- Over $45M was stolen from Coinbase users in one week through impersonation scams.
- Scam kits mimicking Coinbase tools are sold on Telegram, enabling widespread fraud.
- ZachXBT estimates $300M in yearly losses with few safeguards to block outbound scam transfers.
According to blockchain investigator ZachXBT, over $45 million in digital assets has been withdrawn from Coinbase users in less than one week. The losses stem from a series of highly coordinated social engineering scams in which victims were tricked into authorizing large transactions to fraudulent addresses. The attackers used impersonation tactics, fake interfaces, and duplicated communications to mislead users into sending their entire holdings without performing test transactions.
ZachXBT detailed how attackers pretending to be Coinbase Support agents contacted victims directly. These impersonators convinced users that their accounts were compromised and needed immediate intervention. The scammers used spoofed websites and pre‐designed email templates to guide victims through transferring their money to what the scammers claimed were ‘secure’ wallets. In reality, the wallets were controlled by the attackers.
Coinbase’s systems could not easily flag these transfers because the victims personally authorized them, despite the unusual volume. Once transferred, the funds were moved from the destination wallets to anonymous addresses and decentralized exchanges.
Fraud Infrastructure Circulated via Telegram
Investigators found plenty of tools that enable these impersonation scams, and the tools circulate widely on Telegram. They are generally referred to as ‘Coinbase panels’ and are akin to fake dashboards, call scripts and user interfaces copied to look exactly like the exchange’s real systems. This infrastructure lets many attackers run identical scams without any technical capability of their own.
ZachXBT reported that no other platform appeared to be affected the way Coinbase is, as no similar impersonation toolkits have been spotted for other platforms. The continued targeting of Coinbase’s user base, and the volume of fraud associated with it, may therefore be attributed to the availability of Coinbase-specific panels.
Scam Activity Surpasses $300 Million Annually
This recent $45 million in losses adds to an already growing trend. In March 2025, Coinbase disclosed having lost $46 million to identical scams. An estimated $65 million in illicit outflows occurred in December 2024 and January 2025. According to ZachXBT, Coinbase users are plagued by social engineering attacks that could cost $300 million each year.
However, multiple reports do not appear to have led to the worst of the bad addresses being isolated: the destination wallet addresses from these incidents remain active and have not been blacklisted. While Coinbase has clamped down on compliance in the past, freezing accounts for minor discrepancies, there are currently no safeguards against outbound transactions from a user’s account to a scam address.
U.S. Wallets Remain Key Targets
The majority of victims appear to be U.S.-based retail investors. These accounts are often targeted in “pig butchering” scams, which rely on extended communication and trust-building. According to ZachXBT, these users are affected so heavily because of the large amount of accessible wealth and relatively low awareness of such schemes.
The largest known case involved a single Coinbase user who was convinced to transfer 3,520 BTC in a single transaction. The attacker guided the entire process, from the spoofed support call to the final transaction. After the theft, the attacker sent the funds through THORChain, swapped them into Ethereum-based tokens like DAI, and mixed the proceeds through Tornado Cash to obscure their origin.
These scams have recurred in the absence of sufficient outbound fraud detection mechanisms. ZachXBT has urged Coinbase to adopt more proactive security features, including outbound address verification, scam address alerts, and more real-time fraud flags. He also suggested that better education and outreach would help users recognize impersonation tactics and avoid high-risk behaviour.