Coinbase faces heavy fire as users duped for millions in social engineering scams


A newly released investigation claims that users of the major crypto exchange Coinbase are losing more than $300 million to social engineering scams per year, while the company fails to address this issue.

The investigation was published by the popular blockchain sleuth ZachXBT in collaboration with another investigator, tanuki42.

According to them, at least $65 million was stolen in December 2024 and January 2025 alone. However, the actual figures might be much higher, as this data covers only private messages ZachXBT received and thefts discovered on-chain. The losses do not include Coinbase support tickets and police reports, as the investigators don't have access to them.


ZachXBT explained, referring to the case of a victim who lost $850,000, that the social engineering scheme begins with a phone call from a spoofed phone number. (It's important to remember that Coinbase does not call its users.) To gain the target's trust, the perpetrators also cite personal data about them pulled from public databases before claiming that their account has seen multiple unauthorized login attempts.

Soon after, a spoofed email is also sent to the victim, instructing them to transfer funds to a Coinbase Wallet and whitelist an address while "support" verifies their account's security.

[Image: Coinbase scam. Source: @zachxbt]

Additionally, the scammers use a clone of the Coinbase website to trick their victims.

[Image: More Coinbase scams. Source: @zachxbt]

"The two main groups conducting these scams are skids from the Com and threat actors located in India, both primarily targeting US customers," ZachXBT said, also noting that Coinbase recently urged its customers to stop using VPNs to avoid being flagged as suspicious.

"Meanwhile, threat actors will explicitly block VPNs from phishing sites and not use them. This shows Coinbase’s failure to diagnose the actual problem," the investigator said.

The research also claims that Coinbase still hasn't publicly addressed security incidents such as hacked API keys used for tax software, bugs that allowed anyone to send a verification code to any email even if the email did not have an account, the $15.9M Coinbase Commerce theft last year, and a threat actor laundering $38 million via Coinbase in a few hours.


Additionally, Coinbase allegedly fails to report theft addresses to popular compliance tools and to provide sufficient support to victims.

"I do not blame all Coinbase employees, as most of the fault lies with leadership for these decisions," ZachXBT said, urging the leadership to consider specific steps that might help mitigate the losses.

These include making phone numbers optional for advanced users with an Authenticator app or Security Key added who are fully KYC verified, adding a beginner/elderly user account type that doesn’t allow withdrawals, improving community outreach, and taking necessary legal action.

Coinbase and its leadership have not publicly responded to these accusations and suggestions.