Phishing With Coinbase

Coinbase has announced their intention to reimburse a small number of users who were victims of a phishing attack. The attacker, who emailed users a purported new service agreement from Coinbase, used the Coinbase API to fool users into approving full permissions for his third-party app so as to withdraw bitcoins from the Coinbase wallet. As a result of the successful attack, Coinbase now claims they will review the approval process for applications using their API.

A statement from the Head of Support at Coinbase reads:

This morning we discovered a phishing attack that came via email, requesting users to click to accept New User/Service Agreement.

This prompted users to sign in to their accounts and authorize a malicious application to remove bitcoin from their Coinbase Wallet.

We found this malicious application relatively quickly, and we shut it down. Only a small number of users were affected, and we will be reaching out to them directly.

We will be reimbursing the affected users the bitcoin that they lost, while we continue the investigation.

To stop this from happening again, we are reassessing our API/application approval process, as well as re-visiting the limits of money that can be sent over an application.

Lastly, we began to talk about how we can proactively reach out to customers and educate them on how to use their Coinbase Vaults as a more secure way of storing their bitcoin.

We appreciate the feedback and patience with this matter.
The Coinbase Team

The decision by Coinbase to reimburse their users despite them willingly providing the attacker with usernames and passwords now opens a window for attackers to commit friendly fraud upon Coinbase. An attacker need only commit the same or similar attack upon himself [1] as a zero-risk means to double up his own holdings. It remains to be seen if Coinbase will be as favourable to its users in a future where the value of bitcoin is dramatically higher and the cost to cover user error is unlimited.


  1. Don't forget your friends for added effect! 
