Author: Liz & Lisa
In the field of crypto assets, social engineering attacks are becoming a major threat to the security of user funds. Since 2025, a large number of social engineering scams targeting Coinbase users have surfaced, attracting widespread attention from the community. It is not difficult to see from the community's discussions that such incidents are not isolated cases, but a type of scam with persistent and organized characteristics.
On May 15, Coinbase issued an announcement confirming previous speculation that there was an "insider" in Coinbase. It is reported that the U.S. Department of Justice (DOJ) has launched an investigation into the data leak.
This article will disclose the main methods of scammers by collating information provided by multiple security researchers and victims, and explore how to effectively deal with such scams from the perspectives of both platforms and users.
(https://x.com/coinbase/status/1922967576209998133)
"In the past week alone, more than $45 million was stolen from Coinbase users due to social engineering scams," wrote Zach, the chain detective, in a Telegram update on May 7.
In the past year, Zach has repeatedly disclosed Coinbase user theft incidents on his Telegram channel and X platform, with individual victims losing up to tens of millions of dollars. Zach published a detailed investigation in February 2025, stating that the total amount of funds stolen due to similar scams between December 2024 and January 2025 alone exceeded US$65 million, and revealed that Coinbase is facing a serious "social engineering fraud" crisis. Such attacks are continuing to infringe on the security of user assets at an average annual scale of US$300 million. He also pointed out:
The gangs that lead this type of fraud are mainly divided into two categories: one is low-level attackers (skids) from the Com circle, and the other is cybercrime organizations based in India;
The fraud gangs mainly target American users, with standardized methods and mature rhetoric;
(https://x.com/zachxbt/status/1886411891213230114)
In this incident, Coinbase's technical system did not
(https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists)
This type of attack method has changed the traditional "cast-net" phishing method and turned to "precision strike", which can be called a "tailor-made" social engineering fraud. The typical path of the crime is as follows: 1. Contact users as "official customer service" Scammers use a fake telephone system (PBX) to impersonate Coinbase customer service and call users to say that their "accounts have been illegally logged in" or "withdrawal anomalies have been detected" to create an atmosphere of urgency. They will then send simulated phishing emails or text messages containing fake work order numbers or "recovery process" links to guide users. These links may point to cloned Coinbase interfaces, and can even send emails that appear to be from official domains. Some emails use redirection technology to bypass security protection.
2. Guide users to download Coinbase Wallet
<span leaf="" para",{"tagName":"section","attributes":{},"namespaceURI":"http://www.w3.org/1999/xhtml"},"node",{"tagName":"b","attributes":{"data-pm-slice":"0 0 []"},"namespaceURI":"http://www.w3.org/1999/xhtml"},"node",{"tagName":"b","attributes":{"data-pm-slice":"0 0 []"},"namespaceURI":"http://www.w3.org/1999/xhtml"},"para",{"tagName":"p","attributes":{"dir":"ltr","style":"margin-bottom: 0px;letter-spacing: 0.578px;text-align: left;"},"namespaceURI":"http://www.w3.org/1999/xhtml"}]'>Scammers will guide users to transfer funds to a "safe wallet" on the grounds of "protecting assets". They will also assist users in installing Coinbase Wallet and guide them to transfer assets originally hosted on Coinbase to a newly created wallet.
Different from the traditional "fraudulent mnemonic words", the scammers directly provide a set of mnemonic words they generated themselves, inducing users to use them as the "official new wallet".
4. Scammers steal funds.
text="">Victims are easily trapped when they are nervous, anxious and trust the "customer service" - in their view, the new wallet "officially provided" is naturally safer than the old wallet "suspected of being hacked". As a result, once the funds are transferred to this new wallet, the scammers can immediately transfer them away. Not your keys, not your coins. - This concept has been bloodily verified again in social engineering attacks.
