A new large-scale phishing attack is targeting Coinbase users, luring them with a fake wallet migration email designed to steal their cryptocurrency. This sophisticated scam tricks recipients into setting up a new crypto wallet using a recovery phrase secretly controlled by hackers.
Deceptive Email Claims Mandatory Coinbase Wallet Migration
The phishing email, titled “Migrate to Coinbase Wallet”, falsely informs users that Coinbase is shifting all accounts to self-custodial wallets. The message further claims this transition is a result of a class-action lawsuit over unregistered securities and unlicensed operations.
“As of March 14th, Coinbase is transitioning to self-custodial wallets. Following a court order, users must now manage their wallets directly,” the phishing email reads.
The scammers state that Coinbase will continue operating as a registered broker but require all assets to be moved into the Coinbase Wallet. The email then provides a “unique recovery phrase”, urging users to import it to the Coinbase Wallet app and promising it acts as their new “Coinbase Identity.”
However, this recovery phrase is pre-generated and fully controlled by the attackers.
Phishing Emails Bypass Spam Filters with Valid Security Checks
One of the most alarming aspects of this scam is how well-crafted it is from a technical standpoint. The emails are sent from the address [email protected] using the IP 167.89.33.244, a legitimate SendGrid IP resolving to o1.soha.akamai.com.
Because the campaign appears to run through Akamai’s SendGrid account, it successfully passes SPF, DMARC, and DKIM security checks. This means the emails land directly in user inboxes, bypassing most spam filters.
In response to the incident, Akamai said, “Akamai is aware of reports about a potential phishing scam targeting Coinbase users involving our email domain. We take information security seriously and are actively investigating. We advise all users to stay cautious with unsolicited emails, especially those requesting sensitive information.”
What sets this phishing campaign apart is its clever psychological trick—there are no malicious links in the email. Instead, every link directs recipients to the legitimate Coinbase Wallet page, building trust.
The real danger lies in the recovery phrase provided in the email. Instead of stealing your recovery phrase, as most crypto scams do, this attack flips the script. Victims are handed a recovery phrase that is already under the attacker’s control.
Recovery phrases—also known as “seed phrases”—serve as the master key to cryptocurrency wallets. Anyone with access to this phrase can fully control the wallet and any funds inside.
Once users set up their Coinbase Wallet using the scammer’s recovery phrase and transfer their assets, hackers gain immediate access to those funds and can move them to their own wallets.
Coinbase Warns Users: Never Trust Recovery Phrases from Emails
Coinbase has acknowledged the scam, warning users through a post on X (formerly Twitter): “Reminder: Beware of recovery phrase scams. We’re aware of new phishing emails going around pretending to be Coinbase and Coinbase Wallet. We will never send you a recovery phrase, and you should never enter a recovery phrase given to you by someone else.”
The company emphasizes that recovery phrases are private and should never be shared—or accepted—from any third party, especially via email or websites.
What to Do If You Fell for This Scam
If you’ve fallen for this phishing attack but still have access to the wallet, act quickly. Immediately transfer your cryptocurrency out of the compromised wallet and back into a secure one that only you control.
Remember: in crypto, your recovery phrase is your ultimate safeguard. If someone else knows it, they own your assets.
Going forward, update your personal security rulebook: Never use a recovery phrase shared with you through email or websites. Scammers are increasingly sophisticated, and falling for traps like this could cost you dearly.
