Pseudonymous on-chain detective ZachXBT has revealed that Coinbase users are losing more than $300 million annually to sophisticated social engineering scams. The crypto sleuth pointed out that there has been a surge in complaints from the exchange’s users on X in the past few months regarding the unexpected restriction of their accounts.
“This issue stems from the aggressive application of risk models and, more significantly, Coinbase’s demonstrable failure to adequately mitigate the substantial financial losses inflicted upon its users by sophisticated social engineering scams,” ZachXBT asserted.
ZachXBT Investigates Coinbase Social Engineering Scams
Coinbase withdrawal data and information gathered from direct messages reveal a stark picture.
2/ Myself and @tanuki42_ spent time reviewing Coinbase withdrawals and gathering data from my DMs for high confidence thefts on various chains.
Below is a table we created which shows $65M stolen from Coinbase users in Dec 2024 – Jan 2025.
Our number is likely much lower than… pic.twitter.com/ZceQ5AggYU
— ZachXBT (@zachxbt) February 3, 2025
One particularly illustrative case involved a victim who suffered a loss of approximately $850,000. Tracing the stolen funds led to a consolidation address linked to at least 25 other victims, all associated with the address “coinbase-hold.eth.” The theft address served as a central point for these fraudulent transactions.
Moreover, the scam employed a multi-layered approach. The scammer, using a spoofed phone number and personal information likely obtained from compromised databases, initially contacted the victim. They falsely claimed multiple unauthorized login attempts on the victim’s account.
Subsequently, a spoofed Coinbase email, including a fake Case ID, followed. This boosted the scam’s credibility. The scammers then instructed the victim to transfer funds to a Coinbase Wallet and allowlist a specific address. Meanwhile, supposed “support” personnel seemingly verified the account’s security.
Threat Actors’ Alleged Identities
The geographic origins of these scams present a concerning trend. Individuals identified as “skids” from the Commonwealth of Independent States (CIS) region and Indian-based threat actors appear to be the two main groups behind these operations, primarily targeting US customers.
According to ZachXBT, the recent instance of a Coinbase employee advising users to avoid using VPNs to evade suspicious activity flags further highlights the disconnect between Coinbase’s approach and the reality of the threat landscape.
Threat actors, conversely, often actively block VPN access to their phishing sites, highlighting a fundamental flaw in Coinbase’s risk assessment.