Author: Liz & Lisa
In the field of crypto assets, social engineering attacks are becoming a major threat to the security of user funds. Since 2025, a large number of social engineering scams targeting Coinbase users have surfaced, attracting widespread attention from the community. It is not difficult to see from the community's discussions that such incidents are not isolated cases, but a type of scam with persistent and organized characteristics.
On May 15, Coinbase issued an announcement confirming previous speculation that there was an "insider" in Coinbase. It is reported that the U.S. Department of Justice (DOJ) has launched an investigation into the data leak.
This article will disclose the main methods of scammers by collating information provided by multiple security researchers and victims, and explore how to effectively deal with such scams from the perspectives of both platforms and users.
(https://x.com/coinbase/status/1922967576209998133)
"In the past week alone, more than $45 million was stolen from Coinbase users due to social engineering scams," wrote Zach, the chain detective, in a Telegram update on May 7.
In the past year, Zach has repeatedly disclosed Coinbase user theft incidents on his Telegram channel and X platform, with individual victims losing up to tens of millions of dollars. Zach published a detailed investigation in February 2025, stating that the total amount of funds stolen due to similar scams between December 2024 and January 2025 alone exceeded US$65 million, and revealed that Coinbase is facing a serious "social engineering fraud" crisis. Such attacks are continuing to infringe on the security of user assets at an average annual scale of US$300 million. He also pointed out:
The gangs that lead this type of fraud are mainly divided into two categories: one is low-level attackers (skids) from the Com circle, and the other is cybercrime organizations based in India;
The fraud gangs mainly target American users, with standardized methods and mature rhetoric;
(https://x.com/zachxbt/status/1886411891213230114)
In this incident, Coinbase's technical system did not
(https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists)
This type of attack method has changed the traditional "cast-net" phishing method and turned to "precision strike", which can be called a "tailor-made" social engineering fraud. The typical path of the crime is as follows: 1. Contact users as "official customer service" Scammers use a fake telephone system (PBX) to impersonate Coinbase customer service and call users to say that their "accounts have been illegally logged in" or "withdrawal anomalies have been detected" to create an atmosphere of urgency. They will then send simulated phishing emails or text messages containing fake work order numbers or "recovery process" links to guide users. These links may point to cloned Coinbase interfaces, and can even send emails that appear to be from official domains. Some emails use redirection technology to bypass security protection.
2. Guide users to download Coinbase Wallet
<span leaf="" para",{"tagName":"section","attributes":{},"namespaceURI":"http://www.w3.org/1999/xhtml"},"node",{"tagName":"b","attributes":{"data-pm-slice":"0 0 []"},"namespaceURI":"http://www.w3.org/1999/xhtml"},"node",{"tagName":"b","attributes":{"data-pm-slice":"0 0 []"},"namespaceURI":"http://www.w3.org/1999/xhtml"},"para",{"tagName":"p","attributes":{"dir":"ltr","style":"margin-bottom: 0px;letter-spacing: 0.578px;text-align: left;"},"namespaceURI":"http://www.w3.org/1999/xhtml"}]'>Scammers will guide users to transfer funds to a "safe wallet" on the grounds of "protecting assets". They will also assist users in installing Coinbase Wallet and guide them to transfer assets originally hosted on Coinbase to a newly created wallet.
Different from the traditional "fraudulent mnemonic words", the scammers directly provide a set of mnemonic words they generated themselves, inducing users to use them as the "official new wallet".
4. Scammers steal funds.
text="">Victims are easily trapped when they are nervous, anxious and trust the "customer service" - in their view, the new wallet "officially provided" is naturally safer than the old wallet "suspected of being hacked". As a result, once the funds are transferred to this new wallet, the scammers can immediately transfer them away. Not your keys, not your coins. - This concept has been bloodily verified again in social engineering attacks.
In addition, some phishing emails claim that "Coinbase will fully migrate to self-custodial wallets due to a class action lawsuit ruling" and require users to complete the asset migration before April 1. Under the urgent time pressure and the psychological suggestion of "official instructions", users are more likely to cooperate.
