1/ Over the past few months I imagine you have seen many Coinbase users complain on X about their accounts suddenly being restricted.

This is the result of aggressive risk models and Coinbase’s failure to stop its users losing $300M+ per year to social engineering scams.

2/ Myself and @tanuki42_ spent time reviewing Coinbase withdrawals and gathering data from my DMs for high confidence thefts on various chains.

Below is a table we created which shows $65M stolen from Coinbase users in Dec 2024 - Jan 2025.

Our number is likely much lower than the actual amount stolen as our data was limited to my DMs and thefts we discovered on-chain which does not account for Coinbase support tickets and police reports we do not have access to.

3/ Let’s walk through how these Coinbase social engineering scams work.

A victim reached out to me last month after losing ~$850K.

Graphing out this theft lead to a consolidation address with 25+ other victims tied to ‘coinbase-hold.eth’.

Theft address
0xc8234dda2bc3758eb90224d0025871001e8ee7b9
bc1q4ks5gus8uv88vk8yage4r89kv8uxlgwhemz545

5/ They then sent a spoofed email which appeared to be from Coinbase with a fake Case ID further gaining trust.

They instructed the victim to transfer funds to a Coinbase Wallet and whitelist an address while “support” verified their accounts security.

6/ Scammers clone the Coinbase site nearly 1:1 and allow the scammers to send different prompts to the target via spoofed emails using panels.

There are many Telegram channels where scammers advertise them.

See examples of various panels used by scammers below.

7/ Last year I posted multiple examples of Coinbase user thefts all for millions of dollars.

The two main groups conducting these scams are skids from the Com and threat actors located in India both primarily targeting US customers.

8/ The other month a Coinbase employee told people on X to stop using VPNs to avoid being flagged as suspicious meanwhile threat actors will explicitly block VPNs from phishing sites and not use them.

This shows Coinbase’s failure to diagnose the actual problem.

9/ Coinbase has quietly had related security incidents they did not publicly address:

a) For a number of users Coinbase with old API keys used for tax software which were hacked (was supposed to be read only perms)

b) Recent bugs like one which allowed you to send a verification code to any email even if the email did not have an account

c) $15.9M Coinbase Commerce theft last year

d) A threat actor was able to launder $38M from the BTCTurk hack via Coinbase over a few hours.

10/ So where does the blame lie?

a) For the vast majority of the time these theft addresses are not being reported at all by Coinbase in popular compliance tools even after the thefts went on for weeks.

b) Multiple victims who have contacted me get stuck with useless customer support agents who never hear back.

c) Coinbase team can be incredibly hard to reach outside of US hours which is unacceptable when you operate in a 24/7 market as a large business.

The threats in this space are always evolving and you may only have minutes to react.

Competitors like Kraken, OKX, Binance do not have the same issue.

d) Many of the US based threat actors from the Com have bad opsec and Coinbase could easily choose to make an example out of them if they wanted.

13/ Coinbase needs to urgently make changes as more and more users are being scammed for tens of millions every month.

Other major exchanges do not have similar panels created by scammers for fraud.

While the victims are partially responsible it’s unreasonable to expect elderly victims to understand the nuances of email/phone spoofing.

Coinbase is in a position where they have the power to make these changes and set a good example but they have chosen to do little to nothing .