A large-scale phishing attack targeting Coinbase users has emerged, and it’s sneakier than most. Unlike typical scams that create fake websites, this one directs victims to download the actual Coinbase Wallet app. Clever, right? Wrong.
The deceptive emails arrive with an urgent subject line: “Migrate to Coinbase Wallet.” They claim users must switch to self-custodial wallets due to some vague legal issues. Complete with Coinbase’s logo and professional formatting, these messages look legit at first glance. They even pass technical email security checks like SPF, DMARC, and DKIM. No wonder they’re slipping through spam filters.
Don’t be fooled by the professional appearance—these phishing emails are wolves in Coinbase clothing, slipping past your security safeguards with alarming ease.
But here’s the trap: the recovery phrase included in the email. It’s pre-generated and controlled by the attackers. Import that phrase into your new wallet, and you’ve basically handed over the keys to your crypto kingdom. Any funds you transfer? Gone. Your NFTs? Same story.
The scammers use SendGrid infrastructure with an IP address of 167.89.33.244. They’re sending from [email protected] rather than an actual Coinbase domain. Red flag city, folks.
Coinbase has acknowledged the scam through their social media channels. They're reminding everyone they NEVER send recovery phrases. Ever. Period. This is consistent with legitimate security practices: real Coinbase communications will never request your login credentials through email or any other channel.
What makes this attack particularly devious is the absence of suspicious links. Everything points to the legitimate Coinbase Wallet page. The scammers are betting on victims not realizing that importing someone else’s recovery phrase is basically creating a wallet that someone else controls.
The emails contain other tell-tale signs: grammatical errors, lack of personalization, and fake urgency. “Migrate now or lose access!” Yeah, sure. This scam is just one tactic in the arsenal that contributes to the over $300 million stolen annually from Coinbase customers through various impersonation schemes.
Real Coinbase communications don’t include threatening deadlines or mandatory account migrations. They don’t send recovery phrases. They use @coinbase.com email domains exclusively.
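For mail filtering, those two tells (a Coinbase-branded message from a non-coinbase.com sender, and a recovery phrase sitting in the body) can be checked even when SPF, DKIM and DMARC all pass. The sketch below is an added example, not code from Coinbase or from the campaign analysis. It assumes recovery phrases have the BIP-39 shape (12 to 24 lowercase words of 3 to 8 letters), and the function names, `example.net` sender and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "coinbase"
LEGIT_DOMAIN = "coinbase.com"            # the article: real mail uses @coinbase.com only
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}  # valid BIP-39 phrase lengths (assumed format)
WORD = re.compile(r"[a-z]{3,8}")         # shape of a BIP-39 English word

def is_seed_block(paragraph):
    """True if a paragraph is nothing but a seed-phrase-shaped word list."""
    toks = [re.sub(r"^\d+[.)]?", "", t) for t in paragraph.split()]
    toks = [t for t in toks if t]        # drop bare list numbers such as "1."
    return len(toks) in MNEMONIC_LENGTHS and all(WORD.fullmatch(t) for t in toks)

def triage(raw):
    """Return findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # SPF/DKIM/DMARC only vouch for the sending domain, so compare that
    # domain with the brand the message claims to speak for.
    claims_brand = BRAND in f"{name} {msg.get('Subject', '')}".lower()
    if claims_brand and domain != LEGIT_DOMAIN:
        findings.append("brand-domain-mismatch")
    # Assumption: text/plain parts with no transfer encoding.
    body = "\n\n".join(p.get_payload() for p in msg.walk()
                       if p.get_content_type() == "text/plain")
    if any(is_seed_block(p) for p in re.split(r"\n\s*\n", body)):
        findings.append("embedded-recovery-phrase")
    return findings

# Constructed samples: example.net stands in for the attacker's domain and the
# twelve words are placeholders, not a real mnemonic.
PHISH = """\
From: Coinbase <noreply@example.net>
Subject: Migrate to Coinbase Wallet
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass

You must move to a self-custodial wallet. Import this recovery phrase:

alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima
"""
BENIGN = """\
From: Coinbase <no-reply@coinbase.com>
Subject: Your Coinbase statement is ready

Your monthly statement is available in your account.
"""

if __name__ == "__main__":
    print(triage(PHISH), triage(BENIGN))
```

The word-shape test is a heuristic; matching tokens against the actual BIP-39 wordlist would cut false positives further.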
Cryptocurrency phishing remains a major threat. These scammers keep advancing their tactics, this time skipping the fake websites entirely and going straight for control of your wallet.