--- **INTRO:** Hey, this is Brett Miller contacting you from the Coinbase security team. Do I have the pleasure of speaking with [NAME] today? Alright, perfect. Please note that I am calling from a recorded line for quality assurance purposes. The reason for the call today, [NAME], is that we’ve noticed some suspicious activity involving your Coinbase account, associated with your email address [EMAIL]. I can see that a new device logged in from Richmond Virginia, as well as an attempted withdrawal from a flagged IP address. Just to confirm, was this you? Okay, that’s not good to hear. I also see an attempted email change and password reset for your Coinbase account, the email change being to a Mohammad25@gmail.com. Was that you? Got it. Well, [NAME], I see that your normal login location is from [LOCATION], and this new device is from Richmond, Virginia. This is definitely fraudulent activity. [SIR/MAM], in case this call gets disconnected, are you able to write down this ticket number for me? Perfect. Let me know when you're ready. The ticket number is 5292809. Please make sure not to share this ticket number with anyone else, as it is used by our support team to verify your identity. Of course, Coinbase will never ask for this ticket number via email. Perfect! For your safety, [NAME], we are able to place a 24-hour disable towards your Coinbase account. This will not only secure your account, but it will also revert any changes this person may have made. This includes unauthorized purchases, sells, send-outs, or account changes. Those would all go back to how you left it. I also see a support ticket was made on this Coinbase account, requesting an increase in daily purchase limits. This was submitted about 12 minutes ago. It's safe to assume that was not you, [NAME]? Alright, what I can do right now is mark this ticket as fraudulent and close it out for you. Please allow me a few moments. Additionally, for your safety, [SIR/MAM], since they gained unauthorized access to your Coinbase account, they may have also gained access to your payment methods. Would you like me to temporarily disable them, just so they aren't able to purchase anything. Okay, please give me a few more moment. --- **QUESTIONS TO ASK:** 1. Am I speaking with the primary account holder of the Coinbase account? 2. In case we get disconnected, the number on file ending in [LAST 4 OF PHONE #] would be the best way to reach you, correct? 3. Do you use your Coinbase account frequently, and do you remember the last time you signed in? --- **IF THEY SAY "I DON’T USE MY COINBASE ACCOUNT":** - "Okay, and do you happen to know the current amount invested in your Coinbase account?" (If they don’t know, have them go to their Coinbase app and check:) - "Okay, just so we're looking at the same numbers here, could you go to the Coinbase app and confirm your current balance?" (If they have little to no funds in Coinbase, proceed with the "seed" script on line ___.) [Go to coinbase.com/bytes and subscribe their email to the newsletter. Once done, say:] Okay, done. Also, for your safety, we've subscribed you to Coinbase Bytes. Coinbase Bytes is our free email alert system that notifies you about any crypto related database breaches and provides updates on the latest security features we have to offer. So we’ve sent you a confirmation welcoming you to Coinbase Bytes. Can you confirm you’ve received that? Thanks! This is also a great way to verify that you are speaking to us, as the confirmation email is sent from our official Coinbase email address, which you're able to verify on coinbase.com/help. Alright, please allow me a few moments to secure your account. [1 MIN] Alright! So [NAME], for the next 24 hours, I’ve initiated the disable of your Coinbase account that we discussed earlier. This means absolutely no one, including yourself, will be able to make any changes to your Coinbase account via the app or website as it is now in a high-security stage. However, since this person gained access to your personal information, I can generate a one-time login portal for you to reset your Coinbase password and secure your assets. This will be sent via email, so please give me a moment to get that to you.** Are you still with me, [NAME]? Thanks for your patience! The email was successfully sent from our end, so go ahead and refresh your inbox and navigate to that page. When you get to the secure access portal, please make sure you're not using a VPN. Once you're there, let me know what it shows on your screen. **[Tell dead/hostage Once You Send Panel Email / When They Are On Panel]** [NAME] Please make sure to choose a unique one that you don’t use on any other website, and make sure the password meets all the requirements. (if they ask: Needs to be at least 8 characters long, with 1 uppercase letter, 1 number, and 1 symbol). Okay, now your screen is showing all actions taken towards your account within the past hour, please approve all actions you've made, and deny any action that's unfamiliar. Now it will ask to confirm your activity and balance, please follow all prompts and let me know what your screen shows after. --- **DOWNLOADING CBW AND GETTING SEED:** Okay, moving on, we need to secure your funds. Right now, your Coinbase account is compromised, so we’ll temporarily transfer your funds from your Coinbase account to a Coinbase Wallet. So your account should have automatically created you a wallet Recovery Phrase? Do you see that on your end. Do you know what a Coinbase Wallet is, [SIR/MAM]? **IF NO:** A Coinbase Wallet is a very secure way to store your cryptocurrencies offline, making it impossible for a hacker to simply log in and send out your assets, which is what this person attempted to do. So go ahead and copy your Coinbase's Recovery