Coinbase's Chief Information Security Officer Discusses Fraud Prevention Strategies Amidst Reported $300 Million Annually in Losses to Scams
Plundering Coinbase Users: A Deep Dive into the Rising Social Engineering Scams
Taking a Closer Look at the Millions Lost to Sneaky Manipulations and How Coinbase Is Stepping Up Its Game
Social engineering scams have been a menacing thorn in the side of Coinbase users since the last quarter of 2024, causing a jaw-dropping loss of over $100 million in assets from December 2024 to March 2025. And that's not all: the annual losses reach a mind-boggling $300 million!
While sifting through user complaints, BeInCrypto got the lowdown from Coinbase's Chief Information Security Officer (CISO), Jeff Lunglhofer. We wanted to know what makes Coinbase users so vulnerable to these scams, how they're being pulled off, and what Coinbase is doing to put a stop to this plunder.
Just How Serious Is This Scam Pandemic?
Over the course of the first quarter of 2025, numerous Coinbase users fell victim to social engineering scams. Given that Coinbase is the leading centralized exchange in an industry that's increasingly seeing its hacking attacks grow in complexity, it's not a huge shock.
Researcher ZachXBT has been digging deep into these scams, and his findings are eye-opening. He's reported on numerous messages he's received from Coinbase users about major withdrawals from their accounts. On March 28, ZachXBT exposed a significant social engineering exploit that left one individual out-of-pocket to the tune of nearly $35 million. Further investigations revealed more victims of this same exploit, amounting to more than $46 million lost in March alone!
A month prior to that, ZachXBT reported that $65 million had been stolen from Coinbase users between December 2024 and January 2025. To add insult to injury, he also shared that Coinbase has been grappling quietly with a social engineering scam issue for years, costing its users $300 million annually.
It's not just Coinbase that's been targeted; centralized exchanges in general have suffered significant harm from these increasingly cunning attacks.
The Big Picture: The Social Engineering Landscape
Data on the evolution of social engineering scams in recent years is limited and dated, but the numbers in the available reports are shocking.
In 2023, the Internet Crime Complaint Center (IC3) under the US Federal Bureau of Investigation (FBI) released its inaugural cryptocurrency report. Investment fraud accounted for the largest share of cryptocurrency-related complaints, representing a staggering 46% of the 69,500 complaints filed, approximately 33,000 cases.
Investment fraud, also known as pig butchering, involves seductive promises of high returns with minimal risk to lure investors, particularly newcomers driven by FOMO (the fear of missing out). These schemes rely on social engineering and building trust, with criminals using platforms like social media, dating apps, professional networks, and encrypted messaging to connect with their targets.
These scams resulted in losses of a whopping $3.96 billion for users in 2023, representing a 53% increase from the previous year. Other social engineering scams, like phishing and spoofing, accounted for additional losses of $9.6 million.
Without a doubt, Coinbase users have experienced their fair share of these scams in recent years.
Zooming In on New Tricks Social Engineers Use
Coinbase scammers are experts at crafting fake emails, mimicking legitimate appearance through cloned website images and false Case IDs. They contact users via spoofed calls, using private information to gain trust before sending deceptive emails.
Once they've convinced users of the genuine nature of these interactions, they exploit the opportunity to convince victims to transfer funds.
The impressive sophistication of these scams highlights both the manipulation involved and the vulnerability of victims. It also shows that centralized exchanges like Coinbase are prime targets for these exploits.
ZachXBT's investigations and user reports expose a gap between the extent of social engineering scams and Coinbase's apparent ability to manage them.
Public discussion suggests that Coinbase has not flagged theft addresses in typical compliance tools. Victims of scams and users whose funds have been frozen are pushing Coinbase to take stronger action against this growing issue. Understanding how these scams transpire is crucial to effectively combating them.
How Do Coinbase Users Become Victims?
In January, a victim contacted ZachXBT after losing $850,000. In this instance, a scammer contacted the victim via a spoofed phone number, gathering personal information from private databases to build trust. The scammer swayed the victim by sending a spoofed email claiming their account had suffered multiple unauthorized login attempts. The scammer instructed the victim to safelist an address and transfer funds to another Coinbase wallet as part of a bogus security procedure.
Last October, another Coinbase user lost $6.5 million after a scammer posing as Coinbase support called from a spoofed number. The victim was tricked into using a phishing site. Eight months earlier, another victim lost $4 million after a scammer convinced them to reset their Coinbase login.
ZachXBT raised concerns about Coinbase's failure to report the theft addresses to common compliance resources and its perceived inadequate handling of the escalating social engineering issue.
In a conversation with BeInCrypto, Jeff Lunglhofer, Coinbase's Chief Information Security Officer, shared his take on the situation.
Coinbase CISO: Social Engineering Scams: A Collective Battle
Despite acknowledging the widespread harm caused by social engineering scams to its users, Lunglhofer emphasized that the broader crypto community should shoulder this issue collectively rather than placing the burden on a single entity. "In the context of the broader social engineering challenge that's out there, of course, Coinbase customers are impacted. We're keenly aware of it. We've been rolling [out] a number of control improvements to help protect our users, and, I think more importantly, we are working with the broader industry to bring these ideas and these control uplifts across the industry, across all crypto exchanges, across everything," Lunglhofer told BeInCrypto.
Coinbase's CISO referenced the exchange's collaborative efforts with other platforms to combat this issue in his reply. Specifically, Lunglhofer pointed to the "Tech Against Scams" initiative, a partnership with industry players like Meta, Kraken, Ripple, Gemini, and Match Group to fight online fraud and financial schemes.
Lunglhofer also hinted at Coinbase's similar approach when flagging theft addresses.
Why Does Coinbase Treat Theft Addresses Differently?
When asked why Coinbase doesn't publish theft addresses across popular compliance tools, Lunglhofer explained that the exchange has a different protocol for these scenarios. "We will communicate with other exchanges directly [and] let them know the addresses that we've seen where assets have been withdrawn. When we see that there's, in fact, fraudulent activity, we will pull back all the wallets that are associated with the fraud and we'll push those out to the other exchanges that we have communications with," he said.
Lunglhofer also mentioned Crypto ISAC, an intelligence and information-sharing group established by Coinbase in collaboration with various other crypto exchanges and organizations to distribute information related to scams.
When it comes to spoofed emails, phone numbers, or phishing sites, Coinbase delegates responsibility to third-party service providers.
Coping with the Deluge of Spoofed Content
Lunglhofer admitted that the number of spoofed emails that Coinbase identifies or receives in the form of user reports exceeds the exchange's capacity to take them down. "Regrettably, they’re a dime a dozen. I can open ten of them in five minutes. It’s super easy to do. So there's not a lot we can do about that. But, when we identify them [or when] a customer reports them, we do have them taken down," he said.
Coinbase contracts various vendors to eliminate circulating spoofs or phishing campaigns in these instances.
"We have several vendors that we use to do takedowns. So anytime we see a fraudulent phone number pop up, anytime we see a fraudulent URL [or] a fraudulent website get established, we will issue those for takedown. We’ll use our vendors to work with the DNS providers and others to bring those down as quickly as possible," Lunglhofer told BeInCrypto.
While these preventative measures are crucial for the future, they offer limited relief to users who have already lost millions to scams.
Whose Responsibility Is It? User vs. Exchange
Coinbase did not respond to BeInCrypto's inquiry about developing an insurance policy for users who lost fortunes to social engineering scams, leaving their stance on this matter unclear.
Social engineering scams are a devilishly intricate dance of emotional manipulation, relying on heavy trust-building. The intricacy of these scams raises questions concerning the degree of responsibility that falls on user vulnerability versus potential shortcomings in a centralized exchange’s user protection measures.
Experts suggest that more educational materials are necessary to help users distinguish legitimate communications from deceptive ones.
Regarding this issue, Lunglhofer stressed that Coinbase will never reach out to users unexpectedly due to security concerns. He also shed light on recent features that act as warnings for users when they interact with potentially suspicious transactions.
Not only has Coinbase implemented a "scam quiz," an educational tool that appears as a real-time banner when a user undertakes a questionable transaction, but it also uses a 'safelist' feature that allows users to list approved recipient addresses, helping block transfers to unfamiliar addresses.
Although this feature is advantageous, its ability to protect users is questionable, especially regarding its efficiency in flagging suspicious activity. Coinbase didn't reply when BeInCrypto asked if the exchange internally tracks data related to social engineering scams.
Similar issues arise with Coinbase's safelist feature.
The Staggering Loss of $850,000 on Coinbase
While Coinbase offers a safelist feature that enables users to create lists of permitted transaction recipients, its effectiveness is limited when it comes to safeguarding users.
"We offer every retail customer the ability to create 'allow lists' for wallets they’re permitted to transfer assets to. On my personal account on Coinbase, I have 'allow listing' turned on, and I only have three wallets that are allowed," Lunglhofer explained.
A downside of this feature was exposed in the $850,000 scam case: the victim, acting under the scammer's direction, added the theft address to their own safelist, which effectively neutralized the intended protection.
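As an added illustration (not Coinbase's code or policy), one way a defender can keep an allow list useful against the manipulation described above is to treat a freshly added address as unseasoned: the replay below runs over a constructed account-event timeline and flags a large withdrawal to an address that was safelisted only minutes earlier. The 48-hour window, the $50,000 threshold and the addresses are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy knobs for this illustration, not Coinbase's actual settings.
SEASONING_WINDOW = timedelta(hours=48)
LARGE_WITHDRAWAL_USD = 50_000.0


@dataclass
class Event:
    ts: datetime
    kind: str            # "safelist_add" or "withdrawal"
    address: str
    amount_usd: float = 0.0


def flag_withdrawals(events):
    """Replay account events in time order and return (event, reason) pairs
    for withdrawals that an allow list on its own would not stop."""
    added_at = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "safelist_add":
            added_at[ev.address] = ev.ts
        elif ev.kind == "withdrawal":
            since = added_at.get(ev.address)
            if since is None:
                # destination never safelisted: the allow list blocks this itself
                flagged.append((ev, "not_safelisted"))
            elif ev.ts - since < SEASONING_WINDOW and ev.amount_usd >= LARGE_WITHDRAWAL_USD:
                # the $850,000 pattern: address added under pressure, drained right after
                flagged.append((ev, "fresh_safelist_entry"))
    return flagged


def constructed_timeline():
    # Constructed sample events; the addresses are placeholders, not real wallets.
    t0 = datetime(2025, 1, 10, 9, 0)
    return [
        Event(t0 - timedelta(days=30), "safelist_add", "0xLONGSTANDING"),
        Event(t0, "withdrawal", "0xLONGSTANDING", 2_000.0),
        Event(t0 + timedelta(minutes=5), "safelist_add", "0xTHEFT"),
        Event(t0 + timedelta(minutes=45), "withdrawal", "0xTHEFT", 850_000.0),
    ]


if __name__ == "__main__":
    for ev, reason in flag_withdrawals(constructed_timeline()):
        print(f"{ev.ts:%Y-%m-%d %H:%M} {ev.address} ${ev.amount_usd:,.0f} -> {reason}")
```

The long-standing address passes untouched; only the withdrawal to the just-added address is surfaced for a hold or an out-of-band confirmation.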
Can Coinbase Do More to Protect Users?
Sophisticated social engineering scams pose a nagging challenge, leaving crypto users and centralized exchanges like Coinbase in a precarious position. Despite Coinbase's efforts, the destructive financial losses experienced by its users highlight the limitations of current industry-standard measures against determined scammers.
Although cooperation is vital, Coinbase, as a leading platform, must also devote additional resources and proactive efforts to educate its users. Given the user-focused nature of social engineering schemes, platforms like Coinbase bear a significant responsibility to lead industry-wide initiatives against these threats.
The millions lost are a stark reminder that vigilance and collective action are vital in safeguarding users against these increasingly refined and frequent attacks.
- The annual losses caused by social engineering scams on Coinbase reach an astounding $300 million.
- Researcher ZachXBT has been exposing social engineering exploits targeting Coinbase users, resulting in substantial losses.
- Coinbase's Chief Information Security Officer (CISO), Jeff Lunglhofer, has acknowledged the issue of social engineering scams and the need for collective efforts to combat them.
- These scams often involve fake emails, mimicking legitimate appearance, and contacting users via spoofed calls, using private information to gain trust before sending deceptive emails.
- Coinbase users are urged to be cautious of strange transactions and unexpected security-related emails or calls.
- The widespread harm caused by social engineering scams has led to discussions about the development of insurance policies for users who lost fortunes to these scams.
- Coinbase has implemented educational tools such as a "scam quiz" and a 'safelist' feature, but their effectiveness in flagging suspicious activity and protecting users is questionable.
- The staggering loss of $850,000 on Coinbase highlights the limitations of current industry-standard measures against determined social engineering scammers. Coinbase, as a leading platform, must provide more resources and proactive efforts to educate its users to ensure their security in the ever-evolving world of cryptocurrencies.