The cryptocurrency community was rocked by the news that Coinbase users lost an additional $45 million in a week due to coordinated social engineering scams, according to blockchain investigator ZachXBT. This update, shared on his Telegram channel, revealed multiple wallet addresses linked to the theft and connected the latest activity to a broader pattern of crypto heists that have been ongoing for months.
ZachXBT’s investigations have pointed to over $300 million in annual losses attributed to similar scams targeting Coinbase customers. Working with researcher Tanuki42, he traced the latest thefts across multiple blockchains, uncovering how attackers exploit weaknesses in Coinbase’s user verification and compliance processes.
The theft addresses disclosed include Bitcoin and Ethereum wallets allegedly connected to coordinated phishing and impersonation operations. Victims are contacted via spoofed phone numbers and, with the help of stolen personal data, coerced into verifying suspicious activity on their accounts. Scammers then send fraudulent emails posing as Coinbase, complete with fake case IDs, instructing users to move their assets into a Coinbase Wallet and whitelist an address, a step that hands control of their funds to the attackers without the users realizing it.
ZachXBT’s previous investigations have shown that a consolidation wallet labeled “coinbase-hold.eth” frequently receives stolen funds. In one case, a user lost $850,000, with evidence indicating the wallet had received funds from at least 25 other victims. Concerns have been raised regarding Coinbase’s risk controls, with many users reporting sudden account restrictions and slow customer support responses.
It has been noted that Coinbase has failed to flag or freeze known theft addresses, even after weeks of reports of fraudulent activity. Two main groups, “The Com” and an India-based operation, focus on US customers and use cloned Coinbase websites, sophisticated phishing panels, and malicious scripts to carry out attacks. To evade security measures, scammers often design phishing domains to block VPN users, complicating detection by compliance teams.
Past incidents involving Coinbase systems have also been highlighted, including vulnerabilities in tax software that allowed sending verification emails to unauthorized recipients and a $15.9 million theft from Coinbase Commerce in 2023. Despite these issues, Coinbase has not publicly disclosed or addressed the security gaps that enabled them.
To address these challenges, ZachXBT recommended changes to Coinbase’s platform, such as removing the phone number requirement for users with hardware keys or authentication apps, introducing optional “elder” user account types with withdrawal restrictions, and expanding customer support for international users. He also called for proactive community education, regular incident response updates, and immediate flagging of known theft addresses.
While acknowledging Coinbase’s contributions to the crypto sector, including its Base layer-2 blockchain and asset recovery tools, ZachXBT emphasized that these advancements have come at the expense of individual user safety. This disclosure underscores the growing concern that Coinbase has become a recurring target for sophisticated social engineering campaigns, unlike any other major exchange in the industry.