A new and dangerously convincing phishing campaign is targeting cryptocurrency users across platforms like Coinbase, Gemini, and Trust Wallet.
This time, it’s not asking for your recovery phrase, it’s giving you one. 🚩
"Use This Seed Phrase to Secure Your Account"
• Did you call the number and transfer funds to secure them?
• Did you use a seed phrase provided in an email?
Researchers have identified this threat as PoisonSeed ☠️
Crypto scams have been making headlines for wallet draining, protocol hacks and billion dollar heists.
Today we are tackling the threat of convincing users to transfer their funds to wallets or provide seed phrases under the ruse of securing them.
Unlike most threats, an email or text message bypasses many of the established efforts of Web3 Security. There are no firewalls, browser extensions, advanced AI tooling, or multi-factor authentication to stand between you, your email, and a phishing attempt that leads to a phone call.
Let's dive into the issue and how you can stay safe while keeping your crypto safer.
What's really happening? ⬇️
Users on Reddit, X and other platforms have reported being emailed (or texted) about security of their accounts and crises with their wallet provider. Some of the screenshots are shared here and most of the comments assure them it's a scam.
I have news for you: “Coinbase will never ask for or provide anyone with a seed phrase”. This is a statement on the official Coinbase website. Gemini and Trust Wallet have similar statements advising users of a critical step in "Protecting Your Crypto".
Rule 2️⃣: Read again rule 1️⃣.
The communication begins advising a customer to transfer funds to a "secure wallet" which ultimately will be controlled by the attacker.
To detail this: once you’re on the phone, scammers pretend to be real customer service agents. They spin a convincing story, maybe claiming Coinbase is upgrading its system or that there was a login attempt. Sometimes they say your funds are at risk because Coinbase can no longer hold them. They may transfer you to another department, but that is just another fraudster. Any money you send goes straight to the scammers. In most cases you won’t get it back through normal channels.
Imagine walking your money out of the bank in a shoe box and handing it to an officer.
Hard to imagine you would believe the police operate that way right? That is the idea of what's happening to crypto users who immediately follow instructions of the email, or whomever they call. Scammers actively recruit social engineers to call you and they have one job, sound legit.
After crafty word salad and a little peer pressure, the funds are sent to perceived safety. In the case of an email (above and below image) a seed phrase would be provided or a number to call to resolve the issue. They sound professional and use urgency and pressure tactics to disarm you. Any of these alerts would be alarming understandably. It is important to reiterate that many users are aware to never share their seed phrase, but it can be disarming to be provided one. Users are doing the right thing by sharing the scripts and raising awareness of this reverse play by scammers.
(Screenshots from Reddit of emails sent to users)
Take a look at the screenshots provided and you will notice the inconsistent stories being sold to users.
So what happens to the funds? Doesn't Coinbase know who scammed me? And where do I report this?
These are all good questions asked by a victim I had the chance to speak with. Luckily, the same exact advice applies as if you were targeted with a wallet drainer or other malware.
• For US based victims, filing an IC3 report is still suggested, or your equivalent of cyber crime authority elsewhere.
• For a Coinbase user, it is recommended to contact them and provide the transaction hashes so they can catalog the wallets being used.
If you called the number given to you and were given a wallet to use, that wallet should be reported as well. As mentioned before, there are no alerts, AI tools or Wallet Guard to stop or warn you. This is important because nobody else knows you have been scammed except you. So far I have only confirmed one major loss of about $145,000.
Digging Into The Wallets
For research, I imported the wallet using the seed phrase. This allowed me to find the exact wallets being used and transactions made. The Coinbase seed phrase is linked to a wallet that has already received two transactions on Litecoin (LTC) and Ethereum (ETH). The ETH wallet was funded from a Kraken Hot Wallet at this transaction hash. This was only a small amount of $10 USD in this case. Screen snip provided by Metasleuth.
There are two available phrases for Trust and neither of them have any transaction history. Ironically, during this process I came across a warning for Trust and Coinbase advising if this phrase was given to you, your funds will be stolen. Since the seed phrases were shared, there may be limited accuracy to the shared findings.
How to Avoid This Scam
✅ Never import a wallet you didn’t create. Recovery phrases should only come from you — not from emails, DMs, or texts.
✅ Always check sender addresses and avoid clicking links in emails. Instead, open your wallet app directly or use a trusted bookmark.
✅ Check headers if suspicious. Even if the email looks legitimate, a mismatched return-path or failed DMARC can be a giveaway (guide for Outlook and Gmail).
✅ Call known numbers — not the one in the email. Coinbase has official contact info on their website. Don’t trust the one a scammer gives you.
‼️ Never call the number provided in an email or text. ‼️
Call the number you have saved from previous contact. Coinbase has a list of numbers on their official website, otherwise you can use the support chat to avoid any potential phishing links. Hovering over links can show where it will actually take you and can expose the common typos associated with malicious urls.
The email is also seemingly from Coinbase or another legit entity. The SPF, DKIM and DMARC checks are all PASSED, evading spam filters in this article, provided by Bleeping Computer from March.
Crypto is already heavily reliant on user awareness but since most important communications happen over email in daily life, it becomes riskier responding or acting without verifying. While the spam filters may not have caught this, you as a user can still take a look at the reply section and you would notice an odd email such as "support@coinbase-secure[.]com", or an email that is clearly not associated with your wallet like "noreply@akami[.]com". SilentPush covered this campaign in detail and more information for researchers can be found here from April.
Resisting phishing attempts is sometimes as easy as checking your app. Whenever you receive an alert, open the app and see what is there.
If you normally receive a text alert for a login but an email is warning you of an attempt, this should be a sign to look further. You should check your app and see if any changes have been made. Logging in from another device to check could reveal your password was safely intact and unchanged. Any notices about your login could also confirm your account security.
Google was recently the target of a phishing campaign using sites[.]google[.]com where emails could bypass normal filters in place.
More info on this tweet: Sophisticated Google Phishing Campaign
🛡️ A great defense would be to log into the application, not using the link provided, but the one you hopefully have bookmarked. Even if the notice seems alarming, if it’s not showing in your web portal or application you should do a little diligence.
🎬 Resume
The new PoisonedSeed phishing campaign is a reminder that in crypto, you are your own bank, and the security of your assets depends on staying informed, skeptical, and cautious. While there are many scams to be mindful of, protecting your seed phrase from them has always been, and will continue to be, important. Scammers are always coming up with new ways to navigate security measures in place but phishing emails are not fresh.
If Coinbase was all of a sudden unable to hold funds, your email would not be the only source of that information.
Stay aware, Stay mindful, stay vigilant.
🔗 Sources
• BleepingComputer: PoisonedSeed phishing campaign, https://www.bleepingcomputer.com/news/security/poisonseed-phishing-campaign-behind-emails-with-wallet-seed-phrases/
• Silent Push: PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation, https://www.silentpush.com/blog/poisonseed
• Coinbase Security Tips, https://www.coinbase.com/en-nl/security/security-tips
• Etherscan Transaction Example, https://etherscan.io/tx/0x3dddec615c2c949b9b0c20c61f6d09a5bc0e76599266e02cf36c0e03b81cb637
• Reddit Post, https://www.reddit.com/r/CryptoCurrency/comments/1jb6141/phishing_coinbase_wallet_scam/