Malicious Actors Target Crypto Wallets of Coinbase Users in New Phishing Campaign

Cybercriminals are targeting Coinbase users with phishing campaigns that aim to steal account credentials and drain cryptocurrency wallets, Bitdefender Antispam Lab has learned. According to our latest telemetry, the campaign has been active since mid-February and has targeted more than 25,000 users. Sixty-nine percent of the fraudulent messages originated from India, 13.73 percent from Brazil, 10 percent from the US and 2.33 percent from Japan.

Broken down by recipient location, the phishing emails reached:

  • 54.72 percent reached users from South Korea
  • 12.53 percent reached users from Sweden
  • 7 percent reached users from Ireland
  • 6.78 percent reached users from Japan
  • 5.12 percent reached users from the United States
  • 2.81 percent reached users from Great Britain
  • 2.16 percent reached users from Canada

The crooks attempt to dupe recipients into visiting a fake login URL and entering their username and password. In both versions of the scam, the threat actors send fake notifications warning of unusual activity in the recipient's account and demanding immediate "verification" before access to the platform is restored.

“We recently detected an unusual activity on your coinbase account,” one of the fraudulent messages reads. “Unfortunately we had to suspend your coinbase in order to ensure the safety of your account.” “This suspension is temporary,” the message continues. “We will need some additional information to verify your identity, Please visit the verification form to complete your identity verification and regain access to your coinbase account.”

Sample 1: initial Coinbase phishing email

Sample 2: ongoing Coinbase phishing email

Sample 3: fake Coinbase login page

Throughout 2020 and beyond, fraudsters have sought financial gain by sending legitimate-looking emails that tempt victims to enter their account username and password or provide personally identifiable information.

The trend of impersonating cryptocurrency trading platforms to steal user information is likely to continue throughout the year. Although this ongoing phishing campaign carries no malicious attachment or payload that could expose recipients to additional threats such as file-encrypting ransomware, the harvested credentials are enough on their own to empty a wallet, and threat actors may continue to fine-tune their tactics.

What should victims do?

If you have received such a fraudulent email, delete it. If you have already submitted your login details, go to the official website (type the address yourself rather than following any link in the message), change your password immediately and enable two-factor authentication to add a further layer of protection.

Coinbase also provides ways to recover or temporarily disable your account if it has been compromised. As always, immediately change the password on every other online account that uses the same email and password combination (reusing credentials across accounts is not recommended in the first place) to prevent further compromise and account takeover.

Be wary of unsolicited correspondence and double-check page URLs before signing in. Industry jargon, official logos and even similar-looking sender addresses do not guarantee that an email is legitimate. Take time to assess the message and the reason behind it, and don't be rushed into replying or clicking a link, even under the threat of consequences such as account closure. Instead, go to the official website directly from your browser, log in and look for any associated account notifications.
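The "double-check the URL" advice above can be applied mechanically. The following Python script is an added example for this article, not code from Bitdefender or Coinbase: it pulls every link out of an email body and classifies each one by the host the browser would actually connect to, flagging hosts that merely contain the brand name as a subdomain, hide it in the userinfo part before "@", or sit one or two characters away from it. The sample email body and every non-Coinbase domain in it are constructed for illustration, and coinbase.com is assumed to be the brand's only legitimate registrable domain.

```python
"""Flag links in an email body that impersonate coinbase.com.

Added example for this article, not code from Bitdefender or Coinbase. The
email body and every non-Coinbase domain below are constructed for
illustration; coinbase.com is assumed to be the brand's only legitimate
registrable domain.
"""
import re
from urllib.parse import urlsplit

BRAND = "coinbase"
LEGIT_DOMAINS = {"coinbase.com"}  # assumption: the only genuine registrable domain

# Matches http(s) URLs up to whitespace or common delimiters.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

# Constructed sample: the lure text is modelled on the quoted phishing email,
# the links are made up for the example.
SAMPLE_EMAIL = """\
We recently detected an unusual activity on your coinbase account.
Please visit the verification form to regain access:
https://www.coinbase.com/settings/security
https://coinbase.com.verify-account.example/login
https://coinbase@example.net/coinbase
http://coinbse.example/secure
https://support.example.org/help
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'coinbase.com'.

    Simplification: no Public Suffix List, so 'shop.example.co.uk' yields
    'co.uk'. Use a PSL library for production-grade logic.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one URL.

    The browser connects to the host between '://' (after any '@') and the
    next '/', so only that part decides where a link really goes.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""  # .hostname drops userinfo and port

    # Punycode or raw non-ASCII labels: possible homoglyph domain, treat as hostile.
    if "xn--" in host or not host.isascii():
        return "lookalike"

    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return "legit"

    # Brand appears as a subdomain (coinbase.com.evil.example), in the
    # userinfo part (coinbase@evil.example) or only in the path.
    userinfo = (parts.username or "").lower()
    path = (parts.path + parts.query).lower()
    if BRAND in host or BRAND in userinfo or BRAND in path:
        return "lookalike"

    # Second-level label close to the brand name: coinbse, c0inbase, ...
    sld = domain.split(".")[0]
    if edit_distance(sld, BRAND) <= 2:
        return "lookalike"

    return "unrelated"


def scan_email(body: str) -> list[tuple[str, str]]:
    """Extract every URL from the body and pair it with its verdict."""
    return [(url, classify_url(url)) for url in URL_RE.findall(body)]


if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

Run on the constructed sample, only the first link is reported as legitimate; the three that contain "coinbase" in a subdomain, in the userinfo part or as a typo are reported as lookalikes, and the unrelated support link is left alone. The registrable-domain logic deliberately ignores the Public Suffix List to stay short, so for anything beyond a demonstration swap in a PSL-aware library; the brand-string and edit-distance checks are heuristics that will produce the occasional false positive, which is the right trade-off for a mail filter but not for an automatic block list.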

Note: This article is based on technical information provided courtesy of Bitdefender Antispam Lab.