Scammers Use Fake Coinbase and Gemini Emails to Phish Crypto Users

Scammers are targeting cryptocurrency users with phishing emails that pose as legitimate correspondence from the well-known exchanges Coinbase and Gemini. The goal of these messages is to trick users into creating new wallets with recovery phrases that the attackers have pre-generated and control.

Several user reports on social media platform X detailed the phishing campaign. The emails falsely claim that users have to switch to self-custodial wallets by April 1st because of recent legislative changes.

The emails contain seed phrases and instruct recipients to download authentic wallet software. Because the attackers already know those seed phrases, they would have total control over any money moved to the compromised wallets.

The Coinbase impersonation emails are designed to look authentic while setting victims up for theft. Screenshots posted on X show that the bogus communications assert that Coinbase is required to change its organizational structure because of a class-action lawsuit that claims the site offered securities that were not registered.

According to the phony email, “Coinbase will function as a registered broker, permitting purchases, but all assets must move to Coinbase Wallet,” creating a fictitious pretext for immediate action. After that, the notification instructs users to download the official Coinbase Wallet app.

The deception lies in the pre-generated recovery words that the email contains. Normally, the wallet software would generate these 12-word seed phrases safely and display them exclusively to the user.

By deceiving users into initializing wallets with recovery phrases controlled by the attacker, scammers obtain backdoor access to any money subsequently deposited.
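A mail-filter heuristic for the lure described above, as an added example that is not from the original article or from either exchange: it flags a message that both names a recovery or seed phrase and supplies a mnemonic-shaped run of words. The function names, the sample messages and the shape-only check are assumptions of this example.

```python
import re

# BIP-39 mnemonics have 12, 15, 18, 21 or 24 words; the emails above used 12.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
# English BIP-39 words are 3 to 8 lowercase ASCII letters.
WORD = re.compile(r"[a-z]{3,8}")
# List markers such as "1." or "12)" placed in front of each word.
MARKER = re.compile(r"\d{1,2}[.):]?")
# Wording the article reports for the phrase itself.
PHRASE_TERM = re.compile(r"\b(recovery|seed)\s+(phrase|words)\b", re.I)


def mnemonic_runs(body):
    """Return the length of every mnemonic-shaped word run in a mail body."""
    # Shape check only (assumption of this example): a production filter
    # would also look each word up in the BIP-39 English wordlist.
    runs, current = [], 0
    # A trailing sentinel token closes a run that reaches the end of the body.
    for token in body.replace(",", " ").split() + ["."]:
        if MARKER.fullmatch(token):
            continue  # numbering between words does not break a run
        if WORD.fullmatch(token):
            current += 1
            continue
        if current in MNEMONIC_LENGTHS:
            runs.append(current)
        current = 0
    return runs


def is_seed_phrase_lure(body):
    """Flag mail that both names a recovery phrase and supplies one."""
    return bool(PHRASE_TERM.search(body)) and bool(mnemonic_runs(body))


# Constructed samples, not text from a real message.
PHISH = """Due to a recent court ruling you must move to a self-custodial wallet by April 1.
Set up the wallet app with this recovery phrase:
1. abandon 2. ability 3. able 4. about 5. above 6. absent
7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident
"""
BENIGN = "Your monthly statement is ready. Never share your recovery phrase with anyone."

if __name__ == "__main__":
    for name, mail in (("phish", PHISH), ("benign", BENIGN)):
        print(name, mnemonic_runs(mail), is_seed_phrase_lure(mail))
```

Because the check is purely about shape, ordinary prose can occasionally produce a matching run, which is why the flag also requires the recovery-phrase wording.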

Because of the time pressure created by the email’s April 1 deadline, recipients may act rashly without first confirming the information through proper channels. Successful phishing efforts in a variety of industries frequently use this urgency technique.

The email presents the litigation as still pending, although the US Securities and Exchange Commission actually abandoned its complaint against Coinbase on February 27.

The phishing campaign has spread beyond Coinbase, and users of the cryptocurrency exchange Gemini are now being targeted using the same techniques.

Emails imitating official Gemini messages have been reported by several victims. By employing the same recovery phrase technique, they might have jeopardized consumers’ money.

These bogus emails use legal processes as an excuse for urgent wallet changes, just like the Coinbase version. According to the Gemini impersonator emails, a recent court ruling requires users to create fresh wallets.

Given that these scams make reference to recent resolutions of actual SEC actions against Gemini, their timing seems deliberate.

The Securities and Exchange Commission had been suing Gemini for allegedly offering unregistered securities through its Earn program. However, the agency opted to end this legal action on February 26.

The identical structure of both the Coinbase and Gemini phishing campaigns suggests they originate from the same group of attackers. These hackers have developed a template that can be easily adapted to target users of different exchanges.

The recovery phrase email scams that target customers of Coinbase and Gemini are part of a broader trend of increasingly technical attacks on cryptocurrency holders and industry leaders.

Phishing attacks continue to be the most significant security risk in the cryptocurrency field, according to the annual Web3 security report from blockchain security company CertiK. In 2024 alone, 296 events cost consumers $1 billion.

Founders of cryptocurrency projects have described a parallel campaign that uses phony Zoom calls as an attack vector in addition to the exchange impersonation emails.

Scammers initially approach founders with collaboration prospects in order to launch Zoom-based attacks. Once a video call begins, the attackers offer a link to a purportedly new call while claiming to have audio problems.

But when the victim clicks on this link, malware is installed on their device, which could compromise private keys or other private data.
