ZachXBT reveals Coinbase users lost another $45M in a week to ongoing social engineering scams

Blockchain investigator ZachXBT revealed that Coinbase users lost another $45 million over the past week due to coordinated social engineering scams. 

The update, shared on his Telegram channel, identifies multiple wallet addresses connected to the theft and links the latest activity to a broader pattern of crypto heists that has persisted for months.

The report adds to ZachXBT’s previous investigations, which have attributed over $300 million in annual losses to similar scams targeting Coinbase customers. 

Working with fellow researcher Tanuki42, ZachXBT traced the latest thefts across multiple blockchains, finding that attackers exploit weaknesses in Coinbase’s user verification and compliance processes.

Theft addresses disclosed include several Bitcoin and Ethereum wallets allegedly connected to coordinated phishing and impersonation operations. 

According to the findings, victims are contacted via spoofed phone numbers and persuaded, using stolen personal data, to verify suspicious activity on their accounts.

Scammers then send fraudulent emails that appear to be from Coinbase, complete with fake case IDs. Users receive instructions to move their assets into a Coinbase Wallet and whitelist an address, unknowingly giving the attackers control over their funds.

Persistent issue

ZachXBT has previously documented dozens of cases in which a consolidation wallet labeled “coinbase-hold.eth” funneled the funds. In one instance, a user reportedly lost $850,000, with evidence suggesting the wallet had received funds from at least 25 other victims.

The blockchain investigator and theft victims have repeatedly scrutinized Coinbase’s risk controls. Many users report sudden account restrictions and slow customer support response times. 

ZachXBT reiterated that Coinbase has failed to flag or freeze known theft addresses, even weeks after reports of fraudulent activity.

Two main groups are reportedly carrying out the scams: a cohort known as “The Com” and another operating out of India. Both focus primarily on US customers and deploy cloned Coinbase websites, sophisticated phishing panels, and malicious scripts to carry out their attacks. 

To bypass security tools, scammers often design phishing domains to block VPN users, making detection by compliance teams more difficult.

The reports also raise concerns about previous incidents involving Coinbase systems. These include old API key vulnerabilities in tax software that allowed sending verification emails to unauthorized recipients, and a $15.9 million theft from Coinbase Commerce in 2023. 

According to ZachXBT, Coinbase has not publicly disclosed these issues or addressed the security gaps that made them possible.

Changes for safeguarding

To mitigate the problem, ZachXBT recommended various changes to Coinbase’s platform. These include removing the requirement for phone numbers for users with hardware keys or authentication apps, introducing optional “elder” user account types with withdrawal restrictions, and expanding customer support for international users. 

He also advocated for proactive community education, regular incident response updates, and the immediate flagging of known theft addresses.

While ZachXBT acknowledges Coinbase’s broader contributions to the crypto sector, including its Base layer-2 blockchain, asset recovery tools, and active legal defense against the US Securities and Exchange Commission, he argues these advancements have come at the cost of individual user safety.

The disclosure adds to a growing body of evidence suggesting Coinbase has become a recurring target for sophisticated social engineering campaigns. ZachXBT highlights that no other major exchange registers the same problem.

Mentioned in this article