This article is more than one year old

How Coinbase used Slack to sniff out its insider trader

How Coinbase used Slack to sniff out its insider trader
RegulationPeople & Culture
Coinbase, led by CEO Brian Armstrong, hunted down its insider trader by narrowing down who had both access to the Slack channel and also specific knowledge of the KROM listing

Coinbase product manager Ishan Wahi pleaded guilty to insider trading via wire fraud on February 7, and prosecutors have asked he be sentenced to between three or four years in prison.

Wahi and two accomplices had used their advance knowledge of which new tokens Coinbase was about to add to its exchange in order to buy them ahead of the official announcement, and then sell them once the coins, inevitably, popped on the news. The three earned $1.1 million on at least 60 assets, according to the SEC’s civil case against them.

But all Wahi’s trades were conducted through anonymous Ethereum wallets controlled by two other people — so how did officials link Wahi to those wallets?

Papers filed in federal civil and criminal court reveal that, for all crypto’s promise of pseudonymity, it’s actually not difficult to “dox” a wallet that is trading suspiciously.

A clue that something was wrong became public on April 12, 2022, when the prominent crypto personality Jordan Fish, better known as Cobie, tweeted:

“Found an ETH address that bought hundreds of thousands of dollars of tokens exclusively featured in the Coinbase Asset Listing post about 24 hours before it was published.”

KROM price

Cobie implied that the owner of one specific Ethereum wallet knew that a relatively obscure token called KROM was about to be listed on the Coinbase exchange the day before the company announced it was going to be available. On April 13, Coinbase’s chief security officer publicly replied on Twitter to Cobie’s tweet, saying that the company had already begun investigating the matter, the filings show. On September 8, Cobie tweeted a screenshot of a Telegram group with Coinbase CEO Brian Armstrong, suggesting that he was privately in contact with Armstrong about the matter. The screenshot shows phone calls on March 9 and April 14.

When Coinbase lists a new coin on its exchange, it becomes exposed to a massive new audience of potential buyers, and usually the price of that coin will then rise – a phenomenon known as the “Coinbase effect.”

Join the community to get our latest stories and updates

The FBI also read those tweets, according to its indictment. In order to prove an insider trading case, prosecutors have to be able to show that someone bought an asset shortly before a significant but confidential event, and then sold the asset at a profit after the confidential information about the event was revealed.

Sure enough, the anonymous wallet acquired $72,700 of KROM on April 11. Coinbase announced it would list KROM on April 12. And the price of KROM rose by 50% as a result.

In just 24 hours, the holder of the wallet had turned a bet of $72,700 into something like $109,050.

But the KROM wallet didn’t cash out the win.

Instead, it held onto the tokens. It retains them to this day, according to a lawsuit filed by the SEC. You can see them on the blockchain here: 783,309 KROM tokens, which haven’t moved in nearly a year.

Why would someone abandon $100,000 in crypto after such a well-timed gamble?

The answer is that the person who controlled the wallet also read Cobie’s tweet and was spooked, we now know from filings in federal court. If the wallet sold the tokens, it would fulfil the threshold test of an insider trade. So the wallet holder must have decided that abandoning the KROM would be less suspicious.

Some people on Twitter had been suspicious of certain wallets since February of that year. Max Sarafin, a web3 consultant who tweets as “Crypto Max”, noted that “Someone made a fresh wallet and front ran 7 figures into $UPI and $AVT before the @Coinbase announcement of listings. Makes sense now. Clear insider trading going on behind the Coinbase doors.” He then linked to the wallet in question.

Around this time, Coinbase’s director of security operations began an internal investigation into how these wallets seemed to know which tokens were going to be listed before the company announced its listing. Neither Coinbase nor the lawyers for the Wahi brothers immediately responded to DL News’ request for comment.

Figuring out who the suspects were was relatively easy — because the number of people within Coinbase who have advance knowledge of new coin listings is quite small. Conveniently, they are all in the same private Slack channel, which is reserved only for Coinbase’s Assets and Investing Products group.

“Please do not add anyone else to this channel.”

Ishan Wahi was a manager in that group. In fact, in February 2022, he had tried to make the access to the Slack channel even more limited. At one point he told his colleagues, “Please do not add anyone else to this channel.” Another time, when a group of engineers asked for access, he responded that the channel should be restricted to “a tighter circle.”

So now the question for Coinbase security staff was, who in this Slack channel was the insider trader? To figure that out, they narrowed down their search to executives who had both access to the channel and also specific knowledge of the KROM listing, according to filings by the Securities and Exchange Commission and the Department of Justice.

Coinbase maintains an internal spreadsheet showing a calendar for new listings that, like the Slack channel, is restricted to only a small number of staff. On April 7, Wahi accessed the spreadsheet. He looked at it again, twice, on April 11 — the day the mysterious wallet placed its $70,000 bet.

Although that alone isn’t proof of insider trading, it narrowed the suspects further by eliminating staff who had access to the Slack channel but who had not looked at the spreadsheet, or at least not looked at on the same day that the mysterious wallet was making its trades.

On May 11, Coinbase’s security chief emailed Wahi to schedule an interview with him five days later to discuss the “ongoing company investigation into Coinbase’s asset listing process.”

KROM is the token of Kromatika, a DeFi protocol. The chart shows Kromatika's total value locked (TVL).

May 16 was a Monday. Instead of going to work, Wahi emailed his colleagues to tell them he would be “out indefinitely” because he “had to fly back to India overnight.” There was a “medical emergency with his father,” according to the indictment against him, and he asked Coinbase security to reschedule the interview for a later date because he “had to fly back home.” That was false, it turned out. Wahi had bought a one-way ticket.

By this time, Coinbase had called the FBI.

Agents intercepted Wahi at the airport and obtained access to his phone. Wahi had used WhatsApp to communicate with his brother in India, Nikhil, and Sameer Ramani, a friend he met at the University of Texas in Austin in 2013. With their messages in the hands of the authorities, the game was now over.

Nikhil pleaded guilty in September. He was sentenced to 10 months in prison.

Ramani, according to Reuters, remains “at large.”