
“Customer Support” in the Dark Forest: Social Engineering Scams Target Coinbase Users

SlowMist
8 min read · May 21, 2025

By: Liz & Lisa
Edited by: Sherry

Background

In the world of crypto assets, social engineering attacks have become a major threat to user fund security. Since 2025, a wave of social engineering scams targeting Coinbase users has come to light, drawing widespread attention across the community. As discussions unfold, it has become increasingly clear that these incidents are not isolated, but part of a sustained and organized scam campaign.

On May 15, Coinbase issued a statement confirming widespread suspicions of insider involvement. The U.S. Department of Justice (DOJ) has reportedly launched an investigation into the data leak.

This article draws on findings from security researchers and victim reports to expose the scammers’ main tactics and offers mitigation advice from both platform and user perspectives.

https://x.com/coinbase/status/1922967576209998133

Historical Analysis

“Another $45M+ was stolen from Coinbase users via social engineering scams in just the last week,” wrote on-chain sleuth Zach in a Telegram update on May 7.

Over the past year, Zach has repeatedly reported on Coinbase user thefts through his Telegram channel and X account, with individual losses reaching tens of millions of dollars. In a detailed investigation published in February 2025, Zach revealed that between December 2024 and January 2025 alone, over $65 million was stolen through similar scams. He warned that Coinbase is facing a severe and ongoing social engineering crisis, with attackers stealing an estimated $300 million annually through these tactics. Zach also noted:

  • The scams are primarily carried out by two groups: low-level “skid” attackers from the Com community, and organized cybercrime groups based in India.
  • The primary targets are U.S.-based users. These operations follow standardized scripts and mature workflows.
  • Actual losses may be far greater than visible on-chain figures, as they don’t account for internal support tickets or police reports not publicly disclosed.

https://x.com/zachxbt/status/1886411891213230114

The Scam Methodology

In this incident, Coinbase’s technical infrastructure was not breached. Instead, scammers exploited insider access to obtain sensitive user data, including names, addresses, contact info, account details, and ID photos. Their ultimate goal was to socially engineer users into transferring their funds.

https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists

This marked a shift from traditional “spray-and-pray” phishing to precision-targeted, “tailor-made” social engineering attacks. A typical scam unfolds in four stages:

1. Impersonating “official support”

Using spoofed PBX phone systems, scammers impersonate Coinbase support and claim there’s been “unauthorized access” or “suspicious withdrawals” on the user’s account. They create a sense of urgency, then follow up with phishing emails or texts containing fake ticket numbers or “recovery links.” These links may lead to cloned Coinbase websites or spoofed domains that can bypass standard email protections through redirect tricks.

2. Guiding users to install Coinbase Wallet

Scammers urge users to “protect their funds” by transferring them to a “secure wallet.” They walk victims through installing Coinbase Wallet and migrating assets from their custodial Coinbase account to a new wallet.

3. Providing the seed phrase themselves

Rather than stealing a user’s seed phrase, the scammer directly provides one — pre-generated by them — and tricks the user into importing it as an “official new wallet.”

4. Draining the funds

Under stress and false trust in “official support,” victims are easily misled — believing the new wallet is safer than the “compromised” one. Once the transfer is complete, the scammer immediately drains the assets. Not your keys, not your coins — a hard truth reaffirmed in every social engineering attack.

In some cases, phishing emails claimed that Coinbase was “migrating all users to self-custody wallets” following a class-action settlement, urging users to complete the migration before April 1. This false deadline, framed as an official directive, pressured users into quick compliance.

https://x.com/SteveKBark/status/1900605757025882440

According to @NanoBaiter, these attacks are often highly organized:

  • Well-developed toolkits: Attackers use PBX systems like FreePBX and Bitrix24 to spoof phone numbers. They also deploy Telegram bots like @spoofmailer_bot to send phishing emails impersonating Coinbase, complete with “account recovery instructions.”
  • Highly targeted: Victims are selected using stolen data purchased from Telegram groups or darknet markets (e.g., “5k COINBASE US2,” “100K_USA-gemini_sample”). Scammers even use ChatGPT to process this data — segmenting phone numbers, generating TXT files, and sending phishing texts in bulk via SMS spam tools.
  • Seamless deception: Calls, texts, and emails follow a smooth sequence. Common messages include “withdrawal request received,” “password changed,” and “unusual login detected” — all designed to prompt users to complete “security verification” that leads to wallet migration.

https://x.com/NanoBaiter/status/1923099215112057010

MistTrack Analysis

Using the anti-money laundering and blockchain tracing platform MistTrack, we analyzed addresses disclosed by Zach as well as those submitted to our form. Findings indicate these scammers are technically skilled in on-chain asset laundering. Key insights include:

The targets held a variety of crypto assets on Coinbase, mainly BTC and ETH. Most attack activity occurred between December 2024 and May 2025. BTC is the primary target, with some addresses receiving hundreds of BTC in a single haul — worth millions of dollars per transaction.

After funds were obtained, scammers rapidly began laundering them through a multi-step cash-out process:

  • ETH-based assets were often swapped via Uniswap into DAI or USDT, then scattered across new addresses. Some eventually reached centralized exchanges.
  • BTC was often bridged to Ethereum via THORChain, Chainflip, or Defiway Bridge, then swapped into DAI or USDT to avoid tracking.

Several scam-linked addresses holding DAI/USDT remain dormant, with funds yet to be moved.

To avoid interacting with suspicious addresses — which could trigger asset freezes — we recommend using MistTrack to perform risk assessments before any blockchain transactions.
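To make the tracing and pre-transaction screening described above concrete, here is an added example (not MistTrack's code, and not part of the original post). It runs over a constructed ledger whose shape mirrors the laundering pattern above: ETH swapped to DAI on a DEX and split across fresh addresses, BTC bridged to Ethereum as USDT and parked. All addresses, amounts and the `via` channel labels are placeholders chosen for illustration.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Transfer:
    """One value movement. 'via' is a hypothetical label for the swap or bridge used."""
    src: str
    dst: str
    asset: str
    amount: float
    via: str = ""


# Constructed sample ledger (not real on-chain data). Addresses are placeholders.
# Victim -> scam address, ETH swapped to DAI on a DEX, split across fresh addresses,
# part reaching an exchange deposit address; BTC bridged to Ethereum as USDT and
# left sitting on a new address; one unrelated transfer as noise.
SAMPLE_TRANSFERS: List[Transfer] = [
    Transfer("victim_1", "scam_A", "ETH", 120.0),
    Transfer("scam_A", "scam_B", "DAI", 200_000.0, via="uniswap"),
    Transfer("scam_B", "scam_C1", "DAI", 100_000.0),
    Transfer("scam_B", "scam_C2", "DAI", 100_000.0),
    Transfer("scam_C1", "cex_deposit_X", "DAI", 100_000.0),
    Transfer("victim_2", "scam_D", "BTC", 30.0),
    Transfer("scam_D", "scam_E", "USDT", 1_800_000.0, via="thorchain"),
    Transfer("merchant", "shop_customer", "ETH", 0.5),       # unrelated traffic
]
FLAGGED: Set[str] = {"scam_A", "scam_D"}          # addresses reported as scam-linked
KNOWN_EXCHANGES: Set[str] = {"cex_deposit_X"}     # labelled exchange deposit addresses


def build_graph(transfers: List[Transfer]) -> Dict[str, List[Transfer]]:
    """Adjacency list keyed by sender."""
    graph: Dict[str, List[Transfer]] = {}
    for t in transfers:
        graph.setdefault(t.src, []).append(t)
    return graph


def trace_exposure(transfers: List[Transfer], seeds: Set[str], max_hops: int = 5) -> Dict[str, int]:
    """Breadth-first walk forward from flagged addresses.

    Returns {address: hops}, where hop 0 is a flagged address itself and hop n
    means the address received funds n transfers downstream of flagged ones.
    """
    graph = build_graph(transfers)
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for t in graph.get(addr, []):
            if t.dst not in hops:           # first (shortest) path wins
                hops[t.dst] = hops[addr] + 1
                queue.append(t.dst)
    return hops


def risk_of(address: str, transfers: List[Transfer] = SAMPLE_TRANSFERS,
            seeds: Set[str] = FLAGGED) -> Tuple[str, str]:
    """Pre-transaction screen: how exposed is a counterparty to flagged funds?"""
    if address in seeds:
        return ("high", "address is itself flagged")
    hops = trace_exposure(transfers, seeds)
    if address in hops:
        level = "high" if hops[address] <= 2 else "medium"
        return (level, f"{hops[address]} hop(s) downstream of flagged funds")
    return ("low", "no path from flagged addresses")


def laundering_summary(transfers: List[Transfer] = SAMPLE_TRANSFERS, seeds: Set[str] = FLAGGED,
                       exchanges: Set[str] = KNOWN_EXCHANGES) -> Tuple[List[str], List[str]]:
    """Which swap/bridge channels carried tainted funds, and which tainted
    non-exchange addresses are still dormant (received funds, sent nothing)."""
    hops = trace_exposure(transfers, seeds)
    graph = build_graph(transfers)
    channels = sorted({t.via for t in transfers if t.src in hops and t.via})
    dormant = sorted(a for a in hops if a not in seeds and a not in exchanges and not graph.get(a))
    return channels, dormant


if __name__ == "__main__":
    for a in ["scam_A", "scam_C1", "cex_deposit_X", "shop_customer"]:
        print(a, risk_of(a))
    print(laundering_summary())   # (['thorchain', 'uniswap'], ['scam_C2', 'scam_E'])
```

Hop distance is a deliberately crude proxy: a real tracing platform also weighs amounts, timing and address labels, but the walk above is the core of why sending to a counterparty a few hops downstream of a flagged address can get your own deposit frozen at an exchange, and why checking first matters.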

Countermeasures

For Platforms

Current mainstream defenses focus heavily on technical layers, but social engineering bypasses these mechanisms by exploiting human vulnerabilities. Platforms must adopt a human-centric security strategy by integrating user education, usability design, and behavioral risk control:

  • Push anti-scam education regularly via in-app popups, transaction screens, and emails to raise phishing awareness.
  • Enhance risk models using behavioral pattern detection: Most social engineering scams involve a rapid sequence of user actions (e.g., transfers, whitelist changes, new device bindings). Platforms should monitor suspicious combinations like “frequent interactions + new address + large withdrawals” to trigger cooldown periods or manual reviews.
  • Standardize support channels and verification: Scammers often impersonate support. Platforms should unify the appearance of official communications and provide a single “verify support identity” portal to eliminate confusion.
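The behavioral risk rule above ("frequent interactions + new address + large withdrawals", with a cooldown or manual review as the response) can be sketched as a small scoring function. This is an added example, not Coinbase's or any exchange's real risk engine: the event schema, thresholds and scores are assumptions chosen for illustration, and the three timelines are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Event:
    """One entry in a user's audit trail (hypothetical schema for this example)."""
    ts: datetime
    kind: str                      # "login", "device_bind", "whitelist_add", "withdraw"
    amount_usd: float = 0.0
    address: Optional[str] = None
    new_device: bool = False


@dataclass
class Decision:
    action: str                    # "allow", "cooldown" or "manual_review"
    score: int
    reasons: List[str] = field(default_factory=list)


# Thresholds are assumptions chosen for illustration, not any exchange's real settings.
LARGE_WITHDRAWAL_USD = 10_000
RAPID_WINDOW = timedelta(hours=24)         # window for a "rapid sequence of actions"
ADDRESS_COOLING_OFF = timedelta(hours=48)  # newly whitelisted addresses stay restricted this long
BURST_THRESHOLD = 3                        # sensitive actions in the window that count as a burst
SENSITIVE = {"device_bind", "whitelist_add", "withdraw", "password_change"}


def assess_withdrawal(history: List[Event], request: Event) -> Decision:
    """Score a withdrawal against recent activity and map the score to an action.

    Looks for the combination the article describes: a burst of sensitive actions,
    a freshly bound device, a destination the user only just whitelisted, and a
    large amount. Each signal adds to the score; the total picks the response.
    """
    score, reasons = 0, []
    recent = [e for e in history
              if request.ts - RAPID_WINDOW <= e.ts <= request.ts and e.kind in SENSITIVE]

    # Signal 1: many sensitive actions packed into the window
    if len(recent) >= BURST_THRESHOLD:
        score += 2
        reasons.append(f"{len(recent)} sensitive actions within {RAPID_WINDOW}")

    # Signal 2: a new device was bound inside the window
    if any(e.kind == "device_bind" and e.new_device for e in recent):
        score += 2
        reasons.append("new device bound within window")

    # Signal 3: destination not whitelisted, or whitelisted but still cooling off
    adds = [e for e in history if e.kind == "whitelist_add" and e.address == request.address]
    if not adds:
        score += 3
        reasons.append("destination address is not on the whitelist")
    else:
        age = request.ts - max(e.ts for e in adds)
        if age < ADDRESS_COOLING_OFF:
            score += 2
            reasons.append(f"whitelist entry is only {age} old")

    # Signal 4: large amount
    if request.amount_usd >= LARGE_WITHDRAWAL_USD:
        score += 2
        reasons.append(f"amount ${request.amount_usd:,.0f} is above ${LARGE_WITHDRAWAL_USD:,}")

    if score >= 6:
        return Decision("manual_review", score, reasons)
    if score >= 3:
        return Decision("cooldown", score, reasons)
    return Decision("allow", score, reasons)


T0 = datetime(2025, 3, 20, 14, 0)   # constructed reference time


def scam_scenario() -> Decision:
    """Constructed timeline matching the article's pattern: new device, new whitelist
    entry and a small test withdrawal, then a large one, all within an hour."""
    history = [
        Event(T0, "login"),
        Event(T0 + timedelta(minutes=5), "device_bind", new_device=True),
        Event(T0 + timedelta(minutes=20), "whitelist_add", address="bc1q-new-wallet"),
        Event(T0 + timedelta(minutes=30), "withdraw", amount_usd=500, address="bc1q-new-wallet"),
    ]
    request = Event(T0 + timedelta(minutes=45), "withdraw", amount_usd=250_000, address="bc1q-new-wallet")
    return assess_withdrawal(history, request)   # -> manual_review, score 8


def cooldown_scenario() -> Decision:
    """Constructed: address whitelisted an hour ago, large amount, no other activity."""
    history = [Event(T0 - timedelta(hours=1), "whitelist_add", address="bc1q-recent")]
    request = Event(T0, "withdraw", amount_usd=50_000, address="bc1q-recent")
    return assess_withdrawal(history, request)   # -> cooldown, score 4


def routine_scenario() -> Decision:
    """Constructed benign case: address whitelisted a month ago, modest amount."""
    history = [Event(T0 - timedelta(days=30), "whitelist_add", address="bc1q-cold-storage")]
    request = Event(T0, "withdraw", amount_usd=2_000, address="bc1q-cold-storage")
    return assess_withdrawal(history, request)   # -> allow, score 0


if __name__ == "__main__":
    for name, fn in [("scam", scam_scenario), ("cooldown", cooldown_scenario), ("routine", routine_scenario)]:
        d = fn()
        print(f"{name:9s} -> {d.action:14s} score={d.score} {d.reasons}")
```

The point of the additive score is that no single signal is decisive: a large withdrawal to a long-standing whitelisted address sails through, while the same amount to an address added minutes ago from a newly bound device lands in manual review. A cooldown on freshly whitelisted addresses is the same idea as the user-side "cooling-off period" in the next section, enforced on the platform side so that a caller with a script cannot talk a victim past it in one sitting.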

For Users

  • Practice identity compartmentalization: Avoid using the same email/phone number across platforms. Use breach-checking tools to monitor leaks.
https://haveibeenpwned.com/
  • Enable withdrawal whitelists and cooling-off periods to prevent large transfers under stress.
  • Stay informed on security threats via security firms, media, or exchanges. A Web3 phishing simulation platform built by SlowMist, @DeFiHackLabs, and @realScamSniffer is launching soon. It will replicate common attacks like social engineering, signature phishing, and malicious contract traps using real-world scenarios, helping users build defense skills in a risk-free setting.
  • Be cautious of offline risks and privacy leaks. Exposed personal information may also lead to physical threats.

This is not paranoia. In 2025 alone, multiple crypto professionals and users have faced real-world threats. Given that leaked data includes names, addresses, contact info, account details, and ID photos, affected users must remain alert offline as well.

In short: stay skeptical, and verify continuously. Whenever an operation feels urgent, demand that the other party prove their identity — and always double-check through official channels. Never make irreversible decisions under pressure.

For more security tips and emerging attack tactics, check out the Blockchain Dark Forest Selfguard Handbook.

Conclusion

This incident underscores the growing sophistication of social engineering attacks and reveals clear gaps in how platforms protect user data and assets. Alarmingly, even positions without direct access to funds can still lead to serious consequences — whether through inadvertent information leaks or being bribed. As platforms scale, managing insider risk becomes one of the industry’s toughest challenges.

Therefore, platforms must go beyond on-chain defenses and systematically build a social engineering defense architecture that includes employees and third-party contractors — treating human vulnerabilities as part of the overall security strategy.

Finally, when facing coordinated, large-scale attacks, platforms must act swiftly: identify vulnerabilities, alert users, and contain damage. Only by combining technical and organizational responses can we preserve trust and protect users in an increasingly complex threat landscape.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was founded by a team with over ten years of network security experience with the aim of becoming a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
