Ice Phishing EIP-712 Signature Scams Impersonating Coinbase
Attackers build fake 'Coinbase Wallet Connect' pages that present an EIP-712 off-chain signature request; signing it authorizes the scammer's contract to transfer all of the victim's tokens without further interaction.
Part of: Ice Phishing and EIP-712 Signature Scams
Last reviewed: 8 June 2026
Ice phishing is distinct from traditional credential phishing: the victim's wallet remains secure in terms of seed-phrase secrecy, but the attacker tricks the user into signing a seemingly benign message that grants on-chain spending authority. Because the request appears as a human-readable 'structured data' popup in MetaMask or Coinbase Wallet, and because Coinbase Wallet legitimately uses EIP-712 signatures for various Web3 interactions, this scam is particularly deceptive when it carries Coinbase's branding.
Scammers build convincing pages that claim to represent a new 'Coinbase Earn' feature, a 'Coinbase NFT marketplace beta,' or a 'Coinbase Wallet upgrade' and prompt users to sign an off-chain message for verification. The signature popup shown by the victim's wallet may display fields like 'owner,' 'spender,' and 'value' in plain text — but many users accept it without reading the values, trusting the Coinbase branding on the surrounding page.
The signed message is then submitted by the attacker to a smart contract (such as Permit2, the permit() function on ERC-20 tokens that support it, or an OpenSea-style Seaport contract for NFTs) that transfers the victim's assets to the attacker's address. No further wallet interaction is required from the victim after the signature is provided.
How this scam works on the Coinbase brand
The attack sequence typically starts with a targeted social media post, a search result ad, or a link posted from a compromised Discord server. The destination page displays a 'Coinbase Wallet Connect' interface with the Coinbase logo and a description of a new feature the user can access 'for free.'
The page triggers a WalletConnect or direct injected-provider prompt asking the user to sign a structured EIP-712 message. The displayed fields show values such as a large token amount and a spender address that the user does not recognize, but the surrounding Coinbase branding creates false confidence. Once the user clicks 'Sign,' the attacker has everything needed to drain affected token balances.
The legitimate Coinbase Wallet does use EIP-712 signatures, but only on domains the user has explicitly chosen to interact with (e.g., verified NFT platforms, dApps). Coinbase will never send a link via social media or email asking you to sign a message as a standalone 'wallet verification' or 'upgrade' step.
Common red flags
- Prompted to sign an EIP-712 'structured message' on a site other than one you deliberately navigated to and researched
- Signature popup contains fields like 'spender,' 'value,' or 'operator' set to unfamiliar contract addresses with very large token amounts
- The surrounding page claims to be a new Coinbase product not mentioned anywhere on coinbase.com
- You were directed to this page via a social media post, sponsored ad, or DM rather than from the official Coinbase app
- The site URL is not coinbase.com, wallet.coinbase.com, or a verified dApp domain you recognize
- Signing the message has no obvious interactive result — the page does not change, which is typical when the attacker has already harvested the signature
How to protect yourself
- Read every EIP-712 signature popup in full before signing; pay special attention to the 'spender' field and the token amounts — if they are unfamiliar, reject the request
- Only interact with dApps you have researched independently; navigate to them directly rather than via links in messages
- Use a wallet with phishing-site warnings and simulation features (e.g., Pocket Universe, Revoke.cash browser extension) that flag malicious signature requests before you sign
- After any unexpected signature request, check your wallet's allowance list at revoke.cash and revoke suspicious entries
- Store significant assets in a cold (hardware) wallet that requires physical confirmation for signatures, adding a friction layer against accidental approvals
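The checks in the two lists above, as an added example that is not code from this page, from Coinbase, or from any wallet vendor: a small JavaScript triage of an eth_signTypedData_v4 payload that returns the red flags it finds. The origins, addresses and the sample request are constructed placeholders, and the set of asset-moving primary types is an assumption.

```javascript
// Added example (not from the page or any wallet): triage an eth_signTypedData_v4
// payload before signing. Sample addresses, origins and timestamps are constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
const ONE_YEAR = 365n * 86400n;
// Primary types whose signature, once relayed on-chain by the attacker, moves
// assets with no further wallet interaction (ERC-20 permit, Permit2, Seaport).
const ASSET_MOVING_TYPES = new Set(["Permit", "PermitSingle", "PermitBatch", "OrderComponents"]);

function assessTypedData(typedData, ctx) {
  const { primaryType, message = {}, domain = {} } = typedData;
  const warnings = [];
  // A login-style message (e.g. a plain sign-in challenge) moves nothing; stop here.
  if (!ASSET_MOVING_TYPES.has(primaryType)) return warnings;
  // Red flag: the page was reached via a link, not a dApp the user researched.
  if (!ctx.researchedOrigins.has(ctx.pageOrigin)) {
    warnings.push(`origin ${ctx.pageOrigin} is not a dApp you deliberately navigated to`);
  }
  // Red flag: the spender (ERC-20 permit) or details.spender (Permit2) is unfamiliar.
  const spender = message.spender ?? message.details?.spender;
  if (spender && !ctx.knownSpenders.has(spender.toLowerCase())) {
    warnings.push(`spender ${spender} is not a contract you have approved before`);
  }
  // Red flag: the allowance is effectively unlimited.
  const amount = message.value ?? message.details?.amount;
  if (amount !== undefined && BigInt(amount) > MAX_UINT256 / 2n) {
    warnings.push("allowance is effectively unlimited (near max uint256)");
  }
  // Red flag: a deadline far in the future keeps the signature usable indefinitely.
  const deadline = message.deadline ?? message.sigDeadline ?? message.details?.expiration;
  if (deadline !== undefined && BigInt(deadline) > ctx.nowSec + ONE_YEAR) {
    warnings.push("deadline is more than a year away; the signature will not expire");
  }
  // Red flag: the domain targets a chain other than the one the wallet is on.
  if (domain.chainId !== undefined && Number(domain.chainId) !== ctx.walletChainId) {
    warnings.push(`domain chainId ${domain.chainId} differs from the wallet's chain`);
  }
  return warnings;
}

// Constructed sample: an ERC-20 permit presented as "Coinbase wallet verification".
const SAMPLE_REQUEST = {
  domain: { name: "Example Token", version: "1", chainId: 1, verifyingContract: "0x" + "ab".repeat(20) },
  primaryType: "Permit",
  message: { owner: "0x" + "11".repeat(20), spender: "0x" + "de".repeat(20),
             value: MAX_UINT256.toString(), nonce: 0, deadline: MAX_UINT256.toString() },
};
const SAMPLE_CONTEXT = { pageOrigin: "coinbase-wallet-connect.example", walletChainId: 1,
  researchedOrigins: new Set(["dapp-you-researched.example"]), knownSpenders: new Set(), nowSec: 1780000000n };
console.log(assessTypedData(SAMPLE_REQUEST, SAMPLE_CONTEXT)); // prints four warnings
```

A wallet simulation extension performs a richer version of this triage; the point here is that every red flag on the page is visible in the payload itself before anything is signed.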
How to report it
- Report the malicious dApp URL to Coinbase at [email protected]
- Submit the site to MetaMask's phishing list at github.com/MetaMask/eth-phishing-detect
- File a report with your national cybercrime agency (IC3.gov in the US; Action Fraud in the UK)
- If NFTs were stolen via EIP-712, report to the OpenSea safety team as well, as the stolen items may be re-listed there
Frequently asked questions
What is EIP-712 and why is it used legitimately?
EIP-712 is an Ethereum standard for signing structured off-chain data in a human-readable format. It is used by legitimate dApps for gasless transactions, permit-based approvals, and order signing. The standard itself is safe; the danger is signing a message on a malicious site.
Does signing an EIP-712 message cost gas?
Signing itself is free and off-chain. However, the attacker submits the signed message in a subsequent on-chain transaction (which they pay gas for) to execute the transfer. This means the drain can happen without any further action from the victim.
Can I recover assets stolen through an EIP-712 signature exploit?
Recovery is extremely unlikely once the on-chain transfer has confirmed. Act immediately upon suspicion: revoke any remaining approvals and transfer other assets to a new wallet. Report to law enforcement, as transaction records on-chain provide evidence trails.