The crypto community has raised the alarm about an ongoing phishing scam targeting crypto investors after scammers posing as crypto exchange Coinbase successfully drained nearly $2 million over the weekend. 

The scam is reportedly related to the CoinTracker security breach from 2022.

$1.7 Million Drained From Ledger Wallet

On Monday, Edge & Node’s CEO, Tegan Kline, reported that a crypto investor had fallen victim to a phishing attack. 

The scammers impersonated a Coinbase security member to target crypto investors. As a result, a user’s self-custody wallet was drained after they revealed half of their seed phrase.

Per the report, a crypto investor was contacted via Google Voice by a scammer pretending to be from the crypto exchange’s security team. The scammer, falsely claiming to be named “David Brown,” contacted the victim to “confirm” suspicious transactions from their account.

CT, a member of the community urgently needs your help.

$1.7 Million stolen – A good friend's self custody wallet was drained by a scammer yesterday, July 6th.

TLDR of how it went down below (3 pages)

You can find the Ethereum transactions with links in the comment below.… pic.twitter.com/OTx3wslz6R

— Tegan.eth (@theklineventure) July 7, 2024

The victim received an email from a fake Coinbase address “verifying” that the person on the phone was an official exchange representative. 

The crypto investor received another email after verification claiming their alleged transaction had been delayed.

The email shows that a transaction for $3,050.87 in Ethereum (ETH) had been delayed for 72 hours for “security reasons.” The scammer continued the call, talking to the victim about their previous addresses, which raised suspicions.

When questioned about his identity and the information he had disclosed, the scammer stated that he “knows these things because he is from Coinbase.” The alleged Coinbase representative acknowledged the victim’s concerns but claimed the transaction was still coming through.

The scammer claimed to need the victim’s seed phrase as their Ledger wallet was connecting directly to the blockchain, and he was “trying to disconnect it.” 

After the scammer directed the victim to a website, the victim argued with him about the safety of this action but eventually entered a portion of their seed phrase.

A few hours later, the investor received CoinTracker alerts. Upon checking Ledger Live, the victim saw that $1.7 million had been drained in Bitcoin (BTC), ETH, GRT, MATIC, and DOT.

CoinTracker Breach Linked To New Phishing Scam?

Many community members speculated about the scam, wondering how the scammer obtained some of the victim’s information. 

Some believed the scheme was carried out by someone who knew the investor and their holdings.

However, Alex Miller, CEO of Hiro, suggested that the scam was linked to the CoinTracker security breach from 2022. The data breach compromised the information of over 1.5 million users who used the cryptocurrency portfolio and tax management platform.

If your info was in the Cointracker breach a few months ago make sure your Coinbase account is locked down.

Just got a call from Coinbase security that someone was trying to access my account, using info gleaned from that breach.

Specifically they were using the coinbase API…

— Alex Miller (@alexlmiller) July 7, 2024

Miller revealed that someone was trying to access his Coinbase account using information obtained during the CoinTracker breach.

Never enter any information into a site you have a bad feeling on – even if you never hit submit, the bad guys are capturing data as you enter it.

sounds like this user put in part of his seed phrase, which was enough to reduce the entropy and the bad guys brute force the rest. https://t.co/NMpeLcHmdv

— Alex Miller (@alexlmiller) July 8, 2024

The scammers seemingly used Coinbase’s API key, alongside other information, to verify that they were Miller. Nonetheless, the crypto exchange’s security team informed him of the ongoing login attempt.

An X user informed the community that scammers were able to “generate a (legitimate) support ticket + email” that could be used to “reference when calling you posing as Coinbase support.”

as of a few months ago they were also able to generate a (legitimate) support ticket + email which they could then reference when calling you posing as coinbase support which seems like a massive security flaw, not sure if they still allow ticket creation with just an email

— █̶̳̘͛̄̃͒̄̃͜█̴͇̱̅͒̅█̵̻̣̝͒̈̄̈͝͝█̴̞̜̻̝͍̂̽͜█̴̵̴̶̸̡̨̢̞̜ (@SHL0MS) July 8, 2024

Other users shared scam attempts they had received this month. Several investors reported receiving calls from alleged Coinbase representatives to confirm suspicious transactions or login activity.

Ultimately, Miller suggested users “make sure your Coinbase account is locked down” and “cycle your API keys if you have been using cointracker.”