"Customer Service" in the Dark Forest: Social Engineering Scams Target Coinbase Users

This article is machine translated

For any urgent operation, insist that the other party prove their identity and verify the request independently through official channels, so that you never make an irreversible decision under pressure.

Authors: Liz & Lisa

Editor: Sherry

Background

In the crypto asset field, social engineering attacks are becoming a major threat to the security of user funds. Since 2025, social engineering scams targeting Coinbase users have surfaced one after another and drawn widespread community attention. Community discussions suggest that these incidents are not isolated cases but a persistent, organized pattern of fraud.

On May 15th, Coinbase released an announcement confirming earlier speculation about an "insider" at Coinbase. The U.S. Department of Justice (DOJ) has reportedly opened an investigation into the data breach.

This article compiles information from multiple security researchers and victims to disclose the scammers' main tactics, and explores how such scams can be countered effectively from both the platform's and the user's perspective.

(https://x.com/coinbase/status/1922967576209998133)

Historical Analysis

"Over the past week alone, more than $45 million was stolen from Coinbase users through social engineering scams," wrote on-chain detective Zach in his Telegram update on May 7th.

Over the past year, Zach has repeatedly disclosed thefts from Coinbase users on his Telegram channel and on X, with some victims losing up to tens of millions of dollars. In a detailed investigation published in February 2025, Zach stated that the total stolen by similar scams between December 2024 and January 2025 exceeded $65 million, revealing that Coinbase faces a serious "social engineering scam" crisis in which these attacks drain roughly $300 million from users annually. He also pointed out:

  • The gangs leading these scams are mainly divided into two categories: low-level attackers (skids) from the Com circle and cybercrime organizations located in India;
  • The scam gangs primarily target U.S. users, with standardized attack methods and mature scripting processes;
  • The actual loss amount may be far higher than the on-chain visible statistics, as it does not include unpublished information such as Coinbase customer service tickets and police reports.
(https://x.com/zachxbt/status/1886411891213230114)

Scam Tactics

In this incident, Coinbase's technical systems were not breached; instead, scammers exploited the access of internal employees to obtain some users' sensitive information: names, addresses, contact details, account data, and ID photos. The scammers' ultimate goal is to use social engineering to get users to transfer the funds themselves.

(https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists)

This attack method has shifted from traditional wide-net phishing to a "precision strike": a social engineering scam tailored to the individual victim. The typical attack path is as follows:

1. Contacting users as "official customer service"

Scammers use PBX systems with spoofed caller IDs to impersonate Coinbase customer service, calling users to claim that their "account has been illegally accessed" or that "withdrawal anomalies have been detected", creating a sense of urgency. They then send phishing emails or text messages containing fake ticket numbers or "recovery process" links to steer the user's next actions. These links may lead to cloned Coinbase interfaces, and some emails appear to come from official domains, using redirection techniques to bypass security protections.
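As an added illustration (not from the article), the following Python triage of a constructed support e-mail shows how a defender or mail gateway can flag the tricks described in this step: a sender address that claims coinbase.com but fails DMARC at the receiving mail server, links whose host is a clone or lookalike rather than the brand's own domain, and redirect parameters that carry a second URL. The sample message, the domain names and the urgency word list are constructed assumptions, and the heuristics are illustrative rather than a complete phishing filter.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

TRUSTED_DOMAIN = "coinbase.com"  # brand the message claims to come from
URGENCY = ("immediately", "suspended", "illegally accessed", "before", "migrate")

# Constructed sample (not a real message): spoofed From, DMARC fail at the MTA, redirect link.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net; spf=softfail; dkim=none; dmarc=fail header.from=coinbase.com
From: Coinbase Support <help@coinbase.com>
To: victim@example.net
Subject: Ticket #CB-4471: account illegally accessed
Content-Type: text/html

<p>Your account was illegally accessed. Migrate funds immediately:</p>
<a href="https://redirect.example-ads.net/r?url=https://coinbase-recovery.example/start">Recover account</a>
"""

def same_org(host, trusted):
    """True if host is the trusted domain or a subdomain of it (lookalikes fail)."""
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def triage(raw):
    """Return a list of findings; an empty list means none of the checks fired."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    auth = msg.get("Authentication-Results", "")
    # 1. Address claims the brand, but the MTA's Authentication-Results shows no DMARC pass.
    if same_org(sender_domain, TRUSTED_DOMAIN) and "dmarc=pass" not in auth:
        findings.append(f"DMARC not passed for claimed sender domain {sender_domain}")
    body = msg.get_payload()
    for href in re.findall(r'href="([^"]+)"', body):
        u = urlparse(href)
        # 2. Link host outside the brand's domain: cloned interface or lookalike.
        if not same_org(u.hostname or "", TRUSTED_DOMAIN):
            findings.append(f"link host {u.hostname} is outside {TRUSTED_DOMAIN}")
        # 3. Redirect-style parameter that carries a second URL.
        if any(v.startswith(("http://", "https://")) for vals in parse_qs(u.query).values() for v in vals):
            findings.append(f"redirect parameter in link: {href}")
    # 4. Urgency language typical of the "customer service" script.
    hits = [w for w in URGENCY if w in (msg.get("Subject", "") + " " + body).lower()]
    if hits:
        findings.append("urgency cues: " + ", ".join(hits))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

A message from the real brand that passes DMARC, links only to its own domain and carries no urgency cues returns an empty list.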

2. Guiding users to download Coinbase Wallet

Under the pretext of "protecting assets", scammers guide users to move funds to a "secure wallet": they help the user install Coinbase Wallet and direct them to transfer the assets originally held on Coinbase into the newly created wallet.

3. Inducing users to use scammer-provided seed phrases

Unlike traditional seed phrase theft, where the victim's own phrase is stolen, the scammers here supply a seed phrase they generated themselves and induce the user to set up the "official new wallet" with it, so the scammers hold the wallet's keys from the start.

4. Scammers steal funds

Victims are easily trapped in a state of tension, anxiety and trust in the "customer service"; in their eyes, the "officially provided" new wallet is naturally safer than the "potentially compromised" old one. Yet once funds land in this new wallet, the scammers can move them out immediately. "Not your keys, not your coins": this principle is once again brutally confirmed by social engineering attacks.

In addition, some phishing emails claim that "due to a class action lawsuit ruling, Coinbase will fully migrate to self-hosted wallets" and require users to complete the asset migration before April 1st. Under the pressure of a tight deadline and "official instructions", users are more likely to comply.

(https://x.com/SteveKBark/status/1900605757025882440)

According to @NanoBaiter, these attacks are typically planned and carried out in an organized manner:

  • Refined scam toolchain: scammers use PBX systems (such as FreePBX, Bitrix24) to spoof caller numbers and simulate official customer service calls. For phishing emails, they use @spoofmailer_bot on Telegram to impersonate Coinbase's official email address, attaching an "account recovery guide" that walks the victim through the transfer.
  • Precise targeting: scammers rely on stolen user data bought from Telegram channels and the dark web (listings such as "5k COINBASE US2", "100K_USA-gemini_sample"), focusing mainly on Coinbase users in the US. They even use ChatGPT to process the stolen data, splitting and recombining phone numbers and generating batch TXT files, and then send scam SMS through cracked software.
