Author: Liz & Lisa
Background
In the field of crypto assets, social engineering attacks are becoming a major threat to the security of user funds. Since 2025, a large number of social engineering scams targeting Coinbase users have surfaced, attracting widespread attention from the community. It is not difficult to see from the community's discussions that such incidents are not isolated cases, but a type of scam with persistent and organized characteristics.

On May 15, Coinbase issued an announcement confirming previous speculation that there was an "insider" in Coinbase. It is reported that the U.S. Department of Justice (DOJ) has launched an investigation into the data leak.
This article will disclose the main methods of scammers by collating information provided by multiple security researchers and victims, and explore how to effectively deal with such scams from the perspectives of both platforms and users.

(https://x.com/coinbase/status/1922967576209998133)
Historical analysis
"In the past week alone, more than $45 million was stolen from Coinbase users due to social engineering scams," wrote Zach, the chain detective, in a Telegram update on May 7.

In the past year, Zach has repeatedly disclosed Coinbase user theft incidents on his Telegram channel and X platform, with individual victims losing up to tens of millions of dollars. Zach published a detailed investigation in February 2025, stating that the total amount of funds stolen due to similar scams between December 2024 and January 2025 alone exceeded US$65 million, and revealed that Coinbase is facing a serious "social engineering fraud" crisis. Such attacks are continuing to infringe on the security of user assets at an average annual scale of US$300 million. He also pointed out:

(https://x.com/zachxbt/status/1886411891213230114)
Scam methods
In this incident, Coinbase's technical system did not
The scammers used the privileges of internal employees to obtain sensitive information of some users. This information includes: name, address, contact information, account data, ID card photos, etc. The ultimate goal of the scammers is to use social engineering methods to guide users to transfer money.

(https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists)
This type of attack method has changed the traditional "cast-net" phishing method and turned to "precision strike", which can be called a "tailor-made" social engineering fraud. The typical path of the crime is as follows: 1. Contact users as "official customer service" Scammers use a fake telephone system (PBX) to impersonate Coinbase customer service and call users to say that their "accounts have been illegally logged in" or "withdrawal anomalies have been detected" to create an atmosphere of urgency. They will then send simulated phishing emails or text messages containing fake work order numbers or "recovery process" links to guide users. These links may point to cloned Coinbase interfaces, and can even send emails that appear to be from official domains. Some emails use redirection technology to bypass security protection.

2. Guide users to download Coinbase Wallet
<span leaf="" para",{"tagName":"section","attributes":{},"namespaceURI":"http://www.w3.org/1999/xhtml"},"node",{"tagName":"b","attributes":{"data-pm-slice":"0 0 []"},"namespaceURI":"http://www.w3.org/1999/xhtml"},"node",{"tagName":"b","attributes":{"data-pm-slice":"0 0 []"},"namespaceURI":"http://www.w3.org/1999/xhtml"},"para",{"tagName":"p","attributes":{"dir":"ltr","style":"margin-bottom: 0px;letter-spacing: 0.578px;text-align: left;"},"namespaceURI":"http://www.w3.org/1999/xhtml"}]'>Scammers will guide users to transfer funds to a "safe wallet" on the grounds of "protecting assets". They will also assist users in installing Coinbase Wallet and guide them to transfer assets originally hosted on Coinbase to a newly created wallet.
Different from the traditional "fraudulent mnemonic words", the scammers directly provide a set of mnemonic words they generated themselves, inducing users to use them as the "official new wallet".
4. Scammers steal funds.
text="">Victims are easily trapped when they are nervous, anxious and trust the "customer service" - in their view, the new wallet "officially provided" is naturally safer than the old wallet "suspected of being hacked". As a result, once the funds are transferred to this new wallet, the scammers can immediately transfer them away. Not your keys, not your coins. - This concept has been bloodily verified again in social engineering attacks.
In addition, some phishing emails claim that "Coinbase will fully migrate to self-custodial wallets due to a class action lawsuit ruling" and require users to complete the asset migration before April 1. Under the urgent time pressure and the psychological suggestion of "official instructions", users are more likely to cooperate.

