Coinbase Account Takeover Scams
Criminals combine phishing, SIM swapping, and social engineering to take over Coinbase accounts and liquidate holdings. Understanding Coinbase's security layers helps identify when something unusual is happening.
Part of: Account Takeover Scams
Last reviewed: 7 June 2026
Account takeover attacks on Coinbase users are among the most financially damaging crypto frauds because they target custodial holdings — assets that are easier to access than self-custody wallets but that can also be liquidated quickly once an attacker is inside. Unlike a hack of Coinbase's own systems, these attacks exploit the victim's credentials and authentication methods directly.
The most common approach involves multiple coordinated steps: obtaining login credentials via phishing or data breaches, defeating 2FA by SIM swapping the victim's phone number or tricking them into revealing OTPs, and then rapidly converting and withdrawing assets before Coinbase's fraud systems flag the activity.
Coinbase provides several security tools specifically designed to counter account takeovers: authenticator-app-based 2FA (more resilient than SMS), biometric device lock, withdrawal address whitelisting, and security alerts. Users who enable these features present a significantly harder target.
How this scam works on the Coinbase brand
A Coinbase phishing email mimics a genuine account alert — 'Your password was reset from a new device' — and includes a 'Revert This Change' link. The link leads to a fake Coinbase login page that captures the user's email and password. If the attacker also has the victim's phone number (obtained separately), a SIM swap redirects the SMS 2FA code to the attacker's device.
A social-engineering call variant has the attacker phone the victim while simultaneously attempting to log into Coinbase. When Coinbase sends the victim an OTP to confirm the login, the attacker claims to be from Coinbase's fraud team and asks the victim to read the code 'to verify your identity' on the call. The victim complies, unwittingly handing over the account.
Coinbase's real security alerts direct users only to coinbase.com. A genuine Coinbase session-alert email tells you what device initiated the action and from what location; it does not ask you to click a link to 'revert' anything — instead it tells you to visit coinbase.com's device management settings directly.
Common red flags
- An email claiming your Coinbase password was reset and asking you to click a link to revert it
- A caller claiming to be Coinbase fraud support asking you to read back an OTP or verification code
- Unexpected SMS messages for Coinbase logins you did not initiate
- Coinbase security emails from [email protected] addresses
- Withdrawal confirmation emails for amounts or addresses you do not recognize
- A Coinbase login page with a URL that is not exactly coinbase.com
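The last red flag above (a login page whose host is not exactly coinbase.com) is easy to state but easy to get wrong when reading a link by eye, because lookalike links put the brand name in a subdomain, in the userinfo before an '@', or in the path. The following is an added example, not Coinbase's code or the page's own; it assumes that only coinbase.com and its subdomains count as genuine (as the page states) and uses constructed sample links, none of which are real.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only genuine host is coinbase.com itself
# or a subdomain of it, matched on a label boundary (".coinbase.com").
GENUINE_DOMAINS = ("coinbase.com",)


def extract_host(url: str) -> str:
    """Return the lowercase hostname a browser would actually connect to."""
    # Without a scheme, urlsplit would treat the first segment as a path,
    # so prepend one for bare hosts such as "coinbase.com".
    if "://" not in url:
        url = "https://" + url
    # urlsplit().hostname already discards userinfo ("user@") and the port,
    # so "coinbase.com@evil.test" correctly yields "evil.test".
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_genuine_coinbase_host(host: str) -> bool:
    """True only for coinbase.com or a label-boundary subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in GENUINE_DOMAINS)


def classify_link(url: str) -> str:
    """Classify a link as 'genuine', 'lookalike' or 'other'.

    'lookalike' means the brand name appears somewhere in the link (host,
    userinfo or path) but the connecting host is not coinbase.com; that is
    exactly the pattern the red flag above describes.
    """
    host = extract_host(url)
    if not host:
        return "other"
    if is_genuine_coinbase_host(host):
        return "genuine"
    if "coinbase" in url.lower():
        return "lookalike"
    return "other"


def scan_links(urls):
    """Classify several links at once; returns {url: verdict}."""
    return {u: classify_link(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links for illustration only; the .test TLD is reserved.
    samples = [
        "https://www.coinbase.com/settings/devices",
        "coinbase.com",
        "https://coinbase.com.example-login.test/revert",
        "https://coinbase.com@example-login.test/revert",
        "https://secure-coinbase-support.test/login",
        "https://example.test/account/coinbase/login",
        "https://example.test/",
    ]
    for url, verdict in scan_links(samples).items():
        print(f"{verdict:9s} {url}")
```

Note the design choice: the verdict is based on the parsed hostname, not on whether the string "coinbase" appears anywhere, because the visible text of a link is precisely what a phishing email controls. Anything that is not 'genuine' should be treated as untrusted; homoglyph domains (letters swapped for look-alike characters) will land in 'other' rather than 'lookalike', which is still the correct outcome for the user.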
How to protect yourself
- Switch Coinbase 2FA from SMS to an authenticator app to eliminate SIM-swap vulnerability
- Enable withdrawal address whitelisting in Coinbase settings so new addresses require a 48-hour review
- Set up a security key (hardware key) for Coinbase if supported on your plan
- Never share an OTP or verification code with anyone over the phone
- Review Coinbase's active device list regularly and remove unrecognized devices
- Contact your mobile carrier to add a SIM lock PIN to prevent unauthorized SIM swaps
How to report it
- Report immediately at coinbase.com/help — select 'I think my account has been compromised'
- Forward phishing emails to [email protected]
- Report SIM swap to your mobile carrier's fraud department
- File a report with IC3.gov (US), Action Fraud (UK), or your national cybercrime authority
Frequently asked questions
What is a SIM swap attack and how does it affect Coinbase accounts?
A SIM swap attack involves tricking a mobile carrier into transferring your phone number to a new SIM card controlled by the attacker. Once they have your number, they can receive SMS-based 2FA codes for Coinbase and other accounts. Switching to an authenticator app eliminates this risk.
Will Coinbase refund stolen funds from an account takeover?
Coinbase's terms and the regulatory environment make this complex. In some cases, where the company's systems were demonstrably at fault, remediation may be possible. For user-side credential compromises, recovery is not guaranteed. Acting quickly — reporting and freezing the account — gives the best chance.
How fast do attackers drain a Coinbase account once they are in?
Account takeover attacks are typically automated and move within minutes of gaining access. Enabling withdrawal whitelisting creates a 48-hour delay for new addresses, which can prevent funds from leaving during a takeover if you act quickly.