In addition, some phishing emails claim that "Coinbase will fully migrate to self-custodial wallets due to a class action lawsuit ruling" and require users to complete the asset migration before April 1. Under the urgent time pressure and the psychological suggestion of "official instructions", users are more likely to cooperate.
(https://x.com/SteveKBark/status/1900605757025882440)
According to @NanoBaiter, these attacks are often planned and implemented in an organized manner:
The fraud tool chain is complete
Precise Target: Scammers rely on stolen user data purchased from Telegram channels and the dark web (such as "5k COINBASE US2", "100K_USA-gemini_sample"), targeting Coinbase users in the United States as their main target, and even use ChatGPT to process stolen data, split and reorganize phone numbers, and generate TXT in batches. The file is then sent through text messages via blasting software to defraud.
The deception process is coherent:From phone calls, text messages to emails, the fraud path is usually seamless and coherent. Common phishing phrases include "the account has received a withdrawal request", "the password has been reset", "the account has an abnormal login", etc., which continuously induce victims to perform "security verification" until the wallet transfer is completed.
After obtaining the funds, the scammers quickly used a set of cleaning processes to exchange and transfer the assets. The main modes are as follows:
ETH assets are often quickly exchanged for DAI or ETH through Uniswap. USDT, and then dispersedly transferred to multiple new addresses, and some assets entered the centralized trading platform;
BTC is mainly transferred to Ethereum through THORChain, Chainflip or Defiway Bridge, and then converted to DAI or USDT to avoid tracking risks.
Multiple fraud addresses are still in a "static" state after receiving DAI or USDT and have not been transferred out.
To avoid your address interacting with suspicious addresses and thus facing the risk of assets being frozen, it is recommended that users use the on-chain anti-money laundering and tracking system MistTrack (https://misttrack.io/) to perform risk detection on the target address before trading to effectively avoid potential threats.
Current mainstream security measures are more of a "technical layer" protection, and social engineering fraud often bypasses these mechanisms and directly hits the user's psychological and behavioral loopholes. Therefore, it is recommended that the platform integrate user education, security training, and usability design to establish a "people-oriented" security line of defense.
Regularly push anti-fraud education content:Through the App Improve users’ anti-phishing capabilities through pop-up windows, transaction confirmation interfaces, emails, etc.; Optimize risk control models and introduce “interactive abnormal behavior identification”: Most social engineering frauds will induce users to complete a series of operations (such as transfers, whitelist changes, device binding, etc.) in a short period of time. The platform should identify suspicious interaction combinations (such as “frequent interactions + new addresses + large withdrawals”) based on the behavior chain model and trigger a cooling-off period or manual review mechanism. Optimize risk control models and introduce “interactive abnormal behavior identification”: Most social engineering frauds will induce users to complete a series of operations (such as transfers, whitelist changes, device binding, etc.) in a short period of time. The platform should identify suspicious interaction combinations (such as “frequent interactions + new addresses + large withdrawals”) based on the behavior chain model and trigger a cooling-off period or manual review mechanism. leaf="">Standardize customer service channels and verification mechanisms: Fraudsters often impersonate customer service to confuse users. Platforms should unify telephone, SMS, and email templates, and provide a "customer service verification entrance" to clarify the only official communication channel to avoid confusion.
Implement identity isolation strategies:Avoid multiple platforms sharing the same email address or mobile phone number to reduce joint risks. You can use leak query tools to regularly check whether your email address has been leaked.
(https://haveibeenpwned.com/)
Enable transfer whitelist and withdrawal cooling mechanism:Preset trusted addresses to reduce the risk of capital loss in emergency situations.
Continue to pay attention to security information:Learn the latest developments in attack methods through security companies, media, trading platforms and other channels, and stay alert. At present, the Web3 phishing drill platform created by SlowMist, @DeFiHackLabs and @realScamSniffer is about to be launched. The platform will simulate a variety of typical phishing methods, including social engineering poisoning, signature phishing, malicious contract interaction, etc., and combine the real cases collected in our historical discussions to continuously update the scenario content. Let users improve their identification and response capabilities in a risk-free environment.
