Scam/Phishing

Phishing attack impersonating Coinbase

Take action: If you receive an email claiming your account is restricted or locked (on whatever platform), never click links or open attachments in the email. Instead, open your browser, type the platform's website address yourself, log in and check your account status directly. If you want to talk to someone, call the support number published on that website, not the one in the email; a phone number in a phishing email is usually as fake as the link.



This is an active phishing campaign targeting Coinbase users. Coinbase is a popular cryptocurrency exchange and digital wallet platform that lets the general public buy, sell, store and trade cryptocurrencies such as Bitcoin and Ethereum.

The attack is designed to steal login credentials, 2FA codes, the victim's phone number, ID documents and biometric data (selfie photos). The attackers can use this for Coinbase account takeover and theft, or sell the stolen data to others for further account breaches and identity theft. The message is a carefully crafted, professional-looking HTML email.

The attack starts with an email that appears to come from Coinbase, with the subject line "Security Update: Your Account Information to Avoid Restrictions." The email was sent from a self-built mailing infrastructure (likely hosted on AWS) and relayed through multiple servers to obscure its origin.

Red Flags in the Email

  • The sender address makes no sense: info@schwedenbleche.de, while the display name claims to be Coinbase.
  • The email tries to create urgency by claiming the account is restricted and deposits/withdrawals are locked.
  • It uses threatening language about financial regulations to pressure victims.
  • The "Confirm your info" button leads to a suspicious URL: home.security.3-145-29-81.cprapid.com (not coinbase.com). Note that the hostname embeds a dashed, IP-address-style label and sits under a generic hosting domain, not the brand's own.
  • The link target is written with HTML character codes (numeric character references) so that the malicious URL is hidden from email scanners that only look at the raw HTML; a browser decodes it before following the link.
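The red flags above can be checked mechanically. The following script is an added example (it is not code from the original page or from Coinbase): it parses a constructed sample email that mimics the one described, decodes the entity-obfuscated href the way a browser would, compares the sender domain and every link's registrable domain against the brand's real domain, flags hostnames with dashed IP-style labels, and looks for urgency wording. The sample body text, the `BRAND_DOMAINS` set and the `URGENCY_WORDS` list are assumptions made for the example; only the sender address, subject line and link host are taken from the page.

```python
"""Triage checks for a brand-impersonation email (added example, not the page's own code)."""
import html
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: sender, subject and link host are the ones quoted on the
# page; the body text is made up for the example. The first href is written
# entirely as hex character references, as the real email did with its URL.
SAMPLE_EMAIL = """\
From: "Coinbase" <info@schwedenbleche.de>
To: victim@example.com
Subject: Security Update: Your Account Information to Avoid Restrictions
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your deposits and withdrawals are restricted until you confirm your information.</p>
<a href="&#x68;&#x74;&#x74;&#x70;&#x73;&#x3a;&#x2f;&#x2f;home.security.3-145-29-81.cprapid.com/verify">Confirm your info</a>
<a href="https://help.coinbase.com/">Help center</a>
</body></html>
"""

BRAND_DOMAINS = {"coinbase.com"}  # assumption: registrable domains the brand really sends from and links to
URGENCY_WORDS = ("restricted", "locked", "suspended", "avoid restrictions", "immediately")
DASHED_IP = re.compile(r"\d{1,3}(-\d{1,3}){3}")  # e.g. 3-145-29-81, an IP written with dashes
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (enough for .com/.de; not a full public-suffix lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def decode_href(raw: str) -> str:
    """Resolve &#NNN; / &#xHH; / named entities, which is what the browser does before
    following the link and what a scanner that only greps the raw HTML never sees."""
    return html.unescape(raw).strip()


def extract_links(html_body: str) -> list:
    """Return (raw_href, decoded_href, visible_text) for every anchor in the body."""
    return [(m.group(1), decode_href(m.group(1)), re.sub(r"<[^>]+>", "", m.group(2)).strip())
            for m in LINK_RE.finditer(html_body)]


def triage(raw_email: str, brand_domains=BRAND_DOMAINS) -> dict:
    """Apply the red-flag checks and return the findings as a dict."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""

    findings = []
    if sender_domain not in brand_domains:
        findings.append(f"sender domain {sender_domain!r} does not belong to the claimed brand")

    links = []
    for raw, decoded, text in extract_links(body):
        host = urlparse(decoded).hostname or ""
        link = {"text": text, "url": decoded, "host": host, "flags": []}
        if raw != decoded:
            link["flags"].append("href hidden behind HTML character references")
        if registrable_domain(host) not in brand_domains:
            link["flags"].append("link host is not on the brand's domain")
        if any(DASHED_IP.fullmatch(label) for label in host.split(".")):
            link["flags"].append("hostname embeds a dashed IP-style label")
        links.append(link)

    text_lower = (subject + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    urgency = [w for w in URGENCY_WORDS if w in text_lower]
    suspicious = bool(findings or urgency or any(l["flags"] for l in links))
    return {"sender_domain": sender_domain, "findings": findings, "links": links,
            "urgency": urgency, "verdict": "suspicious" if suspicious else "no red flags"}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print("verdict:", result["verdict"])
    for f in result["findings"]:
        print(" -", f)
    for link in result["links"]:
        print(f" - [{link['text']}] -> {link['host']}: {', '.join(link['flags']) or 'ok'}")
    print(" - urgency wording:", ", ".join(result["urgency"]) or "none")
```

The decode step is the important one: a filter that inspects `href` values without first unescaping them will see `&#x68;&#x74;...` and never match the attacker's host, while the user's browser follows the decoded URL. The domain comparison is deliberately done on the registrable domain, not on whether the string contains the brand name, because `coinbase.com.something.example` would otherwise pass.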

The scam website

The attackers have created an elaborate multi-step phishing website that clones the Coinbase login page design and emulates a step-by-step verification process to collect:

  • Email and password
  • Phone number
  • Email provider credentials (Gmail, Yahoo, Outlook, etc.)
  • 2FA verification codes
  • Identity documents (driver's license/ID card)
  • Selfie photos


At each step the website appears to use the collected data immediately: as soon as the victim submits something, the attackers try to log in to the real account with it, then come back to the victim with the next prompt (for example asking for the 2FA code the real login just triggered). Even when an attempt to use the data fails, the scam site simply continues with the next step to collect as much data as it can.

Between steps the site shows a fake "verification processing" screen, which buys the attackers time and keeps the victim from realizing they have been compromised.

Potential Impact

With this information, attackers can:

  1. Take over the victim's Coinbase account and drain cryptocurrency funds
  2. Access linked bank accounts or cards
  3. Commit identity theft using the collected documents
  4. Potentially access other accounts using the same credentials (mail, social media etc)
  5. Make scam phone calls to the victim to try other fraud techniques directly in a voice conversation, using details from the collected documents to appear legitimate.
  6. Sell all this data for profit to other criminals

How to protect yourself?

  1. ALWAYS be suspicious of unexpected messages.
  2. Don't rush; nothing is as urgent as the scammers want you to think.
  3. Don't get emotionally triggered or fear that you are missing out; those are basic techniques to make you take quick and potentially bad decisions.
  4. Check the sender email address: if it's not from the claimed company, it's a scam. (The reverse is not a guarantee: display names and even sender addresses can be spoofed, so a matching address alone does not prove a message is genuine.)
  5. Never click links, open attachments or call numbers in unexpected emails; go directly to the claimed company's website and verify any message using the official support contacts published there.