Key takeaways:
-
A convincing “Coinbase support” impersonation campaign was linked by onchain investigator ZachXBT to roughly $2 million in stolen crypto.
-
The attribution relied on corroboration across multiple signals, including onchain activity and Telegram or social media footprints rather than a single “magic” transaction.
-
Coinbase says its real support team will never ask for your password or 2FA codes or request that you move funds to a so-called “safe” address.
-
These schemes are part of a broader fraud wave. The FBI reported more than $16 billion in internet crime losses in 2024 based on 859,532 complaints.
A caller claiming to be “Coinbase support” can sound polished, patient and strangely urgent, which is exactly the mix that makes smart people move too fast. In a recent case, onchain investigator ZachXBT said this kind of impersonation campaign netted an alleged scammer roughly $2 million in crypto from Coinbase users and that the suspect’s own online footprint helped connect the dots.
Indeed, some of the biggest threats in crypto are not smart contracts or zero-day exploits, but routine social engineering. These are the same low-tech pressure tactics appearing across the internet at scale. The US Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) says reported cybercrime losses in 2024 exceeded $16 billion, and many schemes begin with nothing more than a convincing message or a spoofed call.
Did you know? In 2024, the FBI said people aged 60 and older were hit hardest overall, reporting nearly $5 billion in losses.
What happened?
The case ZachXBT flagged was an old-school confidence trick dressed up as “customer support.”
According to ZachXBT, an alleged scammer posed as a Coinbase help desk worker and used social engineering tactics to convince victims he worked for the exchange, with losses totaling roughly $2 million over the past year.
ZachXBT said he was able to narrow in on the suspect by cross-referencing Telegram group chat screenshots, social media posts and onchain activity, and by sharing a leaked video that appeared to show the alleged scammer speaking with a victim while offering fake support.
The scam leaned on urgency and authority, including warnings about suspicious access, a so-called “security procedure” and pressure to act immediately.
Coinbase has repeatedly warned that scammers may spoof phone numbers and pose as employees, attempting to push users into “protecting” their funds by moving them. The company says legitimate support will never ask for passwords, two-factor authentication (2FA) codes, seed phrases or transfers to a “safe” address or new wallet.
Did you know? ZachXBT also claimed the operator tried to muddy the trail by buying “expensive Telegram usernames” and repeatedly deleting old accounts; however, it was still “easy” to hone in on the individual due to their frequent online gloating and lifestyle posts that ignored basic operational security.
Who is ZachXBT?
ZachXBT is a pseudonymous onchain investigator who has built a reputation by publishing detailed public threads about hacks, scams and suspicious fund movements, often before exchanges or authorities comment.
Major outlets have profiled him as an independent “crypto detective,” and his work has been cited in real-world cases where investigators later moved in on suspects.
This is why a ZachXBT post can race through the industry in hours. When he publishes an attribution claim, it can trigger new victim reports, push platforms to review accounts linked to the activity and shape how the wider market talks about an incident.
Coinbase’s own warnings and the hard truth about “support”
Coinbase’s security guidance on impersonation scams is unusually blunt. If someone contacts you claiming to be from Coinbase and pushes you to act fast, assume it is malicious until proven otherwise.
Coinbase warns that scammers regularly pose as employees and attempt to pressure users into moving funds. The company says no one will ever ask for your password or 2FA codes or request that you transfer assets to a specific or “new” address, account, vault or wallet.
In a dedicated blog post about customer support scams, Coinbase emphasizes the same pattern: Do not share login details or verification codes, do not click third-party links or install software at a caller’s request, and only reach support through official channels, not numbers or links provided to you out of the blue.
Adopt a default reflex to slow down, end the conversation and verify independently. Social engineering works when the attacker controls the tempo. Coinbase’s guidance is designed to break that tempo before money moves.
When data access feeds social engineering
One reason “support” scams can feel so convincing is that criminals sometimes show up with real context, such as a name, phone number, partial identifiers or account hints that make the call feel legitimate.
In May 2025, Coinbase
cointelegraph.com