Author: Liz & Lisa
In the field of crypto assets, social engineering attacks are becoming a major threat to the security of user funds. Since 2025, a large number of social engineering scams targeting Coinbase users have surfaced, attracting widespread attention from the community. It is not difficult to see from the community's discussions that such incidents are not isolated cases, but a type of scam with persistent and organized characteristics.
On May 15, Coinbase issued an announcement confirming previous speculation that there was an "insider" in Coinbase. It is reported that the U.S. Department of Justice (DOJ) has launched an investigation into the data leak.
This article will disclose the main methods of scammers by collating information provided by multiple security researchers and victims, and explore how to effectively deal with such scams from the perspectives of both platforms and users.
(https://x.com/coinbase/status/1922967576209998133)
"In the past week alone, more than $45 million was stolen from Coinbase users due to social engineering scams," wrote Zach, the chain detective, in a Telegram update on May 7.
In the past year, Zach has repeatedly disclosed Coinbase user theft incidents on his Telegram channel and X platform, with individual victims losing up to tens of millions of dollars. Zach published a detailed investigation in February 2025, stating that the total amount of funds stolen due to similar scams between December 2024 and January 2025 alone exceeded US$65 million, and revealed that Coinbase is facing a serious "social engineering fraud" crisis. Such attacks are continuing to infringe on the security of user assets at an average annual scale of US$300 million. He also pointed out:
The gangs that lead this type of fraud are mainly divided into two categories: one is low-level attackers (skids) from the Com circle, and the other is cybercrime organizations based in India;
The fraud gangs mainly target American users, with standardized methods and mature rhetoric;
(https://x.com/zachxbt/status/1886411891213230114)
In this incident, Coinbase's technical system did not
(https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists)
This type of attack method has changed the traditional "cast-net" phishing method and turned to "precision strike", which can be called a "tailor-made" social engineering fraud. The typical path of the crime is as follows: 1. Contact users as "official customer service" Scammers use a fake telephone system (PBX) to impersonate Coinbase customer service and call users to say that their "accounts have been illegally logged in" or "withdrawal anomalies have been detected" to create an atmosphere of urgency. They will then send simulated phishing emails or text messages containing fake work order numbers or "recovery process" links to guide users. These links may point to cloned Coinbase interfaces, and can even send emails that appear to be from official domains. Some emails use redirection technology to bypass security protection.
2. Guide users to download Coinbase Wallet
<span leaf="" para",{"tagName":"section","attributes":{},"namespaceURI":"http://www.w3.org/1999/xhtml"},"node",{"tagName":"b","attributes":{"data-pm-slice":"0 0 []"},"namespaceURI":"http://www.w3.org/1999/xhtml"},"node",{"tagName":"b","attributes":{"data-pm-slice":"0 0 []"},"namespaceURI":"http://www.w3.org/1999/xhtml"},"para",{"tagName":"p","attributes":{"dir":"ltr","style":"margin-bottom: 0px;letter-spacing: 0.578px;text-align: left;"},"namespaceURI":"http://www.w3.org/1999/xhtml"}]'>Scammers will guide users to transfer funds to a "safe wallet" on the grounds of "protecting assets". They will also assist users in installing Coinbase Wallet and guide them to transfer assets originally hosted on Coinbase to a newly created wallet.
Different from the traditional "fraudulent mnemonic words", the scammers directly provide a set of mnemonic words they generated themselves, inducing users to use them as the "official new wallet".
4. Scammers steal funds.
text="">Victims are easily trapped when they are nervous, anxious and trust the "customer service" - in their view, the new wallet "officially provided" is naturally safer than the old wallet "suspected of being hacked". As a result, once the funds are transferred to this new wallet, the scammers can immediately transfer them away. Not your keys, not your coins. - This concept has been bloodily verified again in social engineering attacks.
