Over the past month, Coinbase Threat Intelligence, Special Investigations, and Global Intelligence teams have been tracking an ongoing phishing campaign on Ethereum, Polygon, Binance Smart Chain, and other EVM-compatible platforms which has unfortunately resulted in the theft of more than $15M in various crypto assets to date. The phishing campaign does not affect customers who custody funds on Coinbase.com. However, anyone who uses self-custody wallets (e.g. Coinbase Wallet, Metamask, etc.) may be at risk.
The campaign works by airdropping fictitious coins into victim wallets and enticing them to visit specially-crafted malicious websites. Below is an example of one such coin:
Source: PolygonscanWhen users attempt to interact with the airdropped tokens such as transferring them to a Decentralized Exchange (DEX), they are presented with an error message encouraging them to visit a malicious phishing website:
Source: PolygonscanThe website presents users with a Decentralized Application (DApp) interface supposedly meant to connect their wallets and approve trading of the airdrop tokens. However, when users approve any transactions on the phishing website, in reality they are unknowingly approving a transfer of their personal tokens to the scammers.
Source: Phishing SiteThe scammers change airdrop token names and phishing websites frequently to evade blocklists; however, they still use the same tactics to steal tokens using fake airdrops and malicious Dapps. Nevertheless, you can take the following security steps to defend your assets:
Be wary of airdrop tokens received from an unknown source. It is highly likely these unsolicited tokens are part of a phishing campaign.
Do not visit or connect self-custody wallets to any websites advertised by airdropped tokens through error messages, token names, or other methods.
Do not interact with airdropped tokens (e.g. approving, transferring, swapping, etc.). As annoying as it sounds, it’s best to just leave them sitting in your wallet.
Do not hold high value assets in the same wallet used to regularly interact with Dapps. Use cold storage or custodial solutions such freely available Coinbase Vault or Custody.
Coinbase is working with industry partners to help limit the damage caused by the scam and we are planning to publish a more detailed analysis of the campaign in the near future.
was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.