Amid the rise in social engineering scams, these exploits have specifically targeted Coinbase users throughout the first quarter of 2025. According to a series of investigations by ZachXBT, users have lost over $100 million in funds since December 2024, and annual losses reach $300 million.
After reviewing the complaints made by different users, BeInCrypto spoke with Coinbase Chief Information Security Officer (CISO) Jeff Lunglhofer to understand why users are vulnerable to these types of attacks, how they happen, and what is being done about them.
Measuring the severity of fraud affecting Coinbase users
Throughout the first quarter of 2025, several Coinbase users have fallen victim to social engineering scams. This is not surprising for a major centralized exchange in a sector where attacks are becoming more refined over time.
In a recent investigation, Web3 researcher ZachXBT reported on several messages he received from X users whose Coinbase accounts had suffered large unauthorized withdrawals.
On March 28, ZachXBT revealed a major social engineering exploit that cost one individual nearly $35 million. Further investigation by the crypto sleuth during that period uncovered additional victims of the same scheme, pushing the total stolen in March alone to more than $46 million.
In another investigation, concluded a month earlier, ZachXBT revealed that $65 million had been stolen from Coinbase users between December 2024 and January 2025. He also reported that Coinbase is quietly tackling the issue of social engineering fraud, which costs users $300 million per year.
Coinbase users are particularly vulnerable to social engineering scams, but centralized exchanges in general are heavily affected by these increasingly sophisticated attacks.
How does the broader context reflect this situation?
Public data on the evolution of social engineering fraud in recent years is limited and somewhat outdated. However, the numbers in the available reports are striking.
In 2023, the Internet Crime Complaint Center (IC3) of the US Federal Bureau of Investigation (FBI) released its first cryptocurrency report. Investment fraud constituted the largest category of cryptocurrency-related complaints, accounting for 46% of the nearly 69,500 complaints received, or roughly 33,000 cases.

FBI IC3 reported an increase in crypto-related fraud in 2023. Source: IC3.
Investment fraud, often called pig butchering, involves false promises of low-risk returns, aimed especially at crypto newcomers who fear missing out on significant profits.
According to the IC3 report, these schemes rely on social engineering and building trust. Criminals use platforms such as social media, dating apps, professional networks, and encrypted messaging to connect with their targets.
In 2023, these investment scams cost users $3.96 billion, a 53% increase from the previous year. Other social engineering scams, such as phishing and spoofing, accounted for an additional $9.6 million in losses.
These scams have had a wide impact on Coinbase users over the past few years.
New fraud tactics targeting crypto users
Coinbase scammers tend to create fake emails that look legitimate, using cloned website images and fake case IDs. They then contact users via spoofed calls and leverage their personal information to build trust before sending these deceptive emails.
Once the scammers convince users that the interaction is legitimate, they persuade them to act on the supposed situation and transfer their funds.
The increasing sophistication of these scams reflects both the emotional manipulation involved and the specific vulnerability of each victim. They also show that centralized exchanges are often the main platform for these exploits.
ZachXBT's investigation and user reports on X reveal a gap between the scope of social engineering fraud and the apparent effectiveness of Coinbase's handling of it.
Public discussions show that Coinbase is not flagging stolen addresses in common compliance tools.
Scam victims and users whose funds are frozen are urging Coinbase to take stronger action on this growing, costly problem. Understanding how these scams are carried out is essential to dealing with them effectively.
How did Coinbase users become victims?
In January, one victim contacted investigators after losing $850,000. In that case, the scammer contacted the victim from a spoofed phone number and gained trust using personal information likely obtained from a private database.
The scammers convinced the victim that their account had suffered multiple fraudulent login attempts by sending spoofed emails containing fake case IDs. The scammer then instructed the victim to safelist addresses and transfer funds to another Coinbase wallet, presented as part of a routine security procedure.
Last October, another Coinbase user lost $6.5 million after receiving a call from a spoofed number by someone impersonating Coinbase Support.
The victim was directed to a phishing site. Eight months ago, another victim lost $4 million after a scammer convinced him to reset his Coinbase login.
ZachXBT raised concerns about Coinbase not reporting theft addresses in common compliance resources and about its inadequate handling of the escalating social engineering issue.
During a conversation with BeInCrypto, Coinbase Chief Information Security Officer Jeff Lunglhofer shared his side of the story.
Coinbase's CISO addresses social engineering scams
While acknowledging the widespread harm caused by social engineering scams affecting users, Lunglhofer emphasized that the broader crypto community should address this issue collectively, rather than placing responsibility on a single entity.
