- Cryptocurrency investigator ZachXBT has reported that Coinbase users lose over $300 million annually to social engineering scams
- Scammers employ spoofed communications to deceive users into transferring funds to fraudulent accounts
- Criticism has been directed at Coinbase for inadequate customer support and failure to promptly address these security issues
Cryptocurrency investigator ZachXBT has revealed that Coinbase users have suffered losses exceeding $300 million annually due to sophisticated social engineering scams. These scams involve fraudsters impersonating Coinbase representatives through spoofed calls and emails, convincing users to transfer funds to fraudulent accounts. The investigator argues that Coinbase’s aggressive risk models and insufficient customer support have exacerbated the problem. The company denies any malpractice.
Scammers Spoofing Coinbase Support
In a detailed analysis, ZachXBT described how scammers contact victims using spoofed phone numbers and personal information obtained from private databases to gain trust. They inform the victim of unauthorized login attempts on their account and follow up with a spoofed email appearing to be from Coinbase, complete with a fake case ID.
Victims are then instructed to transfer funds to a “secure” Coinbase Wallet and whitelist a specific address for verification purposes. Unbeknownst to them, these actions grant scammers access to their assets.
Through collaboration with researcher @tanuki42_, ZachXBT compiled data indicating that approximately $65 million was stolen from Coinbase users between December 2024 and January 2025 alone. This figure is likely conservative, ZachXBT said, as it is based solely on accessible data and does not account for unreported cases or those documented exclusively through Coinbase support channels.
Criticism of Coinbase’s Response
ZachXBT criticized Coinbase’s response to these scams, highlighting several areas of concern:
- Lack of Reporting: The majority of theft addresses are not reported by Coinbase in popular compliance tools, even after weeks of fraudulent activity.
- Customer Support Challenges: Victims often encounter unresponsive or ineffective customer support, leaving them without recourse.
- Limited Availability: Coinbase’s support team can be difficult to reach outside U.S. hours, which is problematic for a global, 24/7 market.
In contrast, competitors like Kraken, OKX, and Binance reportedly do not face similar issues, suggesting that improvements are achievable.
To address these vulnerabilities, ZachXBT proposed several measures:
- Optional Phone Numbers: Allow advanced users who are fully verified to opt out of providing phone numbers, utilizing authenticator apps or security keys instead.
- Beginner Account Types: Introduce account types for novice or elderly users that restrict withdrawals to prevent unauthorized transactions.
- Enhanced Community Outreach: Improve communication regarding fund recovery processes, establish 24/7 incident response teams, proactively flag theft addresses, and block known phishing domains.
- Legal Action: Pursue legal action against negligent data providers and domestic threat actors to deter future scams.
ZachXBT emphasized the urgency of implementing these changes, noting that other major exchanges do not face similar levels of fraud. While acknowledging that victims bear some responsibility, he argued that it is unreasonable to expect all users, particularly the elderly, to recognize sophisticated spoofing attempts. He concluded that Coinbase is in a position to enact meaningful changes and set a positive example within the industry but has thus far failed to do so.
Coinbase has yet to respond to the allegations, although it has persistently denied any wrongdoing in individual cases raised online.