A sophisticated phishing campaign is targeting Coinbase users, luring them into transferring their funds to a fraudulent self-custodial wallet. The scheme, disguised as a mandatory wallet migration, exploits users’ trust by providing a pre-generated recovery phrase controlled by the attackers.
Fraudulent Emails Masquerade as Official Coinbase Notices
Coinbase customers are receiving deceptive emails with the subject line “Migrate to Coinbase Wallet,” urging them to transition to self-custodial wallets. The message falsely claims that a class action lawsuit has forced Coinbase to require users to manage their own wallets.
The phishing email includes a fabricated announcement:
“As of March 14th, Coinbase is transitioning to self-custodial wallets. Following a class action lawsuit alleging unregistered securities and unlicensed operations, the court has mandated that users manage their own wallets.”
It also falsely asserts that Coinbase will operate as a registered broker, allowing users to make purchases but requiring all assets to be moved to Coinbase Wallet. The message then provides a pre-generated recovery phrase, instructing users to import it into Coinbase Wallet.
Phishing Emails Bypass Security Filters
Unlike traditional phishing attacks that include malicious links, this campaign cleverly avoids common red flags. All the links in the email direct users to Coinbase’s legitimate Wallet page, making it appear credible.
A key detail that exposes the fraud is the sender address: noreply@akamai.com. The email is also being sent from the IP address 167.89.33.244, a SendGrid IP that resolves to o1.soha.akamai.com.
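Despite these red flags, the email successfully passes SPF, DMARC, and DKIM security checks, allowing it to bypass many spam filters. Those checks only confirm that the message was authorized by the sending domain, here akamai.com, not that it came from Coinbase. This makes the phishing attempt more deceptive, increasing the likelihood that unsuspecting users will fall for it.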
Akamai Responds to Potential Email Exploit
Security researchers at BleepingComputer reached out to Akamai to investigate whether one of their SendGrid accounts had been compromised. Akamai responded with the following statement:
“Akamai is aware of reports regarding a potential phishing scam targeting Coinbase users that involves an Akamai email domain. We take information security very seriously and are actively investigating the matter.”
Akamai warned users to remain cautious about unsolicited emails requesting sensitive information. They urged users to report suspicious messages and avoid clicking on links or entering personal data.
A Clever Twist on Crypto Theft
What sets this phishing campaign apart is its method. Instead of tricking users into revealing their own recovery phrases, the attackers provide one themselves.
- The email instructs users to set up a new Coinbase Wallet using a pre-generated recovery phrase.
- This phrase is already controlled by the attackers, meaning they have full access to the wallet.
- If users follow the instructions and transfer funds to the wallet, the attackers can immediately steal the assets.
By flipping the traditional phishing approach, this campaign avoids some of the usual security warnings and makes users feel like they are following legitimate instructions.
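The two tells described above, a Coinbase-branded message sent from akamai.com that still passes SPF, DKIM and DMARC, and a recovery phrase embedded in the body, can both be checked at the mail gateway. The Python below is an added example, not code from Coinbase, Akamai or the original report; the brand-domain list, the sample messages, the `mx.example.net` host and the 12-word heuristic are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains the impersonated brand really sends mail from.
BRAND_DOMAINS = ("coinbase.com",)
BRAND_RE = re.compile(r"\bcoinbase\b", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
# Heuristic: 12+ consecutive lowercase words of 3-8 letters, the shape of a
# wallet recovery phrase. Ordinary prose rarely produces such a run.
PHRASE_RE = re.compile(r"\b(?:[a-z]{3,8}\s+){11}[a-z]{3,8}\b")

def assess(raw: str) -> dict:
    # Assumes a single-part plain-text message, so get_payload() is a str.
    msg = message_from_string(raw)
    sender = msg.get("From", "")
    from_domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    # Only trust an Authentication-Results header stamped by your own MTA.
    auth = dict(AUTH_RE.findall(msg.get("Authentication-Results", "").lower()))
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    body = msg.get_payload()
    aligned = from_domain in BRAND_DOMAINS or from_domain.endswith(
        tuple("." + d for d in BRAND_DOMAINS))
    findings = []
    # SPF/DKIM/DMARC vouch for the sending domain only, so the brand check
    # runs regardless of whether authentication passed.
    if BRAND_RE.search(f"{sender} {msg.get('Subject', '')} {body}") and not aligned:
        findings.append("brand-domain-mismatch")
    if PHRASE_RE.search(body):
        findings.append("embedded-recovery-phrase")
    return {"from_domain": from_domain, "authenticated": authenticated,
            "findings": findings, "quarantine": bool(findings)}

# Constructed samples (not captured mail); the word list is made up.
PHISH = """\
From: Coinbase <noreply@akamai.com>
Subject: Migrate to Coinbase Wallet
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=akamai.com; dkim=pass header.d=akamai.com; dmarc=pass header.from=akamai.com

Import this recovery phrase into Coinbase Wallet:
apple river stone cloud maple tiger ocean lemon piano zebra candle harbor
"""
BENIGN = """\
From: Coinbase <no-reply@coinbase.com>
Subject: Your monthly statement
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass

Your statement for this month is ready. Sign in to view it.
"""
```

Both samples report `authenticated: True`; only the content and alignment checks separate them, which is why the verdict does not depend on the authentication result.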
Coinbase Warns Users to Stay Alert
Coinbase has acknowledged the scam and issued a warning via its official X (formerly Twitter) account:
“Reminder: Beware of recovery phrase scams. We’re aware of new phishing emails going around pretending to be Coinbase and Coinbase Wallet. We will never send you a recovery phrase, and you should never enter a recovery phrase given to you by someone else.”
For users who have already fallen for the scam but still have funds in the fraudulent wallet, immediate action is required. Transferring assets back to a secure wallet before the attackers access them is the only way to prevent total loss.
How to Protect Yourself from Similar Scams
Phishing attacks targeting cryptocurrency users are becoming increasingly sophisticated. Here are a few key ways to stay safe:
- Never use a recovery phrase provided via email or website. Legitimate wallet setups require users to generate their own phrase.
- Verify email senders. Coinbase will never send wallet recovery phrases via email. Always check the sender’s domain for inconsistencies.
- Use two-factor authentication (2FA). Adding an extra security layer can help prevent unauthorized access.
- Report suspicious emails. If you receive a fraudulent email, report it to Coinbase and your email provider.
This latest scam is a reminder that cryptocurrency users must remain vigilant. The golden rule has always been to never share your recovery phrase—but now, that rule must expand to never use one given to you either.