In addition, some phishing emails claim that "Coinbase will fully migrate to self-custodial wallets due to a class action lawsuit ruling" and require users to complete the asset migration before April 1. Under the urgent time pressure and the psychological suggestion of "official instructions", users are more likely to cooperate.
(https://x.com/SteveKBark/status/1900605757025882440)
According to @NanoBaiter, these attacks are often planned and implemented in an organized manner:
The fraud tool chain is complete
Precise Target: Scammers rely on stolen user data purchased from Telegram channels and the dark web (such as "5k COINBASE US2", "100K_USA-gemini_sample"), targeting Coinbase users in the United States as their main target, and even use ChatGPT to process stolen data, split and reorganize phone numbers, and generate TXT in batches. The file is then sent through text messages via blasting software to defraud.
The deception process is coherent:From phone calls, text messages to emails, the fraud path is usually seamless and coherent. Common phishing phrases include "the account has received a withdrawal request", "the password has been reset", "the account has an abnormal login", etc., which continuously induce victims to perform "security verification" until the wallet transfer is completed.
After obtaining the funds, the scammers quickly used a set of cleaning processes to exchange and transfer the assets. The main modes are as follows:
ETH assets are often quickly exchanged for DAI or ETH through Uniswap. USDT, and then dispersedly transferred to multiple new addresses, and some assets entered the centralized trading platform;
BTC is mainly transferred to Ethereum through THORChain, Chainflip or Defiway Bridge, and then converted to DAI or USDT to avoid tracking risks.
Multiple fraud addresses are still in a "static" state after receiving DAI or USDT and have not been transferred out.
To avoid your address interacting with suspicious addresses and thus facing the risk of assets being frozen, it is recommended that users use the on-chain anti-money laundering and tracking system MistTrack (https://misttrack.io/) to perform risk detection on the target address before trading to effectively avoid potential threats.
Current mainstream security measures are more of a "technical layer" protection, and social engineering fraud often bypasses these mechanisms and directly hits the user's psychological and behavioral loopholes. Therefore, it is recommended that the platform integrate user education, security training, and usability design to establish a "people-oriented" security line of defense.
Regularly push anti-fraud education content:Through the App Improve users’ anti-phishing capabilities through pop-up windows, transaction confirmation interfaces, emails, etc.; Optimize risk control models and introduce “interactive abnormal behavior identification”: Most social engineering frauds will induce users to complete a series of operations (such as transfers, whitelist changes, device binding, etc.) in a short period of time. The platform should identify suspicious interaction combinations (such as “frequent interactions + new addresses + large withdrawals”) based on the behavior chain model and trigger a cooling-off period or manual review mechanism. Optimize risk control models and introduce “interactive abnormal behavior identification”: Most social engineering frauds will induce users to complete a series of operations (such as transfers, whitelist changes, device binding, etc.) in a short period of time. The platform should identify suspicious interaction combinations (such as “frequent interactions + new addresses + large withdrawals”) based on the behavior chain model and trigger a cooling-off period or manual review mechanism. leaf="">Standardize customer service channels and verification mechanisms: Fraudsters often impersonate customer service to confuse users. Platforms should unify telephone, SMS, and email templates, and provide a "customer service verification entrance" to clarify the only official communication channel to avoid confusion.
Implement identity isolation strategies:Avoid multiple platforms sharing the same email address or mobile phone number to reduce joint risks. You can use leak query tools to regularly check whether your email address has been leaked.
(https://haveibeenpwned.com/)
Enable transfer whitelist and withdrawal cooling mechanism:Preset trusted addresses to reduce the risk of capital loss in emergency situations.
Continue to pay attention to security information:Learn the latest developments in attack methods through security companies, media, trading platforms and other channels, and stay alert. At present, the Web3 phishing drill platform created by SlowMist, @DeFiHackLabs and @realScamSniffer is about to be launched. The platform will simulate a variety of typical phishing methods, including social engineering poisoning, signature phishing, malicious contract interaction, etc., and combine the real cases collected in our historical discussions to continuously update the scenario content. Let users improve their identification and response capabilities in a risk-free environment.
