Key points to remember:
-
A convincing “Support Coinbase” impersonation campaign has been linked by on-chain investigator ZachXBT to approximately $2 million in stolen crypto.
-
Attribution was based on corroboration of multiple signals, including on-chain activity and Telegram or social media footprints, rather than a single “magic” transaction.
-
Coinbase claims that its real support team will never ask for your password or 2FA codes, or ask you to transfer funds to a so-called “safe” address.
-
These schemes are part of a larger wave of fraud. The FBI reported more than $16 billion in losses from internet crime in 2024, based on 859,532 complaints.
A caller claiming to be “Coinbase support” may seem polished, patient, and strangely urgent, which is exactly the mix that makes smart people act too quickly. In a recent case, on-chain investigator ZachXBT said this type of spoofing campaign netted an alleged scammer about $2 million in crypto from Coinbase users and that the suspect’s own online footprint helped connect the dots.
Indeed, some of the biggest threats in crypto are not smart contracts or zero-day exploits, but routine social engineering. These are the same low-tech pressure tactics that are appearing on a large scale on the Internet. According to the U.S. Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3), reported cybercrime losses in 2024 have exceeded $16 billion, and many schemes start with nothing more than a convincing message or scam call.
Did you know? In 2024, the FBI said people ages 60 and older were hit hardest overall, reporting losses of nearly $5 billion.
What happened?
The case reported by ZachXBT was an old-fashioned trust trick disguised as “customer support.”
According to ZachXBT, an alleged scammer posed as a Coinbase help desk employee and used social engineering tactics to convince victims that he worked for the exchange, with losses totaling approximately $2 million over the past year.
ZachXBT said he was able to target the suspect by cross-referencing screenshots of Telegram group chats, social media posts and channel activity, and sharing a leaked video that appeared to show the alleged scammer speaking with a victim while offering fake support.
The scam relied on urgency and authority, including warnings of suspicious access, a so-called “security procedure” and pressure to act immediately.
Coinbase has repeatedly warned that scammers could spoof phone numbers and pose as employees, attempting to trick users into “protecting” their funds by moving them. The company claims that legitimate support will never ask for passwords, two-factor authentication (2FA) codes, seed phrases, or transfers to a “safe” address or new wallet.
Did you know? ZachXBT also claimed that the operator attempted to cover its tracks by purchasing “expensive Telegram usernames” and repeatedly deleting old accounts; however, it was still “easy” to focus on the individual due to their frequent online gloating and lifestyle posts that ignored basic operational security.
Who is ZachXBT?
ZachXBT is a pseudonymous onchain investigator who has built a reputation for posting detailed public threads about hacks, scams, and suspicious fund movements, often before exchanges or authorities comment.
Major media outlets presented him as an independent “crypto detective” and his work was cited in real-life cases where investigators then spoke to suspects.
This is why a post from ZachXBT can travel through the industry in a matter of hours. When it posts an attribution claim, it can trigger new victim reports, push platforms to scrutinize accounts linked to the activity, and shape how the broader market talks about an incident.
Coinbase’s own warnings and the hard truth about ‘support’
Coinbase’s security advice on identity theft scams is unusually blunt. If someone contacts you claiming to be from Coinbase and pressures you to act quickly, assume they are malicious until proven otherwise.
Coinbase warns that scammers regularly pose as employees and attempt to pressure users into moving funds. The company claims that no one will ever ask you for your password or 2FA codes or ask you to transfer assets to a specific or “new” address, account, vault, or wallet.
In a blog post dedicated to customer support scams, Coinbase emphasizes the same model: don’t share login information or verification codes, don’t click on third-party links or install software at a caller’s request, and contact support only through official channels, not numbers or links given to you out of the blue.
Adopt a default reflex: slow down, end the conversation and check independently. Social engineering works when the attacker controls the tempo. Coinbase’s tips are designed to break that rhythm before the money moves.
When access to data fuels social engineering
One reason “support” scams can seem so convincing is that criminals sometimes present themselves with real context, such as a name, phone number, partial identifiers, or account clues that make the call appear legitimate.
In May 2025, Coinbase revealed an extortion attempt linked to dishonest foreign support agents who were allegedly bribed or recruited to extract customer data from internal support systems, specifically to enable social engineering attacks. Coinbase said passwords, private keys and wallet access were not compromised, but added that it would reimburse customers who were tricked into sending funds to attackers.
For identity theft teams, personal data is a force multiplier fuel. This makes the lie easier to sell and the hesitation harder to maintain.
The “medium” is the attack surface, and stolen context makes it worse
When someone claims to be “Coinbase Support” and tries to pressure you into making a decision, the general safest assumption is that you are dealing with an imposter.
Coinbase says it will never ask you to move or “secure” funds, ask for a seed phrase, ask for your password or two-step verification codes, or push you to install software on your device. The company also warns that scammers can spoof legitimate phone numbers, making caller ID a weak signal.
This is why Coinbase’s own consumer protection posts always come back to the same principle: breaking the attacker’s rhythm. End the call or chat and then verify independently through official channels rather than using a number, link, or “case ID” provided to you in the moment.
The uncomfortable reality is that these scams can become much more convincing when criminals have real personal information to incorporate into their pitch.
You don’t need to be smarter on-chain to lose money in crypto. In many cases, it’s just a matter of being bumped at the wrong time by someone who seems credible, and sometimes that credibility is based on stolen context.
This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research before making a decision. Although we strive to provide accurate and timely information, Cointelegraph does not guarantee the accuracy, completeness or reliability of the information contained in this article. This article may contain forward-looking statements that are subject to risks and uncertainties. Cointelegraph will not be liable for any loss or damage arising from your reliance on such information.
