BLOCKAWAY

Phishing Scam Tricks Coinbase Users into Setting Up Hacker-Controlled Wallets

A new phishing scam targeting Coinbase users has emerged, tricking victims into setting up cryptocurrency wallets that are secretly controlled by cybercriminals. The sophisticated campaign relies not on malicious links or fake websites, but on a deceptive email that convinces users to migrate their funds into a wallet built with a pre-generated recovery phrase — one that is already known and controlled by the attackers.

According to cybersecurity researchers and an official warning issued by Coinbase, the phishing emails began circulating in mid-March. Disguised as legitimate communications from the exchange, the messages falsely claim that due to a recent legal decision tied to a class-action lawsuit, users must transfer their assets to a self-custodial wallet. The email goes on to provide instructions for downloading the official Coinbase Wallet app and setting up a new wallet using a recovery phrase included in the message.

However, the recovery phrase provided in the email is not generated randomly during wallet creation — as is standard practice — but has been pre-created and stored by the attackers. Once users follow the instructions and configure their wallets using the compromised seed phrase, they unknowingly hand over control of their funds. Any cryptocurrencies, NFTs, or tokens stored in these wallets become immediately accessible to the scammers, who can move the assets without the victims’ knowledge.

This phishing campaign is unique in that it uses links that direct users to legitimate sources — in this case, the official Coinbase Wallet app — avoiding one of the most common red flags associated with phishing attacks. Traditional scams often depend on fake websites to collect credentials or deceive users, but this campaign cleverly avoids those pitfalls by providing accurate and safe download links, further lulling victims into a false sense of security.

“This scam is highly deceptive because it bypasses typical phishing detection methods,” said Ava Rodriguez, a blockchain security analyst. “Instead of asking users to visit a fake website or input private data, it gives them the malware in the form of a ‘trusted’ recovery phrase.”

Coinbase has confirmed the existence of the scam and issued a statement warning users never to trust any recovery phrase sent via email or any other form of communication. The company reiterated that it will never send a recovery phrase to users and that any such message should be treated as suspicious and reported immediately.
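
Because the lure carries no malicious link, a mail filter has to key on the recovery phrase itself. The Python below is an added example, not code from Coinbase or the researchers cited; it assumes the phrase has the common BIP-39 shape (12 to 24 lowercase words of 3 to 8 letters), and the function names and sample messages are constructed for illustration.

```python
import re

# Assumption: phrase words look like BIP-39 English words (3-8 lowercase letters)
# and a phrase has at least 12 of them. The article does not name a standard.
MIN_WORDS = 12
WORD_RE = re.compile(r"[a-z]{3,8}")
LIST_MARKER_RE = re.compile(r"\d{1,2}[.):]?")  # "1." / "2)" numbering
CONTEXT_RE = re.compile(r"(recovery|seed|secret|backup)\s+phrase|mnemonic", re.I)

# Constructed sample messages (the 12 words are made up, not a real wallet phrase).
SAMPLE_LURE = """Due to a court ruling you must move to a self-custodial wallet.
Open the wallet app and import this recovery phrase:
1. maple 2. river 3. stone 4. cabin 5. lemon 6. orbit
7. piano 8. tiger 9. velvet 10. window 11. yellow 12. zebra
"""
SAMPLE_BENIGN = ("Your monthly statement is ready. "
                 "Sign in to the app to view recent activity and fees.")


def find_phrase_runs(body):
    """Return runs of >= MIN_WORDS consecutive tokens shaped like phrase words."""
    runs, current = [], []
    for token in body.split():
        if LIST_MARKER_RE.fullmatch(token):
            continue  # numbering between words does not break a run
        if WORD_RE.fullmatch(token):
            current.append(token)
            continue
        # Capitals, punctuation or very short words end the run, as in normal prose.
        if len(current) >= MIN_WORDS:
            runs.append(current)
        current = []
    if len(current) >= MIN_WORDS:
        runs.append(current)
    return runs


def classify(body):
    """Label a message body as 'block', 'review' or 'pass'."""
    if not find_phrase_runs(body):
        return "pass"
    # A phrase-shaped run plus wallet wording matches the lure described above.
    return "block" if CONTEXT_RE.search(body) else "review"


if __name__ == "__main__":
    for name, body in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, classify(body))
```

This is a shape heuristic only; checking each token against the wallet's actual word list would reduce false positives on unusual lowercase text.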

For users who may have fallen victim to this phishing attack, time is of the essence. Coinbase urges anyone who created a wallet using a pre-supplied recovery phrase to assume that their assets are compromised. If funds are still present in the wallet, they should be transferred immediately to a newly created wallet generated by the user alone using a secure and unique recovery phrase.

Though the full extent of the scam has not yet been confirmed, anecdotal reports suggest that multiple users have lost significant amounts of cryptocurrency. In many cases, the losses went unnoticed until users attempted to access their funds days later — only to discover their balances had been drained.

The incident is a stark reminder of the rapidly increasing sophistication of cryptocurrency-related cyberattacks. As the popularity of digital assets continues to rise, so does the interest of scammers seeking new and inventive ways to steal them. Phishing attacks have grown substantially in recent years, with reports showing a more than 150% increase in phishing incidents annually since 2019.

The nature of cryptocurrency — where transactions are irreversible and assets are directly controlled by private keys — makes phishing especially dangerous. Once funds are transferred to a hacker-controlled wallet, there is little to no recourse for recovery. That’s why educating users about safe wallet practices is becoming more critical than ever.

This latest phishing attempt capitalizes on the growing adoption of self-custodial wallets and the general push for decentralized finance solutions. By invoking a fictional legal ruling and referencing a class-action settlement, the attackers create a false sense of urgency and legitimacy. Victims are led to believe that failing to take immediate action will result in the loss of their assets, prompting them to follow the provided instructions without verifying the message’s authenticity.

Security experts recommend that users stay vigilant by adhering to a few key practices: never use a recovery phrase provided by another person or a third party; always generate recovery phrases directly from the wallet app itself; avoid acting on unsolicited emails related to wallet changes or legal notices; and enable two-factor authentication wherever possible. Additionally, keeping up with trusted sources of cybersecurity news and updates from wallet providers can help users stay ahead of emerging threats.

Coinbase has stated that it is collaborating with cybersecurity firms to track the perpetrators behind this phishing campaign and investigate any related incidents. The company also reminded users that while crypto offers greater freedom and control, it also demands greater responsibility from users to safeguard their digital assets.

As phishing campaigns evolve, this attack underscores a new era of social engineering. Cybercriminals are no longer just trying to steal your password — they’re tricking users into building the very tools that allow hackers to walk away with their assets.

With more phishing schemes like this expected to surface, experts say that awareness, education, and constant vigilance remain the most effective tools in the fight against crypto theft.
