Coinbase users were hit by a social engineering scam after an insider leaked their data, triggering a security crisis.

The Threat of Social Engineering Scams to Coinbase Users, and Response Strategies

Recently, social engineering attacks in the cryptocurrency asset sector have become a significant threat to the security of user funds. Since 2025, incidents of social engineering scams targeting users of a certain trading platform have occurred frequently, drawing widespread attention within the industry. Discussions in the community indicate that these incidents are not isolated cases but exhibit characteristics of persistence and organization.

On May 15, a certain trading platform released an announcement confirming previous speculation about the existence of "insiders" within the platform. The U.S. Department of Justice has launched an investigation into the data leak incident.

This article collates information provided by several security researchers and victims to set out the main methods used by the scammers, and explores effective response strategies from both the platform's and the user's perspective.

Historical Review

Security researcher Zach noted in a social media update on May 7: "In just the past week, over $45 million has been stolen from users of a certain trading platform due to social engineering scams."

In the past year, Zach has repeatedly disclosed thefts from users of the trading platform on social media, with some victims losing up to tens of millions of dollars. A detailed investigation published by Zach in February 2025 states that between December 2024 and January 2025, total financial losses from such scams exceeded 65 million dollars. He also revealed that the platform is facing a serious "social engineering fraud" crisis, with attacks continuing to compromise user asset security at an annual scale of 300 million dollars.

Zach pointed out:

  • The groups running this type of scam mainly fall into two categories: low-level attackers from specific circles, and cybercrime organizations located in India;
  • The scam gangs mainly target American users, using standardized methods and mature scripts;
  • The actual loss amount may be much higher than what on-chain statistics show, since those figures exclude information that is not publicly accessible, such as customer service tickets and police reports.

"Customer Service" in the Dark Forest: When Social Engineering Scams Target Coinbase Users

Scam techniques

In this incident, the trading platform's technical systems were not breached; rather, the fraudsters exploited the access of internal employees to obtain some users' sensitive information, including names, addresses, contact information, account data and ID photos. The fraudsters' ultimate goal is to use social engineering techniques to steer users into transferring funds themselves.

This type of attack has moved away from the traditional "cast a wide net" phishing approach toward "precision strikes": social engineering scams that are effectively tailor-made for each victim. A typical modus operandi is as follows:

1. Contact users as "official customer service"

Scammers use a spoofed phone system to impersonate platform customer service, calling users to claim that their "account has encountered an illegal login" or that "an abnormal withdrawal was detected," creating a sense of urgency. They then send realistic phishing emails or text messages containing fake ticket numbers or "recovery process" links to prompt the user to act. These links may point to cloned platform interfaces, and some emails appear to come from an official domain, with redirect techniques used to bypass security measures.


2. Guide users to download the official wallet

Using "asset protection" as the pretext, the scammers guide users into moving funds to a "safe wallet". They help the user install the genuine official wallet app and instruct them to transfer the assets originally held on the platform into a newly created wallet.

3. Induce users to use a mnemonic phrase supplied by the scammers

Unlike traditional scams that phish for the victim's own mnemonic phrase, here the scammers supply a seed phrase they generated themselves and entice the user to adopt it as the "official new wallet".

4. Scammers drain the funds

Victims, in a state of tension, anxiety, and trust in the "customer service", are easily lured into traps. To them, the "new wallet provided by the official" naturally seems safer than the "old wallet that is suspected of being hacked". The result is that once funds are transferred to this new wallet, the scammers can immediately take them away. "Keys that are not in your control mean coins that you do not own"—this concept is once again brutally validated in social engineering attacks.

In addition, some phishing emails claim that "due to a class action ruling, the platform will fully migrate to self-custody wallets" and require users to complete asset migration by April 1st. Under the pressure of time and the psychological suggestion of an "official directive," users are more likely to cooperate with the operation.

According to security researchers, these attacks are typically organized and carefully planned:

  • A mature scam toolchain: Scammers use PBX systems to spoof caller IDs so that calls look like official customer service. For phishing emails, they use bots on social platforms to impersonate official email addresses, attaching an "Account Recovery Guide" to prompt transfers.
  • Precise targeting: The scammers rely on stolen user data purchased through social channels and on the dark web, and single out U.S. users as their primary targets. They even use AI tools to process the stolen data, splitting and reassembling phone numbers and generating TXT files in bulk, which are then fed to bulk SMS tools to send scam messages.
  • A coherent deception chain: From phone call to text message to email, the scam path is usually seamless. Common phishing phrases include "Account has received a withdrawal request", "Password has been reset" and "Account has abnormal login activity", each pushing the victim toward another round of "security verification" until the wallet transfer is complete.


On-chain Analysis

Analysis of several scammer addresses with an on-chain anti-money laundering and tracking system shows that these scammers have strong on-chain operational capabilities. The key findings are as follows:

The scammers target a range of assets held by users, and the active period of these addresses is concentrated between December 2024 and May 2025. The main target assets are BTC and ETH. BTC is currently the primary target: multiple addresses have taken in hundreds of BTC at a time, with individual transactions worth several million dollars.

After obtaining the funds, the scammers quickly use a set of laundering processes to exchange and transfer the assets, mainly in the following pattern:

  • ETH is typically swapped quickly for stablecoins on a certain DEX, then dispersed across multiple fresh addresses, with some of it flowing into centralized trading platforms.
  • BTC is mainly bridged to Ethereum through cross-chain bridges and then swapped for stablecoins to evade tracking.

Several scam addresses have remained dormant after receiving stablecoins, with no further withdrawals.

To avoid interacting with suspicious addresses, which can expose your own address to the risk of having assets frozen, users are advised to run a risk assessment on the counterparty address with an on-chain anti-money laundering and tracking system before transacting.


Countermeasures

Platform

Current mainstream security measures focus on protection at the "technical layer", while social engineering scams bypass these mechanisms and go straight for users' psychological and behavioral weaknesses. Platforms should therefore combine user education, security training and usability design into a set of "human-oriented" security defenses.

  • Regularly push anti-fraud educational content: Strengthen users' phishing awareness through App pop-ups, transaction confirmation screens, emails and other channels;
  • Optimize risk control models and introduce "interactive anomaly behavior recognition": Most social engineering scams walk the user through a series of operations (transfers, whitelist changes, device bindings and so on) within a short period of time. The platform should identify suspicious combinations of interactions with a behavior chain model (for example "frequent interaction + new address + large withdrawal") and trigger a cooling-off period or manual review when one is detected;
  • Standardize customer service channels and verification mechanisms: Scammers routinely impersonate customer service to confuse users. The platform should unify its phone, SMS and email templates and provide a "customer service verification entry" that makes the single official communication channel unambiguous.
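The behavior-chain check described above, as an added example (not code from the platform or from the original article): it scores the last withdrawal in a constructed account-event log on the three signals the bullet names (new destination address, large amount, a burst of sensitive interactions within a short window) and returns whether to allow it, send it to manual review, or place a cooling-off hold. The event format, thresholds, window length, addresses and IP address are all assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; a platform would tune them.
WINDOW = timedelta(hours=2)       # the "short period of time" in the text
LARGE_USD = 50_000                # what counts as a large withdrawal
SENSITIVE = {"login_new_ip", "password_reset", "whitelist_change", "device_bind"}

def parse(line):
    """Parse one constructed event line: '<iso-time> <event> [key=value ...]'."""
    ts, kind, *kv = line.split()
    return datetime.fromisoformat(ts), kind, dict(p.split("=", 1) for p in kv)

def assess_withdrawal(lines, long_trusted):
    """Decide on the last withdrawal in the log: 'allow', 'review' or 'hold'.

    long_trusted: destination addresses whitelisted well before the window
    (assumes the platform records when each whitelist entry was added)."""
    events = [parse(line) for line in lines]
    withdrawals = [e for e in events if e[1] == "withdrawal"]
    if not withdrawals:
        return "allow", []
    w_ts, _, w = withdrawals[-1]
    recent = [e for e in events if w_ts - WINDOW <= e[0] < w_ts]
    reasons = []
    if w["to"] not in long_trusted:
        reasons.append("new_address")
    if float(w["usd"]) >= LARGE_USD:
        reasons.append("large_withdrawal")
    if sum(1 for e in recent if e[1] in SENSITIVE) >= 2:
        reasons.append("frequent_interaction")
    # The combination the text flags: new address + large withdrawal. A burst of
    # sensitive actions just before it is the scripted "security verification"
    # pattern, so that case gets a cooling-off hold rather than plain review.
    if "new_address" in reasons and "large_withdrawal" in reasons:
        return ("hold" if "frequent_interaction" in reasons else "review"), reasons
    return "allow", reasons

# Constructed sample logs (addresses and IP are placeholders, not real data).
SCRIPTED_SESSION = [              # the sequence a scam call walks a victim through
    "2025-05-01T10:00:00 login_new_ip ip=203.0.113.7",
    "2025-05-01T10:12:00 password_reset",
    "2025-05-01T10:20:00 whitelist_change add=bc1q-new-wallet-placeholder",
    "2025-05-01T10:35:00 withdrawal to=bc1q-new-wallet-placeholder usd=180000",
]
ROUTINE_SESSION = [               # same amount, long-trusted cold-storage address
    "2025-05-01T09:00:00 login_known_device",
    "2025-05-01T09:05:00 withdrawal to=bc1q-cold-storage-placeholder usd=180000",
]

if __name__ == "__main__":
    trusted = {"bc1q-cold-storage-placeholder"}
    print(assess_withdrawal(SCRIPTED_SESSION, trusted))  # ('hold', ['new_address', 'large_withdrawal', 'frequent_interaction'])
    print(assess_withdrawal(ROUTINE_SESSION, trusted))   # ('allow', ['large_withdrawal'])
```

The same amount going to a long-trusted address passes, while the scripted sequence is held for a cooling-off period even though every single step on its own looks like a legitimate user action.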


User

  • Implement an identity isolation strategy: Avoid using the same email address or phone number across multiple platforms, so that one leak cannot be linked to your other accounts. Use leak-checking tools to periodically check whether your email address has appeared in a breach.
  • Enable the transfer whitelist and withdrawal cooling-off mechanism: Preset trusted addresses in advance so that, in an emergency, funds cannot be sent straight to an unknown address.
  • Keep up with security information: Follow the latest developments in attack methods through security companies, media, trading platforms and other channels, and stay vigilant. Several security organizations are currently building a Web3 phishing simulation platform that reproduces typical phishing methods, including social engineering, signature phishing and malicious contract interaction, and continuously updates its scenarios with real cases collected from past incidents, so that users can practise recognizing and responding to them in a risk-free environment.
  • Be aware of offline risks and protect your privacy: Leakage of personal information can also put your personal safety at risk.

This is no exaggeration. Since the beginning of this year, cryptocurrency practitioners and users have faced multiple incidents threatening their personal safety. Given that the leaked data includes names, addresses, contact information, account data and ID photos, affected users should also remain vigilant offline and attend to their physical safety.

In summary, stay skeptical and keep verifying. For any "urgent" operation, insist that the other party prove their identity, and independently confirm it through official channels, so that you never make an irreversible decision under pressure.


Summary

This incident once again exposes significant shortcomings in how the industry protects customer data and assets against increasingly sophisticated social engineering. Notably, even where the relevant roles on the platform carry no financial authority, a lack of security awareness and capability can still lead to serious consequences through unintentional leaks or coercion. As platforms grow, personnel security management becomes more complex and is now one of the industry's most challenging risks. Alongside strengthening on-chain security mechanisms, platforms must therefore systematically build a "social engineering defense system" covering internal staff and outsourced services, and treat human risk as part of the overall security strategy.

In addition, once an attack turns out to be not an isolated incident but an organized, large-scale and ongoing threat, the platform should respond immediately: actively check for remaining weaknesses, alert users to take precautions, and contain the scope of the damage. Only by responding at both the technical and the organizational level can trust, and the platform's baseline obligations, be upheld in an increasingly complex security environment.

MetaRecktvip
· 08-06 14:31
Another insider incident? They probably haven't dug it all out yet. Let's see how the regulators respond~
ImpermanentLossEnjoyervip
· 08-05 03:09
The insider is causing trouble again, it's getting more and more ridiculous.
BearMarketSagevip
· 08-04 04:20
Haha, it's so miserable. CEX is so unreliable now.
NftBankruptcyClubvip
· 08-04 04:03
Is the platform regulation that poor? The wallet has been emptied and there was a rug pull.