
US$300 million in losses a year: Coinbase users are frequently deceived, and is there an "insider" behind the scenes leaking information?


Reprinted from chaincatcher

04/02/2025·1M

Author: Fairy, ChainCatcher

Edited by: TB, ChainCatcher

"Hello, this is the Coinbase security team. I detected that there was an abnormal login in your account..."

The voice on the other end of the phone is professional and urgent, and can even accurately state your name, registered email and recent transaction records. Would you hang up immediately, or follow the "customer service" instructions and transfer funds step by step into the so-called "safe wallet"?

Recently, multiple Coinbase users have been scammed one after another, with astonishing losses. In March alone, the stolen funds exceeded US$46 million, and Coinbase users' losses to social engineering fraud are as high as US$300 million each year.

However, how exactly do these hackers pick their targets so accurately? How are they able to obtain users' personal information? This security crisis may be more serious than expected.

Fraud is rampant, phishing attacks are industrialized

On March 28, on-chain detective ZachXBT disclosed that in the past two weeks there have been several suspected cases of fraud against Coinbase users, bringing the total amount of stolen funds in March to more than $46 million.

In fact, such frauds had already left traces earlier. In early February, ZachXBT revealed that from December 2024 to January 2025, Coinbase users lost as much as $65 million to similar methods, which puts Coinbase in a social engineering fraud crisis of more than $300 million a year.

According to ZachXBT's analysis, fraud methods have formed a mature industrial chain:

  1. Scammers impersonate Coinbase officials

Scammers use fake phone numbers to call victims and use the users' personal information to gain their trust. They claim that there were unauthorized login attempts on the user's account, inducing the victim to cooperate with "security verification".

  2. Send phishing emails

The scammer sends a fake Coinbase email containing a fake case number (Case ID).

  3. Guide users to transfer money

The scammer asks the victim to transfer funds to Coinbase Wallet and whitelist the scam address, claiming that this is a security verification step for the account.

  4. Clone the Coinbase website

Scammers create almost 1:1 copies of the Coinbase site as phishing sites and send different action prompts to victims through fake emails and Telegram scam panels.

In addition, according to Cointelegraph, several cryptocurrency users have recently received scam emails impersonating Coinbase and Gemini. Such emails usually claim that, due to regulatory requirements, users must transition to self-hosted wallets, and they set April 1 as a deadline to create a sense of urgency.

The email provides a link to download Coinbase Wallet or Gemini Wallet, along with a pre-generated recovery phrase. Once users create a new wallet with this phrase and transfer assets into it, the funds are instantly drained by the scammer.

Internal data access issues surface

The core of social engineering fraud lies in acquiring accurate information. In the cases of Coinbase users being scammed, the attackers seem to have obtained the victims' personal information, including phone number, email address, transaction history, etc. This raises a key question: how exactly did this data fall into the hands of scammers?

Yesterday, The Block co-founder Mike Dudas said on X that he had received an email from Coinbase. The content of this email is disturbing and points to internal data access issues. The email reads:

“We write to inform you that we have detected signs that a Coinbase employee may have viewed a small number of Coinbase customers’ account records, including yours, in a way that does not comply with internal policies.”

Although the email stated that "your assets are still safe and your Coinbase account has not been damaged" and emphasized that there is currently no evidence that the data was leaked externally, it sent a clear warning to users: internal data access issues have been confirmed and are not isolated incidents.

Dudas said this explains those phishing emails and calls sent by fake Coinbase.

However, the scope of the data breach is questionable and may involve a wider range of users. Community user @ghaiankur said: "I don't have any funds on Coinbase and have never used them. But I still received these emails because I have an account, which may not just target a few target accounts, but the entire database."

Data leakage becomes a hidden danger in the industry

It is not only Coinbase; other exchanges seem to face similar internal security risks.

After Dudas shared the email, crypto trader Jordan Fish (@Cobie) revealed that crypto exchange Kraken has also recently encountered similar attacks. He speculated: "This may be the attacker's strategy - infiltrating the customer service team and stealing user data from within."

Meanwhile, on March 27, Dark Web Informer, a dark web news website, disclosed that a hacker code-named AKM69 claimed to have the private information of a large number of users of the crypto exchange Gemini. The database contains 100,000 records involving full names, emails, phone numbers and location information of US users, and even data from some Singaporean and UK users.

Either learn to protect users or be abandoned by users.

Commenting on this incident, Toly, the Solana co-founder, said that exchanges should implement user-controlled time locks to reduce the risk of assets being quickly stolen. However, the incident goes far beyond this: it exposes the failure of internal risk control at the exchange and the highly industrialized nature of the fraud.

The security of an exchange is no longer only a matter of technical protection, but also a matter of management and trust. As attack methods grow increasingly complex, how exchanges establish a more complete risk control system will determine the security benchmark for the future industry.
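A minimal model of the user-controlled time lock mentioned above, as an added example (not code from the article or from any exchange). The `Account` class, its method names, the 48-hour default and the address labels are assumptions for illustration; it shows that both a newly whitelisted address and a request to shorten the lock must wait out the current delay.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    lock_seconds: int = 48 * 3600                   # user-chosen delay (assumed default)
    allowlist: dict = field(default_factory=dict)   # address -> time it was added
    pending_lock: Optional[tuple] = None            # (new_lock_seconds, requested_at)

    def add_address(self, address, now):
        self.allowlist.setdefault(address, now)     # re-adding does not reset the clock

    def remove_address(self, address):
        self.allowlist.pop(address, None)           # owner can cancel during the window

    def request_lock_change(self, new_lock, now):
        if new_lock >= self.lock_seconds:
            self.lock_seconds, self.pending_lock = new_lock, None  # lengthen at once
        else:
            self.pending_lock = (new_lock, now)     # shortening waits out the old lock

    def effective_lock(self, now):
        if self.pending_lock:
            new_lock, requested_at = self.pending_lock
            if now - requested_at >= self.lock_seconds:
                self.lock_seconds, self.pending_lock = new_lock, None
        return self.lock_seconds

    def can_withdraw(self, address, now):
        added = self.allowlist.get(address)
        if added is None:
            return False, "address not on allowlist"
        remaining = added + self.effective_lock(now) - now
        if remaining > 0:
            return False, f"time lock active, {remaining}s remaining"
        return True, "ok"

def scam_call_scenario():
    """Constructed timeline in seconds; addresses are placeholder labels."""
    acct = Account()
    acct.add_address("trusted-addr", now=0)
    t = 10 * 24 * 3600                      # day 10: the fake "security team" calls
    acct.request_lock_change(0, now=t)      # victim is talked into disabling the lock
    acct.add_address("scam-addr", now=t)    # and into whitelisting the scam address
    return [
        acct.can_withdraw("trusted-addr", t + 600),      # long-standing address
        acct.can_withdraw("scam-addr", t + 600),         # ten minutes into the call
        acct.can_withdraw("scam-addr", t + 48 * 3600),   # after the full delay
    ]

if __name__ == "__main__":
    for allowed, reason in scam_call_scenario():
        print(allowed, reason)
```

The lock does not block the transfer forever; it gives the account owner the delay window in which to notice the fraud and call `remove_address`.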
