Security PSA: Airdrop Phishing Campaign

By Coinbase Security Team

As a part of our mission to build a safe and open financial system, we actively monitor for any security threats not only to Coinbase but to the crypto ecosystem as a whole. As we have discussed in our previous blog post on industry-wide crypto security threats, malicious threats against any crypto user or business are bad for the industry. With this community mindset, we do our best to inform and to defend our community from bad actors.

Over the past month, Coinbase Threat Intelligence, Special Investigations, and Global Intelligence teams have been tracking an ongoing phishing campaign on Ethereum, Polygon, Binance Smart Chain, and other EVM-compatible platforms which has unfortunately resulted in the theft of more than $15M in various crypto assets to date. The phishing campaign does not affect customers who custody funds on Coinbase.com. However, anyone who uses self-custody wallets (e.g. Coinbase Wallet, Metamask, etc.) may be at risk.

The campaign works by airdropping fictitious coins into victim wallets and enticing them to visit specially-crafted malicious websites. Below is an example of one such coin:

Source: Polygonscan

When users attempt to interact with the airdropped tokens such as transferring them to a Decentralized Exchange (DEX), they are presented with an error message encouraging them to visit a malicious phishing website:

Source: Polygonscan

The website presents users with a Decentralized Application (DApp) interface supposedly meant to connect their wallets and approve trading of the airdrop tokens. However, when users approve any transactions on the phishing website, in reality they are unknowingly approving a transfer of their personal tokens to the scammers.

Source: Phishing Site

The scammers change airdrop token names and phishing websites frequently to evade blocklists; however, they still use the same tactics to steal tokens using fake airdrops and malicious Dapps. Nevertheless, you can take the following security steps to defend your assets:

  • Be wary of airdrop tokens received from an unknown source. It is highly likely these unsolicited tokens are part of a phishing campaign.
  • Do not visit or connect self-custody wallets to any websites advertised by airdropped tokens through error messages, token names, or other methods.
  • Do not interact with airdropped tokens (e.g. approving, transferring, swapping, etc.). As annoying as it sounds, it’s best to just leave them sitting in your wallet.
  • Do not hold high value assets in the same wallet used to regularly interact with Dapps. Use cold storage or custodial solutions such freely available Coinbase Vault or Custody.

Coinbase is working with industry partners to help limit the damage caused by the scam and we are planning to publish a more detailed analysis of the campaign in the near future.


Security PSA: Airdrop Phishing Campaign was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.