Cybercrimes

Everything you're about to read is based on verified reporting. We rely on court documents, indictments, blockchain analysis, and investigative journalism. The facts are all real. But to put you inside the experience, we've dramatized certain moments. Some of the people in this story were never publicly identified. So we've created characters to bring them to life. We do this because cybercrime isn't just about the data. Security awareness is about the people.

I. Night Interrupted

It was September 2024, and David was on his couch in suburban Pennsylvania, half-watching a Phillies game with the volume low enough that he could hear the dog snoring by the back door. His wife had gone upstairs to read an hour ago. The kind of Tuesday where the day is already over and you're just running out the clock before bed.

David was 54. He'd spent his career in commercial real estate, and he'd gotten into crypto about six years earlier after a colleague at work wouldn't stop talking about Bitcoin. David eventually put in a couple thousand dollars just to see what would happen. The price went up. Then it went up more. Over the years he added to his position, and by the fall of 2024, his Coinbase account held a little over $50,000. It wasn't his whole retirement, but it was real money. He checked it maybe once every other week. He wasn't a trader. He was a buy-and-hold guy who had gotten lucky with his timing.

His phone buzzed on the coffee table.

David sat up and looked at the screen. A text from Coinbase: Suspicious login detected on your account. If this was not you, reply STOP. He reached for the phone, and before he could pick it up, another message came in. This one was from Google. New sign-in to your Google account from an unrecognized device. If this was not you, secure your account immediately.

Then another from Coinbase. Then another from Google.

They started stacking up, one every few seconds. His phone was buzzing in his hand like something had gone wrong inside of it. David's heart started knocking against his chest. He stood up from the couch.

And then the phone rang. The caller ID said Coinbase.

He answered. "Hello?"

The voice on the other end was calm. Direct. Professional. The man said his name was Fred Wilson, and that he was calling from the Coinbase security team. He told David they'd been monitoring unauthorized access to his account for the last several minutes, and that someone was attempting to drain his holdings. He said he needed to walk David through securing his assets before the attacker completed the transfer.

David's chest went tight. "Yeah. What do you need me to do?"

Fred explained that they needed to move David's crypto to a secure cold wallet, one that only David would control. He said he'd walk him through every step, but that they needed to move now, because the unauthorized access was still active.

David asked if he could hang up and call Coinbase directly. Fred didn't flinch. He told David that of course he could, but that by the time he got through the automated phone tree and waited on hold and got transferred and had to explain the whole situation from the beginning, the attacker could have already completed the withdrawal. He said he was telling David right now, his account was being accessed in real time. If they didn't move in the next few minutes, the money might not be there by the time he got through the general call line.

David stood in his living room and thought about this. He had real money in that account. The idea of it disappearing while he sat on hold was more than he could take.

"All right," he said. "Tell me what I need to do."

II. Seed Phrase

Fred walked David through it step by step. He was calm the entire time, patient. He never rushed. He explained every action before he asked David to take it. He sounded like someone who had done this a hundred times and knew exactly what he was talking about.

And then he asked for David's seed phrase.

David hesitated. He knew you weren't supposed to give that to anyone. That was the one thing every crypto guide, every Reddit thread, every warning label on every hardware wallet told you never to do. Fred seemed to sense the pause. He explained that this was a verified internal process. The seed phrase would let Coinbase's security team migrate David's assets to a protected vault. Once the migration was complete, David would receive a new seed phrase that only he would have.

David had been on the phone for maybe fifteen minutes. His heart was still pounding. The texts were still coming in. He read the seed phrase out loud. Twelve words. His entire financial position compressed into twelve words spoken into a phone.

Fred thanked him. He said the transfer was processing and that David should expect a confirmation email within the hour. He told him to change his passwords and to call the general Coinbase line in the morning to make sure everything looked clean on their end.

And then the line went dead.

David sat back down on the couch. He waited for the confirmation email. He refreshed his inbox over and over. It never came.

III. Zero

A few minutes later, David opened the Coinbase app and looked at his balance.

Zero.

He refreshed. Zero. He closed the app and reopened it. Still zero. He stared at the screen like it might change if he gave it another second.

He called Coinbase's real support number and sat on hold for about 45 minutes. When a representative finally picked up, she pulled up his account and told him there had been a series of outbound transfers earlier that evening. All of them authorized with his own credentials. Everything had been sent to an external wallet address that Coinbase had no control over.

David told her about the phone call. He told her about Fred Wilson from the security team, about the texts, about the seed phrase. There was a long, uncomfortable pause on the other end of the line.

The representative told him, "Nobody from Coinbase called you. That's not even how we operate."

David sat on his couch in the dark. The Phillies game was still on, the sound barely audible. His dog hadn't moved from the back door. His wife was still upstairs reading. In shock, he just sat there, staring at his phone, replaying the entire interaction over and over.

IV. Sheepshead Bay

The person who called David that night was not named Fred Wilson.