(https://x.com/SteveKBark/status/1900605757025882440)
According to @NanoBaiter, these attacks are often planned and implemented in an organized manner:
The fraud tool chain is complete
Precise Target: Scammers rely on stolen user data purchased from Telegram channels and the dark web (such as "5k COINBASE US2", "100K_USA-gemini_sample"), targeting Coinbase users in the United States as their main target, and even use ChatGPT to process stolen data, split and reorganize phone numbers, and generate TXT in batches. The file is then sent through text messages via blasting software to defraud.
The deception process is coherent:From phone calls, text messages to emails, the fraud path is usually seamless and coherent. Common phishing phrases include "the account has received a withdrawal request", "the password has been reset", "the account has an abnormal login", etc., which continuously induce victims to perform "security verification" until the wallet transfer is completed.
After obtaining the funds, the scammers quickly used a set of cleaning processes to exchange and transfer the assets. The main modes are as follows:
ETH assets are often quickly exchanged for DAI or ETH through Uniswap. USDT, and then dispersedly transferred to multiple new addresses, and some assets entered the centralized trading platform;
BTC is mainly transferred to Ethereum through THORChain, Chainflip or Defiway Bridge, and then converted to DAI or USDT to avoid tracking risks.
Multiple fraud addresses are still in a "static" state after receiving DAI or USDT and have not been transferred out.
To avoid your address interacting with suspicious addresses and thus facing the risk of assets being frozen, it is recommended that users use the on-chain anti-money laundering and tracking system MistTrack (https://misttrack.io/) to perform risk detection on the target address before trading to effectively avoid potential threats.
Current mainstream security measures are more of a "technical layer" protection, and social engineering fraud often bypasses these mechanisms and directly hits the user's psychological and behavioral loopholes. Therefore, it is recommended that the platform integrate user education, security training, and usability design to establish a "people-oriented" security line of defense.
Regularly push anti-fraud education content:Through the App Improve users’ anti-phishing capabilities through pop-up windows, transaction confirmation interfaces, emails, etc.; Optimize risk control models and introduce “interactive abnormal behavior identification”: Most social engineering frauds will induce users to complete a series of operations (such as transfers, whitelist changes, device binding, etc.) in a short period of time. The platform should identify suspicious interaction combinations (such as “frequent interactions + new addresses + large withdrawals”) based on the behavior chain model and trigger a cooling-off period or manual review mechanism. Optimize risk control models and introduce “interactive abnormal behavior identification”: Most social engineering frauds will induce users to complete a series of operations (such as transfers, whitelist changes, device binding, etc.) in a short period of time. The platform should identify suspicious interaction combinations (such as “frequent interactions + new addresses + large withdrawals”) based on the behavior chain model and trigger a cooling-off period or manual review mechanism. leaf="">Standardize customer service channels and verification mechanisms: Fraudsters often impersonate customer service to confuse users. Platforms should unify telephone, SMS, and email templates, and provide a "customer service verification entrance" to clarify the only official communication channel to avoid confusion.
Implement identity isolation strategies:Avoid multiple platforms sharing the same email address or mobile phone number to reduce joint risks. You can use leak query tools to regularly check whether your email address has been leaked.
(https://haveibeenpwned.com/)
Enable transfer whitelist and withdrawal cooling mechanism:Preset trusted addresses to reduce the risk of capital loss in emergency situations.
Continue to pay attention to security information:Learn the latest developments in attack methods through security companies, media, trading platforms and other channels, and stay alert. At present, the Web3 phishing drill platform created by SlowMist, @DeFiHackLabs and @realScamSniffer is about to be launched. The platform will simulate a variety of typical phishing methods, including social engineering poisoning, signature phishing, malicious contract interaction, etc., and combine the real cases collected in our historical discussions to continuously update the scenario content. Let users improve their identification and response capabilities in a risk-free environment.
Pay attention to offline risks and privacy protection:Personal information leakage may also cause personal safety issues.
