Cryptocurrency users are facing phishing attempts as scammers circulate fraudulent emails disguised as official communications from leading exchanges Coinbase and Gemini.
These messages attempt to manipulate users into setting up new wallets with recovery phrases pre-generated and controlled by the attackers.
The phishing campaign, documented in multiple user reports on the social platform X, falsely claims that, due to recent legal developments, users must transition to self-custodial wallets by April 1.
The emails direct recipients to download legitimate wallet applications but supply the seed phrases themselves, which would give the attackers complete control over any funds transferred to the compromised wallets.
The Pattern of the Coinbase Impersonation Scam
The Coinbase impersonation emails follow a pattern designed to appear legitimate while setting up victims for theft.
According to screenshots shared on X, the fraudulent messages claim that Coinbase must modify its operating structure due to a class-action lawsuit alleging the platform sold unregistered securities.
“Coinbase will operate as a registered broker, allowing purchases, but all assets must move to Coinbase Wallet,” the counterfeit email states, creating a false premise for the urgent action required. The message then directs users to download the genuine Coinbase Wallet application.
The deception occurs when the email provides pre-generated recovery phrases. These 12-word seed phrases would normally be created securely by the wallet software itself and shown only to the user.
By tricking users into initializing wallets with attacker-controlled recovery phrases, scammers gain backdoor access to any funds later deposited.
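A mail-filter heuristic for the pattern described above, as an added example that is not part of the original article: it flags a message that mentions a recovery phrase and also contains a run of 12 or more mnemonic-shaped words. The function names and sample messages are constructed for illustration, and the check relies on word shape only; a production filter would match tokens against the BIP-39 English wordlist.

```python
import re

# Heuristic only: BIP-39 English mnemonic words are 3-8 lowercase letters.
# A production filter would check tokens against the 2048-word BIP-39 list.
WORD = re.compile(r"^[a-z]{3,8}$")
NUMBERING = re.compile(r"^\d{1,2}[.):]?$")   # "1.", "2)", "12:" list markers
CONTEXT = re.compile(r"\b(recovery|seed|secret|backup)\s+phrase\b|\bmnemonic\b", re.I)
MIN_WORDS = 12                                # shortest standard mnemonic length


def candidate_runs(text):
    """Yield runs of consecutive mnemonic-shaped tokens, skipping list numbering."""
    run = []
    for token in text.split():
        if NUMBERING.match(token):
            continue                          # numbering does not break a run
        if WORD.match(token.strip(",;")):
            run.append(token.strip(",;"))
        else:
            if run:
                yield run
            run = []
    if run:
        yield run


def flags_embedded_seed_phrase(body):
    """Return the suspicious word run if the mail ships a ready-made phrase, else None."""
    if not CONTEXT.search(body):
        return None
    for run in candidate_runs(body):
        if len(run) >= MIN_WORDS:
            return run
    return None


# Constructed sample messages (not real emails, not a real wallet phrase).
PHISH = """Due to a recent court decision, all assets must move to a self-custodial wallet by April 1.
Download the wallet app and import your new recovery phrase:
1. apple 2. river 3. stone 4. cloud 5. maple 6. tiger
7. ocean 8. candy 9. lemon 10. piano 11. robot 12. zebra
Complete the transfer before the deadline."""

BENIGN = """Security reminder: we will never send you a recovery phrase.
Your wallet app generates it on your device, and only you should see it."""

if __name__ == "__main__":
    print(flags_embedded_seed_phrase(PHISH))
    print(flags_embedded_seed_phrase(BENIGN))
```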
The email mentions an April 1 deadline, creating time pressure that may lead users to act hastily without verifying the information through official channels. This urgency tactic is a common element in successful phishing campaigns across various industries.
The email mentions ongoing legal action that in reality was dismissed by the US Securities and Exchange Commission on February 27, when the regulator dropped its lawsuit alleging Coinbase.
Similar Tactics Used in Gemini Exchange Phishing
The phishing campaign has expanded beyond Coinbase, with identical tactics being used against users of the Gemini cryptocurrency exchange.
Multiple victims have reported receiving emails that mimic official Gemini communications and use the same recovery phrase strategy to potentially compromise users’ funds.
Like the Coinbase variant, these fraudulent messages reference legal proceedings as justification for urgent wallet changes. The Gemini impersonation emails claim users need to set up new wallets because of a recent court decision.
The timing of these scams appears calculated, as they reference actual SEC actions against Gemini that were recently resolved.
The Securities and Exchange Commission had been suing Gemini for allegedly offering unregistered securities through its Earn program. However, the regulator opted to end this legal action on February 26.
The identical structure of both the Coinbase and Gemini phishing campaigns suggests they originate from the same group of attackers. These hackers have developed a template that can be easily adapted to target users of different exchanges.
Recent Trend of Crypto Attacks
The recovery phrase email scams targeting Coinbase and Gemini users are part of a larger pattern of increasingly technical attacks against cryptocurrency holders and industry figures.
According to blockchain security firm CertiK’s annual Web3 security report, phishing attacks remain the most significant security threat in the cryptocurrency space, having cost users $1 billion across 296 incidents in 2024 alone.
Beyond the exchange impersonation emails, crypto project founders have reported a parallel campaign using fake Zoom calls as an attack vector.
The Zoom-based attacks begin with scammers reaching out to founders with partnership opportunities.
Once a video call starts, the attackers claim to have audio issues and send a link to a supposedly new call.
However, clicking this link installs malware on the victim’s device, potentially compromising private keys or other sensitive information.