ZachXBT Reveals Clues to $2 Million Coin Scam on Network


Key takeaways:

  • A convincing “Coinbase support” impersonation campaign has been linked to approximately $2 million in stolen cryptocurrencies by onchain researcher ZachXBT.

  • Attribution was based on confirmation of multiple signals, including online activity and traces on Telegram or social media, rather than a single “magic” transaction.

  • Coinbase says its real support team will never ask for your password or 2FA codes, or ask you to transfer funds to a so-called “secure” address.

  • These schemes are part of a broader wave of fraud. Based on 859,532 complaints, the FBI reported more than $16 billion in cyber crime losses in 2024.

A caller claiming to be “Coinbase support” may seem polished, patient, and strangely urgent, which is exactly what makes shrewd people act too quickly. In a recent case, onchain investigator ZachXBT said this type of impersonation campaign netted the alleged fraudster about $2 million in cryptocurrency profits from Coinbase users, and the suspect’s online trail helped connect the dots.

Indeed, some of the biggest threats in cryptocurrency are not smart contract or zero-day exploits, but routine social engineering. These are the same technology-driven pressure tactics that appear on a vast scale on the Internet. The U.S. Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) says reported cybercrime losses in 2024 exceeded $16 billion, and many schemes begin with a convincing message or a bogus phone call.

Did you know? In 2024, the FBI found that overall, those aged 60 and older were hardest hit, recording nearly $5 billion in losses.

What happened?

The case flagged by ZachXBT was an old-fashioned trust trick disguised as “customer service.”

According to ZachXBT, the alleged scammer posed as a Coinbase support employee and used social engineering tactics to convince victims he worked for the exchange, with losses totaling approximately $2 million over the past year.

ZachXBT said he was able to narrow down the suspects, citing screenshots from Telegram group chats, social media posts and onchain activity, as well as sharing a leaked video that allegedly showed the scammer talking to the victim while offering bogus support.

The scam was based on urgency and authority, including warnings about suspicious access, so-called “security procedures” and pressure to act immediately.

Coinbase has repeatedly warned that fraudsters may spoof phone numbers and pose as employees in an attempt to trick users into “protecting” their funds by transferring them. The company says legitimate support will never ask for passwords, two-factor authentication (2FA) codes, seed phrases, or transfers to a “secure” address or fresh wallet.

Did you know? ZachXBT also claimed that the operator tried to cover his trail by purchasing “expensive Telegram usernames” and repeatedly deleting old accounts; however, it was still “easy” to track down the individual due to his constant online bragging and lifestyle posts that ignored basic operational security.

Who is ZachXBT?

ZachXBT is a pseudonymous onchain researcher who has built a reputation for publishing detailed public threads about hacks, scams, and suspicious fund movements, often before comment from exchanges or authorities.

Mainstream media portrayed him as an independent “crypto detective” and his work was cited in real-life cases where investigators later pursued suspects.

This is why a ZachXBT post can ripple through the industry in a matter of hours. When he releases an attribution statement, it can prompt new victims to come forward, prompt platforms to check accounts associated with the activity and influence how the broader market talks about the incident.

Coinbase Warnings and the Hard Truth About ‘Support’

Coinbase’s security guidelines regarding impersonation scams are extremely explicit. If someone contacts you pretending to be from Coinbase and trying to get you to act quickly, assume it’s malicious until proven otherwise.

Coinbase warns that fraudsters regularly pose as employees and try to pressure users to transfer funds. The company says no one will ever ask for your password or 2FA codes or ask you to transfer assets to a specific or “new” address, account, vault or wallet.

In a dedicated blog post on customer service scams, Coinbase emphasizes the same pattern: don’t share login credentials or verification codes, don’t click on third-party links or install software at the caller’s request, and only contact support through official channels, not numbers or links provided to you out of the blue.

Make it your default reflex to slow down, end the conversation, and verify for yourself. Social engineering works when the attacker controls the pace. Coinbase’s guidance aims to break this momentum before the money moves.

When access to data powers social engineering

Part of the reason “support” scams can seem so convincing is that criminals sometimes show up with real context, such as a name, phone number, partial identifiers, or account clues, that make the call seem legitimate.

In May 2025, Coinbase revealed an extortion attempt linked to rogue foreign support agents who were allegedly bribed or recruited to extract customer data from internal support systems, in particular to enable social engineering attacks. Coinbase said passwords, private keys and wallet access were not compromised, but added that it would refund customers who were tricked into sending funds to the attackers.

For crews impersonating other people, personal data is a force multiplier. This makes lies easier to sell and hesitation harder to maintain.

“Support” is the attack surface, and stolen context makes this situation worse

When someone contacts you claiming to be “Coinbase support” and tries to trick you into making a decision, the safest general assumption is that you’re dealing with a scammer.

Coinbase says it will never ask you to transfer or “secure” funds, ask for a seed phrase, ask for a password or two-step verification codes, or trick you into installing software on your device. The company also warns that scammers may spoof legitimate phone numbers, making caller ID a weak signal.

Therefore, Coinbase’s own consumer protection guidance returns to the same principle: interrupt the attacker’s momentum. End the call or chat and then verify for yourself through official channels, rather than using the number, link or “case ID” provided to you at the time.

The uncomfortable reality is that these scams can become much more convincing when criminals have real personal information to weave into the content of the message.

You don’t have to be outsmarted online to lose money in cryptocurrencies. In many cases, you just need to be rushed at the wrong moment by someone who seems credible, and sometimes that credibility is based on stolen context.

This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision. While we strive to provide accurate and up-to-date information, Cointelegraph does not guarantee the accuracy, completeness or reliability of any information contained in this article. This article may contain forward-looking statements that involve risks and uncertainties. Cointelegraph is not liable for any loss or damage arising from your reliance on this information.