This is not groundless worry. Since the beginning of this year, encryption practitioners/users have encountered many incidents that threaten personal safety. Given that the leaked data includes name, address, contact information, account data, ID card photos, etc., relevant users also need to be vigilant offline and pay attention to safety.
In short, remain skeptical and continue to verify. Whenever emergency operations are involved, be sure to ask the other party to prove their identity and verify independently through official channels to avoid making irreversible decisions under pressure. For more security advice and new attack methods, see the Blockchain Dark Forest Self-Guard Handbook (https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/).
text="">This incident once again exposed that in the face of increasingly sophisticated social engineering attacks, the industry still has obvious shortcomings in protecting customer data and assets. It is worth noting that even if the relevant positions on the platform do not have financial authority and lack sufficient security awareness and capabilities, serious consequences may occur due to unintentional disclosure or subversion. As the platform continues to expand, the complexity of personnel security management and control has increased, and it has become one of the most difficult risks to overcome in the industry. Therefore, while strengthening the on-chain security mechanism, the platform must also systematically build a "social engineering defense system" covering internal personnel and outsourced services, and incorporate human risks into the overall security strategy.
In addition, once it is discovered that the attack is not an isolated incident, but an organized, large-scale and continuous threat, the platform should respond immediately, proactively check for potential vulnerabilities, remind users to take precautions, and control the scope of damage. Only by responding at both the technical and organizational levels can we truly maintain trust and bottom line in an increasingly complex security environment.
In 2024, cash remains the top choice for illegal activities, far exceeding cryptocurrency use. Crypto ISAC points out that blockchain makes crypto easier to trace, while cash is untraceable. Does this shift toward fiat signal progress or new challenges?
KikyoLeah, a woman from Antelope, California, lost her entire life savings of $100,000 to a scammer on LinkedIn who posed as a legitimate investor. After gaining her trust through months of communication, he convinced her to invest in cryptocurrency, only to quickly drain her account and cut off all contact.
AnaisBank of America recently faced a nationwide outage, leaving users unable to access their accounts and discovering a $0 balance. Customers were alarmed by the absence of their funds while their outstanding debts remained visible. Fears among users regarding the potential loss of their assets runs rampant.
CatherineSocial media platforms, especially Snapchat, are significantly influencing young consumers' purchasing decisions through creator-driven marketing, with 82% of Gen Z buying products because of influencers. As Facebook declines in effectiveness, brands must adapt to these shifts by fostering genuine connections and embracing creativity in their marketing strategies.
AnaisChatGPT leads the AI market with 25 million searches monthly, while Google’s Gemini lags far behind with only 1.5 million searches, highlighting a significant gap in interest. As the AI landscape evolves, users prefer established names, making it challenging for newer models to gain traction.
WeatherlyOpenSea is grappling with executive departures, including former COO Shiva Rajaraman, amidst a declining NFT market and rising competition. The SEC's Wells notice, classifying its NFTs as securities, adds to its challenges, resulting in potential legal action from users.
AnaisRussian authorities arrested nearly 100 individuals linked to cybercriminal operations using UAPS and Cryptex for money laundering. The suspects, who owned luxury items, face charges for running illegal cryptocurrency exchanges, processing billions in illicit transactions.
WeatherlyCullen Hoback's upcoming HBO documentary, “Money Electric: The Bitcoin Mystery,” premiering on 8 October 2024, may finally reveal the identity of Bitcoin's creator, Satoshi Nakamoto. Despite ongoing speculation, many in the Bitcoin community stress the importance of respecting Nakamoto's anonymity and highlight that any claims about his identity remain unproven without concrete evidence.
JoyTaiwan's Financial Supervisory Commission has mandated that all virtual asset service providers register by September 2025 and comply with new anti-money laundering regulations effective January 2025. The regulations aim to enhance oversight, reduce risks, and ensure that management teams have the required experience and no criminal records.
WeatherlyGoogle has launched a new video search feature that allows users to point their camera at objects and ask questions, providing relevant search results. This initiative, part of their ongoing AI enhancements, aims to improve user interaction and maintain Google’s dominance in the competitive search market.
Anais