Pay attention to offline risks and privacy protection:Personal information leakage may also cause personal safety issues.
This is not groundless worry. Since the beginning of this year, encryption practitioners/users have encountered many incidents that threaten personal safety. Given that the leaked data includes name, address, contact information, account data, ID card photos, etc., relevant users also need to be vigilant offline and pay attention to safety.
In short, remain skeptical and continue to verify. Whenever emergency operations are involved, be sure to ask the other party to prove their identity and verify independently through official channels to avoid making irreversible decisions under pressure. For more security advice and new attack methods, see the Blockchain Dark Forest Self-Guard Handbook (https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/).
text="">This incident once again exposed that in the face of increasingly sophisticated social engineering attacks, the industry still has obvious shortcomings in protecting customer data and assets. It is worth noting that even if the relevant positions on the platform do not have financial authority and lack sufficient security awareness and capabilities, serious consequences may occur due to unintentional disclosure or subversion. As the platform continues to expand, the complexity of personnel security management and control has increased, and it has become one of the most difficult risks to overcome in the industry. Therefore, while strengthening the on-chain security mechanism, the platform must also systematically build a "social engineering defense system" covering internal personnel and outsourced services, and incorporate human risks into the overall security strategy.
In addition, once it is discovered that the attack is not an isolated incident, but an organized, large-scale and continuous threat, the platform should respond immediately, proactively check for potential vulnerabilities, remind users to take precautions, and control the scope of damage. Only by responding at both the technical and organizational levels can we truly maintain trust and bottom line in an increasingly complex security environment.
Red Bull Racing has ended its three-year partnership with cryptocurrency exchange Bybit, dropping the sponsor ahead of the 2025 season. The team appears to be shifting its focus to more performance-driven partnerships, distancing itself from the cryptocurrency sector.
AnaisA Ministry of Home Affairs (MHA) report identifies WhatsApp, Telegram, and Instagram as top targets for online scammers, posing significant risks to their millions of daily users.
CatherineMalaysia's new social media law requires platforms with over 8 million users to obtain operating licences, and WeChat and TikTok have already secured theirs. Some platforms, like X (formerly Twitter) and Google, have yet to apply, facing potential regulatory action if they don't comply.
AnaisDo Kwon, now in US custody, has pleaded not guilty to fraud charges tied to TerraUSD’s $40 billion collapse. Following his extradition, the Justice Department seeks prison time for financial fraud and fake passports, while South Korea sought a 40-year sentence. Calm in court, Kwon faces a long legal battle. Is he unrepentant or truly innocent?
CatherineTelegram enhances security with decentralised verification and adds NFT gifting and advanced search, fuelling a TON price rally.
KikyoAI-powered phishing attacks are targeting senior executives at companies like eBay with highly personalized and convincing emails, making them harder to detect. These scams are bypassing traditional security systems and increasing the risk of data breaches and financial loss.
AnaisKuCoin introduces seamless crypto payments for retail, with low fees, instant settlements, and support for 54 cryptocurrencies, including BTC, ETH, and stablecoins like USDT and USDC. Users can make direct purchases via their KuCoin accounts, driving crypto adoption in everyday transactions.
CatherineMeta plans to introduce millions of AI-generated characters on Facebook and Instagram by 2025, allowing users to create and interact with virtual personas. This shift could transform social media, but it raises concerns about misinformation, mental health, and the impact on human content creators.
WeatherlyRumors about X Money's imminent launch have emerged just two days after CEO Linda Yaccarino confirmed its 2025 debut. Speculation suggests it could launch today, though it will initially be available in only 39 states. Is this a new chapter for digital payments or just a fleeting rumour?
KikyoTaiwan’s government has approved a plan to transform the southern region into a high-tech hub, focusing on semiconductors, AI, and advanced technologies. The initiative includes improving infrastructure, fostering public-private partnerships, and enhancing education to attract global talent.
Anais