ZachXBT believes Coinbase security failures caused users financial loss

ZachXBT & @tanuki42_ expose Coinbase's security flaws, claiming $65M lost from users in scams due to weak risk models. $300M lost yearly.

Coinbase’s security failures have led to millions in user losses, sparking frustration and criticism. Over the past few months, many users on X have reported sudden account restrictions. According to ZachXBT, Coinbase’s aggressive risk models and lack of effective scam prevention have left users vulnerable, with over $300 million lost each year to social engineering scams.

ZachXBT and researcher @tanuki42_ investigated these scams by analyzing blockchain transactions and collecting reports from victims. Their findings showed that scammers stole at least $65 million from Coinbase users between December 2024 and January 2025.

ZachXBT mentioned that the real figure is probably significantly larger, as their study focused solely on direct messages and on-chain thefts, leaving out Coinbase support tickets and police reports.

Scammers employ a well-organized method to steal funds. One victim, who lost approximately $850,000, recounted how the attacker called from a spoofed phone number, posing as a Coinbase representative. 

Using stolen personal information, the scammer gained trust and falsely claimed that the victim’s account had experienced multiple unauthorized login attempts.

Following the call, the scammer sent a fake email that closely resembled an official Coinbase message, complete with a case ID. They instructed the victim to transfer funds to a Coinbase wallet and whitelist an address for supposed security verification.

The victim noted that these scammers also clone Coinbase’s website almost perfectly, enabling them to deceive victims with fake security prompts. These phishing sites proliferate through Telegram channels, where cybercriminals share tools and strategies. 

Research by ZachXBT identified two major groups behind these scams: cybercriminals from “The Com” and threat actors in India, both primarily targeting U.S. customers.

Despite repeated incidents, Coinbase has overlooked several major security failures, according to a Web3 security expert. Attackers have exploited old API keys set up by users for tax software, even though these keys were intended to be read-only. 

Additionally, a recent bug allowed hackers to send verification codes to any email, regardless of its connection to a Coinbase account. Last year, scammers stole $15.9 million from Coinbase Commerce, while hackers laundered $38 million from the BTCTurk hack through Coinbase in mere hours.

The expert added that Coinbase’s inadequate response has left victims stranded. Many users report that customer support is slow, unhelpful, or unreachable outside U.S. hours—an unacceptable situation for a company in a 24/7 global market.

Coinbase also fails to report theft addresses in compliance tools, allowing scams to persist for weeks. Competitors like Kraken, OKX, and Binance do not experience such widespread fraud issues.

While Coinbase has made positive contributions, such as providing a stablecoin on-ramp, attracting developers to build on Base, and introducing a recovery tool for unsupported asset deposits, these efforts do not excuse its failure to protect users.

Coinbase must take immediate action, according to ZachXBT. Advanced users utilizing security keys or authenticator apps should have the option to disable phone numbers on their accounts. The company should also introduce an account type for beginners and elderly users that blocks withdrawals to prevent scams.

Coinbase needs to enhance its community outreach by publishing security guides, launching 24/7 incident response, flagging theft addresses, and blocking phishing domains. 

Additionally, it should pursue legal action against data providers like TLOxp and TransUnion, whose negligence allows scammers to access victims’ personal information. Taking legal action against U.S.-based scammers would also help set a strong precedent.

If Coinbase does not act, users will continue to lose tens of millions of dollars each month, ZachXBT warned. While individuals must remain vigilant, it is unreasonable to expect elderly or inexperienced users to recognize and avoid sophisticated scams.

He noted that the company has the power and resources to resolve these issues, but so far, its leadership has chosen to do little.