Phrase. (go to line 81) **IF YES:** Great! Do you already have a Coinbase Wallet? (If not, line 81) **IF THEY ALREADY HAVE A CBW:** Okay, since you already have one, we can use that for convenience. Are there any assets in your current wallet? Okay, give me a moment to speak to my supervisor. [WAIT 30 SECONDS] Alright, with the 24-hour disable I added to your account, we’ll need to manually whitelist your Coinbase Wallet, before we're able to send out your assets to your wallet. Please allow me a few moments to send you an email regarding that. Okay, you should have received an email regarding your wallet. Have you gotten an email? Okay, navigate to that email and let me know what your screen says. Now, do you have an iOS or Android device? **IF iOS:** Okay, make your way to the Coinbase Wallet app icon. Once you're there, hold down the white circle icon until the option "Recover your wallet" appears. Click on that and follow the steps. Once you’re done, click “Copy” and make your way back to the whitelist page in your browser. Paste in your wallet’s phrase to have it whitelisted so we can send crypto freely to your wallet. **IF THEY ARE HESITANT TO PROVIDE THE SEED:** Since we placed your Coinbase account on a 24-hour disablement, you won’t be able to send out any cryptocurrencies unless the wallet is authorized in your account's allowlisting. Please whitelist your wallet so we can properly secure your funds. **IF THEY ARE STILL HESITANT ABOUT GIVING THE SEED:** You’re dealing with our automated system, and absolutely nobody has access to view any sensitive data you enter, including your wallet’s recovery phrase. [NAME], we need to do this as soon as possible, as this person has already attempted to withdraw your funds. **ONCE THEY PROVIDE IT:** Okay, please allow our automated systems a few moments to whitelist your seed phrase. **IF ANDROID:** Okay, go ahead and open up the Coinbase wallet app? Okay, make your way to settings, then click on recurity. And there you should see your wallet, it would even be "Wallet 1" or if you've named your wallet soemthing else, you will see that name. Click on that, and now you will be prompted with your recovery phrase, go on ahead and copy that, and then make your way back to the whitelist page in order to whitelist your wallet! **[IF THEY DONT HAVE A CBW]** **Okay, perfect! Now, [NAME], do you have an iOS or Android device?** Okay, go ahead and make your way to the [App Store/Play Store] app and download the Coinbase Wallet app. Let me know if you need help with that. Once you've downloaded the app, open it up and choose the "I Already Have a wallet" option at the bottom of your screen. Now paste the Recovery phrase you copied earlier. Now add a secure password, and follow the prompts and let me know once you're fully set up in your wallet. --- Alright, so we are going to remove the send restriction from your Coinbase account so that you can safely transfer your funds to your secure Coinbase Wallet. Please give me a few moments. --- **SENDING TO CBW:** Alright, [NAME], are you still with me? Thank you for your patience. , now go ahead and click on the 2 arrows at the bottom middle of your screen. This is the transfer button. Now click on “Receive.” and scroll down till you see the "Connect To Coinbase" Option, click on that, and what does your screen say. then press "Buy Or Transfer From Coinbase Using On-ramp" **[IF THEY HAVE STAKED ETH (ETH2)** Okay I understand. So unfortunately, the Coinbase vault doesnt support [COIN] coin, that is something we're thats in the works, but for now, we will need to convert the [COIN] to one is supported. So please make your way to the Coinbase App on your mobile device. Okay now click on the "Assets" button. This is the 2nd bottom bottom, it should show a pie chart. Okay perfect, now scroll down till you see your Staked Ethereum. Great, now scroll downa bit more till the "Unstake" option shows up. Proceed there, then click on the "Wrap ETH for cbETH" This way, we're able to secure your funds without waiting for the unstaking time and to avoid penelties for unstaking ETH. Now press "Continue", and wrap the max amount of Staked Ethereum you have. Perfect! Okay now we're going to make our way to your email [From here, make them re-go on panel aka "secoure account email" and send out the ETH.] **IF THEY HAVE AN UNSUPPORTED COIN [ADA, TRX, BCH, ETC, ICP, ATOM, XTZ, DOT, XLM, XRP]** Okay I understand. So unfortunately, the Coinbase Wallet doesnt support [COIN] coin, that is something we're thats in the works, but for now, we will need to convert the [COIN] to one is supported. So please make your way to the Coinbase App on your mobile device. Okay, now click on the blue "Buy & Sell" button at the bottom of your screen, then select the "Convert" option. Now we're going to be converting your [COIN] coin to ETH, so select [COIN], and make sure the coin you are transfering "TO" is Ethereum. Okay, click on max, and complete the exchange! Okay now we're going to make our way to your email [From here, make them re-go on panel aka "secoure account email" and send out the ETH.] Okay, now you may need to sign into your Coinbase account. And I'd like to note, after the 24 hour disable, your password will be up to date, but in the meantime, Please make sure to use your old password, Please let me know once you're signed in. **[IF THEY FORGOT PW:]** [SIR/MAM] We have placed that 24 hour disable towards your account, making it difficult for you to reset your password, so please make sure you are typing the password correctly, and you are trying the correct password. and let me know if you have any luck with that. **[IF THEY STILL DONT REMEMBER:]**Okay, so considering we have verifified your identity, I'm going to ask my supervisor if