A large-scale Coinbase phishing attack poses as a mandatory wallet migration, tricking recipients into setting up a new wallet with a pre-generated recovery phrase controlled by attackers. The emails have a subject of "Migrate to Coinbase Wallet" and state that all customers must transition to self-custodial wallets. "Following a class action lawsuit alleging unregistered securities and unlicensed operations, the court has mandated that users manage their own wallets," reads the Coinbase phishing email. The email also provides instructions on how to download the legitimate Coinbase Wallet.

What makes this phishing campaign stand out is that there are no phishing links present within the email, and all links go to Coinbase's legitimate Wallet page. Instead, the phishing email includes a recovery phrase, which the phishing email says should be used to set up your new Coinbase Wallet. "Your unique recovery phrase below is your Coinbase Identity."

Recovery phrases, also known as "seeds," are a series of words that function as a human-readable version of a cryptocurrency wallet's private key. Anyone who knows this recovery phrase can import the wallet onto their own devices, allowing them to steal any cryptocurrency and NFTs stored within it. This phishing email is very clever: instead of stealing your phrase, the attackers give you one that they already know and control. Once a user sets up a new wallet with that phrase and transfers funds into it, all of the assets become available to the threat actor, who can then transfer them to another wallet they control.

As the email appears to have been sent directly through SendGrid and what appears to be Akamai's account, it passes the SPF, DMARC, and DKIM email security checks, bypassing spam filters on many accounts. "Akamai is aware of reports regarding a potential phishing scam targeting Coinbase users that involves an Akamai email domain." "Phishing scams remain a prevalent cyber threat, and we urge all users to exercise caution if they receive unsolicited emails, especially those requesting personal or account information."

Coinbase is aware of the scam, pointing BleepingComputer to a post on X where they said they will never send recovery phrases to customers. "Reminder: Beware of recovery phrase scams," Coinbase posted on X. "We're aware of new phishing emails going around pretending to be Coinbase and Coinbase Wallet."

While the rule has always been to never share your recovery phrase with another person or a website, it should now be expanded to never use a recovery phrase shared with you via emails and websites, as they are likely used to steal your cryptocurrency.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 14 Mar 2025 22:40:12 +0000
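Because the lure described above passes SPF, DKIM and DMARC and links only to the legitimate Wallet page, sender-authentication and URL checks give a mail filter no signal; the embedded phrase itself is what it can key on. The following is an added example, not part of the original article: a Python heuristic that flags a message whose body mentions a recovery phrase and contains a run of 12 or more seed-like words. The sample message, its addresses and its 12 words are constructed, and the 3-8 letter word shape is an assumption taken from the BIP-39 English wordlist, which the article does not name.

```python
import re
from email import message_from_string

# Constructed sample (not the real lure); addresses and the 12 words are placeholders.
SAMPLE = """\
From: Coinbase <noreply@mail.example>
Subject: Migrate to Coinbase Wallet
Authentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

All customers must transition to self-custodial wallets.
Your unique recovery phrase below is your Coinbase Identity.

apple river stone cloud maple tiger ocean candle forest silver window garden

Download the wallet: https://www.coinbase.com/wallet
"""

# Assumption: seed words look like BIP-39 English words (3-8 lowercase letters).
WORD = re.compile(r"[a-z]{3,8}")
NUMBERING = re.compile(r"\d{1,2}[.)]?")   # "1." or "12)" between words
CUE = re.compile(r"recovery phrase|seed phrase", re.I)

def longest_word_run(body):
    """Longest run of consecutive seed-like tokens; list numbering is skipped."""
    best = run = 0
    for tok in body.split():
        if NUMBERING.fullmatch(tok):
            continue                      # numbering does not break a run
        run = run + 1 if WORD.fullmatch(tok) else 0
        best = max(best, run)
    return best

def triage(raw):
    """Return the signals a filter would log for one plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    auth = msg.get("Authentication-Results", "").lower()
    run = longest_word_run(body)
    return {
        # True here shows why authentication alone clears the message
        "auth_pass": all(f"{k}=pass" in auth for k in ("spf", "dkim", "dmarc")),
        "seed_run": run,
        # Heuristic: phrase wording plus 12 or more seed-like words in a row
        "flag": bool(CUE.search(body)) and run >= 12,
    }
```

A production rule would confirm each word against the actual BIP-39 wordlist before flagging, since this shape-only check can match ordinary unpunctuated text.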