A major trading platform has been hit by a large-scale social engineering scam, with user losses exceeding $45 million.

Social engineering attacks threaten crypto asset security, and Coinbase users have been the primary victims.

In recent years, social engineering attacks have become a major threat to user asset security in the crypto space. Since the start of 2025, social engineering fraud targeting users of one particular trading platform has occurred often enough to draw wide attention. Community discussion makes clear that these are not isolated cases but a persistent, organized scam operation.

On May 15, the platform confirmed earlier speculation that "insiders" were involved. The U.S. Department of Justice is reported to have opened an investigation into the data breach.

This article organizes information provided by multiple security researchers and victims to lay out the scammers' main methods, and then discusses how both the platform and its users can respond effectively.

Historical Analysis

On May 7, on-chain investigator Zach wrote in a channel update: "In just the past week, over $45 million has been stolen from users of a certain trading platform due to social engineering scams."

Over the past year, Zach has repeatedly disclosed thefts from users of the platform, with individual victims losing up to tens of millions of dollars. In February 2025 he published a detailed investigation stating that between December 2024 and January 2025 alone, losses to similar scams exceeded $65 million, and that the platform is facing a serious "social engineering scam" crisis that is draining user assets at a rate of roughly $300 million a year. He also pointed out that:

  • The groups running this type of scam fall into two categories: low-level attackers from particular online communities, and cybercrime organizations based in India;
  • The gangs mainly target American users, with standardized methods and mature scripts;
  • Actual losses are likely far higher than the figures visible on-chain, which exclude undisclosed sources such as inaccessible customer service tickets and police reports.

"Customer Service" in the Dark Forest: When Social Engineering Scams Target Coinbase Users

Scam Techniques

In this incident the platform's technical systems were not breached. Instead, the fraudsters used the access of internal employees to obtain some users' sensitive information: names, addresses, contact details, account data, ID photos, and more. With that data in hand, their ultimate goal was to use social engineering to talk users into transferring the funds themselves.

This shifts the approach from traditional wide-net phishing to "precision strikes": social engineering scams tailored to each victim. The typical modus operandi is as follows:

1. Contacting users as "official customer service"

Fraudsters use phone systems with spoofed caller ID to impersonate platform customer service, calling users to claim that their "account has seen an unauthorized login" or that "withdrawal anomalies have been detected," creating a sense of urgency. They then send convincing phishing emails or text messages containing fake ticket numbers or "recovery process" links to steer the user's next steps. The links may lead to cloned platform interfaces, and the emails may appear to come from official domains; some use redirection techniques to get past security filters.

2. Guiding users to install a specific wallet

Citing "asset security," the scammers tell users to move their funds to a "secure wallet," and even walk them through installing a specific wallet app and transferring the assets held on the platform into the newly created wallet.

3. Inducing users to use a mnemonic phrase supplied by the scammers

Unlike traditional phishing, which tries to steal the victim's own mnemonic phrase, here the scammers hand over a mnemonic phrase they generated themselves and lure the user into adopting it as the "official new wallet." A wallet whose seed the attacker already knows is the attacker's wallet, whoever installs it.

4. The scammers steal the funds

Victims, anxious and trusting "customer service," reason that the "new wallet provided by the official team" must be safer than the "old wallet suspected of being hacked." Once funds land in the new wallet, the fraudsters, who hold its seed, move them out immediately. "Not your keys, not your coins" is validated once more, in the most painful way.

Some phishing emails also claim that "following a class action ruling, the platform will fully migrate to self-custody wallets" and require users to complete the asset migration by April 1. Under time pressure and the psychological weight of "official instructions," users are more likely to comply.
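Step 1 of the script above hinges on a link that looks like the platform's own but is not. The checker below is an added example, not code from the original article or from any platform: it unwraps redirect-style query parameters offline (the article says some emails use redirection to get past filters; treating a `url=`/`redirect=`-style parameter on a trusted host as the mechanism is my assumption), then compares the effective host with the expected official domain and flags lookalike, homograph and `user@host` tricks. `example-exchange.com` stands in for the real platform domain, the parameter list is assumed, and the sample links are constructed.

```python
from __future__ import annotations

from urllib.parse import parse_qs, unquote, urlsplit

OFFICIAL_DOMAIN = "example-exchange.com"  # placeholder for the real platform domain
# Query parameters commonly used to carry a redirect target (assumed list)
REDIRECT_PARAMS = ("url", "redirect", "redirect_uri", "next", "target", "dest", "u", "to")


def is_official_host(host: str, official: str = OFFICIAL_DOMAIN) -> bool:
    """True only for the official domain itself or a genuine subdomain of it."""
    host = host.lower().rstrip(".")
    return host == official or host.endswith("." + official)


def _as_url(value: str) -> str | None:
    """Turn a redirect parameter value into an absolute URL, tolerating double-encoding."""
    for _ in range(3):
        if value.startswith(("http://", "https://")):
            return value
        if value.startswith("//"):  # scheme-relative redirect
            return "https:" + value
        decoded = unquote(value)
        if decoded == value:
            return None
        value = decoded
    return None


def _next_hop(url: str) -> str | None:
    """Return the URL hidden in a redirect parameter of `url`, if there is one."""
    qs = parse_qs(urlsplit(url).query)
    for param in REDIRECT_PARAMS:
        for value in qs.get(param, []):
            target = _as_url(value)
            if target:
                return target
    return None


def unwrap_redirects(url: str, max_hops: int = 5) -> list[str]:
    """Follow redirect parameters without any network request; chain starts with `url`."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = _next_hop(chain[-1])
        if not nxt:
            break
        chain.append(nxt)
    return chain


def analyze_link(url: str) -> dict:
    """Classify a link by where it really lands, not by the host shown first."""
    chain = unwrap_redirects(url)
    final = urlsplit(chain[-1])
    host = (final.hostname or "").lower()
    findings = []
    if len(chain) > 1:
        findings.append(f"redirect chain of {len(chain) - 1} hop(s) ending at {host}")
    if "@" in final.netloc:
        findings.append("'@' in authority: text before it is userinfo, the real host follows")
    if not host.isascii() or "xn--" in host:
        findings.append("non-ASCII or punycode host (possible homograph)")
    brand = OFFICIAL_DOMAIN.split(".")[0]
    if brand in host and not is_official_host(host):
        findings.append(f"'{brand}' appears inside a non-official host (lookalike)")
    if final.scheme != "https":
        findings.append(f"scheme is {final.scheme or 'missing'}, not https")
    verdict = "official" if is_official_host(host) and final.scheme == "https" else "suspicious"
    return {"final_host": host, "hops": len(chain) - 1, "findings": findings, "verdict": verdict}


# Constructed sample links of the kinds described in the article
SAMPLE_LINKS = [
    "https://example-exchange.com/account/security",
    "https://example-exchange.com/redirect?url=https%3A%2F%2Fexample-exchange.com.recovery-help.net%2Frestore",
    "https://account-example-exchange.com/restore?ticket=48213",
    "https://example-exchange.com@secure-wallet-restore.net/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = analyze_link(link)
        print(r["verdict"].upper(), link, "->", r["final_host"], r["findings"])
```

An "official" verdict only means the final host belongs to the platform; it does not make the message genuine, so any urgent instruction should still be confirmed through a channel you opened yourself.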

According to security researchers, these attacks are typically planned and executed in an organized way:

  • Upgraded fraud toolchain: scammers use dedicated systems to spoof caller ID and simulate official support calls. For phishing emails they use bots on social platforms to impersonate official email addresses, attaching an "Account Recovery Guide" that walks the victim to the transfer.
  • Precise targeting: scammers rely on stolen user data bought through messaging channels and on the dark web, focusing on US users. They even use AI to process the stolen data, splitting and recombining phone numbers into bulk text files, then feed them to SMS blasting software to send scam messages.
  • A coherent deception chain: from phone call to text message to email, the path is usually seamless. Common phishing lines include "your account has received a withdrawal request," "your password has been reset" and "abnormal login on your account," each pushing the victim into another round of "security verification" until the wallet transfer is complete.

On-chain Analysis

We analyzed a number of scammer addresses and found that the operators are highly capable on-chain. Key observations:

The attackers go after whatever assets users hold; the addresses were active mainly between December 2024 and May 2025, with BTC and ETH the main targets. BTC is currently the primary target: several addresses took in hundreds of BTC at a time, with single transactions worth millions of dollars.

After receiving the funds, the scammers quickly run a laundering routine to swap and move the assets, mainly in these patterns:

  • ETH-related assets are usually swapped for DAI or USDT through a DEX, then split across many new addresses, with part of the funds flowing into centralized trading platforms;

  • BTC is mostly bridged to Ethereum via cross-chain bridges and then swapped for DAI or USDT to hamper tracing.

Several scam addresses have stayed "dormant" after receiving DAI or USDT and have not yet withdrawn.

Because interacting with a suspicious address can expose your own address to the risk of being frozen, users are advised to run a risk assessment on the counterparty address before transacting.

Countermeasures

Platform

Mainstream security measures focus on "technical" protection, while social engineering fraud bypasses those mechanisms and targets users' psychological and behavioral weaknesses directly. Platforms should therefore combine user education, security training and usability design into a "human-centric" defense.

  • Regularly push anti-fraud education: improve users' ability to spot phishing via in-app pop-ups, transaction confirmation screens, emails and other channels;
  • Add "interactive anomaly detection" to risk controls: most social engineering scams push the victim through a series of operations (transfers, whitelist changes, device binding, etc.) within a short time. The platform should model this behavior chain and flag suspicious combinations (such as "frequent interactions + new address + large withdrawal") to trigger a cooling-off period or manual review;
  • Standardize customer service channels and verification: scammers impersonate support to confuse users. The platform should unify its phone, SMS and email templates and provide a "customer service verification" entry point that makes the single official communication channel unambiguous.
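A minimal version of the behavior-chain rule from the second platform recommendation, as an added example that is not the article's or any exchange's production logic: it replays a constructed account event log and scores each withdrawal on three signals (recent sensitive account changes, a destination that is new or not whitelisted, and a large amount), escalating to a cooldown or manual review as they stack. Event names, thresholds and the sample log are assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds (assumed; a real platform tunes these per user tier)
WINDOW = timedelta(hours=24)           # look-back for related account changes
NEW_ADDRESS_AGE = timedelta(hours=48)  # destination whitelisted more recently than this is "new"
LARGE_USD = 10_000                     # "large withdrawal" threshold
SENSITIVE = {"login_new_device", "password_reset", "2fa_changed", "device_bound"}


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    amount_usd: float = 0.0
    address: str = ""


@dataclass
class Decision:
    user: str
    action: str                            # "allow" | "cooldown" | "manual_review"
    reasons: list[str] = field(default_factory=list)


def parse_log(text: str) -> list[Event]:
    """Parse constructed log lines: '<iso-ts> <user> <kind> [<amount_usd>] [<address>]'."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        ts, user, kind = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        amount = float(parts[3]) if len(parts) > 3 else 0.0
        address = parts[4] if len(parts) > 4 else ""
        events.append(Event(ts, user, kind, amount, address))
    return sorted(events, key=lambda e: e.ts)


def assess_withdrawal(history: list[Event], w: Event) -> Decision:
    """Score one withdrawal against the user's earlier events (the behavior chain)."""
    mine = [e for e in history if e.user == w.user and e.ts < w.ts]
    recent = [e for e in mine if w.ts - e.ts <= WINDOW]
    reasons = []

    # Signal 1: account-control changes shortly before the withdrawal
    hits = sorted({e.kind for e in recent if e.kind in SENSITIVE})
    if hits:
        reasons.append("recent sensitive changes: " + ", ".join(hits))

    # Signal 2: destination never whitelisted, or whitelisted only just now
    added = [e for e in mine if e.kind == "address_added" and e.address == w.address]
    if not added:
        reasons.append("destination address not on whitelist")
        new_dest = True
    elif w.ts - added[0].ts < NEW_ADDRESS_AGE:
        reasons.append(f"destination whitelisted only {w.ts - added[0].ts} before withdrawal")
        new_dest = True
    else:
        new_dest = False

    # Signal 3: amount
    large = w.amount_usd >= LARGE_USD
    if large:
        reasons.append(f"large withdrawal: ${w.amount_usd:,.0f}")

    signals = bool(hits) + new_dest + large
    if signals >= 3:
        action = "manual_review"   # full scam pattern: hold and call the user back via a verified channel
    elif signals == 2:
        action = "cooldown"        # enforce a delay long enough to break the pressure and verify
    else:
        action = "allow"
    return Decision(w.user, action, reasons)


def scan(log_text: str) -> list[Decision]:
    """Evaluate every withdrawal in the log, in time order."""
    events = parse_log(log_text)
    return [assess_withdrawal(events, e) for e in events if e.kind == "withdrawal"]


# Constructed sample log: 'alice' is walked through the scam script in under an hour
# (new-device login -> 2FA changed -> brand-new address -> large withdrawal);
# 'bob' sends a modest amount to an address he whitelisted ten days earlier.
SAMPLE_LOG = """
2025-03-01T09:00:00 bob address_added 0 wallet_bob_known
2025-03-11T10:02:00 alice login_new_device
2025-03-11T10:05:00 alice 2fa_changed
2025-03-11T10:20:00 alice address_added 0 wallet_scammer_new
2025-03-11T10:40:00 alice withdrawal 250000 wallet_scammer_new
2025-03-11T11:00:00 bob withdrawal 4000 wallet_bob_known
"""

if __name__ == "__main__":
    for d in scan(SAMPLE_LOG):
        print(d.user, d.action, "|", "; ".join(d.reasons))
```

The point of scoring combinations rather than single events is that each step of the script is individually ordinary; only the sequence inside a short window marks the victim, which is why the hold should land on the final transfer rather than on the earlier changes.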

User

  • Isolate identities: avoid reusing the same email address or phone number across platforms so that one leak does not cascade into others. Use a breach-lookup service (Have I Been Pwned, for example) to check periodically whether your email has appeared in a leak.

  • Enable the withdrawal whitelist and withdrawal cooldown: pre-set trusted addresses so that, in an emergency, funds cannot be sent anywhere else without a delay.

  • Stay current on security information: follow security firms, media and trading platforms for the latest attack methods and stay alert. Several security organizations are now launching a Web3 phishing simulation platform that reproduces typical phishing techniques, including social engineering, signature phishing and malicious contract interactions, and keeps adding scenarios based on real cases, so users can practice recognizing and responding to them without risk.

  • Mind offline risk and privacy: leaked personal information can also threaten physical safety.

This is not paranoia. Since the start of this year, crypto practitioners and users have faced multiple incidents threatening personal safety. Given that the leaked data includes names, addresses, contact details, account data and ID photos, affected users should stay alert offline as well.

In short, stay skeptical and keep verifying. For any "urgent" operation, insist that the other party prove their identity and confirm independently through official channels, rather than making an irreversible decision under pressure.

Summary

This incident once again exposes how far the industry's protection of customer data and assets lags behind increasingly sophisticated social engineering. Notably, even staff whose roles carry no financial authority can cause serious harm through careless disclosure or coercion if they lack security awareness and training. As a platform grows, personnel security becomes harder to manage and is now one of the industry's most challenging risks. While hardening on-chain mechanisms, platforms must therefore also build a systematic "social engineering defense" covering both in-house staff and outsourced services, and treat human risk as part of the overall security strategy.

Moreover, once an attack turns out to be not an isolated case but an organized, large-scale, persistent threat, the platform should respond immediately: proactively hunt for related weaknesses, warn users to take precautions, and contain the damage. Only by acting at both the technical and organizational levels can trust be maintained and the bottom line held in an increasingly complex security environment.

LayoffMiner
· 07-09 17:06
Let's all disperse, there's no hope.

SoliditySlayer
· 07-06 19:36
Pay attention, there are indeed traitors.

SchrodingerWallet
· 07-06 19:36
A new twist on playing people for suckers.

BoredApeResistance
· 07-06 19:35
Fleeced by an insider again.

BrokenDAO
· 07-06 19:32
Another act of the old script of centralized disaster.