An ingenious phishing scam is targeting cryptocurrency investors, by posing as a mandatory wallet migration.
The emails, which have the subject line “Migrate to Coinbase wallet”, have been sent out at a large scale claiming that court order has forced Coinbase to change the way it operates.
Part of the email reads as follows:
“As of March 14th, Coinbase is transitioning to self-custodial wallets. Following a class action lawsuit alleging unregistered securities and unlicensed operations, the court has mandated that users manage their own wallets. Coinbase will operate as a registered broker, allowing purchases, but all assets must move to Coinbase Wallet.”
The email goes on to list what it claims is the recipient’s “unique recovery phrase” (or seed) which “grants access to your funds” after they have been moved.

Recipients are urged to download the Coinbase Wallet app, and import the sequence of words into it – creating a new wallet for their funds.
Ingeniously, the intent of the email is not to steal the user’s recovery seed (and thus gain access to their Coinbase wallet) but rather trick the user into setting up and transferring their funds into a new wallet, for which the scammer already knows the recovery phrase.
The attacker can then plunder the account for NFTs and cryptocurrency, transferring them into a wallet that they solely control.
And, of course, because of this – the email does not have to link to a bogus phishing page or malicious URL. Instead, all the links in the email really do point to the legitimate coinbase.com site.
However, the scammers didn’t succeed in making their scam message entirely convincing. For instance, examination of the email’s headers reveals that it was not actually sent from Coinbase as it claims, but from an akamai.com address.

Nonetheless, there is a good chance that the email’s deviousness will mean that it has managed to waltz past a good many users’ spam filters.
Coinbase’s support department has posted a warning on social media about the phishing campaign, and reminded users that the company will never send out a recovery phrase and that no users should ever use a recovery phrase given to them by someone else.
If you receive an email like the one described above, just delete it. Otherwise you might just make it all too easy for cybercriminals to steal your cryptocurrency.