Fake CAPTCHA Scam Delivering Coinbase Account-Stealing Malware
Malicious websites branded to look like Coinbase login or verification pages present fake CAPTCHA challenges that, when 'completed,' inject a system command into the clipboard. Running the command installs malware that steals Coinbase session cookies and browser-stored credentials.
Part of: Fake CAPTCHA Malware Scams
Last reviewed: 8 June 2026
A growing category of account-takeover attack pairs fake CAPTCHA widgets with clipboard injection to install malware that targets browser sessions on platforms like Coinbase. The victim believes they are completing a routine human-verification step before being allowed to access a 'Coinbase promotion' or 'account review' page, but the CAPTCHA's 'verify' button silently writes a malicious command to the clipboard.
The page then instructs the user to press Windows Key + R (or open a terminal on Mac/Linux) and paste the code to 'complete verification.' Running the pasted command downloads a payload designed to extract browser session tokens, cookies, saved passwords, and any cached exchange authentication data — including active Coinbase sessions.
With a stolen session cookie, the attacker can often access the victim's Coinbase account without needing the password at all, bypassing 2FA by riding on an already-authenticated session.
How this scam works on the Coinbase brand
Real Coinbase account access and security verification never require you to run a command on your operating system. Coinbase's legitimate CAPTCHA — where it uses one — appears within the official coinbase.com login flow and is handled entirely inside the browser.
The fake-CAPTCHA attack typically reaches victims via search-engine advertisements for 'Coinbase login' or 'Coinbase customer support,' via phishing emails linking to a 'Coinbase security review,' or via Discord and Telegram messages claiming a Coinbase airdrop requires verification. The page is crafted to look like coinbase.com, including correct colours, fonts, and logos.
After running the clipboard-injected command, the malware operates silently, harvesting session tokens and forwarding them to the attacker. The attacker then imports the session cookie into their own browser and gains instant access to the Coinbase account, changing the email and 2FA before the victim notices.
Common red flags
- A page claiming to be Coinbase presents a CAPTCHA, then instructs you to open your computer's Run dialog or terminal to 'complete verification'
- The URL is not coinbase.com or accounts.coinbase.com
- You arrived via a search ad or unsolicited message rather than your own Coinbase bookmark
- The CAPTCHA widget design differs from standard Google reCAPTCHA or Cloudflare Turnstile
- Any page — regardless of branding — that says 'press Win+R and paste this to verify you are human' is running a scam
- Your clipboard contains an unfamiliar command string after interacting with the page
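The red flags above can be turned into a simple automated check, for instance inside a browser extension or a secure web gateway rule. The sketch below is an added example, not code from Coinbase or from this page's author. The function names, regular expressions and sample events are constructed assumptions, and the sample clipboard strings are deliberately redacted so they are not working commands.

```javascript
// Added example (not from the original page). Names, patterns and samples are constructed.
const OFFICIAL_HOSTS = new Set(["coinbase.com", "accounts.coinbase.com"]); // the page's two hosts

// "Press Win+R / open a terminal" wording described in the article, plus a paste instruction.
const RUN_LURE = /(\bwin(dows)?(\s*key)?\s*\+\s*r\b|run dialog|open (a |your )?terminal)/i;
const PASTE_LURE = /\b(paste|ctrl\s*\+\s*v)\b/i;
// Clipboard text that names a command interpreter AND carries a URL or a hidden/encoded switch.
const INTERPRETER = /\b(powershell|pwsh|cmd|mshta|curl|wget|bash|osascript)\b/i;
const URL_OR_HIDDEN = /(https?:\/\/|-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b)/i;

function hostIsOfficial(pageUrl) {
  try {
    // Exact hostname match; stripping "www." is an assumption. A substring check would
    // accept lookalikes such as coinbase.com.account-review.example.
    const host = new URL(pageUrl).hostname.toLowerCase().replace(/^www\./, "");
    return OFFICIAL_HOSTS.has(host);
  } catch {
    return false; // an unparseable URL is never treated as official
  }
}

function assessPageEvent({ pageUrl, pageText, clipboardText }) {
  const flags = [];
  if (/coinbase/i.test(pageText) && !hostIsOfficial(pageUrl)) flags.push("coinbase-branding-on-other-host");
  if (RUN_LURE.test(pageText) && PASTE_LURE.test(pageText)) flags.push("run-and-paste-instruction");
  if (INTERPRETER.test(clipboardText) && URL_OR_HIDDEN.test(clipboardText)) flags.push("command-on-clipboard");
  // A paste-to-verify instruction or a command on the clipboard blocks regardless of branding.
  const block = flags.includes("run-and-paste-instruction") || flags.includes("command-on-clipboard");
  return { verdict: block ? "block" : flags.length ? "warn" : "ok", flags };
}

// Constructed sample events; hosts use reserved example domains.
const SAMPLES = {
  fakeCoinbase: {
    pageUrl: "https://coinbase.com.account-review.example/verify",
    pageText: "Coinbase account review. Press Windows Key + R, then paste the code to complete verification.",
    clipboardText: "powershell -w hidden <REDACTED> https://payload.example.invalid/x # I am not a robot",
  },
  unbranded: {
    pageUrl: "https://human-check.example/",
    pageText: "Verify you are human: press Win+R and paste.",
    clipboardText: "cmd /c <REDACTED> https://files.example.invalid/a",
  },
  genuine: { pageUrl: "https://accounts.coinbase.com/signin", pageText: "Sign in to Coinbase", clipboardText: "" },
};

for (const [name, ev] of Object.entries(SAMPLES)) console.log(name, assessPageEvent(ev));
```

The patterns are heuristics: they will miss obfuscated clipboard content and should be treated as one signal alongside the manual checks in the list.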
How to protect yourself
- Never run a command from your clipboard as part of a CAPTCHA or account-verification process
- Navigate to Coinbase only via your own bookmark at coinbase.com — avoid clicking search ads for Coinbase
- Use a dedicated browser profile for Coinbase with no other logged-in sessions to limit cookie exposure
- Enable hardware-security-key 2FA on Coinbase; session-cookie attacks are harder to exploit when hardware keys are required for new logins from unfamiliar devices
- Regularly clear browser cookies for financial sites and log out of Coinbase when not actively using it
- Run up-to-date security software capable of detecting clipboard-based payload delivery
How to report it
- Report the phishing site to Coinbase's security team at help.coinbase.com
- Submit the URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/
- File a report with the FTC at reportfraud.ftc.gov
- Report to IC3.gov (US) or Action Fraud 0300 123 2040 (UK)
- If your account was accessed, contact Coinbase support immediately to freeze the account and revoke sessions
Frequently asked questions
Can running a pasted command really steal my Coinbase login?
Yes. Browser session cookies, including those for Coinbase, are stored in known file locations on your computer. Malware delivered via a clipboard-paste command can read, copy, and exfiltrate these cookies, giving the attacker access to your logged-in session without needing your password.
Does two-factor authentication protect against session cookie theft?
It depends. If the attacker imports a stolen session cookie into their browser, the browser already appears authenticated — 2FA was completed during the original login. Hardware-security keys offer stronger protection because they bind authentication to the physical device, but this protection varies by implementation.
How do I clear session cookies for Coinbase if I suspect compromise?
In most browsers you can clear cookies for a specific site via Settings > Privacy > Cookies and site data: search for coinbase.com and remove its entries. More importantly, change your Coinbase password and revoke all active sessions in your Coinbase security settings immediately.