New cybersecurity investigation claims that Coinbase users are collectively losing over $300 million per year to sophisticated social engineering scams
A new cybersecurity investigation claims that Coinbase users are collectively losing over $300 million per year to sophisticated social engineering scams, while the exchange’s leadership allegedly fails to implement adequate security measures.
The report, published by blockchain investigator ZachXBT in collaboration with tanuki42, estimates that at least $65 million was stolen in December 2024 and January 2025 alone. However, the actual losses are likely much higher, as the data is limited to on-chain findings and private reports sent to ZachXBT, excluding Coinbase’s internal support tickets and law enforcement records.
Victims are targeted through a spoofed phone call—often appearing to come from Coinbase—where attackers use publicly available personal data to build trust. They falsely claim the victim’s account has experienced multiple unauthorized login attempts.
Soon after, the victim receives a spoofed email instructing them to transfer their funds to a Coinbase Wallet and whitelist a fraudulent address under the guise of a security verification process.
The primary culprits behind these scams are Com-affiliated cybercriminals and threat actors based in India, who mainly target U.S. customers. Notably, Coinbase recently advised users to stop using VPNs to prevent being flagged as suspicious—an approach that has drawn criticism. According to ZachXBT, this policy is counterproductive, as threat actors explicitly block VPNs on phishing sites, highlighting Coinbase’s failure to address the root issue.
Unaddressed Security Incidents
The investigation further accuses Coinbase of neglecting multiple critical security incidents, including:
- Hacked API keys used for tax software exploits.
- A bug allowing attackers to send verification codes to any email, even if it wasn’t linked to a Coinbase account.
- The $15.9M Coinbase Commerce theft in 2023.
- A threat actor laundering $38M through Coinbase within hours.
Additionally, Coinbase allegedly fails to flag theft-related addresses in compliance tools and does not provide adequate victim support.
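The verification-code bug in the list above is an instance of a general defect: an endpoint that lets the caller choose where a code is delivered turns the platform's own mail domain into a lure-delivery channel, which is exactly what the spoofed-email step of the scam relies on. The following is an added illustration, not code from Coinbase or from the report, showing the weak pattern next to a hardened one in which the destination is always read from the authenticated account's record, and codes are single-use, time-limited and compared in constant time. All names (`Account`, `Mailer`, `send_code_unbound`, `send_code_bound`, `verify_code`) and the sample account data are constructed for this example.

```python
"""Added example: binding a verification-code destination to the account.

Not the platform's own code; every identifier here is hypothetical.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    email: str  # address bound to the account at enrolment


@dataclass
class Mailer:
    """Stand-in for a transactional mail service; records what it would send."""
    sent: list = field(default_factory=list)

    def send(self, to: str, code: str) -> None:
        self.sent.append((to, code))


# Constructed sample data: one enrolled account.
ACCOUNTS = {"u1": Account("u1", "alice@example.com")}

# Pending codes keyed by user id -> (code, expiry timestamp). In-memory for
# the example; a real service would use a store with a TTL.
PENDING: dict = {}

CODE_TTL_SECONDS = 600


def _new_code() -> str:
    return f"{secrets.randbelow(10**6):06d}"


def send_code_unbound(mailer: Mailer, destination: str) -> str:
    """Weak pattern: the request body names the destination, so any address,
    bound to an account or not, receives a genuine code from the platform."""
    code = _new_code()
    mailer.send(destination, code)
    return code


def send_code_bound(mailer: Mailer, session_user_id: str, now: float = None) -> bool:
    """Hardened pattern: no destination is accepted from the caller. The code
    goes only to the email on the authenticated session's account record;
    an unknown session sends nothing."""
    acct = ACCOUNTS.get(session_user_id)
    if acct is None:
        return False
    now = time.time() if now is None else now
    code = _new_code()
    PENDING[session_user_id] = (code, now + CODE_TTL_SECONDS)
    mailer.send(acct.email, code)
    return True


def verify_code(session_user_id: str, submitted: str, now: float = None) -> bool:
    """Single-use, time-limited, constant-time check of a submitted code."""
    entry = PENDING.pop(session_user_id, None)  # consumed on first attempt
    if entry is None:
        return False
    code, expires_at = entry
    now = time.time() if now is None else now
    if now > expires_at:
        return False
    return hmac.compare_digest(code, submitted)


if __name__ == "__main__":
    m = Mailer()
    send_code_bound(m, "u1", now=1000.0)
    to, code = m.sent[0]
    print("delivered to", to, "verified:", verify_code("u1", code, now=1100.0))
```

The contrast worth noticing is in the function signatures: the hardened sender has no `destination` parameter at all, so there is nothing for a caller to tamper with, and the only way to obtain a code addressed to `alice@example.com` is to hold a session for that account.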
Calls for Coinbase Leadership to Take Action
While ZachXBT clarifies that not all Coinbase employees are at fault, he criticizes leadership for their inaction. He urges the company to implement specific security improvements, including:
- Making phone numbers optional for users with 2FA via Authenticator apps or Security Keys.
- Introducing a beginner/elderly account type that restricts withdrawals to mitigate high-risk scams.
- Enhancing community outreach and fraud awareness.
- Pursuing legal action against known scammers and illicit actors.
With the scale of these scams increasing, the report calls on Coinbase leadership to prioritize user security and adopt proactive threat mitigation strategies before further financial losses occur.