#CryptoSecurityAlert #SocialEngineeringAttack $BTC $APT $SUI

When these 10 danger signals appear, it indicates that you may have been targeted by hackers.

Original author: Christoper Rosa

Original article compiled by: AididiaoJP, Foresight News.

Even this cybersecurity expert almost fell victim.

Last weekend, it was reported that a huge dataset containing 16 billion user identities began circulating online, including both past leaks and recently stolen login data. It is currently unclear who updated this dataset and republished it. Although most of the database consists of recompiled data from past breaches, the newly updated data is unsettling. This dataset is regarded as one of the largest single leaks of accounts ever.

Hackers are using this data to conduct a variety of attacks, and I have become one of their targets.

The phishing attack launched against my personal devices and accounts on June 19 was the most sophisticated attack I have encountered in my ten-year cybersecurity career. The attackers first created the illusion that my accounts were under attack across multiple platforms and then impersonated Coinbase employees to offer 'help'. They combined classic social engineering techniques with coordinated tactics across SMS, phone calls, and forged emails, all designed to create a false sense of urgency, credibility, and scale. This fraudulent attack was widespread and highly authoritative, which is precisely what made it so deceptive.

The following text will detail the attack process, analyze the danger signals I noticed during this process, and the protective measures I took. At the same time, I will share key lessons and practical advice to help crypto investors ensure their safety in an increasingly threatening environment.

Historical data and newly leaked data can be used by hackers to implement highly targeted multi-channel attacks. This further underscores the importance of layered security, clear user communication mechanisms, and real-time response strategies. Both institutions and individual users can gain practical tools from this case, including verification protocols, domain recognition habits, and response steps to help prevent momentary lapses from turning into major security vulnerabilities.

SIM Card Hijacking

The attack began around 3:15 PM Eastern Time on June 19, with an anonymous SMS saying someone was trying to trick my mobile carrier into leaking my phone number to others. This attack method is known as SIM swapping.

Note that this message did not come from a short code but from a regular 10-digit phone number. Legitimate businesses always use short codes to send messages. If you receive an SMS from an unknown standard-length number claiming to be from a business, it is very likely a scam or phishing attempt.

The messages also contradicted each other: the first SMS said the attempt came from the San Francisco Bay Area, while subsequent messages placed it in Amsterdam.

Once SIM swapping is successful, it is extremely dangerous because attackers can obtain one-time verification codes used by most companies to reset passwords or access accounts. However, this was not a real SIM swap; the hacker was setting the stage for a more sophisticated scam.

One-time verification codes and password resets

The attack then escalated: I began receiving one-time verification codes, allegedly from Venmo and PayPal, via SMS and WhatsApp. This made me believe that someone was trying to log into my accounts on several financial platforms. Unlike the suspicious carrier SMS messages, these verification codes did come from seemingly legitimate short codes.

Coinbase Phishing Call

About five minutes after receiving the SMS, I got a call from a California number. The caller, claiming to be 'Mason' and speaking with a strong American accent, said he was from the Coinbase investigation team. He stated that in the past 30 minutes, there had been over 30 attempts to reset the password and hack the account through the Coinbase chat window. According to 'Mason,' the so-called attacker had passed the first layer of security verification for password reset but failed at the second layer.

He told me the other party could provide the last four digits of my ID, my full driver's license number, my home address, and my full name, but failed to provide the complete ID number or the last four digits of the bank card associated with my Coinbase account. Mason explained that it was this contradiction that triggered the Coinbase security team's alert, prompting them to contact me for verification.

Legitimate exchanges like Coinbase would never proactively call users unless you initiate a service request through the official website. To learn more about exchange customer service norms, please read this Coinbase document.

Security Check

After delivering this 'bad news,' Mason suggested protecting my account by closing additional attack channels. He started with API connections and linked wallets, claiming he would revoke their access to reduce risk. He listed several connected services, including Bitstamp, TradingView, and MetaMask wallets, some of which I did not recognize, but I assumed I might have set them up and forgotten.

At this point, my guard was lowered, and I even felt reassured by Coinbase's 'proactive protection'.

At this point, Mason had not requested any personal information, wallet addresses, two-factor codes, or one-time passwords, which are the usual requests from phishers. The entire interaction seemed purely protective and preventive.

Subtle pressure tactics

Next came the first pressure attempt, creating a sense of urgency and vulnerability. After completing the so-called 'security check,' Mason claimed that due to my account being marked as high risk, the account protection for the Coinbase One subscription service had been terminated. This meant my Coinbase wallet assets were no longer covered by FDIC insurance, and if attackers successfully stole funds, I would not be able to obtain any compensation.

In retrospect, this set of remarks should have raised obvious red flags. Unlike bank deposits, crypto assets are never protected by FDIC insurance. Although Coinbase may store customer dollars in FDIC-insured banks, the exchange itself is not an insured institution.

Mason also warned that a 24-hour countdown had begun, and that after the deadline, the account would be locked. Unlocking would require a complicated and lengthy process. More frighteningly, he claimed that if the attacker obtained my full social security number during this time, they could even steal funds while the account was frozen.

Later, I consulted the real Coinbase customer service team and learned that locking the account was indeed their recommended security measure. The unlocking process is actually simple and secure: provide a photo of your ID and a selfie, and the exchange will quickly restore access after verifying your identity.

Subsequently, I received two emails. The first was a confirmation of subscription to the Coinbase Bytes newsletter, which was simply a normal email triggered by the attacker submitting my email through the official website form. This was clearly an attempt to confuse my judgment by using official Coinbase emails to enhance the credibility of the scam.

The second, more disturbing email came from [email protected], stating that my Coinbase One account protection had been canceled. This email, seemingly from a legitimate Coinbase domain, was highly misleading—if it had come from a suspicious domain, it could have been easily recognized, but its presentation as an official address made it appear authentic.

Mason then suggested transferring my assets to a multi-signature wallet called Coinbase Vault to ensure security. He even told me to Google 'Coinbase Vault' to consult the official documentation to prove that this was a legitimate service from Coinbase for many years.

I stated that I was unwilling to make such a significant change without thorough investigation. He expressed understanding, encouraged me to research carefully, and urged me to contact my carrier to prevent SIM swapping. He said he would call back 30 minutes later to continue with the next steps. After hanging up, I immediately received an SMS confirming the call and the appointment.

Callback and Coinbase Vault

After confirming with the carrier that there were no attempts to transfer my SIM, I immediately changed all account passwords. Mason called back as promised, and we began discussing the next steps.

By this time, I had verified that Coinbase Vault is indeed a legitimate service provided by Coinbase. It is a custody solution that enhances security through multi-signature authorization and a 24-hour withdrawal delay, but it is not a true self-custody cold wallet.

Mason then sent a link to vault-coinbase.com, claiming it would let me review the security settings discussed in our first call; after completing the review, I could transfer assets into the Vault. This is where my cybersecurity training finally kicked in.

After I entered the case number he provided, the page displayed the so-called 'removed API connections' and a 'create Coinbase Vault' button. I immediately checked the website's SSL certificate and found that the domain, registered only a month earlier, had no affiliation with Coinbase. Although an SSL certificate can create an illusion of legitimacy, a legitimate enterprise certificate clearly indicates ownership, and this discovery made me stop immediately.

Coinbase explicitly states that it never uses unofficial domains; even its additional services live on subdomains such as vault.coinbase.com. Any operation involving an exchange account should be performed through the official app or website.

I expressed my concerns to Mason, emphasizing that I only wanted to operate through the official app. He argued that using the app would lead to a 48-hour delay, while the account would be locked after 24 hours. I again refused to make a hasty decision, and he then said he would escalate the case to the 'Level 3 Support Team' to try to restore my Coinbase One protection.

After hanging up, I continued to verify the security of other accounts, and my unease grew stronger.

'Level 3 Support Team' Call

About half an hour later, I received a call from a Texas number. Another American-accented person claimed to be a level three investigator handling my Coinbase One recovery application. He stated that the review period would take 7 days, during which the account would still be uninsured. He also 'kindly' suggested opening multiple Vaults for different on-chain assets, appearing professional but failing to mention specific assets, only vaguely referring to 'Ethereum, Bitcoin, etc.'

He mentioned that he would apply to the legal department to send the chat records, and then began promoting Coinbase Vault. As an alternative, he recommended a third-party wallet named SafePal. While SafePal is indeed a legitimate hardware wallet, this was clearly a setup to gain trust.

When I questioned the vault-coinbase.com domain again, the caller again tried to dispel my doubts. At this point, the attackers may have realized they were unlikely to succeed, and they ultimately gave up on this phishing attempt.

Contacting real Coinbase customer service

After ending the call with the second fake customer service representative, I immediately submitted a request through Coinbase.com. A genuine customer service representative quickly confirmed that my account had no unusual logins or password reset requests.

He suggested immediately locking the account and collecting the attack details to submit to the investigation team. I provided all the fraudulent domains, phone numbers, and attack methods, asking in particular who was authorized to send from [email protected]. Customer service acknowledged that this was very serious and promised that the security team would conduct a thorough investigation.

When contacting exchange or custodian customer service, always do so through official channels. Legitimate companies will never proactively contact users.

Experience Summary

Although I was fortunate not to be scammed, this near-miss experience deeply unsettled me as a former cybersecurity professional. Without professional training, I might have fallen victim. If it had been just a regular cold call, I would have hung up immediately. It was the attacker’s meticulously designed series of actions that created a sense of urgency and authority, making the phishing attempt so dangerous.

I have summarized the following danger signals and protective advice, hoping to help crypto investors ensure the safety of their funds in the current online environment.

Danger Signals

Coordinated false alerts create confusion and urgency

The attacker first generated a series of SIM swap alerts and one-time verification code requests from services like Venmo and PayPal (sent simultaneously via SMS and WhatsApp), deliberately creating the illusion that multiple platforms were under attack at once. These messages could likely be triggered with nothing more than my phone number and email address, both of which are easy to obtain. At this stage, I believed the attacker did not yet have deeper account data.

Using short codes and regular phone numbers interchangeably

The phishing messages were sent from a mix of SMS short codes and regular phone numbers. While businesses typically use short codes for official communications, attackers can spoof or recycle short codes. Note, however, that legitimate services will never send security alerts from regular phone numbers; messages from standard-length numbers should always be treated with suspicion.

Requests to act through unofficial or unfamiliar domains

The attacker requested that I visit the phishing site hosted on vault-coinbase.com. This domain initially seemed normal but was actually unrelated to Coinbase. Before entering any information, always carefully check the domain name and SSL certificate. Operations involving sensitive accounts should only be performed on the company's official domain or application.
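The domain check described here, and the earlier point that Coinbase's services live on subdomains such as vault.coinbase.com rather than on separate domains, as an added example that is not from the original article: a small Python function that accepts only the official domain or a subdomain of it and rejects lookalikes such as vault-coinbase.com. The official-domain constant and the sample URLs are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed setting: the domain the exchange actually serves from.
# coinbase.com is the real domain named in the article; the URLs in
# main() are constructed test inputs, not live sites.
OFFICIAL_DOMAIN = "coinbase.com"


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL with userinfo, port and
    trailing dot removed. Scheme-less URLs (as pasted into SMS) are
    accepted by prepending https://."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_official_host(url: str, official_domain: str = OFFICIAL_DOMAIN) -> bool:
    """True only if the URL's host is the official domain itself or a
    subdomain of it, compared on whole DNS labels.

    A plain substring or suffix match would accept the tricks phishers
    rely on; label-wise comparison rejects them:
      vault-coinbase.com          hyphenated lookalike, different domain
      coinbase.com.evil.example   official name used as a subdomain
      notcoinbase.com             suffix match without the dot boundary
      user@... or confusable      userinfo tricks and non-ASCII homoglyphs
    """
    host = host_of(url)
    official = official_domain.lower()
    if not host:
        return False
    return host == official or host.endswith("." + official)


def triage(urls):
    """Map each URL to 'official' or 'do not enter credentials'."""
    return {u: ("official" if is_official_host(u) else "do not enter credentials")
            for u in urls}


def main() -> None:
    # Constructed sample links, modelled on the article's vault-coinbase.com.
    samples = [
        "https://vault.coinbase.com/settings",
        "https://vault-coinbase.com/case/12345",
        "https://coinbase.com.evil.example/login",
        "https://coinbase.com@vault-coinbase.com/",
    ]
    for url, verdict in triage(samples).items():
        print(f"{url:45} -> {verdict}")


if __name__ == "__main__":
    main()
```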

Unsolicited calls and follow-up communications

Coinbase and most other financial institutions would never call you unless you actively initiated a support request. Receiving a call purportedly from the 'Level 3 Investigation Team' is a major danger signal, especially when such calls coincide with intimidation tactics and complex account protection explanations.

Unsolicited emergencies and warnings of consequences

Phishing attackers often use fear and urgency to force victims into action without thought. In this case, threats about account locking, asset theft, and insurance coverage being canceled were classic social engineering tactics.

Requests to bypass official channels

Any suggestion to avoid using the company's official application or website, especially when these suggestions claim to offer 'faster' or 'safer' alternatives, should immediately raise suspicion. Attackers may provide seemingly legitimate links that actually point to malicious domains.

Unverified case numbers or support tickets

Providing a 'case number' to introduce a custom-built phishing portal creates a false sense of legitimacy. No legitimate service would require users to verify their identity or perform actions through an external custom link with a case number.

Mixed True and False Information

Attackers often mix real personal information (such as email or partial social security numbers) with vague or inaccurate information to enhance credibility. Any inconsistencies or vague mentions of 'chain', 'wallet', or 'security review' should raise suspicion.

Use of real company names when suggesting alternatives

Introducing trusted names like SafePal (even if these companies are indeed legitimate) may be a strategy to divert attention. This practice provides a semblance of choice and legitimacy while actually leading victims towards malicious operations.

Overly helpful without requesting anything

The attacker was very patient, encouraging me to research on my own, and initially did not request sensitive information. This behavior mimicked that of real customer service personnel, making the scam appear professional. Any unsolicited help that seems 'too good to be true' should raise suspicion.

Proactive protective measures and suggestions

Enable transaction-level verification on the exchange.

Enable two-factor authentication and code-based verification in the exchange settings. This ensures that any attempts to send or transfer funds require real-time confirmation sent to a trusted device, thus preventing unauthorized transactions.

Always contact the service provider through legitimate, verified channels.

In this case, I contacted my mobile service provider and Coinbase by directly logging into the official platforms and submitting a support request. When account security is threatened, this is the safest and only appropriate way to interact with customer service personnel.

Exchange customer service representatives will never ask you to move, access, or protect funds.

They also will not ask for or provide your wallet recovery phrase, will not request your two-factor verification codes, and will not attempt to remotely access or install software on your device.

Consider using multi-signature wallets or cold wallet storage solutions.

Multi-signature wallets require multiple approvals to authorize transactions, while cold wallets keep your private keys completely offline. Both methods effectively protect long-term held assets from remote phishing or malware attacks.

Manually entering URLs or using trusted bookmarks is the best way to avoid domain spoofing.

Use a password manager to identify suspicious websites and maintain strong passwords.

Password managers help prevent phishing attempts by refusing to autofill on fake or unknown domains. Regularly change passwords, and if you suspect a malicious attack, change your password immediately.

Regularly review associated applications, API keys, and third-party integrations.

Revoke access for any applications or services you no longer use or cannot identify.

Enable real-time account alerts where available.

Notifications of logins, withdrawals, or security setting changes can provide critical early warnings of unauthorized activity.

Report all suspicious activities to the official support team of the service provider.

Early reporting helps prevent broader attacks and contributes to the overall security protection of the platform.

Conclusion

For financial institutions, IT security teams, and executives, this attack highlights how historical data can be repurposed and combined with real-time social engineering to bypass even the most mature security defenses. Threat actors no longer rely solely on brute force attacks; they execute coordinated cross-channel strategies to build trust and deceive users by mimicking legitimate workflows.

We must not only protect system and network security but also identify threats and take action to protect ourselves. Whether working at a crypto organization or managing crypto assets at home, everyone must understand how personal security vulnerabilities can evolve into systemic risks.

To guard against these threats, institutions must implement layered defenses such as domain monitoring, adaptive authentication, anti-phishing multi-factor authentication, and clear communication protocols. It is equally important for companies to foster a culture of cybersecurity literacy, ensuring that every employee from engineers to executives understands their role in safeguarding the organization. In today's environment, security is not just a technical function but a responsibility shared from the individual to the entire organization.