Insider leaked information, Coinbase users suffered targeted fraud

This security crisis may be more serious than imagined.

Original author: Fairy, ChainCatcher

Original editor: TB, ChainCatcher

“Hello, this is the Coinbase security team, we have detected unusual logins to your account…”

The voice on the other end of the phone is professional and urgent, and can even accurately report your name, registered email address and recent transaction records. Will you choose to hang up immediately, or follow the customer service instructions and transfer the funds step by step to the so-called safe wallet?

Recently, many Coinbase users have been defrauded one after another, and the amount of loss is staggering. In March alone, the stolen funds exceeded 46 million US dollars. Every year, the losses caused by social engineering scams to Coinbase users are as high as 300 million US dollars.

However, how did these hackers accurately target their users? How did they obtain users' personal information? This security crisis may be more serious than imagined.

Fraud is rampant and phishing attacks are becoming an industry

On March 28, on-chain detective ZachXBT revealed that in the past two weeks, there have been multiple cases of suspected Coinbase users being defrauded, bringing the total amount of funds stolen in March to more than $46 million.

In fact, this type of fraud can be traced back further. In early February, ZachXBT revealed that between December 2024 and January 2025, Coinbase users lost up to $65 million due to similar tactics. This figure puts Coinbase at risk of a social engineering fraud crisis of more than $300 million per year.

According to ZachXBT’s analysis, fraudulent methods have formed a mature industrial chain:

  • Scammers impersonating Coinbase officials

Scammers use fake phone numbers to call victims and use personal information to gain trust. They claim that there are unauthorized login attempts to the user's account and trick the victim into cooperating with security verification.

  • Sending phishing emails

Scammers send fake Coinbase emails containing fake case IDs.

  • Guide users to transfer funds

The scammers ask victims to transfer funds to Coinbase Wallet and whitelist the scam address, claiming it is a form of account security verification.

  • Clone the Coinbase website

The scammers created an almost 1:1 phishing copy of the Coinbase website and sent different operation instructions to the victims through fake emails and Telegram scam panels.

In addition, according to Cointelegraph, several cryptocurrency users have recently received fraudulent emails impersonating Coinbase and Gemini. Such emails usually claim that due to regulatory requirements, users must transition to self-hosted wallets and set April 1 as the deadline to create a sense of urgency.

The email provides a link to download Coinbase Wallet or Gemini Wallet, and comes with a pre-generated recovery phrase. Once the user uses these phrases to create a new wallet and transfer assets, the funds will be emptied by the scammers in an instant.

Internal data access issues surface

The core of social engineering scams lies in accurate information acquisition, and in the case of Coinbase users being defrauded, the attackers seemed to have the victims' personal information, including phone numbers, email addresses, transaction records, etc. This raises a key question: How did this data fall into the hands of scammers?

Yesterday, The Block co-founder Mike Dudas said on the X platform that he received an email from Coinbase. The content of this email is disturbing and directly points to the problem of internal data access. The email reads:

“We are writing to inform you that we have detected indications that a Coinbase employee may have accessed the account records of a small number of Coinbase customers, including yours, in a manner inconsistent with internal policies.”


Although the email stated that "your assets remain safe and your Coinbase account has not been compromised" and emphasized that there is currently no evidence that the data has been leaked to the outside, it gave users a clear warning: the problem of accessing internal data has been confirmed and is not an isolated incident.

Dudas said this explains the phishing emails and phone calls that have been sent impersonating Coinbase.

However, the scope of the data leak is in question, and it may involve a wider range of users. Community user @ghaiankur said: I don't have any funds on Coinbase and have never used it. But I still received these emails because I have an account. This may not only target a few target accounts, but the entire database.

Data leakage becomes a hidden danger in the industry

It is not only Coinbase: other exchanges seem to be facing similar internal security risks.

After Dudas shared the email, crypto trader Jordan Fish (@Cobie) broke the news that the crypto exchange Kraken had also recently suffered a similar attack. He speculated: This may be the attackers' strategy - to infiltrate the customer service team and steal user data from the inside.

Meanwhile, on March 27, the Dark Web news website Dark Web Informer revealed that a hacker codenamed AKM 69 claimed to have obtained the private information of a large number of users of the crypto exchange Gemini. The database contains 100,000 records, including the full names, emails, phone numbers and location information of American users, and even some data of users in Singapore and the United Kingdom.


Either learn to protect users or be abandoned by them.

Solana co-founder Toly commented on this incident and said that exchanges should implement user-controllable transfer time locks to reduce the risk of assets being quickly stolen. However, the incident goes deeper than that: it exposes the failure of internal risk control in exchanges and the high degree of industrialization of fraud.
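A sketch of the user-controllable transfer time lock suggested above, as an added example (not code from Coinbase, Toly or the original article). The class, method names and addresses are hypothetical, and the rule that lowering the delay must itself wait out the current delay is an assumption added here so that a caller cannot talk a victim into switching the lock off mid-call.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

HOUR = 3600

@dataclass
class TransferTimeLock:
    delay: int                                               # user-chosen lock, in seconds
    usable_at: Dict[str, int] = field(default_factory=dict)  # address -> unlock time
    pending: Optional[Tuple[int, int]] = None                # (new_delay, effective_at)

    def _settle(self, now: int) -> None:
        # Apply a queued delay reduction once its own waiting period has elapsed.
        if self.pending and now >= self.pending[1]:
            self.delay, self.pending = self.pending[0], None

    def set_delay(self, new_delay: int, now: int) -> None:
        self._settle(now)
        if new_delay >= self.delay:
            self.delay, self.pending = new_delay, None    # tightening is immediate
        else:
            self.pending = (new_delay, now + self.delay)  # loosening waits out the old lock

    def whitelist(self, address: str, now: int) -> int:
        # A newly whitelisted address only becomes usable after the current delay.
        self._settle(now)
        self.usable_at[address] = now + self.delay
        return self.usable_at[address]

    def revoke(self, address: str) -> None:
        self.usable_at.pop(address, None)

    def can_withdraw(self, address: str, now: int) -> bool:
        self._settle(now)
        unlock = self.usable_at.get(address)
        return unlock is not None and now >= unlock


def scam_call_scenario() -> dict:
    """Constructed timeline of the fake 'security team' call described in the article."""
    lock = TransferTimeLock(delay=48 * HOUR)
    lock.whitelist("user-cold-wallet", now=-100 * HOUR)  # long-standing address
    lock.set_delay(0, now=0)                             # caller: "turn the lock off"
    lock.whitelist("scam-address", now=0)                # caller: "whitelist our safe wallet"
    during_call = lock.can_withdraw("scam-address", now=1 * HOUR)
    own_wallet = lock.can_withdraw("user-cold-wallet", now=1 * HOUR)
    lock.revoke("scam-address")                          # user realises within the window
    after_window = lock.can_withdraw("scam-address", now=49 * HOUR)
    return {"during_call": during_call, "own_wallet": own_wallet,
            "after_window": after_window}
```

The lock buys time rather than preventing the transfer: if the user never revokes the address, it becomes usable once the original delay has passed.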

The security of exchanges is no longer just a matter of technical protection, but also a matter of management and trust. With increasingly complex attack methods, how to establish a more complete risk control system will determine the security benchmark of the industry in the future.
