There has been a noticeable uptick in recent months in the number of sophisticated and targeted Coinbase phishing attacks that employ social engineering against Coinbase users, resulting in losses into the hundreds of millions of dollars.
These phishing attacks are more convincing and effective than phishing attacks normally are for a few key reasons, a key one being a data breach at Coinbase that resulted in the exfiltration of customer data for a portion of Coinbase customers.
Coinbase publicly disclosed this data breach in an SEC Form 8-K filing on May 14, 2025, and also disclosed a $20 million ransom that the attackers demanded on May 11.
What Information Was Obtained in the Coinbase Data Breach?
According to Coinbase, the following information was exfiltrated for some of their users in the data breach:
- Name, address, phone, and email;
- Masked Social Security numbers (last 4 digits only);
- Masked bank-account numbers and some bank account identifiers;
- Government‑ID images (e.g., driver’s license, passport);
- Account data (balance snapshots and transaction history); and
- Limited corporate data (including documents, training material, and communications available to support agents).
At Cryptoforensic Investigators, we are in possession of additional intelligence suggesting that further information was obtained about certain Coinbase customers as well, including:
- Bank account names connected to user Coinbase accounts
- Customer nationality
- Customer dates of birth
- Coinbase account balances
- Customer-reported expected trading volume
- Answers to certain customer onboarding questions
- Employment status & employer
- Actual trading volume of Customers
- Coinbase account password quality rating
- Former email addresses associated with Coinbase account
According to Coinbase, the following information was not compromised (which is correct as far as we can tell):
- Coinbase user account passwords
- User Private Keys / Seed phrases (which would be applicable to a Coinbase wallet, not a Coinbase account)
Coinbase has not elected to pay the $20 million ransom demanded, but has instead offered a $20 million bounty for information leading to the arrest of the persons responsible. Coinbase has already noted in its disclosure that it expects costs arising from this data breach to be in the range of $180 million to $400 million, and has offered to ‘make users whole’ who lost funds to phishing attacks deriving from the data breach.
In response, the attackers have doubled down on their demands and are now threatening to publicly release this customer information.
This Coinbase Data Breach is NOT Recent
While the $20 million ransom demand may be quite recent (May 11), what Coinbase’s disclosure does not make clear is that the data breach itself is not nearly as recent. Select attackers have been targeting higher-net-worth users for quite a few months using information gleaned in the data breach, and with great success: these attackers appear to have stolen tens of millions of dollars in sophisticated phishing campaigns.
At least $46 million in March 2025 alone was identified as having been stolen in Coinbase phishing and social engineering campaigns, including a single user that lost 400 BTC from Coinbase through such an attack.
The reality is that many investigators (including all of us at Cryptoforensic Investigators) have noticed a considerable uptick in a specific type of theft from Coinbase users, with a specific MO that combines phishing, social engineering, and vishing.
It has been clear to us for many months, given the major uptick in Coinbase phishing thefts and the information the attackers cite on calls with victims while pretending to be ‘Coinbase support’ (such as customer account balances), which is used to convince Coinbase users that the caller is from Coinbase (they aren’t), that an underlying data breach happened months ago. We are not sure exactly how long ago, but it appears it could have occurred as many as 8-10 months ago. Many victims have been targeted since then, in a highly effective way.
While phishing attacks on Coinbase users have been ongoing for many years, it is abundantly clear that many of the successful phishing attacks in recent months would not have happened if not for the Coinbase data breach.
Characteristics About Recent Coinbase Phishing Attacks
The phishing attacks employing social engineering that have resulted from the Coinbase data breach have certain common characteristics that differ from other Coinbase phishing attacks that are unrelated. The common characteristics from what we have seen are:
- The phishing attacks incorporate convincing phishing emails that appear to be from Coinbase (we have many records of examples with striking similarities) and that list the ‘name’ and ‘title’ of the ‘support agent’ calling the victim as a form of authentication, to make the victim feel more secure.
- The phishing attacks also always involve vishing calls (phone calls impersonating Coinbase support) to the victims, whereby the caller speaks perfect English (unlike the typical Indian tech-support scam calls). In many cases, but not always, the caller has been female.
- The victims are told there is some type of security issue involving their Coinbase account, and that the victim needs to quickly set up a ‘safe’ wallet to move their funds to. In most cases, the attackers have referred the victim to Coinbase wallet (a self-custodial wallet), which is different from the Coinbase account. The victim is told to send cryptocurrency from their Coinbase account to the ‘safe’ wallet they created, which is of course promptly stolen by the attacker once it arrives. The exact way in which the wallet has been compromised varies from case to case but has often involved a compromised seed phrase.
- The attacks rely on social engineering. The attackers do not hack into the victim’s Coinbase exchange account. The victims perform the withdrawal transactions from their Coinbase account to a wallet of theirs that they believe is ‘safe’ through their own volition.
- The incidents often have an on-chain connection, ascertainable through blockchain forensic analysis, to other attacks by the same phishing attackers, whereby funds end up in the same wallets or accounts that the proceeds of other phishing attacks of this typology have ended up in. There are also certain exchanges and services, which we are familiar with, that the attackers like to use to launder the funds.
- The emails sent to victims are sent from email addresses on phishing domains (not from free email accounts like Yahoo/Protonmail/Hotmail).
Consequences of Data Breaches
Data breaches and privacy breaches have unfortunately become a common reality in our day-to-day lives that many have simply come to accept. However, the reality is that some data breaches are relatively minor or insignificant as far as the victim should be concerned, while others can be incredibly damaging. Not all data breaches are equal with respect to damages or consequences; far from it. The Coinbase data breach was especially damaging because:
- Attackers can use information about the Coinbase customer to better convince prospective victims they are with Coinbase, since only the victim and Coinbase should know much of this information.
- Since the victim is included in the Coinbase breach, it also reveals that the victim is a cryptocurrency investor and that they have a Coinbase account. Thus, it ties a lot of key information together with the fact that the victim has a Coinbase account from which cryptocurrency could be stolen, and it even gives the attacker an idea of how much could potentially be stolen, or how much in cryptocurrency assets a person may have.
These factors can and have led attackers to focus on ‘higher value’ targets which they can identify because of the data breach.
Comparison to the Ledger Data Breach
An interesting parallel can be drawn here with respect to the 2020 Ledger data breach. While no account balances were exfiltrated in that data breach (unlike the Coinbase data breach), anyone with a few braincells can deduce that a cryptocurrency user who owns a Ledger device more likely than not has a sizable amount of crypto, or even a lot of crypto, to the extent that it was worthwhile for them to invest in the cost of a hardware wallet device. In other words, the Ledger data breach is effectively a ‘rich list.’
This is precisely why the Ledger data breach has resulted in an incredibly high number of phishing messages, but also extortion attempts and threats of harm (or even death). And it has likely played a role in some burglaries, kidnappings, and deaths.
Most data breaches do not result in such consequences of course. But data breaches like this one from Coinbase, and the 2020 Ledger data breach, can be incredibly damaging in ways that other data breaches just aren’t. Data breaches from cryptocurrency exchanges and cryptocurrency-related service providers and tool providers in general should be treated as critical due to the disastrous consequences that may follow.
Even though the information exposed may not give attackers access to the Coinbase account itself, and may not allow an attacker to take any funds out of any account or wallet (the theft instead relies on social engineering of the victim), as Coinbase concretely pointed out, the reality is that the information exposed certainly makes it far easier for a victim to have funds stolen from them, because the attackers know so much about their targets and whom to best target.
It is interesting to note, however, that even if the Coinbase account passwords had been breached as well (which they weren’t), that still would not have allowed attackers to drain funds from the Coinbase accounts, since the attackers would still need to pass multi-factor authentication (MFA) and, in many cases, email withdrawal confirmations as well.
Thus far, only phishing and social engineering attacks have been associated with thefts tied to the Coinbase data breach, but it will be interesting to see if in the future there are any $5 wrench attacks (AKA kidnappings & extortion) against victims using information gleaned from this data breach. Unfortunately, I suspect there will be.
What Coinbase Can Do To Improve Security and Help Prevent Further Customer Cryptocurrency Losses
There are certain things that Coinbase can do to help safeguard their users and prevent loss of funds, both from incidents that may be associated with the data breach and from other incidents and loss vectors wholly unassociated with it. While Coinbase may already be doing some of these things, based on Coinbase account breaches we have seen in the past year and on people who have otherwise lost funds from their Coinbase account, the following are the main areas which, if improved, would really help minimize losses:
- If a user requests a password reset of their Coinbase account, do not allow any withdrawals from the account for at least 48 hours, regardless of whether or not the password reset was requested from a ‘trusted device’.
- Any change to the email account on file should incur a waiting period of 48-72 hours, and once changed, there should be a further waiting period of 24-48 hours before cryptocurrency withdrawals are allowed from the account.
- If any 2FA option is added or removed from the Coinbase account, implement a 24-48 hour waiting period before any cryptocurrency withdrawals are allowed.
- Any time there is a password reset request, email change request or 2FA change request that resolves either to a new location the account owner doesn’t normally log in from, or to an IP address associated with a VPN network, the change should be treated as high risk.
- Treat customers differently depending on their level of experience and sophistication dealing with cryptocurrency and depending on the demographic of the customer. Elderly people are often less sophisticated, for example, so it is sensible to treat large withdrawal requests from such accounts as higher risk.
- If a customer has a lengthy history of storing funds on their Coinbase exchange account and then suddenly requests to withdraw everything, treat this as high-risk even if the IP address and device are the same as what is normally used, since the account owner may be being induced into sending funds as part of a con (such as in these recent phishing attacks).
- If a customer is trying to withdraw all cryptocurrency from their account, whether in a single transaction or in multiple structured transactions, and they have a different IP address, different device, and/or different browser fingerprint than what they’ve used before, treat that with higher risk and consider restricting withdrawals from the account.
- Be more collaborative and share insight with other relevant industry parties, including forensic software and transaction monitoring providers, reputable investigators, and other exchanges. If a theft or scam is identified, flag the relevant address, not just in Coinbase’s internal systems, but in transaction monitoring software as well. This way the victim doesn’t proceed to continue losing funds to the scam on another exchange they might migrate to after their Coinbase account is locked (this happens all the time frankly). And this furthermore helps prevent other victims from being scammed if there are withdrawal requests to the same address, or to addresses closely connected to reported scam addresses.
- Promote and more heavily suggest that users should consider using the Coinbase ‘vault’ security feature.
It is worth noting that other exchanges can also take note of these suggestions, since Coinbase isn’t the only exchange that could stand to improve, and some of these suggestions could be applied to other exchanges as well.
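As an added illustration (not Coinbase’s own logic and not code from the original post), the withdrawal-hold and risk-flag suggestions above can be expressed as a single policy check that an exchange would run before releasing a withdrawal. The hold lengths, the 180-day custody threshold, the 90% drain ratio and the account/withdrawal fields are all assumptions chosen here; the scenarios used to exercise it are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical policy constants, each the low end of the range suggested above.
HOLD_AFTER = {"password_reset": timedelta(hours=48),
              "email_change": timedelta(hours=24),   # counted from when the change took effect
              "2fa_change": timedelta(hours=24)}
LONG_CUSTODY = timedelta(days=180)   # what we treat as a "lengthy history" of custody
DRAIN_RATIO = 0.9                    # withdrawals (single or structured) that empty the account

@dataclass
class SecurityEvent:
    kind: str               # key of HOLD_AFTER
    at: datetime
    known_location: bool    # resolved to a location the owner normally logs in from
    via_vpn: bool = False

@dataclass
class Account:
    balance: float          # current balance
    withdrawn_24h: float    # already withdrawn in the last 24 h (structuring check)
    custody_since: datetime
    known_ips: set
    known_devices: set
    known_fingerprints: set
    events: list = field(default_factory=list)

@dataclass
class Withdrawal:
    amount: float
    at: datetime
    ip: str
    device: str
    fingerprint: str

def evaluate(acct: Account, w: Withdrawal) -> tuple[str, list[str]]:
    """Return ('hold' | 'review' | 'allow', reasons); a hold always wins over a review."""
    holds = [ev.kind for ev in acct.events if w.at < ev.at + HOLD_AFTER[ev.kind]]
    reasons = [f"{k} inside its hold window (trusted device does not shorten it)" for k in holds]
    reasons += [f"{ev.kind} came from an unfamiliar location or a VPN"
                for ev in acct.events if not ev.known_location or ev.via_vpn]
    drains = acct.withdrawn_24h + w.amount >= DRAIN_RATIO * (acct.balance + acct.withdrawn_24h)
    new_origin = (w.ip not in acct.known_ips or w.device not in acct.known_devices
                  or w.fingerprint not in acct.known_fingerprints)
    if drains and w.at - acct.custody_since >= LONG_CUSTODY:
        reasons.append("draining a long-held balance, even from a familiar device")
    if drains and new_origin:
        reasons.append("draining the balance from a new IP, device or browser fingerprint")
    return ("hold" if holds else "review" if reasons else "allow"), reasons
```

The social-engineering case the post describes, a long-time customer emptying the account from their usual phone, produces a "review" with no hold, which is why the custody-history rule is needed alongside the device and IP checks.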
User Responsibility
Despite issues on Coinbase’s end, cryptocurrency users also should be aware of their own responsibilities here, since losses from social engineering attacks could be avoided by victims if they were more diligent and skeptical, and if they understood that real Coinbase support does not call Coinbase customers. Specifically, users should:
- Understand that any caller who calls a Coinbase user claiming to be from Coinbase is not actually from Coinbase. Customers should always operate under the assumption that any such call is fraudulent.
- Not assume that any SMS text claiming to be from Coinbase is actually from Coinbase. Never click on any links in such text messages, ever. While SMS texts can sometimes inform users of real access attempts or activity on the Coinbase account (whether legitimate activity or activity by a hacker), customers are advised to log into their Coinbase account themselves and verify whether there is any unusual activity on the account. Don’t trust what the text message says; verify if you are unsure.
- For any emails claiming to be from Coinbase, check the email headers to verify the email has been sent from an @coinbase.com address; if sent from any other domain, assume the email is fraudulent.
- Not let someone you don’t deeply trust, or who you haven’t even met, ‘guide’ you in setting up a self-custodial wallet.
- Make use of the many security features that the Coinbase exchange offers, including stronger forms of MFA (best to avoid SMS due to the risk of SIM swapping) and Coinbase vault, and make sure your email account is secure.
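As an added example, not from the original post, the @coinbase.com header check above (and the phishing-domain pattern described earlier) can be automated with Python’s standard email module. It also adds the check a practitioner would want: the receiving server’s Authentication-Results header should show a DKIM pass for coinbase.com itself, because a “Coinbase” display name or a lookalike domain is trivial to fake. The two sample messages are constructed and are not real Coinbase mail.

```python
import email
import re
from email import policy
from email.utils import parseaddr

LEGIT_DOMAIN = "coinbase.com"

def mailbox_domain(header_value):
    """Domain of the address inside a From/Reply-To header (display names are ignored)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def is_legit_domain(domain):
    # Exact match or a subdomain of it: "coinbase-help.com" and "coinbase.com.example" both fail.
    return domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN)

def dkim_pass_for_domain(msg, domain):
    # Authentication-Results is stamped by the receiving mail server; a DKIM pass whose
    # header.d is the legitimate domain ties the message to that domain's signing key,
    # which a mere "coinbase" in the display name or a lookalike domain cannot do.
    pattern = re.compile(r"dkim=pass\b[^;]*\bheader\.d=" + re.escape(domain) + r"(?=[\s;)]|$)", re.I)
    return any(pattern.search(str(ar)) for ar in msg.get_all("Authentication-Results", []))

def check_headers(raw_message):
    """Return a list of findings; an empty list means the headers are consistent with real mail."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    frm = mailbox_domain(msg["From"])
    if not is_legit_domain(frm):
        findings.append(f"From address domain is {frm!r}, not {LEGIT_DOMAIN}")
    reply_to = mailbox_domain(msg["Reply-To"])
    if reply_to and not is_legit_domain(reply_to):
        findings.append(f"Reply-To domain is {reply_to!r}, not {LEGIT_DOMAIN}")
    if not dkim_pass_for_domain(msg, LEGIT_DOMAIN):
        findings.append(f"no DKIM pass for {LEGIT_DOMAIN} in Authentication-Results")
    return findings

# Constructed sample headers (not real messages): a lookalike domain and a genuine-looking
# message; bodies are omitted because only the headers are inspected.
LOOKALIKE = """From: "Coinbase Support" <support@coinbase-secure-team.com>
Reply-To: agent@coinbase-secure-team.com
Subject: Security notice
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=coinbase-secure-team.com; dkim=pass header.d=coinbase-secure-team.com"""
GENUINE = """From: Coinbase <no-reply@coinbase.com>
Subject: Security notice
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=coinbase.com; dkim=pass header.d=coinbase.com"""
```

A passing DKIM result only proves the sending domain; it says nothing about whether the message’s instructions are safe to follow, so the rule that Coinbase support does not call customers still applies.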
Concluding Thoughts
It is likely that the Coinbase data breach will continue to contribute to sophisticated phishing scams and considerable customer losses, and potentially to losses from other threat vectors as well (e.g. extortion, and in some rare cases maybe even kidnapping).
While Coinbase has offered to make whole victims who lose money deriving from this data breach, the $180 million-$400 million cost figure that Coinbase has suggested seems to be a low-end estimate if they do plan to make such users whole as they have suggested.
It is also likely that many more legal disputes and arbitration matters will be brought against Coinbase, since there will likely be situations where it is disputed whether or not a theft derives in part from the Coinbase data breach, and possibly additional legal disputes if Coinbase doesn’t end up making these victims whole after all.