding? A 23-year-old in his dad's apartment in Sheepshead Bay doesn't have access to that kind of information. Coinbase is one of the largest crypto exchanges in the world. Publicly traded. Billions in assets under management. Security teams. Compliance departments. The kind of infrastructure you'd expect from a company that holds people's money.

So where did the data come from?

It came from inside Coinbase.

Starting in late December 2024, just weeks after Spektor's arrest, bribed customer service agents working overseas started feeding customer data to criminals. The agents worked in India. They were paid roughly $250,000 to pull up customer records and hand them over. Names. Phone numbers. Emails. Account balances. The kind of information that turns a cold call into a conversation. The kind of information that makes a scammer sound like he belongs.

The breach ran for five months before Coinbase caught it. By then, nearly 70,000 customer accounts had been compromised.

The attackers demanded $20 million in ransom. Coinbase refused. They offered a $20 million reward for information leading to arrests instead. The total cost to the company hit an estimated $355 million.

In December 2025, the first arrest came. A former customer support agent in Hyderabad.

This was the pipeline. This was how Ronald Spektor could call a stranger in Pennsylvania, use his real name, reference his account, and sound like someone who worked there. Not because Ronald was a brilliant hacker who'd cracked a firewall. Because somebody on the inside sold David's information for a piece of the take.

David never got his money back.

He filed reports with the FBI, with Coinbase, with local police who told him they didn't handle crypto cases. He spent weeks calling lawyers and investigators and support reps who were sympathetic but couldn't do anything. He learned that crypto transactions are irreversible by design. Once the money moves, it's gone. "Authorized from his credentials" means Coinbase has no obligation to reverse the transfer, even if the authorization was obtained through fraud.

He couldn't sleep. He'd lie in bed running the call back in his head. The moment Fred told him his account was being accessed. The moment Fred asked for the seed phrase. The moment David almost hung up, almost called Coinbase himself, but didn't. Because Fred made it sound like every second on hold was a second closer to losing everything.

The waiting would have cost him nothing. Staying on the line cost him everything.

He told his wife at the kitchen table. That was the hardest conversation. Not the money itself. Explaining that a voice on the phone talked him into reading twelve words out loud. That those twelve words were worth four hundred thousand dollars of their future.

She didn't yell. She didn't blame him. She sat there for a long time and then asked one question.

"How did they know your name?"

He didn't have an answer yet. He would, eventually. But not that night.

Ronald Spektor stole $16 million from about a hundred people. He's in Rikers right now facing decades in prison. His father might be next. Almost none of the money was recovered.

But Ronald Spektor was not a genius. He was a 23-year-old who lived with his dad and gambled away six million dollars and bragged about his crimes on Telegram. The only reason he pulled it off was because he had real customer data from inside Coinbase, and he was willing to pick up the phone.

No legitimate company will ever call you and ask for your seed phrase. They won't ask for your password. They won't ask you to transfer assets to a "safe wallet." If someone says that to you, it's a scam. Every time.

Urgency is the weapon. Every scam like this creates a crisis and demands you act right now. The reason they need you to act right now is because every second you spend thinking is a second you might hang up and call the real company. David almost did that. Fred talked him out of it. That one decision cost him four hundred thousand dollars.

Your move: Go to haveibeenpwned.com and check your email. Change your passwords. Use a password manager. Turn on two-factor authentication with an authenticator app, not SMS. If you hold crypto, use a hardware wallet, and understand that your seed phrase is the key to everything you own. Nobody needs it. Nobody should ask for it. Nobody legitimate ever will.

If you want stories like this in your inbox every week, you're already in the right place. Forward this to someone who needs to read it.

If you run a company or a team and you want your people to actually engage with security awareness, check out dontgetgot.co/training. We built it around stories like this one. The kind of thing people actually remember.

Listen to the full audio version of this story on the dontgetgot podcast page wherever you get your podcasts.

Editor's note: David is a composite character based on multiple victim reports and court documents. Ronald Spektor is a real person who has pleaded not guilty to all charges. Details about his daily routine, internal state, and Greyhound travel are dramatized based on court filings and verified reporting.