One of the largest cryptocurrency exchanges in the world, Coinbase, is facing criticism after blockchain investigator ZachXBT disclosed that users have lost more than $65 million to social engineering scams in December 2024 and January 2025.
A series of attacks has spotlighted critical security weaknesses on the platform and raised serious doubts about Coinbase’s capacity to protect its customers. Meanwhile, as social engineering schemes grow ever more cunning, Coinbase’s response has become a matter of some controversy.
How the Scams Work: A Step-by-Step Breakdown
Scams that target Coinbase users through social engineering usually involve a carefully orchestrated set of actions to convince the victims to send their money. One of the more disturbing cases involved a person who lost almost $850,000. The scammer did this by using stolen personal information to gain the kind of trust that’s usually reserved for your close friends and family. It helped, of course, that the scammer was using a phone number that was nearly identical to the real Coinbase phone number, one that the victim had probably also seen in a text thread by this point.
The scammer sent a bogus email that looked like an official message from Coinbase and included a completely made-up Case ID. The email was meant to further convince the victim that their Coinbase account had a serious problem and needed to be fixed pronto. The instructions were clear and direct:
– Transfer funds to a Coinbase Wallet.
– Whitelist this specific address.
The context made it seem like the “support” team needed the victim’s help to secure the account.
The scammer’s methods went even further, involving the creation of phishing websites almost identical to the official Coinbase site. These sites prompted victims to enter sensitive information with the simplest of forms. In many instances, the attackers sent their targets further, more personal-looking prompts via spoofed email to strengthen the illusion of legitimacy.
These incidents aren’t isolated. ZachXBT reports that a diagram of stolen funds shows they were taken in a phishing scheme tied to an address (“coinbase-hold.eth”) used by over 25 other victims.
Coinbase’s Security Issues: More Than Just Social Engineering
Even though social engineering scams have targeted Coinbase, the platform is still beset by security problems that go well beyond these forms of attack. The exchange has had to manage a number of major incidents—largely without informing its users—that raise real questions about its overall security. One of those incidents involved old API keys that had been hacked and were being used with a certain type of software, even though the keys themselves were supposed to be “read-only.”
Moreover, Coinbase has suffered several thefts that underscore weaknesses in its system. Last year, hackers got into the system and stole $15.9 million through Coinbase Commerce, and in a particularly worrisome situation, $38 million was laundered through Coinbase after the hack of BTCTurk. These incidents point to significant security holes within the system that cannot be explained away as errors made by users or as phishing scams.
ZachXBT’s investigation indicates that Coinbase has not adequately countered many of these breaches. Known theft addresses usually aren’t flagged in the popular compliance tools used by many firms in the space, even weeks after the theft occurred, so there is no way to identify the transaction and, consequently, no way for the victim to get any sort of support. Adding to the problem, most victims who have reached out to Coinbase for support report that the team is almost always unavailable and that the support they do get is often limited to business hours in the United States.
What Needs to Change: Suggestions for Coinbase
ZachXBT has set forth a series of recommendations aimed at Coinbase’s leadership. The intent is to protect users and bolster security, given that the scams in question are expanding in size and scope.
A primary piece of advice is to allow advanced users, those who’ve enabled multi-factor authentication, use security keys, and are fully KYC (Know Your Customer) verified, to make their phone numbers optional. This could greatly reduce the risk of SIM swapping and phone-based social engineering, which, as ZachXBT’s research has shown, are the attacks most often used successfully against Coinbase users. In addition, ZachXBT suggests a different account type for beginners or elderly users who might be more susceptible to scams that involve withdrawing funds from their Coinbase account.
ZachXBT suggests that Coinbase increase its community outreach efforts. These should include regular blog posts related to recovering user funds. Coinbase also needs to do a better job of flagging theft addresses and blocking phishing domains. ZachXBT also thinks that Coinbase should consider suing some of the companies that cybercriminals use to pull off their cons. One company mentioned in this context is TLOxp / TransUnion.
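As an added illustration of the kind of flagging ZachXBT calls for, the following Python screens a withdrawal destination against a denylist of known theft addresses and classifies a hostname as the official domain, a lookalike, or unrelated. This is example code written for this page, not Coinbase’s or ZachXBT’s tooling; the denylist entries other than “coinbase-hold.eth”, the sample hostnames, and the confusable-character table are constructed for the demonstration, and a production system would pull its denylist from a live intelligence feed.

```python
"""Defender-side screening: theft-address denylist and lookalike-domain detection.
Example code for illustration; all sample data below is constructed."""

OFFICIAL_DOMAIN = "coinbase.com"
BRAND = "coinbase"

# Constructed denylist. "coinbase-hold.eth" is the ENS name named in the report;
# the hex address is a made-up placeholder, not a real flagged address.
THEFT_DENYLIST = {
    "coinbase-hold.eth",
    "0x0000000000000000000000000000000000000bad",  # placeholder
}

# Common digit/symbol substitutions used to make a hostname look like the brand.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,           # deletion
                           cur[j - 1] + 1,        # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize_label(label: str) -> str:
    """Lower-case a DNS label and undo simple confusable substitutions."""
    label = label.lower()
    label = label.replace("rn", "m").replace("vv", "w")
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def classify_domain(host: str, official: str = OFFICIAL_DOMAIN) -> str:
    """Return 'official', 'lookalike', or 'unrelated' for a hostname.

    A host is official only if it is the official domain or a subdomain of it.
    Otherwise every label is checked: if any label, after confusable
    normalization, contains the brand or is within edit distance 2 of it,
    the host is treated as a lookalike.
    """
    host = host.strip().lower().rstrip(".")
    if host == official or host.endswith("." + official):
        return "official"
    for label in host.split("."):
        norm = normalize_label(label)
        if BRAND in norm or levenshtein(norm, BRAND) <= 2:
            return "lookalike"
    return "unrelated"


def is_flagged_destination(destination: str, denylist=THEFT_DENYLIST) -> bool:
    """True if a withdrawal destination (hex address or ENS name) is denylisted.

    Comparison is case-insensitive so that mixed-case ENS names or checksummed
    hex addresses cannot slip past an exact-match list.
    """
    normalized = destination.strip().lower()
    return normalized in {entry.lower() for entry in denylist}


if __name__ == "__main__":
    for h in ["www.coinbase.com", "co1nbase.example",
              "coinbase-hold.example", "coinbase.com.evil.example", "example.org"]:
        print(f"{h:30} -> {classify_domain(h)}")
    for d in ["Coinbase-Hold.eth", "vitalik.eth"]:
        print(f"{d:30} -> flagged={is_flagged_destination(d)}")
```

The domain check deliberately looks at every label rather than only the registrable domain, so a phishing host that places the brand name in a subdomain (the pattern “coinbase.com.something.example”) is still caught; the edit-distance threshold of 2 is a tuning choice and should be validated against a sample of legitimate traffic before it is used to block anything.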
In closing, ZachXBT urges Coinbase to take these fraudulent actors to court. He believes the example should be made to deter future attacks. Why shouldn’t Coinbase make use of its legal team in this way? After all, Kraken, OKX, and Binance don’t have nearly the same kind of issues with “scam-related matters,” as ZachXBT puts it.
The Urgent Need for Change
It is in Coinbase’s power to make significant changes that would greatly lower the danger of scams and pay off in enhanced user protection. Yet the exchange seems not to consider this matter pressing, even as the problem keeps growing. And yes, the individuals who get taken in bear at least part of the blame, in that they’ve been duped. Still, it’s a long shot to expect that elderly, less tech-savvy, or only occasionally experienced users, who might hold a custodial account, will fully understand the sophisticated email and phone spoofing that scammers are now capable of.
Each month, Coinbase is seeing tens of millions of dollars go down the drain, and it has to act fast to restore trust among its users and build up its security so that the platform is not a target. The problem, of course, is that the way things are built—in this case, the way the platform is built—takes time to change. And that’s time that Coinbase does not have if it wants to remain a player in the US exchange ecosystem.