- Hackers are exploiting Coinbase users through sophisticated social engineering scams, leading to over $300 million in annual losses, as revealed by on-chain investigator ZachXBT.
- The report highlights Coinbase’s security vulnerabilities, urging the exchange to implement stronger protective measures to prevent further financial damage.
On-chain investigator ZachXBT recently revealed alarming data indicating that Coinbase users lose over $300 million annually to social engineering scams. In collaboration with researcher Tanuki42, the investigation analyzed Coinbase withdrawals and direct messages from victims, uncovering a widespread and sophisticated scheme that exploits security vulnerabilities within the exchange.
The Scale of the Exploitation
Over the past few months, numerous Coinbase users have reported sudden account restrictions on social media, which ZachXBT attributed to the exchange’s aggressive risk models and failure to curb ongoing scams.
Data from December 2024 to January 2025 alone suggests at least $65 million was stolen, though this figure is likely an underestimate, as it does not factor in Coinbase support tickets or law enforcement reports.
One particularly egregious case involved a victim who lost approximately $850,000. The stolen funds were traced to a consolidation address labeled “coinbase-hold.eth,” which was linked to over 25 other victims, highlighting the systematic nature of these attacks.
How Social Engineering Scams Work
Social engineering scams often involve attackers posing as Coinbase representatives and contacting victims through spoofed phone numbers. Leveraging personal information obtained from private databases, scammers convince users that their accounts have been compromised.
Victims receive fraudulent emails that appear to be from Coinbase, containing a fake case ID for verification. They are then instructed to transfer funds to a Coinbase Wallet and allowlist an address—unknowingly granting the scammers control over their assets.
These scams are further enabled by cloned Coinbase websites and sophisticated phishing panels promoted in Telegram channels.
Two primary groups have been identified as orchestrators of these scams: members of ‘The Com’ and cybercriminals based in India, who primarily target U.S. customers.
The report also highlighted a concerning contradiction in Coinbase’s security practices. Coinbase employees advise users not to use VPNs so that their accounts are not flagged, while threat actors explicitly block VPN access to their phishing sites to evade detection.
According to Chainalysis, social engineering scams led to $4.6 billion in stolen funds between 2023 and 2024, underscoring the widespread nature of this issue beyond just Coinbase.
Alleged Security Incidents at Coinbase
The report also alleged multiple security incidents at Coinbase, which the exchange has not publicly addressed. These include:
- Hacks involving old API keys used for tax software.
- A vulnerability allowing verification codes to be sent to any email, regardless of account status.
- A $15.9 million theft from Coinbase Commerce in 2023.
Additionally, the investigators noted that stolen funds often go unflagged in compliance tools for weeks, exacerbating user losses. Victims frequently report difficulties in reaching Coinbase’s customer support, particularly outside U.S. business hours.
Proposed Solutions and Coinbase’s Strengths
To combat these scams, ZachXBT recommended several measures, including:
- Making phone numbers optional for advanced users who utilize authentication apps or security keys.
- Introducing a beginner/elderly user account type with withdrawal restrictions and enhanced customer support.
- Increasing community engagement through blog posts on fund recovery and real-time incident response.
- Actively flagging theft addresses and blocking phishing domains.
Despite these security concerns, Coinbase retains several strengths, including stablecoin on/off-ramps, the development of the Base blockchain, asset recovery tools, legal opposition to the U.S. Securities and Exchange Commission, and a strong custody product. However, the report argues that more proactive steps are necessary to safeguard users.