A cybersecurity expert with ten years' experience almost fell for it: the latest phishing attack is spreading

Foresight News
When these 10 warning signs appear, you may have been targeted by hackers.

Original author: Christoper Rosa

Original translation: AididiaoJP, Foresight News

Even this cybersecurity expert almost got caught

Over the weekend, news broke that a massive dataset of 16 billion user identities, combining past breaches with newly stolen login data, had begun circulating online. It is unclear who updated the dataset and republished it. While much of it is a rehash of earlier breaches, the fact that it was refreshed is disturbing. The dataset is considered one of the largest single collections of compromised accounts ever.

Hackers are using this data to carry out various attacks, and I became one of their targets.

The phishing attack on my personal devices and accounts on June 19th was the most sophisticated I have encountered in my decade-long cybersecurity career. The attackers first created the illusion that my accounts were under attack on multiple platforms, then posed as Coinbase employees offering to help. They combined classic social engineering with coordinated activity across text messages, phone calls, and fake emails, all designed to create a false sense of urgency, credibility, and scale. The apparent reach and authority of this staged attack were key to its deceptiveness.

Below I detail the attack step by step, the red flags I noticed along the way, and the protective measures I took. I also share key lessons and practical suggestions to help crypto investors stay safe in an ever-escalating threat environment.

Historical data and recently leaked data can be used by hackers to carry out highly targeted multi-channel attacks. This once again confirms the importance of layered security protection, clear user communication mechanisms, and real-time response strategies. Both institutions and individual users can gain practical tools from this case, including verification protocols, domain name identification habits, and response steps, which can help prevent momentary negligence from turning into major security vulnerabilities.

SIM hijacking

The attack began around 3:15 p.m. ET on Thursday with a text message from an unknown number saying someone was trying to trick mobile carriers into transferring my phone number to someone else, a tactic known as SIM swapping.


Note that this message did not come from an SMS short code but from a regular 10-digit phone number. Legitimate businesses use short codes to send SMS messages. If you receive a text from an unknown standard-length number claiming to be from a business, it is most likely a scam or phishing attempt.

The messages also contained contradictions: The first text message indicated the breach originated in the San Francisco Bay Area, while a subsequent message said it occurred in Amsterdam.

SIM swapping is extremely dangerous if successful, because the attacker then receives the one-time verification codes that most companies use to reset passwords or grant account access. However, this was not a real SIM swap; the hackers were laying the groundwork for a more sophisticated scam.

One-time verification code and password reset

The attack then escalated, and I began to receive one-time verification codes purportedly from Venmo and PayPal, sent via SMS and WhatsApp. This led me to believe that someone was trying to log into my accounts on various financial platforms. Unlike the suspicious carrier messages, these verification codes did come from short codes that looked legitimate.


Coinbase Phishing Call

About five minutes after receiving the text messages, I received a call from a California number. The caller, who called himself Mason, spoke with a flawless American accent and claimed to be from the Coinbase investigation team. He said that in the past 30 minutes there had been more than 30 attempts to reset my password and break into my account through the Coinbase chat window. According to Mason, the so-called attacker had passed the first level of security verification for a password reset but failed at the second level of authentication.

He told me that the other party had been able to provide the last four digits of my ID number, my full driver's license number, home address and full name, but had failed to provide the full ID number or the last four digits of the bank card associated with the Coinbase account. Mason explained that it was this contradiction that had triggered an alarm on the Coinbase security team, prompting them to contact me to verify what was happening.

Official exchanges like Coinbase will never proactively call users unless you initiate a service request through the official website. To learn more about exchange customer service rules, please read this Coinbase document.

Security Check

After delivering the bad news, Mason proposed to protect my account by blocking additional attack channels. He started with API connections and associated wallets, claiming that they would be revoked to reduce risk. He listed multiple connections, including Bitstamp, TradingView, MetaMask wallets and others, some of which I didn't recognize, but I assumed I might have set them up and forgotten.

At this point my guard had been lowered, and I even felt reassured by Coinbase's active protection.

So far, Mason had not asked for any personal information, wallet addresses, two-factor verification codes or one-time passwords, which are the usual requests from phishers. The entire interaction appeared to be purely about security and prevention.

Hidden pressure tactics

Then came the first attempt at pressure, by creating a sense of urgency and vulnerability. After completing the so-called security check, Mason claimed that my account protection for the Coinbase One subscription service had been terminated because my account had been flagged as high risk. This meant that my Coinbase wallet assets were no longer covered by FDIC insurance, and I would not be able to receive any compensation if the attacker successfully stole the funds.

In retrospect, this argument should have been a glaring flaw. Unlike bank deposits, crypto assets are never protected by FDIC insurance, and while Coinbase may hold customer dollars at FDIC-insured banks, the exchange itself is not an insured institution.

Mason also warned that the 24-hour countdown had begun and overdue accounts would be locked. Unlocking would require a complicated and lengthy process. Even more frightening, he claimed that if an attacker obtained my full social security number during this period, they could even steal funds from the frozen account.

Later, I consulted the real Coinbase customer service team and learned that locking the account is the security measure they recommend. The unlocking process is actually simple and safe: provide a photo of your ID and a selfie, and the exchange will verify your identity and quickly restore access.

I then received two emails. The first was a Coinbase Bytes newsletter subscription confirmation, a normal email triggered by the attacker submitting my email address through the form on the official website. This was obviously an attempt to cloud my judgment with a genuine Coinbase email and so enhance the credibility of the scam.

The second, more disturbing email came from no-reply@info.coinbase.com, stating that my Coinbase One account protection had been removed. This email, which appeared to come from the legitimate Coinbase domain, was extremely deceptive: it would have been easy to spot had it come from a suspicious domain, but it looked authentic because it appeared to come from an official address.


Suggested Remediation

Mason then suggested transferring my assets to a multi-signature wallet called Coinbase Vault for security. He even asked me to Google “Coinbase Vault” to check the official documentation to prove that this is a legitimate service that Coinbase has provided for many years.

I said I was reluctant to make such a major change without fully investigating. He understood and encouraged me to research carefully, and supported me to contact the carrier first to prevent SIM swapping. He said he would call me back in 30 minutes to continue the next steps. After hanging up, I immediately received a text message confirming the call and appointment.


Callbacks with Coinbase Vault

After confirming that there was no SIM transfer attempt from the carrier, I immediately changed all the account passwords. Mason called back as scheduled and we started discussing the next steps.

By this point I had verified that Coinbase Vault is indeed a real service provided by Coinbase. It is a custody solution with enhanced security through multi-signature authorization and 24-hour delayed withdrawals, but it is not a true self-custodial cold wallet.

Mason then sent me a link to vault-coinbase.com, claiming that there I could review the security settings discussed in the first call. Once the review was complete, the assets could be transferred to the Vault. This is where my cybersecurity training finally kicked in.

After entering the case number he provided, the page that opened showed the supposedly removed API connections and a Create Coinbase Vault button. I immediately checked the website's SSL certificate and found that this domain, which had only been registered for a month, had nothing to do with Coinbase. Although SSL certificates can often create a false sense of legitimacy, genuine corporate certificates have clear ownership, and this discovery made me stop immediately.

Coinbase has made it clear that it will never use unofficial domain names. Even if a third-party service is used, it would be a subdomain such as vault.coinbase.com. Any operations involving exchange accounts should be performed through the official app or website.

I expressed my concerns to Mason and stressed that I would only act through the official app. He argued that going through the app would cause a 48-hour delay, while the account would be locked after 24 hours. I once again refused to make a hasty decision, so he said that the case would be escalated to the Level 3 Support Team to try to restore my Coinbase One protection.

After hanging up the phone, I continued to verify the security of other accounts, and my feeling of uneasiness grew stronger.

Incoming calls from the Tier 3 Support Team

About half an hour later, a Texas number called. Another person with an American accent claimed to be a Level 3 investigator processing my Coinbase One recovery application. He claimed that a 7-day review period was required, during which the account would remain uninsured. He also kindly suggested opening multiple Vaults for assets on different chains. He seemed professional, but he never mentioned specific assets, only vaguely referring to Ethereum, Bitcoin, and so on.

He mentioned that he would ask the legal department to send the chat records, and then began to promote Coinbase Vault. As an alternative, he recommended a third-party wallet called SafePal. Although SafePal is a legitimate hardware wallet, this was clearly groundwork to win my trust.

When I questioned the vault-coinbase.com domain again, the other party still tried to dispel my doubts. At this point, the attacker may have realized that it was difficult to succeed and finally gave up this phishing attack.

Contact Coinbase real customer service

After my second call with the fake customer service representative, I immediately submitted a support request through Coinbase.com. The real customer service representative quickly confirmed that there had been no unusual logins or password reset requests on my account.

He suggested locking the account immediately and collecting the details of the attack and submitting them to the investigation team. I provided all the fraudulent domain names, phone numbers, and attack vectors, and specifically asked about the sending permissions of no-reply@info.coinbase.com. The customer service acknowledged that this was very serious and promised that the security team would conduct a thorough investigation.

When contacting the customer service of an exchange or custodian, be sure to go through official channels. Legitimate companies will never proactively contact users.

Lessons Learned

Although I was lucky enough not to be deceived, as a former cybersecurity practitioner this near miss left me deeply uneasy. Without professional training, I might well have been fooled. Had it been just an ordinary unfamiliar call, I would have hung up straight away. It was the attackers' carefully designed chain of actions, creating a sense of urgency and authority, that made this phishing so dangerous.

I have summarized the following danger signs and protection suggestions, hoping to help crypto investors ensure the safety of their funds in the current network environment.

Red flags

Coordinated false alarms to create confusion and urgency

The attackers first created the illusion of a simultaneous attack on multiple platforms through a series of SIM swap alerts and one-time verification code requests from services such as Venmo and PayPal (sent both via SMS and WhatsApp). These messages were likely triggered with just my phone number and email address, which are easily accessible. At this stage, I don’t think the attackers had access to deeper account data.

Mixing short codes with regular phone numbers

The phishing messages were sent using a combination of SMS short codes and regular phone numbers. While businesses often use short codes for official communications, attackers can forge or recycle these short codes. It is important to note, however, that legitimate services will never use regular phone numbers to send security alerts. Messages from standard-length numbers should always be treated with skepticism.

Requests to operate through unofficial or unfamiliar domain names

The attacker asked me to visit a phishing site hosted on vault-coinbase.com, a domain that looks legitimate at first glance, but is actually not affiliated with Coinbase. Always double-check domain names and SSL certificates before entering any information. Operations involving sensitive accounts should only be performed on official company domains or applications.
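As an added example (not from the original article or from Coinbase), the Python triage helper below mechanizes the two red flags above and the domain rule from the narrative: it classifies an SMS sender as a short code or a standard-length number, checks whether a link's host is the official domain or a genuine subdomain of it (so vault.coinbase.com passes while vault-coinbase.com, coinbase.com@evil.example and coinbase.com.evil.example fail), and computes how young a site's certificate is. The official-domain list, the sample messages and the certificate dates are constructed assumptions; alphanumeric sender names are simply reported as "other".

```python
import re
import ssl
import time
from urllib.parse import urlsplit

# Assumption for this example: the only domain the user treats as official.
OFFICIAL_DOMAINS = ("coinbase.com",)


def sender_kind(sender: str) -> str:
    """US short codes are 5 or 6 digits; a standard number is 10 digits with an
    optional leading 1 and any punctuation; anything else is 'other'."""
    s = sender.strip()
    if re.fullmatch(r"\d{5,6}", s):
        return "short_code"
    digits = re.sub(r"\D", "", s)
    if re.fullmatch(r"[+\d()\s.-]+", s) and re.fullmatch(r"1?\d{10}", digits):
        return "standard_number"
    return "other"


def is_official_host(url: str, official=OFFICIAL_DOMAINS) -> bool:
    """True only for https URLs whose host is an official domain or a real subdomain.
    urlsplit() drops user-info, so https://coinbase.com@evil.example -> evil.example."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https" or not host:
        return False
    if host.startswith("xn--") or ".xn--" in host:
        return False  # punycode (homograph) hosts are never treated as official
    return any(host == d or host.endswith("." + d) for d in official)


def cert_age_days(cert: dict, now: float = None) -> float:
    """Age in days of a certificate dict as returned by ssl.getpeercert()."""
    now = time.time() if now is None else now
    return (now - ssl.cert_time_to_seconds(cert["notBefore"])) / 86400


def triage_sms(sender: str, text: str) -> list:
    """Return the red flags raised by one text message."""
    flags = []
    kind = sender_kind(sender)
    if kind != "short_code":
        flags.append(f"sender is not a short code ({kind})")
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        if not is_official_host(url):
            flags.append(f"link host is not official: {urlsplit(url).hostname}")
    return flags


if __name__ == "__main__":
    # Constructed messages modelled on the ones described in the article.
    samples = [
        ("89532", "Your Venmo code is 123456. Never share it."),
        ("+1 415 555 0100", "Coinbase Security: review case 4471 at https://vault-coinbase.com/case"),
        ("COINBASE", "Manage your vault at https://vault.coinbase.com/settings"),
    ]
    for sender, text in samples:
        print(f"{sender!r}: {triage_sms(sender, text) or 'no flags'}")
    # Constructed certificate dates: issued about 30 days before the 'now' used here.
    cert = {"notBefore": "May 20 00:00:00 2025 GMT"}
    print("certificate age in days:", round(cert_age_days(cert, now=1750363200), 1))
```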

Unsolicited calls and follow-up communications

Coinbase and most other financial institutions will never call you without initiating a support request. Getting a call from someone claiming to be from the “Level 3 Investigations Team” is a major red flag, especially when it’s paired with scare tactics and convoluted instructions for protecting your account.

Unsolicited emergency and consequence warnings

Phishing attackers often use fear and urgency to force victims to act without thinking. In this case, threats of account lockout, stolen assets, and insurance coverage cancellation are typical social engineering tactics.

Request to bypass official channels

Any advice to avoid using a company’s official app or website, especially when it claims to offer a “faster” or “safer” alternative, should immediately raise red flags. Attackers may provide links that appear legitimate but actually point to malicious domains.

Unverified case numbers or support tickets

Providing a case number to introduce a custom-built phishing portal creates a false sense of legitimacy. No legitimate service would ask users to verify their identity or take action through an external custom link with a case number.

Mixed true and false information

Attackers often mix real personal information (such as an email address or partial Social Security number) with vague or inaccurate details to enhance credibility. Any inconsistencies, or vague references to chains, wallets, or security reviews, should be viewed with suspicion.

Use real company names in alternative proposals

Introducing trusted names like SafePal (even if these companies are legitimate) could be a diversionary tactic that provides the appearance of choice and legitimacy while actually directing victims to malicious operations.

Overzealousness without verification

The attacker was patient, encouraged me to do my own research, and did not initially ask for sensitive information. This behavior mimicked a real customer service agent, making the scam appear professional. Any unsolicited help that seems too good to be true should be viewed with suspicion.

Proactive protection measures and recommendations

Enable transaction-level verification on exchanges

Enable two-factor authentication and captcha-based verification in your exchange settings. This ensures that any attempt to send or transfer funds must be confirmed in real time on a trusted device, preventing unauthorized transactions.

Always contact service providers through legitimate, verified channels

In this case, I contacted my mobile service provider and Coinbase by logging directly into the official platform and submitting a support ticket. This is the safest and only appropriate way to interact with customer service when your account security is compromised.

Exchange support will never ask you to move, access or protect your funds

They will not ask for or provide your wallet mnemonic phrase, ask for your two-factor verification code, or attempt to remotely access or install software on your device.

Consider using a multi-signature wallet or cold storage solution

Multi-signature wallets require multiple parties to approve a transaction, while cold wallets keep your private keys completely offline. Both methods are effective in protecting long-term holdings from remote phishing or malware attacks.

Bookmark official websites and avoid clicking on links from unsolicited messages

Manually entering the URL or using a trusted bookmark is the best way to avoid domain spoofing.

Use a password manager to identify suspicious sites and maintain strong passwords

Password managers help prevent phishing attempts by denying autofills on fake or unknown domains. Change your passwords regularly and immediately if you suspect a malicious attack.

Regularly review linked apps, API keys, and third-party integrations

Revoke access for any apps or services that you no longer use or don't recognize.

Enable real-time account alerts where available

Notifications of logins, withdrawals, or changes to security settings can provide critical early warning of unauthorized activity.

Report all suspicious activities to the service provider’s official support team

Early reporting helps prevent wider attacks and contributes to the overall security of the platform.

Conclusion

For financial institutions, IT security teams and executives, the attack highlights how historical data, when repurposed and combined with real-time social engineering, can enable hackers to bypass even the most sophisticated security defenses. Threat actors no longer rely solely on brute force attacks, but instead execute coordinated cross-channel strategies to gain trust and deceive users by mimicking legitimate workflows.

We must not only protect system and network security, but also identify threats and take action to protect ourselves. Whether working in a crypto agency or managing crypto assets at home, everyone must understand how personal security vulnerabilities can evolve into systemic risks.

To protect against these threats, organizations must layer defenses such as domain name monitoring, adaptive authentication, phishing-resistant multi-factor authentication, and clear communication protocols. It is also important that companies cultivate a culture of cybersecurity literacy so that every employee, from engineers to executives, understands their role in protecting the company. In today's environment, security is not only a technical function but also a responsibility shared by individuals and the entire organization.

Original article by Foresight News. For reprints, content collaboration, or reporting, please contact report@odaily.email; unauthorized reprinting will be pursued under the law.

