Hackers Attacking Coinbase Users in a Sophisticated Social Engineering Attack

A massive wave of targeted social engineering attacks has been hitting Coinbase users since early 2025, with scammers exploiting insider access to obtain sensitive customer data.

Unlike traditional technical breaches, these attacks leverage psychological manipulation to trick users into voluntarily transferring their funds.

The campaign has proven remarkably effective, with individual losses reaching millions of dollars per victim, highlighting an alarming shift from random phishing attempts to precision-targeted attacks.

On May 15, Coinbase confirmed widespread suspicions of insider involvement in a formal statement.

The U.S. Department of Justice has reportedly launched an investigation into what appears to be a significant data leak.

According to Coinbase, compromised data includes names, addresses, contact information, account details, government ID photos, and transaction histories—essentially everything needed for highly convincing impersonation attacks.

Forum post about the loot (Source – Medium)

SlowMist researchers identified that this attack campaign has been ongoing for months, with on-chain sleuth Zach reporting that over $45 million was stolen from Coinbase users in just one week in early May.

Their analysis revealed that between December 2024 and January 2025 alone, more than $65 million was stolen through similar tactics, with annual losses potentially reaching $300 million.

These aren’t isolated incidents but part of a coordinated campaign primarily targeting U.S.-based users.

The attacks are carried out by two main groups: low-skill attackers from the Com community and organized cybercrime syndicates operating from India. The stolen funds move through sophisticated laundering processes designed to obscure their trail.

Anatomy of the Attack

The social engineering methodology follows a meticulously crafted four-stage process designed to bypass both technical safeguards and user vigilance.

Swapping flow (Source – Medium)

Initially, attackers place phone calls using spoofed PBX systems that display legitimate Coinbase phone numbers on caller ID.

They create immediate panic by claiming there’s an “unauthorized access” or “suspicious withdrawal” occurring on the victim’s account.

Once the victim is sufficiently alarmed, the attackers follow up with convincing phishing emails containing falsified ticket numbers or “recovery links.”

These communications often include legitimate-looking headers and design elements copied from authentic Coinbase communications.

Leaked data (Source – Medium)

The messages typically contain urgent language like: “As of March 14th, Coinbase is transitioning to self-custodial wallets. Following a class action lawsuit alleging unregistered securities and unlicensed operations, the court has mandated that users manage their own wallets.”

The attackers then guide distressed users through installing the actual Coinbase Wallet app, but here’s where the deception becomes particularly clever—instead of having users generate a new seed phrase, the scammers provide a pre-generated one that they control.

Users, believing they’re following official security protocols, unwittingly configure their wallet with the attacker’s seed phrase.

When victims transfer their funds from their custodial Coinbase account to this “secure” wallet, the assets are immediately accessible to the attackers who control the seed phrase.

Within minutes, funds are drained and routed through various blockchain bridges and exchanges to obstruct tracking attempts.

This sophisticated campaign underscores how social engineering has evolved beyond simple phishing to become one of the most significant threats to cryptocurrency security today.
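The chain described above has one reliable tell: a legitimate wallet setup never hands the user a ready-made recovery phrase. The following is an added example, not code from Coinbase, SlowMist or the original article; it sketches a mail or chat filter that blocks any inbound message supplying a phrase-shaped run of words and sends lure-only messages to review. It assumes the phrase arrives as text, and the lure patterns, function names and sample messages are constructed for illustration.

```python
import re

MIN_WORDS = 12                              # shortest BIP-39 recovery phrase
WORD = re.compile(r"[a-z]{3,8}")            # BIP-39 English words: 3-8 lowercase letters
NUMBERING = re.compile(r"\d{1,2}[.):]?")    # list markers such as "1." or "2)"
LURES = {  # constructed patterns, modelled on the lure wording quoted above
    "custody-migration claim": re.compile(r"self-custod", re.I),
    "account-panic claim": re.compile(r"unauthori[sz]ed access|suspicious withdrawal", re.I),
    "ticket reference": re.compile(r"\b(ticket|case)\s*(number|#|id)", re.I),
    "recovery link or phrase": re.compile(r"recovery (link|phrase)|seed phrase", re.I),
}

def longest_word_run(text):
    """Longest run of phrase-shaped words, skipping list numbering between them."""
    best = run = 0
    for tok in text.split():
        tok = tok.strip(",;")
        if NUMBERING.fullmatch(tok):
            continue                        # "3." between words does not break the run
        run = run + 1 if WORD.fullmatch(tok) else 0
        best = max(best, run)
    return best

def assess(message):
    """Return (verdict, reasons) for one inbound message body."""
    reasons = [name for name, pat in LURES.items() if pat.search(message)]
    if longest_word_run(message) >= MIN_WORDS:
        reasons.append("supplies a ready-made recovery phrase")
        return "block", reasons
    return ("review" if len(reasons) >= 2 else "allow"), reasons

# Constructed sample messages; the twelve words are filler, not a real wallet phrase.
SCAM = ("As of March 14th, Coinbase is transitioning to self-custodial wallets. "
        "Open Coinbase Wallet, choose import, and enter this recovery phrase:\n"
        "1. apple 2. river 3. stone 4. cloud 5. tiger 6. lemon "
        "7. chair 8. brick 9. ocean 10. piano 11. grape 12. torch")
FOLLOW_UP = ("We detected unauthorized access on your account. "
             "Reference ticket number 48213. Use the recovery link to secure funds.")
BENIGN = "Your monthly statement is ready. Sign in to the app to view it."

if __name__ == "__main__":
    for name, msg in [("scam", SCAM), ("follow-up", FOLLOW_UP), ("benign", BENIGN)]:
        print(name, assess(msg))
```

The word-shape check is a heuristic rather than a BIP-39 wordlist lookup, so it can also fire on unusual lists of short lowercase words; a production filter would validate tokens against the wordlist.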

The post Hackers Attacking Coinbase Users in a Sophisticated Social Engineering Attack appeared first on Cyber Security News.

