Coinbase Got Hacked. Do This Now.

May 28, 2025

Chris Campbell

A guy named Dave once lost $87,000 in crypto because he clicked the wrong link.

That’s how most of these stories start—not with a hack, but with misguided trust.

A well-crafted email. A fake sense of urgency. A familiar logo and a message that says, “Click here to secure your funds.”

Dave clicked it. Because why wouldn’t he?

The site looked identical to the real one. He logged in, and boom. Money gone.

Hundreds of Australians were recently targeted by text messages impersonating Binance. Same trick: “Account compromised. Move your funds here.” But “here” was a scam wallet.

The recent Coinbase breach is concerning, but not new. Hackers didn’t break in—they paid off insiders.

And, unfortunately, this is more common than most think. It happens to phone carriers more than anyone realizes.

Someone who works there will get bribed, then swap a SIM card to the attacker’s phone.

Then? He can unlock every account connected to that number by text verification.

With Coinbase, it’s concerning because it’s crypto.

And the hackers got names, addresses, emails, phone numbers, Social Security digits, government IDs, account balances—even home addresses.

These aren’t smash-and-grab hackers.

These are social engineers.

They roleplay. They tag-team. They don’t break in—they wait for you to open the door. So let’s go over basic security tips to keep from ending up crypto roadkill.

1. Trust the App. Not the Inbox.

If you get an email, text, or call saying “your Coinbase is at risk”… Don’t click. Don’t reply. Don’t even blink.

2. Seed Phrase = Sacred Scroll

If you’re taking custody of your assets, the seed phrase is the sacred scroll.

If anyone—anyone—asks for your seed phrase, it’s a scam. Not Coinbase. Not MetaMask.

Don’t give it to anyone.

3. Never Let Someone “Help” You Set Up a Wallet

This is the new trick. They pretend to save you. Walk you through creating a new wallet. Even give you the seed phrase.

Guess what? They just gave you their wallet—and you filled it for them.

4. Use a Burner Email. Or Three.

Hackers love reused emails. Spin up a fresh one for Coinbase. Password manager. Random logins.

Your digital hygiene should look like you’re in witness protection.

5. 2FA or You Already Lost

Use Yubikey when you can. If you can’t? Use Google Authenticator or Authy. Not SMS (text-based).

SIM swapping is real. And brutal.

If you’re not using 2FA, it’s like walking around with a “Mug Me” sign taped to your back.

6. Bookmark the Real Websites

Phishing sites are shockingly good. They look real. They feel real. Until you’ve already lost.

Bookmark the official site: https://www.coinbase.com

Only use that.

7. Urgency Is the Red Flag

If something screams “act NOW!”—that’s your cue to stop and take a breath.

Scammers thrive on adrenaline and fear. Slow kills their whole business model.

Here’s What to Do Now:

Assume your data’s already out there.

Even if you didn’t get a message yet, check for emails from no-reply@info.coinbase.com sent around May 15th at 7:20 a.m. ET. Spam folder too.

Coinbase reportedly notified affected users via this sender and timestamp. If you received this email (or it landed in spam), it’s a strong sign that you’re in the 1% of users whose data was compromised.
Enable withdrawal allow-listing.

This feature delays any change to your withdrawal address. Gives you time to notice if someone tries to hijack your funds.

To enable it in your Coinbase account, go to Settings > Security, turn on “Withdrawal Whitelisting,” and add your trusted wallet address. If someone tries to change or add a new address, withdrawals are blocked or delayed—giving you time to react.

Something not right? Lock down your account.

If you suspect suspicious activity, go to your Coinbase Security Settings and immediately disable trading or lock your account (you may see a “Lock My Account” option under “Help”). Then, change your password and revoke any connected devices or API keys.

Finally, email security@coinbase.com with your account details and what happened—they’ll guide the next steps.
Never trust the call. Ever.

Coinbase doesn’t call. Neither does your wallet. If someone says they’re from Coinbase and wants you to “verify” something, hang up.
Get dark web alerts.

One website, Aura (www.aura.com), works by constantly scanning the dark web, data breach forums, and hacker marketplaces for your personal information—like your email, SSN, passwords, or bank details.

If it finds a match, it sends you a real-time alert so you can take immediate action (like changing a password or freezing your credit). It also includes extras like a VPN, antivirus, and identity theft insurance to help protect you before and after something goes wrong.

Get Yubikeys

YubiKeys are one of the most powerful tools you can use to protect your online accounts—especially crypto.

Unlike 2FA codes sent to your phone (which can be hacked via SIM swap), a YubiKey is a physical device that plugs into your computer or phone and verifies it’s really you logging in. Even if a hacker knows your password, they can’t get in without your key.

No code to steal. No app to spoof. Just you and your key. It works with Coinbase, Gmail, Twitter, and most major crypto wallets. Think of it like a house key for your digital life—if you’re serious about security, it’s non-negotiable.

Get comfortable with self-custody.

“Cold” wallets, also known as hardware wallets, are still the gold standard of security for taking custody of your assets. Why? Because your private keys (the keys that unlock your wallet) are generated offline.

BUT… you have to be smart.

The biggest mistake I’ve seen people make? They buy hardware wallets from third-party vendors like Amazon. These are impossible to vet properly and could include backdoors that allow hackers to steal your crypto.

Always buy directly from the manufacturers. Although I’m testing a few new wallets, my favorites are still Trezor and Ledger (in that order).