A large-scale Coinbase phishing attack masquerades as a mandatory wallet migration, deceiving recipients into creating a new wallet using a pre-generated recovery phrase controlled by attackers. The emails, titled “Migrate to Coinbase Wallet,” claim that all customers must switch to self-custodial wallets and include instructions for downloading the legitimate Coinbase Wallet. The phishing email states, “As of March 14th, Coinbase is transitioning to self-custodial wallets. Following a class action lawsuit alleging unregistered securities and unlicensed operations, the court has mandated that users manage their own wallets. Coinbase will operate as a registered broker, allowing purchases, but all assets must move to Coinbase Wallet. Your unique recovery phrase below is your Coinbase Identity. It grants access to your funds—write it down and store it securely. Import it into Coinbase Wallet by entering each word followed by a space.”
Although the email appears to come from Coinbase, it lists a reply address of noreply@akamai.com and originates from the IP address 167.89.33.244, a SendGrid IP that resolves via DNS to o1.soha.akamai.com. Sent directly through SendGrid and seemingly tied to Akamai’s account, the email passes SPF, DMARC, and DKIM security checks, allowing it to evade spam filters on many accounts. BleepingComputer reached out to Akamai regarding a potential compromise of one of their SendGrid accounts and received this response: “Akamai is aware of reports regarding a potential phishing scam targeting Coinbase users that involves an Akamai email domain. We take information security very seriously and are actively investigating the matter. Phishing scams remain a prevalent cyber threat, and we urge all users to exercise caution if they receive unsolicited emails, especially those requesting personal or account information. If you suspect that an email may be a phishing attempt, please treat it as such and avoid clicking any links or providing any sensitive information. We are working to address the situation and will continue to monitor and mitigate any related risks. In the meantime, we recommend heightened vigilance to help protect your personal information.”
This phishing campaign is particularly clever because it contains no phishing links—all links direct to Coinbase’s legitimate Wallet page. Instead, it provides a recovery phrase, described as necessary for setting up the new Coinbase Wallet. Recovery phrases, or “seeds,” are word sequences that serve as a human-readable form of a cryptocurrency wallet’s private key. Whoever possesses this phrase can import the wallet onto their device and access any cryptocurrency or NFTs it holds. Unlike typical crypto phishing scams that aim to steal a user’s recovery phrase, this one operates in reverse by supplying a phrase already known to the attacker. If a user sets up a wallet with this phrase and transfers funds into it, the attacker can then move those assets to another wallet under their control.
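One defender-side check the two paragraphs above suggest, added here as an example that is not from the article, Coinbase or Akamai: parse a message and flag it when the brand named in the display name or subject is not the domain that actually sent and authenticated the mail, and when the body hands the recipient a recovery phrase rather than asking for one. The sample headers are constructed (the addresses are the ones the article reports; the layout is hypothetical), and BRAND_DOMAINS, domain_of, passing_auth_domains and brand_mismatch are names chosen for this demo.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Brand keyword -> domains that brand legitimately sends from (assumed allowlist for this demo).
BRAND_DOMAINS = {"coinbase": {"coinbase.com"}}

# Constructed sample modelled on the article's campaign: the addresses are the ones it reports, the header layout is hypothetical.
SAMPLE_RAW = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=akamai.com;
 dkim=pass header.d=akamai.com; dmarc=pass header.from=akamai.com
From: "Coinbase" <noreply@akamai.com>
Reply-To: noreply@akamai.com
Subject: Migrate to Coinbase Wallet
Content-Type: text/plain; charset="us-ascii"

Your unique recovery phrase below is your Coinbase Identity.
"""
def domain_of(header_value):  # bare domain of the first address in a header ('' if none)
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def passing_auth_domains(auth_results):  # domains the receiving MX recorded as spf/dkim/dmarc=pass
    pat = r"(?:spf|dkim|dmarc)=pass[^;]*?(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)"
    return {d.lower() for d in re.findall(pat, str(auth_results))}

def brand_mismatch(raw):
    """Findings when a mail invokes a brand but was sent and authenticated by another domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, _ = parseaddr(str(msg.get("From", "")))
    visible = f"{display} {msg.get('Subject', '')}".lower()
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if brand not in visible:
            continue
        from_dom = domain_of(msg.get("From", ""))
        reply_dom = domain_of(msg.get("Reply-To", ""))
        auth = passing_auth_domains(msg.get("Authentication-Results", ""))
        if from_dom not in legit:
            findings.append(f"{brand}: From domain {from_dom} is not a {brand} domain")
        if reply_dom and reply_dom not in legit:
            findings.append(f"{brand}: Reply-To domain {reply_dom} is not a {brand} domain")
        if auth and not (auth & legit):  # passes, but for the wrong sender: the article's case
            findings.append(f"{brand}: SPF/DKIM/DMARC passed only for {sorted(auth)}")
        body = msg.get_body(preferencelist=("plain",))
        text = (body.get_content() if body else "").lower()
        if "recovery phrase" in text:  # the mail hands the user a seed instead of asking for one
            findings.append(f"{brand}: body supplies a recovery phrase")
    return findings
```

The point of the last two checks is that a passing SPF/DKIM/DMARC result only says the mail came from the domain it was signed for, so the comparison has to be between the authenticated domain and the brand the recipient sees.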
Coinbase has acknowledged the scam, directing BleepingComputer to a post on X stating, “Reminder: Beware of recovery phrase scams