A Puerto Rico-based cryptocurrency investor has filed a federal lawsuit against Coinbase in San Francisco, seeking a court order to recover $55 million in DAI stolen via a DeFi Saver phishing attack in August 2024. The plaintiff claims Coinbase has acknowledged holding the traced stolen funds but refuses to release them without judicial intervention. The case underscores a persistent friction point in crypto asset recovery: exchanges freeze suspected stolen funds after receiving alerts, yet demand court orders before returning assets to victims.

How the $55 Million DAI Theft Unfolded

In August 2024, the plaintiff fell victim to a phishing exploit targeting DeFi Saver, a popular DeFi automation platform. Attackers executed the theft with Inferno Drainer, a malware-as-a-service platform whose usage tripled during the first half of 2024 and which grew to over 2,400 active malicious dApps by year-end. The stolen DAI was then routed through Tornado Cash, a cryptocurrency mixer, and eventually deposited into a Coinbase retail account. Zero Shadow, a crypto analytics firm, traced the funds and notified Coinbase on November 30, 2024. Coinbase confirmed it held the address two days later and implemented what the complaint describes as “friction measures” to restrict access.

Coinbase’s Frozen Assets and Legal Standoff

According to the complaint filed May 6, 2026, in federal court, Coinbase has “acknowledged” holding the traced stolen funds and “indicated that a court order adjudicating ownership is required before it will release the frozen assets.” The specific amount frozen in the Coinbase account has not been disclosed. This legal posture reflects standard industry practice: exchanges freeze suspected stolen assets to prevent further movement but require judicial confirmation of ownership before returning them to claimants. The plaintiff seeks a court order to compel Coinbase to release the recovered funds. Coinbase has not yet publicly responded to the lawsuit.

Inferno Drainer’s Explosive Growth in Crypto Crime

Inferno Drainer’s proliferation illustrates the scaling threat of scam-as-a-service malware platforms in 2024. Unlike protocol-level exploits that require technical sophistication, Inferno Drainer enabled attackers to deploy phishing campaigns and asset theft at scale without deep blockchain knowledge. Usage of the platform tripled in the first half of 2024 and continued expanding, reaching 2,400+ active malicious dApps by December 2024. The platform was weaponized in this case to execute the DeFi Saver phishing attack, demonstrating how criminal infrastructure now commoditizes theft execution. Blockaid and Five Stones Intelligence have tracked similar malware proliferation across DeFi.

What Comes Next for Crypto Theft Recovery

The lawsuit highlights a structural gap in crypto asset recovery. Exchanges can identify and freeze stolen funds but lack the authority to return them without court validation. This creates a bottleneck for victims seeking recovery. The case also implicates Ukrainian citizen Okelsiy Oleksandrovych Gorelikhin, linked to fund laundering in the theft chain, though his current status remains unknown. The outcome will establish precedent for how U.S. courts treat frozen cryptocurrency assets and exchange obligations in theft recovery cases.