she's able to make an exception for you, to reset your password,Please give me a few moments to ask. [WAIT 30SEC] [you will need to go to coinbase.com/signin and send them pw reset] Okay [NAME] Thanks for patiently waiting. My supervisor approved the password reset, so one was automatically sent towards your email, [EMAIL]. Please let me know once you see it. Okay, go ahead and open up the email and reset your password. I do have to remind you to please make sure you're not using a VPN, and make sure you use the primary device you normally use. Also, when choosing a new password, it is imparitive you choose a unique one not used on any other websites, and that it follows all the criteria listed. [8 Charecters long, 1 uppercase letter, 1 number, 1 symbol IF THEY ASK] Okay perfect, now there should be a "Transfer from coinbase" tab? Do you see that option [NAME]? Okay proceed there. Now what would you say is your largest asset in your Coinbase account. Okay, so in this case we'd click on [COIN THEY MENTIONED], and click on the "Max" option. Now for your security, go ahead and input a 6 digit code either sent to your phone number, or if you have an authenticatior app linked, navigate and input the code displayed the app. Okay, once that's been sent out, please let me know! Perfect! Now do you have any other assets in your Coinbase you'd like to secure? **[IF THEY HAVE MORE ASSETS]** Okay, so we're going to be repeating the same steps used to send out the [COIN THEY SENT] So once again, make your way to the Coinbase Wallet. Okay, no go to the transfer button at the bottom of your screen. Go ahead and click "transfer from coinbase" and now send out the [OTHER ASSET] that you mentioned. Follow all the prompts you followed when you sent out the [FIRST ASSET]. once that's been sent out, please let me know! Perfect! Now do you have any other assets in your Coinbase you'd like to secure? **[IF THEY HAVE EVEN MORE ASSETS]** Okay, we're going to be repeating the process again, so make your way to the Coinbase Wallet and send out the next asset. **TO FIGURE OUT IF IT'S A 3-DAY DELAY OR A SECURITY REVIEW:** Okay, after you’ve sent out all of your funds, Go to the regular Coinbase app. Once you're there, clikc on the assets tab. Now scroll down and click on the [COIN] you just sent out. now scroll down a bit more to "Transactions." What is the status of that transaction? (Now it will either be “DELAYED” for 3 days or “PENDING” for 3 hours.) --- **IF 3-DAY DELAY:** Alright, for the security of your funds, an automatic 3-day delay was added to your send of [COIN]. In order to bypass this, we should have sent you an email. Have you received that? Okay, open it up. In order to comply with KYC standards, we’ll need the front and back of a government-issued ID, as well as a human verification check. Everything you need is linked in that email and can be done securely through our app. Please navigate to that page and follow the necessary prompts. If you need any help, don’t hesitate to ask me. --- **IF MANUAL REVIEW:** Alright, for the security of your funds, a manual review has been applied to your send of [COIN]. We take extra precautions when customers are sending cryptocurrencies to external wallets. An account specialist will review the transaction and confirm whether it's fraudulent or not. This process usually takes between 5 to 20 minutes, but for more complex account histories like yours, it may take longer. Please stay on the line while I update you once the review is complete. --- Once the manual review or 3-day delay has passed, repeat the steps of copying a Coinbase Wallet address and sending to that address via the Coinbase app. You only need to do one $50 test transaction—once that’s done, you won’t need to repeat it. --- **ALWAYS ASK FOR ANOTHER SEED AND SAY THIS AT THE END OF EVERY SE:** Okay, [NAME], please allow me a few moments to run some diagnostic scans on your account. [WAIT 1 MIN] Your Coinbase account seems fine, but our systems are indicating that there’s an external wallet connected to your Coinbase account. I don’t have the specifics of this wallet, but do you have any external wallets like a Ledger, Metamask, or Trezor wallet? --- **SAY THIS ONLY IF THEY HAVE A LEDGER, IF THEY DON’T THEN DON’T SAY IT:** We see that there may have been a breach from a third-party wallet, specifically the Ledger. Sensitive information from Ledger was leaked about 4 months ago, and people have been using this information to gain access to crypto exchanges, which has resulted in an uptick in fraudulent activity. Alright, perfect. For your security, we can remove your external wallet from your Coinbase account. If the hacker gained access to your Coinbase account, they might also have been able to access this external wallet. Of course, you can add it back at any time. I’ll send you an email to initiate that process, so give me a few moments. **If they ask why they have to put in their seed:** If someone gains access to your account again, they could withdraw funds from your external wallet. I highly recommend removing this external wallet from your Coinbase account, as it looks like this person tried to withdraw some cryptocurrencies. --- **VERIFYING COINBASE CALL:** If you want to verify this is the correct call and confirm you’re speaking with a Coinbase representative, I can send you an email from our official support line. Please give me a moment to do that for you. (Once they get the email): Alright, with that email we sent, you can confirm you’re speaking with a Coinbase representative, as it’s coming from one of our official support lines. You can verify this on our official website. Additionally, we’ve included the ticket number in that email, and I’ve signed it with my name for your reference. --