His name was actually Ronald Spektor. He was 23 years old and he lived with his father in a small apartment in Sheepshead Bay, at the southern end of Brooklyn. It was not the kind of place you'd picture a multimillion-dollar criminal operation running out of. But that's where it ran. Out of Ronald's bedroom, with a phone, a laptop, and a list of names he should have never had access to.

Ronald had a routine. He'd eat whatever was in the kitchen, sit down at his laptop, and start working through the list. Pick a name. Pull up their details. Launch automated bots to flood their phone with fake security alerts from Coinbase and Google. Wait a few minutes for the panic to build. And then make the call.

He used the same script every time. The same calm, rehearsed, professional voice. The same Coinbase security story and urgency. And it worked, because he knew things about his targets that a stranger shouldn't know. He knew their names, their email addresses, what platforms they were on. He had a list, and that list had details.

He'd been running this play since April 2023, so almost two years. David was not his first victim, not even close. By September of 2024, Ronald had stolen millions from dozens of people across the country. A Virginia resident lost more than $900,000. A woman in Maryland lost $38,750. The stories were almost identical every time. Bots, panic, phone call, and then securing the seed phrase.

What Ronald did with the stolen money was almost as reckless as how he got it. He ran the crypto through mixing services and token-swapping platforms to obscure the trail. He then converted some of it to cash, or bought gift cards. And then he gambled with it all. He was on betting platforms and online casinos constantly, dropping millions of dollars into gambling sites the same week he stole them. He burned through money like someone who believed there would always be more.

And he couldn't stop talking about it.

V. Blockchain Enemies

Ronald operated under the handle @lolimfeelingevil. He ran a Telegram channel called Blockchain Enemies and was on Discord telling people, openly, that he was robbing Coinbase users through social engineering. He talked about specific heists, and joked about how easy it was.

A 23-year-old living in his father's apartment, stealing millions, gambling it all away, and then going online to brag about it to anyone who would listen.

In October 2024, Ronald made a call to a man in California. This one had a big portfolio. Ronald ran the same playbook. The bots, the panic, the phone call, the seed phrase. The California man lost over six million dollars in a single conversation.

Ronald didn't invest any of it. He didn't leave the country. He didn't buy property or open offshore accounts or do any of the things you'd expect from someone who just came into six million dollars. He gambled it. When people on Discord asked him about it later, he told them he'd lost the six million gambling. He said it like it was a bad day at the poker table.

But this California victim went looking for help.

VI. The Thread

There's a person on the internet who goes by ZachXBT. He's a blockchain investigator who tracks crypto scams and publishes his findings. He's not law enforcement and he's not affiliated with any company. He's just an independent researcher with a laptop and he happens to be very good at following money across the blockchain.

The California victim found ZachXBT and told him everything. The phone call, the fake alerts, the six million dollars. ZachXBT started pulling on the thread. He traced wallet addresses. He followed the stolen crypto through the mixers and the swaps, through Bitcoin and Ethereum and into Litecoin, tracking conversion after conversion. He cross-referenced transaction patterns with publicly available information. He matched wallet activity with withdrawal timing and linked it to Discord accounts and Telegram channels. Piece by piece, he built a map that led back to a young man in Sheepshead Bay.

On November 20, 2024, ZachXBT published his findings. The transaction patterns were laid out. The timeline was mapped. The online aliases, the wallet connections, the screen-shared Ledger balances. All of it pointed to Ronald Spektor.

Within days, the Telegram channel stopped updating. The Discord activity dried up. For the first time, Ronald was scared. For the first time, he felt seen. This wasn't the kind of attention he'd been looking for when he was bragging on Blockchain Enemies.

He texted his father. Messages recovered later from his phone showed the two of them discussing what prosecutors would describe as concealing the financial proceeds of the scheme. Ronald asked his father to destroy his hardware wallets. He asked his mother to buy him a new one. A clean one. He moved $600,000 in crypto to a contact in the country of Georgia. He looked into routes to Mexico. He looked into Canada.

Then he bought a one-way Greyhound ticket with cash.

VII. The Back of the Bus

Ronald traveled for months. Buses, city to city, station to station. He made no reservations. He had no pattern and no return trips. He kept his hood up in terminals and sat near the back of the bus where he could see the whole aisle. He used different names whenever he had to talk to someone and avoided sitting down in any restaurant where someone might remember his face.

Two months earlier, this was the same kid posting his wallet balances on Discord. Now he was riding overnight through cities he'd never been to, carrying everything he had in one bag, trying not to be noticed by anyone.

But the blockchain doesn't lose your trail at a bus station in Virginia. Every transaction Ronald had ever made was still sitting on a public ledger, timestamped and permanent, waiting for someone with the patience to follow it home.

VIII. Operation Phish Net

The Brooklyn District Attorney's Virtual Currency Unit had been building the case for over a year. They'd been quietly serving warrants and tracing transactions and interviewing victims while Ronald was building his Telegram following. ZachXBT's published research gave them a boost, but they were already closing in. More than 70 victims had told investigators the same story. Prosecutors had already traced the stolen funds and linked wallet activity back to Ronald's home IP address. His own messages on Telegram and Discord read like a signed confession.

