Blockchain Academics
Crypto Whale Sues Coinbase Over $55M in Stolen DAI

A cryptocurrency whale has filed a lawsuit against Coinbase, alleging the exchange refused to return approximately $55 million in DAI stablecoins stolen in a 2024 phishing attack. The case centers on whether exchanges bear responsibility for returning stolen funds that arrive on their platforms.

Blockchain Academics · May 6, 2026 · 3 min read

A cryptocurrency whale has filed a lawsuit against Coinbase, alleging the exchange refused to return approximately $55 million in DAI stablecoins stolen in a 2024 phishing attack. The plaintiff's funds were traced to a Coinbase user account, but the exchange has not returned them despite claims of theft.

The case centers on a fundamental tension in crypto: whether exchanges bear responsibility for returning funds that arrive on their platforms as a result of user error or fraud. The victim's inability to recover the stolen DAI through Coinbase's normal channels over nearly two years suggests a gap between user expectations and exchange policy.

Phishing attacks remain one of the most effective attack vectors against cryptocurrency holders. Unlike smart contract exploits or exchange hacks, phishing scams target individual users through fraudulent emails, websites, or messages that trick them into revealing private keys or authorizing transfers. Once funds move from a victim's wallet to an attacker's address, recovery becomes complex. If those funds then flow into a regulated exchange like Coinbase, the situation becomes a legal gray area.

The plaintiff's legal strategy appears to rest on the argument that Coinbase, as a regulated financial platform, should have obligations similar to a traditional bank or custodian when stolen funds appear in an account on its system. Under this theory, the exchange should freeze the receiving account and return the funds to the rightful owner. Coinbase likely takes a different position: that it operates as neutral infrastructure, not a custodian responsible for policing every incoming transfer. The exchange would argue that the receiving account holder has legal ownership rights to deposited funds and that freezing accounts requires proper legal process, law enforcement involvement, and clear evidence of theft.

The two-year delay between the 2024 attack and the 2026 lawsuit filing complicates matters. Coinbase may argue it cannot adequately investigate or preserve evidence after such a long period. Additionally, the receiving account holder on Coinbase may have already withdrawn or spent the funds, making recovery impossible even if the court rules in the plaintiff's favor.

The case reflects a broader challenge facing the industry. Exchanges have incentives to cooperate with law enforcement and fraud victims to maintain their reputation and regulatory standing. But they also face operational and legal complexity in distinguishing between legitimate transfers and stolen funds without clear legal authority to seize accounts unilaterally. If courts begin holding exchanges liable for returning funds traced to their platforms, it could set a precedent that fundamentally changes how platforms handle suspicious deposits.

For users, the lawsuit underscores the reality that phishing victims often have limited recourse. Law enforcement rarely prioritizes cryptocurrency theft, and recovery depends on whether stolen funds end up on a regulated exchange willing to cooperate. The plaintiff's decision to pursue Coinbase rather than the phishing attacker suggests the attacker may be untraceable or judgment-proof, making the exchange the only potentially solvent defendant.

The outcome of this case could influence how Coinbase and other major exchanges handle similar situations going forward. A ruling in the plaintiff's favor might expand exchange liability for stolen asset recovery. A ruling in Coinbase's favor would reinforce the principle that exchanges are platforms, not custodians, and that users bear responsibility for protecting their own accounts against phishing attacks.