Pay attention to offline risks and privacy protection:Personal information leakage may also cause personal safety issues.
This is not groundless worry. Since the beginning of this year, encryption practitioners/users have encountered many incidents that threaten personal safety. Given that the leaked data includes name, address, contact information, account data, ID card photos, etc., relevant users also need to be vigilant offline and pay attention to safety.
In short, remain skeptical and continue to verify. Whenever emergency operations are involved, be sure to ask the other party to prove their identity and verify independently through official channels to avoid making irreversible decisions under pressure. For more security advice and new attack methods, see the Blockchain Dark Forest Self-Guard Handbook (https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/).
text="">This incident once again exposed that in the face of increasingly sophisticated social engineering attacks, the industry still has obvious shortcomings in protecting customer data and assets. It is worth noting that even if the relevant positions on the platform do not have financial authority and lack sufficient security awareness and capabilities, serious consequences may occur due to unintentional disclosure or subversion. As the platform continues to expand, the complexity of personnel security management and control has increased, and it has become one of the most difficult risks to overcome in the industry. Therefore, while strengthening the on-chain security mechanism, the platform must also systematically build a "social engineering defense system" covering internal personnel and outsourced services, and incorporate human risks into the overall security strategy.
In addition, once it is discovered that the attack is not an isolated incident, but an organized, large-scale and continuous threat, the platform should respond immediately, proactively check for potential vulnerabilities, remind users to take precautions, and control the scope of damage. Only by responding at both the technical and organizational levels can we truly maintain trust and bottom line in an increasingly complex security environment.
xAI is negotiating a $20 billion funding round, which could increase its valuation to $120 billion and solidify Musk's influence in the AI field. Despite challenges with debt from the acquisition of Twitter, investor interest remains high, and xAI is positioned for significant growth in both AI and social media sectors.
WeatherlyDeepSeek has returned to South Korea’s app stores after a two-month suspension due to data privacy concerns. The company revised its privacy policy to comply with local laws and allow users to opt out of data sharing with foreign companies.
AnaisA recent study shows that humans outperform AI in understanding social interactions in dynamic environments. The research suggests this gap arises because AI is modelled on brain regions for static images, not dynamic, interactive contexts.
CatherineEl Salvador has stopped using public funds to buy Bitcoin as part of an agreement with the IMF. However, the country continues to grow its Bitcoin holdings through private sources.
AnaisThe announcement of new incentives for President Trump’s official meme coin sparked $2.4 billion in onchain transfers, a 60% price jump, and a 200% surge in activity. Critics, however, call the move controversial, with some demanding impeachment. Is Trump blurring the lines between politics, personal gain, and public trust?
CatherineVirtually Human Studios shut down the original Zed Run and launched a new game called Zed Champions on Base network. The new version brings automatic racing, uses ZED tokens for gameplay, and gives players a fresh start without using old NFTs.
WeatherlyMetaMask’s new self-custody crypto card backed by Mastercard and launched in partnership with CompoSecure and Baanx, enters a market already crowded with offerings from major centralised exchanges. Can it carve out a niche in an increasingly competitive landscape?
KikyoAI "nudification" apps, which alter photos to create explicit images of children, have raised serious concerns in the UK, with the Children's Commissioner calling for a ban. The rise in AI-generated child abuse material has led to a 380% increase in reported cases, prompting calls for stronger legal actions.
AnaisElon Musk predicts robotic surgeons will outperform humans within a few years—and even surpass the best in five—pointing to Neuralink’s robot, which implants brain interfaces with micron-level precision beyond human capability.
CatherineIn 2024, Americans lost at least $9.3 billion to crypto scams, making up more than half of the $16.6 billion total reported losses from internet crimes. The FBI ramped up efforts to tackle fraud, preventing $286 million in losses through initiatives like Operation Level Up.
Weatherly