ZachXBT Exposes $2-Million Coinbase Impersonation Scam Onchain Clues

Key takeaways:

• A convincing “Coinbase support” impersonation campaign was linked by onchain investigator ZachXBT to roughly $2 million in stolen crypto.

• The attribution relied on corroboration across multiple signals, including onchain activity and Telegram or social media footprints rather than a single “magic” transaction.

• Coinbase says its real support team will never ask for your password or 2FA codes or request that you move funds to a so-called “safe” address.

• These schemes are part of a broader fraud wave. The FBI reported more than $16 billion in internet crime losses in 2024 based on 859,532 complaints.

A caller claiming to be “Coinbase support” can sound polished, patient and strangely urgent, which is exactly the mix that makes smart people move too fast. In a recent case, onchain investigator ZachXBT said this kind of impersonation campaign netted an alleged scammer roughly $2 million in crypto from Coinbase users and that the suspect’s own online footprint helped connect the dots.

Indeed, some of the biggest threats in crypto are not smart contracts or zero-day exploits, but routine social engineering. These are the same low-tech pressure tactics appearing across the internet at scale. The US Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) says reported cybercrime losses in 2024 exceeded $16 billion, and many schemes begin with nothing more than a convincing message or a spoofed call.

Did you know? In 2024, the FBI said people aged 60 and older were hit hardest overall, reporting nearly $5 billion in losses.

What happened?

The case ZachXBT flagged was an old-school confidence trick dressed up as “customer support.”

According to ZachXBT, an alleged scammer posed as a Coinbase help desk worker and used social engineering tactics to convince victims he worked for the exchange, with losses totaling roughly $2 million over the past year.

ZachXBT said he was able to narrow in on the suspect by cross-referencing Telegram group chat screenshots, social media posts and onchain activity, and by sharing a leaked video that appeared to show the alleged scammer speaking with a victim while offering fake support.

The scam leaned on urgency and authority, including warnings about suspicious access, a so-called “security procedure” and pressure to act immediately.

Coinbase has repeatedly warned that scammers may spoof phone numbers and pose as employees, attempting to push users into “protecting” their funds by moving them. The company says legitimate support will never ask for passwords, two-factor authentication (2FA) codes, seed phrases or transfers to a “safe” address or new wallet.

Did you know? ZachXBT also claimed the operator tried to muddy the trail by buying “expensive Telegram usernames” and repeatedly deleting old accounts; however, it was still “easy” to hone in on the individual due to their frequent online gloating and lifestyle posts that ignored basic operational security.

Who is ZachXBT?

ZachXBT is a pseudonymous onchain investigator who has built a reputation by publishing detailed public threads about hacks, scams and suspicious fund movements, often before exchanges or authorities comment.

Major outlets have profiled him as an independent “crypto detective,” and his work has been cited in real-world cases where investigators later moved in on suspects.

This is why a ZachXBT post can race through the industry in hours. When he publishes an attribution claim, it can trigger new victim reports, push platforms to review accounts linked to the activity and shape how the wider market talks about an incident.

Coinbase’s own warnings and the hard truth about “support”

Coinbase’s security guidance on impersonation scams is unusually blunt. If someone contacts you claiming to be from Coinbase and pushes you to act fast, assume it is malicious until proven otherwise.

Coinbase warns that scammers regularly pose as employees and attempt to pressure users into moving funds. The company says no one will ever ask for your password or 2FA codes or request that you transfer assets to a specific or “new” address, account, vault or wallet.

In a dedicated blog post about customer support scams, Coinbase emphasizes the same pattern: Do not share login details or verification codes, do not click third-party links or install software at a caller’s request, and only reach support through official channels, not numbers or links provided to you out of the blue.

Adopt a default reflex to slow down, end the conversation and verify independently. Social engineering works when the attacker controls the tempo. Coinbase’s guidance is designed to break that tempo before money moves.

When data access feeds social engineering

One reason “support” scams can feel so convincing is that criminals sometimes show up with real context, such as a name, phone number, partial identifiers or account hints that make the call feel legitimate.

In May 2025, Coinbase disclosed an extortion attempt tied to rogue overseas support agents who were allegedly bribed or recruited to pull customer data from internal support systems, specifically to enable social engineering attacks. Coinbase said passwords, private keys and wallet access were not compromised but added that it would reimburse customers who were tricked into sending funds to attackers.

For impersonation crews, personal data is force-multiplying fuel. It makes the lie easier to sell and hesitation harder to sustain.

“Support” is the attack surface, and stolen context worsens it

When someone reaches out claiming to be “Coinbase support” and tries to rush you into a decision, the safest general assumption is that you are dealing with an impostor.

Coinbase says it will never ask you to move or “secure” funds, request a seed phrase, ask for your password or two-step verification codes, or push you to install software on your device. The company also warns that scammers can spoof legitimate phone numbers, making caller ID a weak signal.

That is why Coinbase’s own consumer protection posts keep returning to the same principle: Break the attacker’s tempo. End the call or chat, then verify independently through official channels rather than using any number, link or “case ID” given to you in the moment.

The uncomfortable reality is that these scams can become far more persuasive when criminals have real personal details to weave into the pitch.

You do not need to be outsmarted onchain to lose money in crypto. In many cases, you only need to be rushed at the wrong moment by someone who sounds credible, and sometimes, that credibility is built on stolen context.