(https://x.com/SteveKBark/status/1900605757025882440)
According to @NanoBaiter, these attacks are often planned and implemented in an organized manner:
Precise Target: Scammers rely on stolen user data purchased from Telegram channels and the dark web (such as "5k COINBASE US2", "100K_USA-gemini_sample"), targeting Coinbase users in the United States as their main target, and even use ChatGPT to process stolen data, split and reorganize phone numbers, and generate TXT in batches. The file is then sent through text messages via blasting software to defraud.
The deception process is coherent:From phone calls, text messages to emails, the fraud path is usually seamless and coherent. Common phishing phrases include "the account has received a withdrawal request", "the password has been reset", "the account has an abnormal login", etc., which continuously induce victims to perform "security verification" until the wallet transfer is completed.


After obtaining the funds, the scammers quickly used a set of cleaning processes to exchange and transfer the assets. The main modes are as follows:


Multiple fraud addresses are still in a "static" state after receiving DAI or USDT and have not been transferred out.

To avoid your address interacting with suspicious addresses and thus facing the risk of assets being frozen, it is recommended that users use the on-chain anti-money laundering and tracking system MistTrack (https://misttrack.io/) to perform risk detection on the target address before trading to effectively avoid potential threats.
Countermeasures
Platform
Current mainstream security measures are more of a "technical layer" protection, and social engineering fraud often bypasses these mechanisms and directly hits the user's psychological and behavioral loopholes. Therefore, it is recommended that the platform integrate user education, security training, and usability design to establish a "people-oriented" security line of defense.
Regularly push anti-fraud education content:Through the App Improve users’ anti-phishing capabilities through pop-up windows, transaction confirmation interfaces, emails, etc.; Optimize risk control models and introduce “interactive abnormal behavior identification”: Most social engineering frauds will induce users to complete a series of operations (such as transfers, whitelist changes, device binding, etc.) in a short period of time. The platform should identify suspicious interaction combinations (such as “frequent interactions + new addresses + large withdrawals”) based on the behavior chain model and trigger a cooling-off period or manual review mechanism. Optimize risk control models and introduce “interactive abnormal behavior identification”: Most social engineering frauds will induce users to complete a series of operations (such as transfers, whitelist changes, device binding, etc.) in a short period of time. The platform should identify suspicious interaction combinations (such as “frequent interactions + new addresses + large withdrawals”) based on the behavior chain model and trigger a cooling-off period or manual review mechanism. leaf="">Standardize customer service channels and verification mechanisms: Fraudsters often impersonate customer service to confuse users. Platforms should unify telephone, SMS, and email templates, and provide a "customer service verification entrance" to clarify the only official communication channel to avoid confusion.
Users

(https://haveibeenpwned.com/)
Continue to pay attention to security information:Learn the latest developments in attack methods through security companies, media, trading platforms and other channels, and stay alert. At present, the Web3 phishing drill platform created by SlowMist, @DeFiHackLabs and @realScamSniffer is about to be launched. The platform will simulate a variety of typical phishing methods, including social engineering poisoning, signature phishing, malicious contract interaction, etc., and combine the real cases collected in our historical discussions to continuously update the scenario content. Let users improve their identification and response capabilities in a risk-free environment.

This is not groundless worry. Since the beginning of this year, encryption practitioners/users have encountered many incidents that threaten personal safety. Given that the leaked data includes name, address, contact information, account data, ID card photos, etc., relevant users also need to be vigilant offline and pay attention to safety.

In short, remain skeptical and continue to verify. Whenever emergency operations are involved, be sure to ask the other party to prove their identity and verify independently through official channels to avoid making irreversible decisions under pressure. For more security advice and new attack methods, see the Blockchain Dark Forest Self-Guard Handbook (https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/).
Summary
text="">This incident once again exposed that in the face of increasingly sophisticated social engineering attacks, the industry still has obvious shortcomings in protecting customer data and assets. It is worth noting that even if the relevant positions on the platform do not have financial authority and lack sufficient security awareness and capabilities, serious consequences may occur due to unintentional disclosure or subversion. As the platform continues to expand, the complexity of personnel security management and control has increased, and it has become one of the most difficult risks to overcome in the industry. Therefore, while strengthening the on-chain security mechanism, the platform must also systematically build a "social engineering defense system" covering internal personnel and outsourced services, and incorporate human risks into the overall security strategy.
In addition, once it is discovered that the attack is not an isolated incident, but an organized, large-scale and continuous threat, the platform should respond immediately, proactively check for potential vulnerabilities, remind users to take precautions, and control the scope of damage. Only by responding at both the technical and organizational levels can we truly maintain trust and bottom line in an increasingly complex security environment.