Daily News Update: Sunday, March 16, 2025 (Australia/Melbourne)

Coinbase Phishing Attack

A large-scale phishing campaign is targeting Coinbase users with emails disguised as official communications about a mandatory wallet migration. The emails claim that, due to a class action lawsuit, users must transition to self-custodial wallets, and they give instructions for downloading the legitimate Coinbase Wallet.

What makes this attack unique is that it doesn't use phishing links. Instead, the email provides a recovery phrase, instructing users to set up their new Coinbase Wallet using this phrase. This is a clever twist, as the attackers already control the wallet associated with the provided recovery phrase.

"Your unique recovery phrase below is your Coinbase Identity. It grants access to your funds—write it down and store it securely. Import it into Coinbase Wallet by entering each word followed by a spa"

Once a user transfers funds into the wallet created with the attacker's recovery phrase, the threat actors can then transfer the assets to their own wallet. The email appears legitimate, passing SPF, DMARC, and DKIM email security checks, which allows it to bypass many spam filters. The email claims to be from Coinbase but has a reply address of noreply[at]akamai[.]com and is sent from the IP address 167[.]89[.]33[.]244, a SendGrid IP address that resolves via DNS to o1[.]soha[.]akamai[.]com.
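A mail-filter check for the two signals described above, written as an added example and not taken from the article or from Coinbase: a brand display name on a sender domain that is not the brand's (even though authentication passes), and a recovery phrase supplied in the body. The `BRAND_DOMAINS` allow-list, the finding names and the sample message (placeholder domain `mailer.example`, made-up phrase) are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "coinbase"
BRAND_DOMAINS = {"coinbase.com"}  # assumption: domains the brand really sends from

# Constructed sample: placeholder sender domain and a made-up 12-word phrase.
SAMPLE = """\
From: Coinbase <noreply@mailer.example>
Authentication-Results: mx.example; spf=pass; dkim=pass header.d=mailer.example; dmarc=pass
Subject: Migrate to Coinbase Wallet
Content-Type: text/plain

Your unique recovery phrase below is your Coinbase Identity.

alpha bravo cedar delta ember flint
grove haven ivory jolly kites lemon

Import it into Coinbase Wallet.
"""

def text_body(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain")

def has_supplied_phrase(body):
    # Heuristic: a paragraph made only of 12 or 24 lowercase words of 3-8
    # letters (the shape of a BIP-39 mnemonic), in a mail that talks about one.
    if not re.search(r"(recovery|seed) phrase", body, re.I):
        return False
    for para in re.split(r"\n\s*\n", body):
        words = para.split()
        if len(words) in (12, 24) and all(re.fullmatch(r"[a-z]{3,8}", w) for w in words):
            return True
    return False

def assess(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    on_brand = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)
    findings = []
    if BRAND in display.lower() and not on_brand:
        findings.append("brand-name-on-foreign-domain")
        # SPF/DKIM/DMARC pass only vouches for the sending domain, not the brand.
        if "dmarc=pass" in msg.get("Authentication-Results", "").lower():
            findings.append("auth-pass-for-foreign-domain")
    if has_supplied_phrase(text_body(msg)):
        findings.append("recovery-phrase-in-body")
    return findings
```

Because the message authenticates cleanly for its own sending domain, the useful signal is the mismatch between the claimed brand and that domain, combined with the body content; neither a link scanner nor an authentication check alone would flag it.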

Akamai is investigating the potential compromise of one of their SendGrid accounts.

"Akamai is aware of reports regarding a potential phishing scam targeting Coinbase users that involves an Akamai email domain. We take information security very seriously and are actively investigating the matter,"

Coinbase has issued a warning on X, stating that they will never send recovery phrases and advising users not to use phrases provided by others.

Bleeping Computer | "Coinbase phishing email tricks users with fake wallet migration"