Blockchain investigation uncovers a $2 million Coinbase scam case—The reality of social engineering attacks


An investigation by blockchain researcher ZachXBT revealed that a Canada-based scam group impersonated Coinbase for over a year, deceiving victims out of more than $2 million (approximately 200 million yen) in cryptocurrency assets. This crackdown serves as a warning about the increasing severity of social engineering scams targeting users of major exchanges.

Classic Tactics to Steal Funds One After Another

The scammers relied not on advanced technical exploits but on simple yet effective classic scam tactics. Operating under aliases such as “Haby” or “Havard,” the suspects impersonated Coinbase customer support and convinced victims that their accounts were at risk, which let them extract login credentials and two-factor authentication codes.

Subsequently, the scammers transferred the stolen funds from the users’ wallets to addresses under their control, then quickly converted them into Bitcoin via instant exchange services, making transaction tracing difficult.

On-Chain Analysis and Bragging Posts Pinpoint the Scammers

ZachXBT reconstructed the scammers’ activities by combining screenshots of their bragging posts in Telegram group chats, social media traces, and on-chain transaction data.

On December 30, 2024, a record was found showing the scammer boasting about a theft of 21,000 XRP (worth about $44,000 at the time, approximately $43,470 at current rates). Further analysis revealed that the same XRP address was linked to multiple Coinbase thefts totaling around $500,000.

Tracking transaction timing and wallet balances in detail led to an address holding approximately $237,000 worth of Bitcoin (about 2.26 million yen at current rates) as of February 2025. This address matched exactly with the screenshots the scammer shared in private chats showing off the funds.

Tracing further back, three additional impersonation thefts worth over $560,000 emerged, revealing a pattern of multiple scams.

Call Recordings as Evidence

A leaked screen recording shared by ZachXBT shows the suspect impersonating Coinbase support, instructing the victim on false security procedures. The audio also captured the scammer inadvertently revealing the email address and Telegram account used for the scam.

The suspect attempted to cover their tracks by purchasing a high-profile Telegram username and deleting the old account, but persistent bragging posts on the internet made it easier for investigators to track them down.

Industry-Wide Crisis Seen in Indian Authorities’ Crackdown

This incident is set against the backdrop of a major crackdown by Indian authorities. A former Coinbase support staff member arrested in Hyderabad was involved in leaking information on about 70,000 users. This leak stemmed from a bribery scheme involving overseas support staff, costing Coinbase approximately $370 million in remediation and refunds.

Coinbase CEO Brian Armstrong refused to pay a $20 million ransom and instead launched a reward program to support the investigation.

Similar Incidents Continue in the U.S.

Following the arrest of the Canadian scammer, similar impersonation scams have also been cracked down on in the U.S. Prosecutors in Brooklyn charged a 23-year-old man who used social engineering techniques to steal about $16 million from roughly 100 Coinbase users.

This investigation relied heavily on blockchain analysis, which led to the seizure of cash and digital assets and paved the way for asset recovery.

Over $3.4 Billion in Cryptocurrency Theft in the Industry

Industry data shows that cryptocurrency theft remains a serious issue. From January to early December 2025 alone, over $3.4 billion worth of assets have been stolen across the sector.

Measures Users Should Take

Security experts strongly recommend users adopt the following precautions:

  • Do not respond to unsolicited messages (phone calls, emails, social media)
  • Never share passwords, recovery phrases, or private keys with anyone
  • Contact support only through official websites or official apps
  • Never disclose two-factor authentication codes, even when someone claiming to be support requests them
  • Be especially cautious of messages that create a sense of urgency

The case uncovered by ZachXBT demonstrates that the damage stems not from technical vulnerabilities but from human manipulation. Cryptocurrency users must understand these tactics and remain vigilant at all times.