Ronald was taken into custody on December 4, 2024, through what the DA's office called Operation Phish Net. Investigators seized about $105,000 in cash and roughly $400,000 in cryptocurrency. Out of nearly $16 million stolen from about a hundred people, they recovered half a million. The rest was gone. Gambled, laundered, or scattered across mixing services and betting platforms.

On December 19, Ronald was brought into a Brooklyn courtroom. He stood before Supreme Court Justice Danny Chun and faced a 31-count indictment: first-degree grand larceny, first-degree money laundering, possession of stolen property, scheme to defraud. The top charges carried a maximum of 25 years.

He stood there, the 23-year-old who called himself @lolimfeelingevil, the kid who ran Blockchain Enemies, the kid who gambled away six million dollars and laughed about it online.

He pleaded not guilty.

His attorney, Todd Spodek, told reporters that the allegations were speculative and based on incomplete information. He said the case would look very different once the full picture came out. The judge set bail at $500,000 cash.

Ronald's father came to court to post the bail. The judge asked him one question: where did this money come from?

His father couldn't answer.

The judge refused to accept it. Ronald's father walked out of the courtroom. Ronald didn't. He was transported to Rikers Island.

His father is now an active suspect in the investigation.

IX. Inside Job

There's a piece of this story we haven't gotten to yet. How did Ronald know who to call? How did he have their names, their phone numbers, their email addresses? How did he know which people held Coinbase accounts and how much they were holding?

Coinbase is one of the largest cryptocurrency exchanges in the world. It's publicly traded. It manages billions of dollars in customer assets. It has security teams and compliance departments and entire divisions built around protecting user data.

But in a separate incident that came to light months later, it turned out that Coinbase customer service agents working overseas had been bribed to hand over customer records. The agents worked for a company called TaskUs, a Texas-based outsourcing firm with operations in India. According to court filings and investigative reporting, employees at TaskUs were paid to pull up customer data and pass it to criminals. One agent was accused of photographing up to 200 records a day from her computer screen.

The breach ran for months before Coinbase caught it. By then, nearly 70,000 customer accounts had been compromised. The stolen data included names, contact information, partial Social Security numbers, banking details, and images of government-issued identification. Armed with this kind of information, a group of attackers demanded $20 million in ransom from Coinbase.

Coinbase refused to pay. Instead, the company posted a $20 million bounty for information leading to the arrest of those responsible.

Prosecutors have not publicly stated that Ronald's target list came from this specific breach. But the broader pattern is clear: when insider access meets outsourced customer data, the people on the other end of the phone never see it coming.

What You Should Know

No legitimate company will ever call you and ask for your seed phrase. They won't ask for your password. They won't ask you to transfer assets to a "safe wallet." That process does not exist.

Every scam like this works the same way. They manufacture a crisis, and then they need you to act right now. The urgency is the weapon. Every second you spend thinking about it is a second you might hang up. In this story, David almost did. He almost hung up and called the real Coinbase number. But the caller talked him out of it. That one decision cost him everything he had in that account.

If someone calls you claiming to be from any financial platform, hang up. Find the official number yourself. Call them back. If there's really a problem with your account, it'll still be a problem in five minutes. The only person who benefits from you staying on the line is the person who called you.

Your seed phrase is yours. Period. No company representative, no security team, no support agent will ever need it. If someone asks for it, they're stealing from you.

Urgency is always the tell. Legitimate companies don't call you in a panic. They send emails. They send notifications through their app. They give you time. If someone is telling you that you have to act right now or you'll lose everything, that's not a security team protecting your money. That's a thief trying to take it.

Source Notes

This story is based on the indictment and press release from the Brooklyn District Attorney's Office (December 19, 2024), reporting from ABC7 New York, The Block, Fortune, BleepingComputer, and the published blockchain investigation by ZachXBT (November 20, 2024).

The defendant's legal name is Ronald Spektor. He has pleaded not guilty to all charges and is presumed innocent until proven guilty. His attorney, Todd Spodek, has disputed the allegations.

David is a composite character. His story is based on details from the Brooklyn DA's press release describing a Pennsylvania victim who received a call from someone claiming to be "Fred Wilson from Coinbase" in September 2024. Specific details of his evening, his personal background, and his internal experience have been dramatized. The actual Pennsylvania victim reported losing $53,150 in cryptocurrency.

The Coinbase insider breach involving TaskUs employees was a separate incident disclosed by Coinbase in May 2025. Prosecutors have not publicly connected that specific breach to Ronald Spektor's target list. We've included it here because it illustrates how insider access to customer data can enable the kind of social engineering attacks described in this story.

Ronald's time on the run, including the Greyhound buses and attempts to flee the country, is drawn from court documents and prosecutors' statements as reported by multiple outlets. His online activity, including the @lolimfeelingevil handle and the Blockchain Enemies Telegram channel, is documented in the indictment.

