🎉 [Gate 30 Million Milestone] Share Your Gate Moment & Win Exclusive Gifts!
Gate has surpassed 30M users worldwide — not just a number, but a journey we've built together.
Remember the thrill of opening your first account, or the Gate merch that’s been part of your daily life?
📸 Join the #MyGateMoment# campaign!
Share your story on Gate Square, and embrace the next 30 million together!
✅ How to Participate:
1️⃣ Post a photo or video with Gate elements
2️⃣ Add #MyGateMoment# and share your story, wishes, or thoughts
3️⃣ Share your post on Twitter (X) — top 10 views will get extra rewards!
👉
A certain trading platform has encountered a large-scale social engineering scam, with user losses exceeding $45 million.
Social engineering attacks threaten encryption asset security, with Coinbase users being the primary victims.
In recent years, social engineering attacks have become a significant threat to the asset security of users in the encryption asset field. Since 2025, there has been a frequent occurrence of social engineering fraud incidents targeting users of a certain trading platform, raising widespread concern. From community discussions, it is evident that these incidents are not isolated cases, but rather a type of scam with persistent and organized characteristics.
On May 15, a trading platform announced and confirmed previous speculation about the existence of "insiders" within the platform. It is reported that the U.S. Department of Justice has initiated an investigation into the data breach incident.
This article will disclose the main methods used by scammers by organizing information provided by multiple security researchers and victims, and will explore how to effectively respond to such scams from both the platform and user perspectives.
Historical Analysis
On May 7, on-chain detective Zach stated in a communication update: "In just the past week, over $45 million has been stolen from users of a certain trading platform due to social engineering scams."
In the past year, Zach has repeatedly disclosed incidents of user theft on the platform, with individual victims losing up to tens of millions of dollars. In February 2025, he released a detailed investigation stating that between December 2024 and January 2025, the total amount stolen due to similar scams had exceeded $65 million, and revealed that the platform is facing a serious "social engineering scam" crisis, which is continuously harming user asset security at an annual scale of $300 million. He also pointed out:
Scam Techniques
In this incident, the platform's technical system was not breached; the fraudsters exploited the permissions of internal employees to obtain some users' sensitive information. This information includes: names, addresses, contact information, account data, ID card photos, etc. The ultimate goal of the fraudsters is to use social engineering techniques to guide users into transferring funds.
This type of attack method has changed the traditional "net fishing" technique and has shifted to "precision strikes," which can be described as "tailor-made" social engineering scams. The typical modus operandi is as follows:
1. Contact users as "official customer service"
Fraudsters use fake phone systems to impersonate platform customer service, calling users to claim that their "account has encountered illegal login" or "withdrawal anomalies detected," creating a sense of urgency. They then send realistic phishing emails or text messages containing fake ticket numbers or "recovery process" links, guiding users to take action. These links may point to cloned platform interfaces and can even send emails that appear to come from official domains, with some emails using redirection techniques to bypass security measures.
2. Guide users to download a specific wallet
Scammers will use "asset security" as a reason to guide users to transfer funds to a "secure wallet," and will also assist users in installing specific wallets, instructing them to transfer assets originally held on the platform to a newly created wallet.
3. Inducing users to use the mnemonic phrases provided by the scammers.
Unlike traditional "phishing for mnemonic phrases", scammers directly provide a set of mnemonic phrases they generated themselves, luring users to use them as an "official new wallet".
4. The scammer carries out fund theft.
Victims are easily trapped in a state of tension, anxiety, and trust in "customer service." In their view, the "new wallet provided by the official" must be more secure than the "old wallet suspected of being hacked." The result is that once funds are transferred to this new wallet, the fraudsters can immediately move them away. The concept of "not in your control, not in your possession" is once again gruesomely validated.
In addition, some phishing emails claim that "due to a collective lawsuit ruling, the platform will fully migrate to self-custody wallets" and require users to complete asset migration by April 1. Under the pressure of time and the psychological suggestion of "official instructions," users are more likely to cooperate with the operation.
According to security researchers, these attacks are often planned and carried out in an organized manner:
On-chain Analysis
We analyzed some scammer addresses and found that these scammers have strong on-chain operation capabilities. Here is some key information:
The attackers' targets include various assets held by users, with the active time of these addresses concentrated between December 2024 and May 2025. The main target assets are BTC and ETH. BTC is currently the primary target for scams, with multiple addresses profiting up to hundreds of BTC at once, with a single transaction worth millions of dollars.
After obtaining the funds, the scammers quickly use a set of laundering processes to exchange and transfer the assets, with the main patterns as follows:
ETH-related assets are often quickly exchanged for DAI or USDT through a certain DEX, and then dispersed and transferred to multiple new addresses, with some assets entering centralized trading platforms;
BTC is mainly transferred to Ethereum through cross-chain bridges and then exchanged for DAI or USDT to avoid tracking risks.
Multiple scam addresses remain in a "dormant" state after receiving DAI or USDT, and have not been withdrawn.
To avoid interaction between your address and suspicious addresses, which may lead to the risk of asset freezing, it is recommended that users conduct a risk assessment on the target address before trading to effectively mitigate potential threats.
Countermeasures
platform
Current mainstream security measures are more focused on "technical level" protection, while social engineering fraud often bypasses these mechanisms, directly targeting users' psychological and behavioral vulnerabilities. Therefore, it is recommended that platforms integrate user education, security training, and usability design to establish a "human-centric" security defense.
user
Implement identity isolation policies: Avoid using the same email address or phone number across multiple platforms to reduce associated risks. You can use leak checking tools to regularly check if your email has been compromised.
Enable transfer whitelist and withdrawal cooldown mechanism: preset trusted addresses to reduce the risk of fund loss in emergencies.
Stay updated on security information: Keep informed about the latest attack methods through security companies, media, trading platforms, etc., and remain vigilant. Currently, several security organizations are launching a Web3 phishing simulation platform that will simulate various typical phishing techniques, including social engineering poisoning, signature phishing, malicious contract interactions, etc., and will continuously update scene content based on historical cases. This allows users to enhance their identification and response capabilities in a risk-free environment.
Pay attention to offline risks and privacy protection: Personal information leakage may also lead to personal safety issues.
This is not a case of unnecessary worry; since the beginning of this year, encryption practitioners/users have encountered multiple incidents threatening personal safety. Given that the leaked data includes names, addresses, contact information, account data, and ID photos, relevant users should also remain vigilant offline and pay attention to safety.
In summary, remain skeptical and continuously verify. For any urgent operations, be sure to ask the other party to prove their identity and independently verify through official channels to avoid making irreversible decisions under pressure.
Summary
This incident has once again exposed the obvious shortcomings in client data and asset protection in the industry when facing increasingly sophisticated social engineering attack methods. It is worth noting that even if relevant positions on the platform do not have financial authority, the lack of sufficient security awareness and capability may still lead to serious consequences due to unintentional leaks or coercion. As the platform continues to expand, the complexity of personnel security management increases, making it one of the most challenging risks in the industry. Therefore, while strengthening on-chain security mechanisms, the platform must also systematically build a "social engineering defense system" that covers both internal personnel and outsourced services, incorporating human risks into the overall security strategy.
In addition, once an attack is found to be not an isolated incident but rather an organized and large-scale persistent threat, the platform should respond immediately, proactively checking for potential vulnerabilities, alerting users to take precautions, and controlling the extent of the damage. Only by addressing both the technical and organizational levels can we truly maintain trust and uphold the bottom line in an increasingly complex security environment.