Authors: Liz & Lisa

Editor: Sherry

Background

In the crypto asset space, social engineering has become a leading threat to users' funds. Since the start of 2025, a large number of social engineering scams targeting Coinbase users have surfaced and drawn wide attention in the community. The community discussion makes it clear that these are not isolated cases but a persistent, organized class of scam.

On May 15, Coinbase released a statement confirming earlier speculation that there were 'insiders' at Coinbase. The U.S. Department of Justice (DOJ) is reported to have opened an investigation into the data leak.

This article consolidates information provided by multiple security researchers and victims to lay out the scammers' main methods, and then looks, from both the platform and the user perspective, at how to respond effectively to this kind of scam.

(https://x.com/coinbase/status/1922967576209998133)

Historical Analysis

"In just the past week, over $45 million has been stolen from Coinbase users due to social engineering scams," on-chain detective Zach wrote in a Telegram update on May 7.

Over the past year, Zach has repeatedly disclosed thefts from Coinbase users on his Telegram channel and on X, with individual victims losing tens of millions of dollars. In February 2025 he published a detailed investigation stating that between December 2024 and January 2025 alone, losses to this kind of scam exceeded $65 million, that Coinbase faces a serious 'social engineering scam' crisis, and that such attacks are draining user assets at a rate of roughly $300 million a year. He also pointed out:

  • The groups running these scams fall mainly into two categories: low-skilled attackers ('skids') from 'the Com' community, and cybercrime organizations based in India.

  • The scam groups primarily target American users, using standardized methods and mature scripts.

  • The actual losses may far exceed what is visible on-chain, since the on-chain figures exclude unpublicized information such as undisclosed Coinbase customer service tickets and police reports.

(https://x.com/zachxbt/status/1886411891213230114)

Scam Techniques

In this incident Coinbase's technical systems were not breached; the scammers used the access of internal staff to obtain sensitive information on a subset of users, including names, addresses, contact details, account data and ID photos. Their end goal is to talk users into transferring the funds themselves, using social engineering.

(https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists)

This type of attack has moved from traditional 'scattergun' phishing to a 'precision strike' approach: a social engineering scam customized to each target. A typical attack path is as follows:

1. Contact users as 'official customer service.'

Scammers use PBX systems with spoofed caller IDs to impersonate Coinbase customer service, calling users to say that their 'account has had an unauthorized login' or that 'an abnormal withdrawal has been detected,' creating a sense of urgency. They then send convincing phishing emails or texts containing fake ticket numbers or 'recovery process' links that guide the user to act. The links may lead to cloned Coinbase interfaces, and the emails may appear to come from official domains, some using redirect techniques to get past security filters.

2. Guide users to download Coinbase Wallet.

Under the pretext of 'protecting assets,' the scammers guide the user to move funds to a 'safe wallet,' walking them through installing Coinbase Wallet and transferring the assets originally held on Coinbase into a newly created wallet.

3. Induce users to use the recovery phrases provided by the scammers.

Unlike the traditional approach of tricking users into revealing their own recovery phrase, the scammers hand over a recovery phrase they generated themselves and present it as the 'official new wallet.' Any wallet restored from that phrase is controlled by the scammers from the moment it is created.

4. Scammers conduct fund theft.

Tense, anxious, and trusting 'customer service,' victims readily fall for it: in their eyes a 'new wallet' handed to them by the 'official' side is naturally safer than an 'old wallet' that appears to have been 'hacked.' The result is that as soon as funds land in the new wallet, the scammers sweep them out. Not your keys, not your coins: this principle is once again brutally validated by social engineering attacks.

Some phishing emails go further, claiming that 'following a class-action ruling, Coinbase will fully migrate to self-custody wallets' and demanding that users complete the asset migration before April 1. Under time pressure and the suggestion of an 'official directive,' users are far more likely to comply.

(https://x.com/SteveKBark/status/1900605757025882440)
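The two forgery signals in steps 1 and 2 above, a sender that only claims an official address and links that leave the official domain directly or through a redirect parameter, can be checked mechanically before anyone acts on a message. The following is an added example, not code from the original article, from Coinbase or from the researchers cited: it parses a constructed phishing email (the sample text, the `mx.example.net` receiver, the `/link?to=` redirect endpoint and all hostnames are invented for illustration) and reports every signal it finds. It assumes `coinbase.com` is the only official apex domain and uses a two-label approximation of the registrable domain instead of a public-suffix list.

```python
"""Check a Coinbase-themed email for a spoofed sender and off-domain links.

Added example (not the article's or Coinbase's code). Two checks:
  1. A From: address on an official domain must carry spf/dkim/dmarc=pass
     in the receiver's Authentication-Results header; otherwise it is
     treated as spoofed (the '@spoofmailer_bot' pattern).
  2. Every link is checked for an off-domain host and for a query
     parameter that redirects to an off-domain host.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Assumption: only this apex domain counts as official. A real filter would
# keep the list in configuration and split hosts with a public-suffix list.
OFFICIAL_DOMAINS = {"coinbase.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample, modelled on the lure phrases quoted in the article.
# The Authentication-Results line is what a receiving mail server adds for a
# message that merely claims an official From: address. All hosts are invented.
SAMPLE_EMAIL = """\
From: Coinbase Support <no-reply@coinbase.com>
To: victim@example.net
Subject: Withdrawal request made on account
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk.spoof-sender.example; dkim=none; dmarc=fail header.from=coinbase.com
Content-Type: text/plain; charset="utf-8"

We detected an abnormal login on your account.
Complete the recovery process within 24 hours:
https://www.coinbase.com/link?to=https://coinbase-recovery.example/wallet
Then install the new wallet from https://coinbase.com.secure-restore.example/app
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_findings(url: str) -> list:
    """Flag an off-domain host, or an off-domain redirect target in the query string."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    findings = []
    if registrable_domain(host) not in OFFICIAL_DOMAINS:
        findings.append(f"link host {host!r} is not an official domain")
    for key, values in parse_qs(parsed.query).items():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                target = urlparse(value).hostname or ""
                if registrable_domain(target) not in OFFICIAL_DOMAINS:
                    findings.append(
                        f"query parameter {key!r} redirects to off-domain host {target!r}")
    return findings


def auth_results(header) -> dict:
    """Extract spf=/dkim=/dmarc= verdicts from an Authentication-Results header."""
    if not header:
        return {}
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(header))}


def analyze_email(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means no signal fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = registrable_domain(from_addr.rsplit("@", 1)[-1])
    results = auth_results(msg.get("Authentication-Results"))
    # A message claiming an official From: domain must authenticate as that domain.
    if from_domain in OFFICIAL_DOMAINS:
        for check in ("spf", "dkim", "dmarc"):
            verdict = results.get(check, "missing")
            if verdict != "pass":
                findings.append(f"From: claims {from_domain} but {check}={verdict}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        findings.extend(link_findings(url.rstrip(".,)")))
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("-", finding)
```

The authentication check deliberately treats a missing or `none` verdict the same as `fail`: a mail that claims an official sender but arrives without DKIM for that domain is exactly what a spoofing bot produces. The link check catches both the lookalike host (`coinbase.com.secure-restore.example` has the registrable domain `secure-restore.example`) and the redirect form, where the host is genuine but the `to=` parameter carries the victim off-domain.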

According to @NanoBaiter, these attacks are organized and systematically planned and executed:

  • A mature toolchain: scammers use PBX systems (such as FreePBX or Bitrix24) to spoof caller ID so that calls appear to come from official customer service. For phishing email they use the Telegram bot @spoofmailer_bot to impersonate Coinbase's official sender address, attaching 'account recovery guides' that steer the victim toward a transfer.

  • Precise targeting: scammers buy stolen user data on Telegram channels and dark-web markets (listings such as '5k COINBASE US2' and '100K_USA-gemini_sample') to zero in on US Coinbase users, and may even use ChatGPT to process the stolen data, splitting and reassembling phone numbers and bulk-generating TXT files, before blasting out scam SMS with cracked bulk-sending software.

  • A coherent deception flow: from phone call to text to email, the scam path is seamless, using phrases such as 'Withdrawal request made on account,' 'Password has been reset,' and 'Abnormal login on account,' and it keeps pushing the victim through 'security verification' until the wallet transfer is complete.

(https://x.com/NanoBaiter/status/1923099215112057010)

MistTrack Analysis

We used MistTrack (https://misttrack.io/), the on-chain anti-money-laundering and tracking system, to analyze some of the scammer addresses disclosed publicly by Zach and those submitted through our form. The scammers show strong on-chain operational capability. Key findings:

The scammers target a range of assets held by Coinbase users. The active addresses are concentrated between December 2024 and May 2025 and mainly take BTC and ETH. BTC is currently the primary target: several addresses took in hundreds of BTC at once, with single transactions worth millions of dollars.

After obtaining the funds, the scammers quickly swap and move the assets through a laundering process, mainly in the following patterns:

  • ETH-type assets are typically swapped quickly for DAI or USDT on Uniswap, then dispersed across many new addresses, with some of the proceeds flowing into centralized trading platforms.


  • BTC is mainly bridged to Ethereum through THORChain, Chainflip, or Defiway Bridge, then swapped for DAI or USDT to frustrate tracing.

Several scam addresses have remained 'static' after receiving DAI or USDT and have not moved the funds out yet.

To avoid interacting with suspicious addresses, which can expose your own address to freezing risk, we recommend using MistTrack (https://misttrack.io/) to run a risk assessment on the target address before transacting.
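The exposure check recommended above, and the bridge-then-swap-then-split flow described in the laundering patterns, come down to forward taint propagation from known scammer addresses over a transfer graph. The following is an added example, not MistTrack's code or data: it runs a breadth-first search from seed addresses over a constructed graph (all addresses, labels, amounts and the bridge/DEX annotations are invented placeholders shaped like the article's BTC to THORChain to Uniswap to DAI pattern) and reports how many hops a queried address sits from the nearest seed, along with the route. It assumes that a labelled exchange deposit address is a custody boundary past which taint is not propagated, since what happens inside the exchange's ledger is not visible on-chain and propagating through it would taint every later withdrawal from that exchange.

```python
"""Forward taint propagation from reported scam addresses.

Added example (not MistTrack's code). Given seed addresses, a list of
transfers and a label table, BFS outward and record, for every reachable
address, the hop count and the shortest route. Exchange deposit addresses
are treated as terminal so their unrelated outflows are not over-tainted.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    asset: str
    amount: float
    via: str = ""  # bridge or DEX the funds passed through, if any


# Constructed placeholders, not real on-chain addresses or amounts.
LABELS = {
    "btc-scam-1": "scam (reported)",
    "cex-deposit-x": "cex deposit",
    "eth-merchant-m": "merchant",
}
TRANSFERS = [
    Transfer("btc-scam-1", "eth-hop-a", "ETH", 310.0, via="THORChain"),
    Transfer("eth-hop-a", "eth-split-b1", "DAI", 400_000, via="Uniswap"),
    Transfer("eth-hop-a", "eth-split-b2", "DAI", 350_000, via="Uniswap"),
    Transfer("eth-split-b2", "cex-deposit-x", "DAI", 350_000),
    # An exchange paying an unrelated merchant: must not inherit taint.
    Transfer("cex-deposit-x", "eth-merchant-m", "DAI", 1_000),
]
TERMINAL_LABELS = {"cex deposit"}  # assumption: custody boundary stops propagation


def propagate(seeds, transfers, labels, max_hops=5):
    """BFS from seeds; return {address: (hops, [Transfer, ...])} with shortest routes."""
    outgoing = {}
    for t in transfers:
        outgoing.setdefault(t.src, []).append(t)
    reached = {s: (0, []) for s in seeds}
    queue = deque(seeds)
    while queue:
        current = queue.popleft()
        hops, route = reached[current]
        if hops >= max_hops or labels.get(current) in TERMINAL_LABELS:
            continue
        for t in outgoing.get(current, []):
            if t.dst not in reached:  # first visit is the shortest in BFS
                reached[t.dst] = (hops + 1, route + [t])
                queue.append(t.dst)
    return reached


def screen(address, seeds, transfers=TRANSFERS, labels=LABELS):
    """Risk verdict for one address: 'seed', 'high' (<=2 hops), 'medium', or 'none'."""
    reached = propagate(seeds, transfers, labels)
    if address not in reached:
        return {"risk": "none", "hops": None, "path": []}
    hops, route = reached[address]
    risk = "seed" if hops == 0 else "high" if hops <= 2 else "medium"
    described = [
        f"{t.src}->{t.dst} {t.amount:g} {t.asset}" + (f" via {t.via}" if t.via else "")
        for t in route
    ]
    return {"risk": risk, "hops": hops, "path": described}


if __name__ == "__main__":
    for addr in ("eth-split-b2", "cex-deposit-x", "eth-merchant-m"):
        print(addr, screen(addr, ["btc-scam-1"]))
```

The hop thresholds are arbitrary and only illustrate the idea that proximity to a seed, not mere reachability, drives the verdict; a production screener also weights by amount, decays taint when funds are mixed with clean inputs, and refreshes the seed list as new reports come in.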

Countermeasures

Platform

Mainstream security measures today are mostly 'technical-layer' protections, while social engineering scams bypass those mechanisms and target users' psychological and behavioral weaknesses directly. Platforms should therefore combine user education, security training, and usability design into a 'human-oriented' line of defense.

  • Push anti-fraud education regularly: build users' resistance to phishing through in-app pop-ups, the transaction confirmation screen, email, and similar channels.

  • Improve risk-control models with 'interactive anomaly detection': most social engineering scams push the user through a series of actions in a short period (transfers, whitelist changes, device bindings, and so on). Platforms should use behavior-chain models to identify suspicious combinations (for example 'burst of sensitive changes + new address + large withdrawal') and trigger a cooling-off period or manual review when one appears.

  • Standardize customer service channels and verification: scammers impersonate support to confuse users, so platforms should unify their phone, text, and email templates and provide a 'customer service verification entry' that makes the single official communication channel unambiguous.
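The behavior-chain rule in the risk-control recommendation above can be made concrete as a sliding-window check over an account's recent events. The following is an added example, not Coinbase's or any platform's risk engine: it scores a pending withdrawal on three signals (a destination with no withdrawal history before the window, a large amount, and a burst of sensitive account changes inside the window) and returns a cooling-off decision when all three coincide. The two-hour window, the $50,000 threshold, the event names and both event histories are constructed assumptions for illustration.

```python
"""Behavior-chain check for a pending withdrawal.

Added example (not any exchange's production code). A withdrawal is held
for a cooling-off period when it goes to an unestablished address, is
large, and follows a burst of sensitive account changes, the combination
the article's scam path produces (password reset, device binding,
whitelist add, then a large transfer to the scammers' wallet).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)        # assumption: look-back window for the chain
LARGE_WITHDRAWAL_USD = 50_000      # assumption: threshold for "large"
SENSITIVE = {"password_reset", "2fa_change", "device_bind", "whitelist_add"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    usd: float = 0.0
    address: str = ""


def assess_withdrawal(history, withdrawal):
    """Return (decision, reasons); decision is 'allow', 'review' or 'cool_off'."""
    window_start = withdrawal.ts - WINDOW
    recent = [e for e in history if window_start <= e.ts < withdrawal.ts]
    # Only addresses that received a withdrawal before the window count as
    # established: an address whitelisted minutes ago is exactly the scam pattern.
    established = {e.address for e in history
                   if e.kind == "withdrawal" and e.ts < window_start}
    sensitive = [e for e in recent if e.kind in SENSITIVE]
    reasons = []
    if withdrawal.address not in established:
        reasons.append(f"destination {withdrawal.address} has no withdrawal history before the window")
    if withdrawal.usd >= LARGE_WITHDRAWAL_USD:
        reasons.append(f"withdrawal of ${withdrawal.usd:,.0f} exceeds ${LARGE_WITHDRAWAL_USD:,}")
    if len(sensitive) >= 2:
        reasons.append(f"{len(sensitive)} sensitive account changes within {WINDOW}: "
                       + ", ".join(e.kind for e in sensitive))
    if len(reasons) == 3:
        return "cool_off", reasons   # hold the withdrawal and route it to manual review
    if len(reasons) == 2:
        return "review", reasons
    return "allow", reasons


# Constructed histories; addresses are placeholders, not real ones.
T0 = datetime(2025, 5, 1, 10, 0)
SCAM_SESSION = [
    Event(T0 - timedelta(days=30), "withdrawal", 2_000, "bc1q-old-address"),
    Event(T0, "password_reset"),
    Event(T0 + timedelta(minutes=5), "device_bind"),
    Event(T0 + timedelta(minutes=20), "whitelist_add", address="bc1q-new-address"),
]
SCAM_WITHDRAWAL = Event(T0 + timedelta(minutes=40), "withdrawal", 120_000, "bc1q-new-address")

BENIGN_HISTORY = [
    Event(T0 - timedelta(days=30), "withdrawal", 2_000, "bc1q-old-address"),
    Event(T0 - timedelta(days=3), "whitelist_add", address="bc1q-old-address"),
]
BENIGN_WITHDRAWAL = Event(T0, "withdrawal", 120_000, "bc1q-old-address")


if __name__ == "__main__":
    for label, hist, wd in (("scam", SCAM_SESSION, SCAM_WITHDRAWAL),
                            ("benign", BENIGN_HISTORY, BENIGN_WITHDRAWAL)):
        decision, reasons = assess_withdrawal(hist, wd)
        print(label, decision, reasons)
```

The point of the rule is the combination: a large withdrawal to a long-used address with no recent account changes is allowed without friction, while the same amount sent to an address whitelisted twenty minutes after a password reset and a new device binding is held. Holding rather than blocking matters because the victim still believes they are talking to support; the delay is what gives the real support channel, or the user's own second thoughts, time to intervene.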

Users

  • Isolate identities: avoid reusing the same email address or phone number across platforms, so that one leak cannot be correlated with others, and check regularly whether your email address appears in known breaches using a breach lookup service.

(https://haveibeenpwned.com/)

  • Enable withdrawal whitelists and withdrawal cooling-off periods: pre-register trusted addresses so that funds cannot be redirected instantly to a new address during an 'emergency.'

  • Keep up with security news: follow security firms, media, and trading platforms to stay informed about new attack techniques and remain vigilant. The Web3 phishing drill platform built by SlowMist, @DeFiHackLabs, and @realScamSniffer is about to launch. It will simulate typical phishing techniques, including social engineering poisoning, signature phishing, and malicious contract interactions, and will keep adding scenarios drawn from real cases we have collected, so users can sharpen their recognition and response in a risk-free environment.

  • Be aware of offline risks and protect your privacy: leaked personal information can also endanger personal safety.

This is not alarmism: since the start of this year, crypto practitioners and users have faced several incidents threatening their personal safety. Given that the leaked data includes names, addresses, contact details, account data, and ID photos, affected users should be more vigilant offline as well.

In short, stay skeptical and keep verifying. For any 'urgent' operation, require the other party to prove their identity and verify independently through official channels, so that you never make an irreversible decision under pressure. More safety tips and new attack techniques are covered in the Blockchain Dark Forest Self-Rescue Handbook (https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/).

Summary

This incident once again exposes the industry's serious gaps in protecting customer data and assets against increasingly sophisticated social engineering. Notably, even staff whose roles carry no authority over funds can cause severe damage through accidental leaks or coercion if they lack adequate security awareness and capability. As a platform grows, controlling personnel risk becomes harder, and it is now among the industry's most difficult risks to manage. While strengthening on-chain security mechanisms, platforms must therefore systematically build a 'social engineering defense system' that covers internal staff and outsourced services, and treat human risk as part of the overall security strategy.

Moreover, once an attack turns out to be not an isolated incident but an organized, large-scale, ongoing threat, the platform should respond immediately: proactively audit for weaknesses, warn users to take precautions, and contain the damage. Only by responding at both the technical and organizational levels can trust and boundaries be preserved in an increasingly complex security environment.