Written by: Fairy, ChainCatcher

"Hello, this is the Coinbase security team. I detected that there was an abnormal login in your account..."

The sound on the other end of the phone is professional and urgent, and can even accurately report your name, registered email and recent transaction records. Would you choose to hang up immediately, or follow the "customer service" guidelines and transfer funds step by step into the so-called "safe wallet"?

Recently, multiple Coinbase users have been cheated one after another, with an astonishing amount of money. In March alone, the stolen funds exceeded $46 million, and the losses caused by Coinbase users by social engineering fraud are as high as $300 million each year.

However, how exactly do these hackers accurately lock in targets? Why can they obtain user personal information? This security crisis may be more serious than expected.

On March 28, on-chain detective ZachXBT disclosed that in the past two weeks, there have been many suspected cases of fraud by Coinbase users, causing the total amount of stolen funds in March to exceed US$46 million.

In fact, there are already traces of such frauds. As early as early February, ZachXBT revealed that between December 2024 and January 2025, Coinbase users lost as much as $65 million due to similar techniques, which put Coinbase in a social engineering fraud crisis of more than $300 million a year. According to ZachXBT's analysis, fraudulent methods have formed a mature industrial chain:

Scammers impersonate Coinbase official

Scammers use fake phone numbers to call victims and use user personal information to gain trust. They claimed that there were unauthorized login attempts for user accounts, inducing victims to cooperate with security verification.

Send phishing email

Scammers send fake Coinbase emails containing fake case numbers (Case IDs).

Guide users to transfer money

Scammers ask victims to transfer funds to Coinbase Wallet and whitelist scam addresses, claiming that this is a security verification method for account.

Clone Coinbase website

Scammers create almost 1:1 copy of Coinbase phishing sites and use fake emails and Telegram The scam panel sends different action prompts to victims.

In addition, according to Cointelegraph, several cryptocurrency users have recently received scam emails impersonating Coinbase and Gemini. These emails usually claim that due to regulatory requirements, users must transition to self-hosted wallets and set April 1 as a deadline to create a sense of urgency.

The email provides links to download Coinbase Wallet or Gemini Wallet, with pre-generated recovery phrases attached. Once users use these phrases to create a new wallet and transfer assets, funds will be instantly emptied by the scammer.

style="text-align: left;">The core of social engineering scams is accurate information acquisition, and in the case of Coinbase users being scammed, the attacker seems to have mastered the victim's personal information, including phone calls, email addresses, transaction records, etc. This raises a key question: How exactly did this data fall into the hands of the scam?

Yesterday, The Block co-founder Mike Dudas said on the X platform that he received an email from Coinbase. The email was disturbing and pointed to internal data access issues. The email read:

"We wrote to notify you that we detected signs that a Coinbase employee might not be internally compatible ”

Although the email stated, "Your assets are still safe and your Coinbase account has not been damaged", and emphasized that there is currently no evidence that the data is leaked externally, the email sent a clear warning to users: internal data access issues have been confirmed and are not isolated incidents.

Dudas said this explains those phishing emails and calls sent by fake Coinbase.

However, the scope of the data breach is questionable and may involve a wider range of users. Community user @ghaiankur said: "I don't have any funds on Coinbase and have never used them. But I still received these emails because I have an account, which may not only be aimed at a few target accounts, but the entire database." Data leakage has become a hidden danger in the industry

Not only Coinbase, other exchanges seem to face similar internal security risks.

Dudas shared the email, crypto trader Jordan Fish (@Cobie) revealed that crypto exchange Kraken has also recently encountered similar attacks. He speculated: "This may be the attacker's strategy - infiltrating the customer service team and stealing user data from within."

At the same time, on March 27, Dark Web Informer, a dark web news website, disclosed that a hacker code-named AKM69 claimed that he had the private information of a large number of users of the crypto exchange Gemini. The database contains 100,000 records involving full names, emails, phone numbers and location information of US users, and even data from some Singaporean and UK users.

Either learn to protect users or be abandoned by users. Commenting on this incident, Solana Co-founder toly said that the exchange should implement user-controllable transfer time locks to reduce the risk of assets being quickly stolen. However, the essence of this incident is far more than this, but exposes the failure of internal risk control in the exchange and the highly industrialized fraud.

The security of the exchange is no longer just a matter of technical protection, but also a matter of management and trust. Under the increasingly complex attack methods, how to establish a more complete risk control system will determine the security benchmark for the future industry.