“Of course, in the context of the broader social engineering challenges by which Coinbase customers are being affected, we are very aware of that. We have rolled out a lot of control improvements to protect our users.”
In his reply, Coinbase's CISO pointed to the exchange's collaboration with other platforms as a way to combat this issue.
Specifically, Lunglhofer pointed to the “Tech Against Scams” initiative, a partnership with industry players such as Match Group, Meta, Kraken, Ripple and Gemini.
Lunglhofer also added that Coinbase takes a similar approach when flagging stolen addresses.
Why Coinbase handles theft differently
When BeInCrypto asked Coinbase why it doesn't publish stolen addresses with popular compliance tools, Lunglhofer explained that exchanges follow a different procedure for these scenarios.
“We communicate directly with other exchanges (and) let them know the address where the assets were withdrawn,” he said. “In fact, when we see that there is fraud (activity), we pull back all the wallets related to fraud and we push them out to other exchanges.”
Lunglhofer also mentioned Crypto ISAC, an intelligence and information sharing group founded by Coinbase in collaboration with various other crypto exchanges and organizations to distribute information related to fraud.
For spoofed emails, phone numbers, or phishing sites, Coinbase delegates the responsibility to external service providers.
Coinbase's struggle against the flood of spoofed content
Lunglhofer acknowledged that the number of spoofed Coinbase emails far exceeds the exchange's ability to identify them, or to receive reports about them, in order to take them down.
“Unfortunately, they’re a dime a dozen. You can open 10 in five minutes. It’s very easy. So there’s not much you can do about it.”
In these cases, Coinbase uses vendors to take down the spoofing or phishing campaigns in circulation.
“There are several vendors that we use to do takedowns. So whenever a fraudulent phone number pops up, whenever a fraudulent URL (appears or) we see a fraudulent website being established, we use the vendor to go to the DNS provider and others.”
These precautions are essential for the future, but offer little relief to users who have already lost millions of dollars to fraud.
Who is responsible? User vs. exchange
Coinbase's approach in this area is unknown, as it did not respond to BeInCrypto's inquiry about developing insurance contracts for users who have lost their savings to social engineering fraud.
However, social engineering fraud is complex and relies on significant emotional manipulation to build trust. This complexity raises questions about how much liability falls on user vulnerability versus potential shortcomings in the user protection measures of centralized exchanges.
The broader cryptocurrency community generally agrees that more educational materials are needed to help users distinguish between legitimate communication and attempts at fraud.
Regarding this issue, Lunglhofer stated that Coinbase never calls a user unprompted. He also noted that Coinbase recently implemented various features that act as warnings for users who may be interacting with fraudsters.
Additionally, the CISO cited a “scam quiz,” an educational tool that appears as a real-time banner when users are about to carry out a transaction that the exchange has flagged as suspicious.
While this feature is a plus, its ability to protect users is difficult to quantify, especially in terms of how effectively it flags suspicious activity. Coinbase did not respond when BeInCrypto asked whether the exchange internally tracks data related to social engineering scams.
A similar problem arises with Coinbase’s “allow list.”
Coinbase loss of $850,000
Coinbase allows users to create safelists of approved recipient addresses to prevent transactions to unfamiliar or unverified addresses. Lunglhofer strongly urges Coinbase users to adopt this measure.
“It provides all retail customers with the ability to create a ‘permission list’ of wallets that are allowed to receive assets. My personal Coinbase account uses ‘Allow Listing.’”
However, as ZachXBT revealed, the $850,000 loss suffered by a Coinbase user in January points to a significant limitation of the safelist.
Even with a safelist in place, the victim can still be manipulated into adding the scammer's address to it, which neutralizes the intended protection.
Can more be done to protect users?
Sophisticated social engineering fraud is a growing threat and a major challenge for crypto users. Centralized exchanges in general, and Coinbase users in particular, are heavily affected.
Despite the efforts Coinbase outlined, significant financial losses highlight the limitations of current industry-standard measures against determined fraudsters.
Cooperation is certainly important, but as a major platform, Coinbase must put more proactive effort and resources into educating its users.
Social engineering is primarily a user-driven issue rather than a security failure on the exchange's part. However, platforms like Coinbase have a critical responsibility to lead industry-wide initiatives to address these threats.
Millions in losses are a clear reminder that vigilance and collective action are paramount in protecting users against these increasingly sophisticated and frequent attacks.