
Coinbase

Security PSA: Sha Zhu Pan (Pig Butchering) Investment Scams

Tl;dr Coinbase has seen a concerning increase in fraudulent cryptocurrency investment platforms that are sourcing victims through connections on dating apps and social media. We are encouraging our users to be vigilant against this type of social engineering scam.

The Coinbase Security team has previously submitted the domains in this blog, in addition to several other related domains, to Google Safe Browsing for alerting users when browsing to these sites.

By Coinbase Global Investigations and Threat Intelligence

Coinbase works closely with law enforcement partners across the globe to protect our customers from an array of targeted cyber attacks. Recently, a noteworthy increase has been reported in scams that purport to be foreign exchanges or crypto trading platforms and are spread by scammers who meet their victims on dating apps. While investment scams and romance scams are not unique to the cryptocurrency ecosystem, the irreversible nature of cryptocurrency transactions can make these scams devastating. This scheme is particularly effective because it relies on the scammer building trust with the victim, sometimes over a period of weeks or months.

The scam typically follows this chain of events:

  • Victims are contacted through social media, have matched with the scammer on a dating app, or have been contacted on instant messaging applications.
  • The scammer encourages the victim to migrate their conversation to an encrypted messaging service, such as WhatsApp or WeChat, sometimes communicating for weeks or months before mentioning an investment opportunity.
  • The scammer typically claims to have received great financial returns from a cryptocurrency trading or mining platform and convinces the victim to co-invest with them, or offers to teach them how to trade successfully.
  • Victims are directed to visit a fraudulent website that often looks like a legitimate trading platform and coached into depositing funds.
  • Some victims even receive a small amount of funds that are claimed to be “returns” on their investment to entice them to invest even larger sums.
  • When the victim tries to withdraw funds from the site, they are often told they owe a tax payment or service fee before their funds will be released, in an effort to extort them for even more money.

How we have been working to protect our users:

  • Teams across Coinbase work to identify and add addresses associated with scams to our products’ blocklists to aid in protecting our customers.
  • Security teams frequently conduct scans to identify clusters of existing scam sites and collaborate with law enforcement to enforce takedowns. These teams have increased monitoring to identify new sites that have the potential to be similarly abused.
  • While it is impossible to predict all addresses associated with scams, we conduct blockchain analysis on known scam addresses to map out related wallets and we communicate with other exchanges to inform them when they may be receiving these scammed funds.
  • We routinely collaborate with law enforcement to share intel on emerging scams and support their investigations into bad actors.

The following steps can be taken to protect yourself:

  • Be skeptical of investment opportunities from people you meet through online forums or dating apps, even if you have been communicating for a while. If they claim to have an exclusive or urgent opportunity, this is a big red flag.
  • Don’t disclose your current financial status to people you’ve met online and don’t post any of your financial information on social media.
  • Independently research any trading platform you are considering sending money to, including using consumer protection websites.
  • Please report any scams including the URL and the receiving cryptocurrency address to security@coinbase.com.
  • If you become aware of a scam, please report it to the FBI’s Internet Crimes Complaint Center.
  • Report any scam websites to Google Safe Browsing.

Investment scam landing pages often look like the following:


Security PSA: Sha Zhu Pan (Pig Butchering) Investment Scams was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Reinforcing our customers' account security with enhanced password protection

Tl;dr: We are excited to announce the expansion of our enhanced password protections. By protecting the first layer of our users' account protection, their passwords, we are continuing our commitment to offer our customers the best security tools to protect their funds and accounts.

By Abhishek Agarwal, Group Product Manager

At Coinbase, one of our core pillars has always been the online safety and security of our customers. We believe that our customers need to have access to industry leading security features without sacrificing ease and convenience. Therefore, providing a safe, secure, and easy-to-use customer experience is our continuous commitment to all of our current and future customers.

With multiple online accounts to keep track of, it’s inevitable that our customers find it difficult to manage their passwords and sometimes end up re-using their favorite passwords across multiple online products and accounts. According to Google/Harris Poll data, two in three people re-use the same password across multiple accounts. Of all the survey participants (ages 16–50+), 51% admitted that they use one particular “favorite” password for the majority of their accounts. Unfortunately, this is not the best solution for their online security: by using the same key for multiple accounts, if one password happens to be breached, all of their other accounts are at risk of being compromised too.

Since 2019, Coinbase has been monitoring third-party credential breaches and darknet markets for indications that a reused password might be putting Coinbase accounts at risk. This feature (which automatically monitors existing Coinbase accounts at no additional cost) has helped protect tens of thousands of users since its launch. Today, we are happy to announce that we’re expanding our enhanced password protections to continuously cover users, starting from the moment they sign up to the rest of their journey with us, and protect them from using compromised passwords in their Coinbase accounts.

With this enhanced security measure, every time a customer creates or changes their password, we automatically check whether the selected password was exposed in any third-party data breach and, if so, suggest a different, more secure password. With this extra protection, we are giving our users a stronger shield for the first layer of their account security.
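The check described above, as an added illustration (not Coinbase's code): a password policy gate that compares a new password against breach data using a hash-prefix (k-anonymity) range lookup, so the lookup service never receives the full password hash. The breach corpus, the 5-character prefix length and the 12-character minimum are assumptions.

```python
import hashlib

# Constructed sample corpus standing in for third-party breach data (not real
# dump contents): SHA-1 of each leaked password -> number of times it appeared.
BREACHED_SHA1 = {
    hashlib.sha1(pw.encode("utf-8")).hexdigest().upper(): count
    for pw, count in [
        ("password123", 120_000),
        ("letmein", 45_000),
        ("Summer2022!!", 3),
    ]
}

PREFIX_LEN = 5  # hex characters of the digest revealed to the lookup service


def range_query(prefix: str) -> list:
    """Simulated k-anonymity 'range' lookup, the pattern used by breach-check
    services: the caller sends only a short hash prefix and receives the
    suffixes (with counts) of every breached hash that shares it. The service
    never sees the full hash, so it cannot tell which password was checked."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return [(digest[PREFIX_LEN:], count)
            for digest, count in BREACHED_SHA1.items()
            if digest.startswith(prefix)]


def breach_count(password: str) -> int:
    """Return how often the password appears in breach data (0 = not found).
    The full digest stays on the client; only its prefix is sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in range_query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def validate_new_password(password: str, min_length: int = 12) -> tuple:
    """Policy gate run whenever a password is created or changed.
    Returns (accepted, reason). Length and breach thresholds are assumptions."""
    if len(password) < min_length:
        return False, "too short"
    count = breach_count(password)
    if count > 0:
        return False, ("exposed in a third-party breach (%d occurrences); "
                       "choose a different one" % count)
    return True, "ok"
```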

Our commitment to our customers' safety and security is always top of mind, and this update is another step toward making our customers' experience safer and easier. At Coinbase, we're proud to lead the way in providing the best security protections to all of our 98+ million users.

If you want to learn more about our password security measures, see this help center article.


Reinforcing our customers' account security with enhanced password protection was originally published in The Coinbase Blog on Medium.

The Ethereum Merge is Coming: Here’s what you need to know

Tl;dr: Ethereum is anticipated to move to Proof-of-Stake (PoS) on or around September 15, 2022 making it more secure, less energy-intensive, and better for implementing new scaling solutions. Rest assured, your assets will be safe and secure during this period and no action is required to upgrade on your part. The following piece outlines what you can expect from Coinbase ahead of The Merge.

By Armin Rezaiean-Asel, Product Manager at Coinbase

On August 10, 2022 Ethereum completed the Goerli public testnet merge — its final trial before making the migration from Proof-of-Work (PoW) to Proof-of-Stake (PoS)* on mainnet (also known as the Merge). Ethereum is now anticipated to complete the Merge on or around September 15, 2022 (TTD 58750000000000000000000). Six years in the making, this milestone will reduce energy consumption for the Ethereum network by a projected 99.95% compared to PoW.

With the rise of DeFi and NFTs, the Ethereum network has endured traffic bottlenecks and unpredictable spikes in transaction (gas) fees. Although PoS on its own does not lower transaction fees, it does set Ethereum up to continue delivering on its scalability roadmap.

At Coinbase, we view this event as a major step toward scaling adoption of the cryptoeconomy and will support it in a variety of ways that align with our mission to increase economic freedom in the world.

What does the Merge mean for Coinbase users?

During the Merge, Coinbase will briefly pause new Ethereum (ETH) and ERC-20 token deposits and withdrawals as a precautionary measure. Although the Merge is expected to be seamless from a user perspective, this downtime allows us to ensure that the transition has been successfully reflected by our systems. We do not expect any other networks or currencies to be impacted and expect no impact to trading for ETH and ERC-20 tokens across our centralized trading products.

You will be informed via Twitter and the status page when ETH and ERC-20 tokens are available for deposits and withdrawals.

It’s important to always be on high alert for scams, but especially leading up to the Merge. We recommend you don’t send your ETH to anyone in an attempt to “upgrade to ETH2” as there is no ETH2 token. Your assets will be safe and secure during this period and no action is required to upgrade on your part.

Once the Merge is complete, you can find your staked ETH (ETH2) balance under your Ethereum (ETH) wallet on the platform. Your staked ETH will be listed separately from any unstaked ETH or dapp wallet ETH balance you might be holding. As a reminder, ETH2 is the ticker Coinbase set ahead of the Merge to represent staked ETH and will no longer be used after the Merge — there is no ETH2 token.

Staked ETH (ETH2) balances won’t be unlocked at the time of the Merge or be available to trade or transfer until the Ethereum protocol upgrade completes. The upgrade is anticipated to be completed by early 2023.

For Coinbase Prime and Coinbase Exchange customers:

Coinbase Prime users with ETH and ERC-20 balances may experience temporary delays in custody withdrawal availability. We recommend initiating any withdrawals or deposits prior to this date, or after the Merge completes. We’ll send specific institutional customer communications before the transition to give our customers specific guidance on timing and SLAs during this time.

For Coinbase Cloud customers:

Customers running their staking or node infrastructure through Coinbase Cloud should expect to experience a routine upgrade with approximately 10 minutes of downtime in advance of the Merge. Customer infrastructure should experience little to no downtime when the Merge block is passed, and changes will be backwards compatible. Our Customer Success team will reach out to inform you of upgrade timelines and if any other actions are required to prepare you for the Merge.

For Coinbase Wallet users:

Coinbase Wallet users with ETH and ERC-20 balances, as well as NFTs or DeFi positions on the Ethereum network, should experience minimal to no impact. Assuming a successful transition, the network will remain operational, and users can continue to transact with their self-custodied crypto on the Ethereum mainnet once the transition is complete. As always, network fees will be set by the network based on demand, and as a reminder, Coinbase neither sets nor collects those fees.

For Coinbase Commerce customers:

During the Merge, we will temporarily pause the ability to process new payments as a precautionary measure to ensure that funds are protected. In-process payments will also be delayed. Once the Merge is complete, payment processing will be re-enabled. No action is required by users, and in-process payments will be confirmed at that time.

We aim to support the Merge with the least amount of friction possible for our users — without compromising on security. We’ll continue to provide updates on our Twitter and Statuspage as more information becomes available.

As a reminder, the Merge is the culmination of years of work by the Ethereum Foundation, independent researchers, client teams, infrastructure providers like Coinbase Cloud, and many others. At Coinbase, our role is to protect users’ assets and help ensure a seamless transition across Coinbase products. For Ethereum network specific information, you can follow the Ethereum Foundation Blog as well as the Ethereum network on Twitter.

*Proof-of-Work and Proof-of-Stake are the two main consensus mechanisms used to verify new blocks and add them to the blockchain. First pioneered by Bitcoin, PoW consensus mechanisms use mining to achieve these goals. On the other hand, popular PoS blockchains such as Cardano, Avalanche, Polkadot, and Solana utilize staking to achieve similar goals.


The Ethereum Merge is Coming: Here’s what you need to know was originally published in The Coinbase Blog on Medium.

USDC: The digital dollar for the global crypto economy

TL;DR: Coinbase believes crypto will be part of the solution for creating an open financial system that is both more efficient and more equitable. We co-founded the Centre Consortium in 2018 to invest in building USDC, and since then it has become the second largest stablecoin by market capitalization. We firmly believe that USDC will be a key component of a new financial paradigm, as it helps to bridge the gap between the worlds of crypto and fiat.

Stablecoins provide a bridge between the traditional financial system and the cryptoeconomy, allowing fiat currencies to exist in a form that can move more freely and more efficiently on blockchains. Unlike conventional payment methods, stablecoin payments require no centralized intermediary. We believe that stablecoins — USDC, most importantly — will be the foundation of a new era of innovation in financial services.

Why USDC?

Back in 2018, we co-founded the Centre Consortium to create the most trusted and reputable digital dollar. Stablecoins have many uses, from trading in digital asset markets to making payments. We launched USDC as a way to simplify these processes so that anyone can participate, continuing to drive towards our goal of economic freedom. Since then, we’ve built a suite of supporting products and systems to enable:

The value of many cryptocurrencies can fluctuate by the minute, so holding an asset like USDC gives buyers and sellers the stability and confidence they need in times of volatility. The stability of USDC comes from the fact that it is backed by one US dollar or an asset with equivalent fair value held in accounts with US regulated financial institutions¹ — the defining feature of a fiat-backed stablecoin (as opposed to a crypto-backed or algorithmic stablecoin). These accounts are attested to and verified publicly by an independent accounting firm. The market capitalization of USDC increased from $28 billion to $54 billion between August 2021 and August 2022,² which speaks to the confidence in USDC as a high quality liquid asset.

As an active member of the Centre Consortium, Coinbase is continuously developing our USDC product suite to grow the USDC ecosystem for our Retail, Institutional, and Developer customers.

The strength of USDC’s peg to the U.S. dollar, backed by high-quality reserves and with transparent disclosures, makes it a practical option for users who want to remain active in the crypto market during a downturn. We’ve already seen significant adoption of USDC for paired trading with other digital currencies on centralized exchanges, as well as usage in many DeFi protocols, where USDC’s reliability makes it an attractive collateral asset. The top four stablecoins, including USDC, account for almost 80% of centralized exchange trading volume.³ When we look to the future, there is even more untapped potential for stablecoins like USDC within mainstream commercial use cases:

  • Increased financial inclusion — Globally, 1.7 billion people do not have access to a bank account.⁴ In the United States, 5% of adults are unbanked and 13% are underbanked.⁵ USDC and other stablecoins have the potential to broaden access to financial services through reduced costs and increased efficiency. All that is required to participate in the crypto economy is internet access via smartphone or computer.
  • Faster and cheaper global money transfer — Transfers of stablecoins like USDC can settle in 30 minutes or less, whereas international transfers can take multiple business days. Cross-border transfers can also be prohibitively expensive using conventional methods. Coinbase supports cross-border transfers of digital assets on our platform, including USDC (and other stablecoins). These cross-border transfers can be made at far lower cost than the global average cost of cash transfers, which is closer to 7%.⁶
  • On-ramp to web3 — We believe USDC and other stablecoins will play an important role as the fiat onramp into the new web3 digital ecosystem, which will give users more control over their information, data, and digital footprint. DeFi protocols are emerging as part of this decentralization and have the potential to improve economic efficiency in areas like trading, insurance, automatic payments, saving, lending, and borrowing.
  • Payments to merchants — Stablecoin payments, including those for USDC, can be conducted on a public blockchain that enables peer-to-peer transfers and users can settle transactions near-instantaneously without an intermediary bank or financial institution to facilitate. The flexibility and low cost of USDC payment methods can benefit consumers and businesses by increasing the competitive pressure on incumbent systems.

USDC for Retail Customers

Customers can feel confident in the value of their digital assets and have the opportunity to earn rewards on their USDC held at Coinbase. Fast processing and low transaction fees make USDC an ideal option for sending money anywhere in the world. USDC is being adopted across multiple chains, fostering more growth for application development. It is quickly becoming the standard stablecoin not just on Ethereum where it originally launched, but across the blockchain ecosystem from Layer 1 networks to side chains to Layer 2 networks. When users purchase USDC on Coinbase, there is no fee and they can earn rewards on their holdings.

USDC for Institutions

Digital stablecoins like USDC have rapidly become foundational assets for trading firms and market makers. Stablecoins allow market participants to price assets in a common currency, settle almost instantaneously, and retain assets on-chain with less exposure to volatility. Coinbase Institutional enables firms to utilize USDC to participate in global crypto asset markets. We provide multi-chain support on Coinbase Exchange, no fees for USDC custody on Coinbase Prime, easy acquisition, and one-to-one conversion between USD and USDC on both platforms.

USDC for Developers

USDC has quickly become the most popular stablecoin in the web3 ecosystem with approximately 30% of the total supply spread between DeFi platforms and Decentralized Exchanges. Coinbase enables developers to utilize USDC for their dapps, services and protocols with multi-chain support, no fees for custody, and a frictionless acquisition path. We’re actively building out our developer tooling and see USDC as a key offering for dapps looking to secure stable revenue, which is why we’ve enabled acceptance of USDC via Coinbase Commerce and conversion of USD to USDC via Coinbase Pay.

We firmly believe that USDC and stablecoins built with the same framework can be the foundation for innovation in a new era of financial services. Visit coinbase.com or review our stablecoin whitepaper for more information on USDC. To start using a more efficient form of dollars, log into your Coinbase.com, Coinbase Prime, or Coinbase Exchange account. If you are an institutional client, you can also review our USDC overview documentation for Coinbase Prime and Coinbase Exchange.

¹ https://www.centre.io/usdc-transparency

² CoinGecko, USDC Market Capitalization Chart.

³ Data sourced from CryptoCompare, as of 30 June 2022.

⁴ a16z, State of Crypto (17 May 2022).

⁵ Board of Governors of the Federal Reserve System, Report on the Economic Well-Being of U.S. Households in 2020 (May 2021).

⁶ BIS, The journey so far: making cross-border remittances work for financial inclusion (15 June 2022).


USDC: The digital dollar for the global crypto economy was originally published in The Coinbase Blog on Medium.

Is the Bitcoin Lightning Network for real?

Around the Block from Coinbase Ventures sheds light on key trends in crypto. Written by Connor Dempsey & Sam Newman

In the 13 years of its existence, Bitcoin has risen from obscurity to $1 trillion highs, settling over $60 trillion in total transfer volume along the way.

Despite these feats, Bitcoin’s decentralized design limits it to a mere 7 transactions per second. When demand to use the network exceeds 7 transactions per second, users experience long wait times and, at the extreme, fees as high as $60 per transaction. Even with fees recently hovering between $1–2, the network remains unsuitable for buying that proverbial cup of coffee.

Enter the Lightning Network: a layer-2 protocol built on top of Bitcoin that can theoretically scale to millions of instant transactions per second that cost pennies to send. If it gains traction, it can even undercut the fees of giants like Visa and Mastercard, along with the entire global remittance market.

But will it?

Lightning 101

As with most layer-2 solutions, Lightning seeks to increase transaction throughput and lower costs while retaining sufficient decentralization by moving activity to a second network. Once BTC is on the Lightning network, it can be transacted instantly, typically for fractions of a penny.

Rather than expensively sending each transaction over the Bitcoin blockchain, users deposit BTC into the Lightning Network and then transact inexpensively through payment channels. As with most networks, the more people and companies that join, the more useful it becomes.

Obviously at <1 cent fees, Lightning transactions are cheaper than using the Bitcoin network. More intriguing however, is that Lightning has the potential to replace existing payment processors for fiat transactions without the consumer knowing that BTC was used as the underlying settlement layer. We’ll explain.

Disrupting the payment giants

Visa and Mastercard are the world’s dominant payment processing networks. By collecting 2–3% transaction fees every time someone swipes a debit or credit card, they pulled in $24B in 2021. Payment processors leveraging the Lightning Network could undercut that.

Let’s say you want to make a $100 payment to a merchant. Using your credit card would cost the merchant $3, which is then passed along to you via hidden costs. Now what if you converted $100 USD into BTC, transferred it over the Lightning network for less than a penny, and then converted the BTC back to $100 USD? A service called OpenNode leverages the Lightning Network to do just that, for a 1% fee. The same logic applies to the $40B global remittance fee market, which averages 6.4% per cross-border transaction.

However economic it may be to replace Visa/Mastercard and international remittance companies with Lightning, it’s easier said than done. The incumbents enjoy large network effects, and like any young network, Lightning faces a cold start problem.

So how’s adoption looking to date?

Lightning adoption

While the potential to disrupt the incumbents is there, current Lightning adoption is still tiny (but growing!). Arcane Research estimated that in Q1 2022, Lightning facilitated $20–30M in monthly payments. That’s a 4x YoY increase, but a far cry from the $866B Visa facilitates each month.

The main way that Lightning growth is measured is by “public node capacity” — essentially how much BTC is locked in public Lightning channels. An estimated 30% of channels are private, making it difficult to state the true value in the network. What we can see however, is that public capacity is growing.

When measured in USD, the network has taken a predictable hit with the overall BTC price decline. Encouragingly, however, the total amount of BTC in the network is hitting new all-time highs at over 4,500 BTC (around $100M).

More importantly, as adoption ticks upward, the ecosystem around Lightning is growing as well.

The Lightning stack

The Lightning protocol sits atop Bitcoin. On top of Lightning sits core infrastructure. On top of the core infrastructure are a growing number of payment and financial services, as well as consumer applications.

Core infrastructure consists of Lightning implementations and node & liquidity services. Lightning implementations are the software programs that individuals and businesses can run to connect to the Lightning network — the largest being Lightning Labs’ LND with 70% of the market (as of 2020). Node and liquidity services host hardware, provide user-friendly interfaces, and help manage Lightning payment channels (running your own node is complex).

Built on top of the core infrastructure are a range of payment and financial services as well as consumer apps. For example, Strike is built on an LND implementation that lets users buy and sell BTC, tip creators on Twitter, and allows Shopify merchants to accept BTC.

Also built on core infrastructure, are a growing number of budding consumer use cases. Mash, for example, aims to disrupt the creator subscription model via streaming micropayments — think paying your favorite Twitch streamers a couple cents each minute you watch, rather than buying a one-size-fits-all subscription. Zebedee uses Lightning to enable in-game economies that reward players with small amounts of Bitcoin.

Growing accessibility & momentum

As the Lightning ecosystem steadily grows, so has the access that users have to the network. Between Cash App’s Lightning integration and El Salvador’s rollout of the Chivo wallet, access has exploded from 10M to 80M users (the success of El Salvador’s rollout has been mixed, with research suggesting that only 5% of sales in the country use BTC).

26 exchanges support Lightning as well, with Kraken, Bitfinex, and Bitstamp being among the most prominent. Robinhood also recently announced an integration for 20M+ users, and P2P marketplace Paxful offers support for its 7M+ users. Users of these exchanges can instantly and inexpensively deposit and withdraw bitcoin to and from any Lightning wallet, increasing the speed and lowering the cost compared to a typical BTC transaction.

Funding is picking up as well with OpenNode raising a Series A at a $220M valuation and Lightning Labs raising $70M for its Series B. Notably, former head of Meta’s crypto initiative David Marcus’s Lightspark, raised a Series A at an undisclosed amount to build Lightning infrastructure for companies, developers, and merchants.

Hurdles to adoption

The potential, funding, and momentum are there; however, significant hurdles remain, principally the lack of developer tooling, limited demand for payment use cases, technical hurdles, onboarding challenges, and compliance and regulatory issues.

Developer tooling still needs to be built out to enable more user friendly applications. With most still treating BTC as an investment, we’re yet to see broad demand to use it for payments (use of Lightning rails for fiat payments remains a compelling opportunity). Despite progress from infrastructure companies, Lightning is still cumbersome for new users and merchants. Additionally, onboarding low income users in developing countries remains a major challenge to fulfilling the promise of Lightning remittances.

Lastly, the lack of compliance and regulatory frameworks limits the ability of existing payment and banking service providers to onboard and serve a global customer base.

Early days

After launching in 2018, it’s still early days for Lightning. With about $100M locked in the network, its size pales in comparison to Ethereum’s billion dollar layer-2 networks, Arbitrum and Optimism. Lightning payment activity, however, is more indicative of real world utility when compared to the more speculative activity driving much of the growth on smart contract platforms.

Humble beginnings aside, the potential to turn crypto’s most valuable asset into a true medium of exchange has the power to bring greater financial inclusion to anyone with a smartphone. The ability to cost effectively route fiat transactions over Lightning rails without users ever knowing they’re using Bitcoin can disrupt $150B+ a year industries.

What Visa/Mastercard is for fiat currencies, Lightning can be for Bitcoin. The combination of a universally accessible payment network atop the world’s first open-source protocol for money can help Bitcoin evolve into a true global reserve currency. Should it happen, look for developing countries with high inflation and more smartphones than bank accounts to lead the way.

When Coinbase?

This article should not be construed as an indication that Coinbase has imminent plans to add support for Lightning. Rather, a few employees at the company simply found its potential compelling enough to research, write, and share.

With that said, it’s hard not to be encouraged by the growth that the Lightning Network is showing — particularly over the past six months. It’s noteworthy that this growth is coming in a bear market, where Bitcoin fees are relatively low. In a future bull market, we could see Lightning activity spike as fees on the base chain rise, sending users looking for cheaper ways to transact.

If growth of the Lightning Network continues, it will have major implications on the future utility and value of the world’s oldest and most valuable digital asset.

H/T Nick Prince, Kevin Choe, and Yash Parikh for also helping inform this article.

For deeper reading on the Lightning Network, check out:

This website does not disclose material nonpublic information pertaining to Coinbase or Coinbase Venture’s portfolio companies.

Disclaimer: The opinions expressed on this website are those of the authors who may be associated persons of Coinbase, Inc., or its affiliates (“Coinbase”) and who do not represent the views, opinions and positions of Coinbase. Information is provided for general educational purposes only and is not intended to constitute investment or other advice on financial products. Coinbase makes no representations as to the accuracy, completeness, timeliness, suitability, or validity of any information on this website and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. Unless otherwise noted, all images provided herein are the property of Coinbase. This website contains links to third-party websites or other content for information purposes only. Third-party websites are not under the control of Coinbase, and Coinbase is not responsible for their contents. The inclusion of any link does not imply endorsement, approval or recommendation by Coinbase of the site or any association with its operators.


Is the Bitcoin Lightning Network for real? was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Nomad Bridge incident analysis

Tl;dr: Building a better crypto ecosystem means building a better, more equitable future for us all. That’s why we are investing in the larger community to make sure anyone who wants to participate in the crypto economy can do so in a secure way. In this blog post, we share lessons about the nature of the vulnerability, exploitation methodology, as well as on-chain analysis of attacker behavior during the Nomad Bridge incident.

While the Nomad bridge compromise does not directly affect Coinbase, we strongly believe that attacks on any crypto business are bad for the industry as a whole and hope the information in the blog will help strengthen and inform similar projects about threats and techniques used by malicious actors.

By: Peter Kacherginsky, Threat Intelligence and Heidi Wilder, Special Investigations

On August 1, 2022 Nomad Bridge suffered the fourth largest DeFi hack, with more than $186M stolen in just a few hours. As we described in our recent blog post, from the $540M Ronin Bridge compromise in March to the $250M Wormhole bridge hack in February of 2022, it is no coincidence that DeFi bridges account for some of the costliest incidents in our industry.

What makes the Nomad Bridge compromise unique is the simplicity of the exploit and the sheer number of individuals taking advantage of it to empty all stored assets piece by piece.

Vulnerability Analysis

Nomad is a bridging protocol supporting Ethereum, Moonbeam, and other chains. Nomad’s bridging protocol is built using both on-chain and off-chain components. On-chain smart contracts are used to collect and distribute bridged funds while off-chain agents relay and verify messages between different blockchains. Each blockchain deploys a Replica contract which validates and stores messages in a Merkle tree structure. Messages can be validated by either providing proof with the proveAndProcess() call or for already verified messages they can be simply submitted with the process() call. Verified messages are forwarded to a Bridge handler (e.g. ERC20 Router) which can distribute bridged assets.

On April 21, 2022 Nomad deployed a Replica proxy contract to handle processing and validation of users’ claims of bridged assets. This proxy would allow Nomad to easily change implementation logic while retaining storage across upgrades. As part of the proxy deployment, Nomad set initial contract parameters defined in the snippet below:

Notice the highlighted confirmAt map assignment which sets an initial entry for the trusted _committedRoot to the value of 1. The variable _committedRoot is provided as an initialization parameter by Nomad’s contract deployer. Let’s see what it was set to during the initialization:

Interestingly, the initialization parameter _committedRoot was set to 0. As a result, the confirmAt map has held a value of 1 for the 0 entry from April to this day:

On June 21, 2022, Nomad performed a series of upgrades to its bridging infrastructure including the Replica implementation. One of the changes included updates to the message verification logic in the process() function:

The message verification flow now includes a call to the acceptableRoot() method, which in turn references the confirmAt map mentioned above:

The vulnerability appears in a scenario when fraudulent messages, not present in the trusted messages[] map, are sent directly to the process() method. In this scenario messages[_messageHash] returns a default null value for non-existent entries so the acceptableRoot() method is called as follows:

In turn, the acceptableRoot() method will perform a lookup against confirmAt[] map with a null value as follows:

As we mentioned at the beginning of this section, the confirmAt[] map has an entry defined for the null (0x0) root, so acceptableRoot() returns true and the fraudulent message is authorized.
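To make the control flow above concrete, here is a simplified Python model of the Replica root check written for this write-up (it is not Nomad's Solidity code and uses sha256 in place of keccak256, which plays no part in the flaw). It shows the vulnerable path, where an unproven message resolves to the zero root that confirmAt[] trusts, next to a hardened variant that refuses to trust the zero root and requires a proof before the root check:

```python
import hashlib

ZERO32 = bytes(32)  # the zero bytes32 value an unset Solidity mapping returns


def message_hash(message: bytes) -> bytes:
    # Nomad keys messages[] by keccak256; this model uses sha256 because the
    # choice of hash function has no bearing on the logic flaw (assumption).
    return hashlib.sha256(message).digest()


class VulnerableReplica:
    """Mirrors only the root-check logic described above."""

    def __init__(self, committed_root: bytes, now: int) -> None:
        self.now = now  # stands in for block.timestamp
        # confirmAt[_committedRoot] = 1, exactly as the initializer did.
        self.confirm_at: dict[bytes, int] = {committed_root: 1}
        # messages[hash] = root established by proveAndProcess(); unset reads as 0.
        self.messages: dict[bytes, bytes] = {}
        self.processed: list[bytes] = []

    def prove(self, message: bytes, root: bytes) -> None:
        """Record the root that a valid Merkle proof established for a message."""
        self.messages[message_hash(message)] = root

    def acceptable_root(self, root: bytes) -> bool:
        """Same shape as acceptableRoot(): a root with confirmAt == 0 is rejected,
        otherwise it is acceptable once the confirmation time has passed."""
        confirm_at = self.confirm_at.get(root, 0)
        if confirm_at == 0:
            return False
        return self.now >= confirm_at

    def process(self, message: bytes) -> bool:
        # An unknown message makes messages[] return the zero root...
        root = self.messages.get(message_hash(message), ZERO32)
        # ...and confirmAt[ZERO32] == 1 makes that root acceptable.
        if not self.acceptable_root(root):
            return False
        self.processed.append(message)
        return True


class HardenedReplica(VulnerableReplica):
    """Two independent fixes: never confirm the zero root, and never let an
    unproven message reach the root check at all."""

    def __init__(self, committed_root: bytes, now: int) -> None:
        super().__init__(committed_root, now)
        if committed_root == ZERO32:
            # Do not mint a trusted entry for the "never proven" sentinel.
            self.confirm_at.pop(ZERO32, None)

    def process(self, message: bytes) -> bool:
        if message_hash(message) not in self.messages:
            return False  # proveAndProcess() must come first
        return super().process(message)


def demo() -> dict[str, bool]:
    """Run a forged and a proven message through both models."""
    forged = b"constructed transfer message never proven on this replica"
    legit = b"constructed transfer message with a valid proof"
    real_root = hashlib.sha256(b"constructed merkle root").digest()

    vulnerable = VulnerableReplica(committed_root=ZERO32, now=1_659_000_000)
    hardened = HardenedReplica(committed_root=ZERO32, now=1_659_000_000)
    for replica in (vulnerable, hardened):
        replica.confirm_at[real_root] = 1_658_000_000  # root confirmed in the past
        replica.prove(legit, real_root)

    return {
        "vulnerable_accepts_forged": vulnerable.process(forged),
        "vulnerable_accepts_legit": vulnerable.process(legit),
        "hardened_accepts_forged": hardened.process(forged),
        "hardened_accepts_legit": hardened.process(legit),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```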

Exploit Analysis

The exploit takes advantage of the above vulnerability by crafting a message which tricks Nomad bridge into sending stored tokens without proper authorization. Below is a sample process() payload in a transaction submitted by 0xb5c5…590e:

The Replica message has the following structure:

The recipient specific _messageBody contains transaction data to be processed by the _recipient. Nomad recipients accept several transaction and message types, but we will focus on the transfer type:

Decoding the above payload illustrates how 0xb5c55f76f90cc528b2609109ca14d8d84593590e was able to steal 100 WBTC by submitting a specially crafted payload to bypass Nomad’s message checks.

In order to better understand the root cause of the exploit, we developed a PoC demonstrating that the bridge's entire balance of a token could be drained in just a few transactions:

While writing a PoC we found it curious that attackers chose to extract funds in smaller increments when they could have drained the whole amount in a single transaction. This is likely due to the attackers not crafting bridge messages from scratch, but instead replaying existing transactions with patched receiving addresses.

On-Chain Analysis

Over $186M in ERC-20 tokens were stolen from the Nomad Bridge between August 1, 2022 at 21:32 UTC and August 2, 2022 at 05:49 UTC. By volume, the stolen tokens were primarily USDC, followed by WETH, WBTC, and CQT. Within the first hour of the exploit, only WBTC and WETH were stolen, followed by several other ERC-20s.

Source: Dune Dashboard

In analyzing the blockchain data, we see that there were various addresses piggybacking off of the original exploiters and using almost identical input data with modified recipient addresses in order to siphon off the same token for the same amount. Once the WBTC contract was mostly drained, the attackers then went on to drain the WETH contract, and so on.

Further analyzing the first attackers in block 15259101, we find that the initial two attacker addresses leveraged a helper contract to obfuscate the exact exploit. Unfortunately, within that same block, several indexes down, another exploiter address seems to have struggled interacting with the helper contract and decided to bypass it, publicly exposing the exploit input data in the process. Other addresses in the same and later blocks then followed suit and used almost identical payloads to conduct the exploit.

Following the initial exploitation, and due to the ease of triggering the exploit, hundreds of copycats joined a massive exploitation of a single contract. While analyzing the payloads of various future attackers, we found that there was not only the reuse of the same tokens being bridged over and the same amounts, but also that funds were consistently being “bridged” from Moonbeam just like the original exploit.

The attack happened in three stages: the vulnerability testing a day prior to the attack, the initial exploit targeting WBTC stored on the bridge, and the copycat stage involving hundreds of unique addresses. Let’s dive into each of these, including the partial return of stolen assets.

Vulnerability Testing

Throughout July 31, 2022, bitliq[.]eth was observed triggering the vulnerability using small amounts of WBTC and other tokens. For example, on Jul-31–2022 11:19:39 AM +UTC the address sent a transaction to the process() method on the Ethereum blockchain with the following payload:

0x617661780000000000000000000000005e5ea959686c73ed32c1bc71892f7f317d13a267000000390065746800000000000000000000000088a69b4e698a4b090df6cf5bd7b2d47325ad30a36176617800000000000000000000000050b7545627a5162f82a992c33b87adc75187b21803000000000000000000000000a8c83b1b30291a3a1a118058b5445cc83041cd9d000000000000000000000000000000000000000000000000000000000000f6088a36a47f8e81af64c44b079c42742190bbb402efb94e91c9515388af4c0669eb

The payload can be decoded as follows:

  • Originating chain: “avax”
  • Destination chain: “eth”
  • Recipient: a8c83b1b30291a3a1a118058b5445cc83041cd9d (bitliq[.]eth)
  • Token Address: 0x50b7545627a5162F82A992c33b87aDc75187B218 (WBTC.e on Avalanche)
  • Amount: 0.00062984 BTC

This corresponds to 0.00062984 BTC transaction sent to the bridge on the Avalanche chain.

The payload was sent using the process() method as opposed to the more common proveAndProcess(), and it was not present in the messages[] map prior to execution in block 15249928:

$ cast call 0x5d94309e5a0090b165fa4181519701637b6daeba "messages(bytes32)" "bc0f99a3ac1593c73dbbfe9e8dd29c749d8e1791cbe7f3e13d9ffd3ddea57284" --rpc-url $MAINNET_RPC_URL --block 15249928
0x0000000000000000000000000000000000000000000000000000000000000000

The transaction succeeded even without the necessary proof because it triggered the vulnerability in the acceptableRoot() method, which was supplied with a 0x0 root hash value, as illustrated in the debugger below:

Source: Tenderly Debugger

Messages not present in the messages[] storage can be validated using the proveAndProcess() method; however, since the address called process() directly, it triggered the vulnerability.

Interestingly enough, it seems that bitliq[.]eth was also likely testing the ERC-20 bridge contract an hour prior to the exploit and bridged 0.01 WBTC to Moonbeam. [Tx]

Initial Exploitation

Active exploitation started on August 1, 2022 all within the same block 15259101 and resulted in combined theft of 400 BTC.

All four transactions used identical exploit payloads with the exception of a recipient address as described in the Vulnerability section above:

0x6265616d000000000000000000000000d3dfd3ede74e0dcebc1aa685e151332857efce2d000013d60065746800000000000000000000000088a69b4e698a4b090df6cf5bd7b2d47325ad30a3006574680000000000000000000000002260fac5e5542a773aa44fbcfedf7c193bc2c59903000000000000000000000000f57113d8f6ff35747737f026fe0b37d4d7f4277700000000000000000000000000000000000000000000000000000002540be400e6e85ded018819209cfb948d074cb65de145734b5b0852e4a5db25cac2b8c39a

Some observations on the above:

  • The first three addresses were funded by Tornado Cash and have been actively transacting with each other which indicates a single actor group.
  • Unlike the first two exploit transactions, 0xb5c5…590e and bitliq[.]eth sent the exploit payload directly to the contract, without using flashbots to hide it from the public mempool.
  • bitliq[.]eth replayed an earlier exploit transaction in the same block 15259101 as 0xb5c5…590e indicating either prior knowledge of the exploit or learning about 0xb1fe…ae28 from the mempool.
  • All four transactions used identical payloads, each stealing 100 WBTC at a time.

Copycats

In total, 88% of addresses conducting the exploits were identified as copycats and together they stole about $88M in tokens from the bridge.

The majority of copycats used a variation of the original exploit, simply modifying the targeted tokens, amounts, and recipient addresses. We can classify unique payloads by grouping them by the contracts they call and the 4-byte method selectors invoked, as illustrated below:

Based on our analysis, more than 88% of unique addresses called the vulnerable contract directly using the 928bc4b2 function identifier which corresponds to the process(bytes) method used in the original exploit. The remainder perform the same call using intermediary contracts such as 1cff79cd which is the execute(address,bytes) method, batching multiple process() transactions together, and other minor variations.

Following the initial compromise, the original exploiters had to compete against hundreds of copycats:

While the majority of valuable tokens were claimed by just two of the original exploiters’ addresses, hundreds of others were able to claim part of the bridge’s holdings:

Below is a chart showing the tokens stolen over time in USD. It becomes apparent that the exploiters were going token by token as they were draining the bridge.

The Great Return

To date, 12% of the funds stolen from the Nomad Bridge contract has been returned, including partial returns. The majority of the returns took place in the hours following Nomad Bridge’s request to send funds to the recovery address on August 3, 2022. [TweetTx]

Below is a breakdown of the funds returned, which includes ETH and various other tokens, some of which were never even on the bridge:

Funds continue to be sent back to the bridge’s recovery address, albeit more slowly in the recent days than when the address was initially posted:

The majority of returned funds appear to be in USDC, followed by DAI, CQT, WETH, and WBTC. This is notably different from the breakdown of the tokens exploited, because the original exploiters primarily drained the bridge of WBTC and WETH. Unlike later-stage exploiters, these exploiters moved funds onwards with no intent to return them.

Interestingly, one of the original exploiters, bitliq[.]eth, has returned only 100 ETH to the bridge contract, but has begun cashing out the rest of their proceeds through renBTC and burning it in exchange for BTC.

Categorizing the “exploiters”

When assessing the Nomad Bridge exploiters, the attackers were categorized into the following buckets:

  • Black hats: Those that don’t return funds and continue moving them onwards.
  • White hats: Those that fully send funds back to the recovery addresses
  • Please note that while we are using the term white hat for explanatory purposes here, the initial taking of the funds was not authorized and is not an activity we would endorse.
  • Grey hats: Those that partially send funds back to the recovery addresses.
  • Unknown unknowns: Those that have yet to move funds.

Approximately 24% of funds continue to sit untouched. We suspect these are either attackers waiting out the heat or shrewd degens holding out for a bounty from Nomad. However, the largest volume of funds has moved onwards. As of August 5, we estimate that ~64% has moved onwards.

To stay up to date with the latest in terms of the funds returned, check out this dashboard.

Delving Into the Blackhats

Of those funds that have moved onwards, we have identified several large rings of addresses that all commingle funds. In particular, one cluster of addresses seems to have amassed over $62M in volume. Interestingly, one address within this cluster was the first address to have conducted the exploit [tx hash].

To date, we primarily see these rings following one of the below patterns:

  • MEV bot activity
  • Commingle and hold on to wait out the heat
  • Swapping funds and eventually returning a partial amount of funds to the recovery address
  • Swapping funds and investing in DeFi projects or cashing out at various CEXs
  • Moving funds through Tornado Cash

Below is an example of how some addresses have begun moving funds through Tornado Cash, which as of August 8, 2022, is a sanctioned entity.

Beware of Scams

Several white hats have already returned over 10% of funds to the bridge contract. However, this wasn’t without hiccups.

Originally, the Nomad team posted, both on Twitter and on the blockchain, the Ethereum address to which any exploited funds should be sent.

However, scammers cleverly followed suit and set up various fraudulent ENS domains to pose as the Nomad team, requesting that funds be sent to vanity addresses sharing the same initial characters as the legitimate recovery address.

For example, below is a message sent by one of the scammers. Note the fraudulent recovery address, the ENS domain, and the 10% bounty offer. Nomad has since offered that white hats may claim 10% of exploited proceeds. [Tx]

Protecting Yourself

While most contracts are audited extensively by various blockchain auditors, contracts may still contain yet-to-be-discovered vulnerabilities. If you want to provide liquidity to a particular protocol or bridge funds, here are some tips to keep in mind:

  • When supplying liquidity, don’t keep all of your funds on one protocol or stored in the bridge.
  • Make sure to regularly review and revoke any contract approvals you don’t actively need.
  • Stay up to date with security intelligence feeds to track protocols you’ve invested in.

Coinbase is committed to improving our security and the wider industry’s security, as well as protecting our users. We believe that exploits like these can be mitigated and ultimately prevented. Besides making codebases open source for the public to review, we recommend frequent protocol audits, bug bounty programs, and active engagement with security researchers. Although this exploit was a difficult learning experience, we believe that understanding how it occurred can only help further mature our young industry.

References

Indicators

Initial exploiters:


See Dune Dashboard for a complete listing of exploiter addresses, transactions, and live status of stolen assets.




Coinbase selected by BlackRock; provide Aladdin clients access to crypto trading and custody via Coinbase Prime

Tl;dr: Coinbase and BlackRock to create new access points for institutional crypto adoption by connecting Coinbase Prime and Aladdin

By Brett Tejpaul, Head of Coinbase Institutional and Greg Tusar, Vice President, Institutional Product

Over the past few years, Coinbase has played a central role in developing and strengthening crypto markets as the safest, most trusted bridge to the cryptoeconomy. Today marks an exciting next step on our journey as we announce that Coinbase is partnering with BlackRock, the world’s largest asset manager, to provide institutional clients of Aladdin®, BlackRock’s end-to-end investment management platform, with direct access to crypto, starting with bitcoin, through connectivity with Coinbase Prime. Coinbase Prime will provide crypto trading, custody, prime brokerage, and reporting capabilities to Aladdin’s Institutional client base who are also clients of Coinbase.

Built for institutions, Coinbase Prime integrates advanced agency trading, custody, prime financing, staking, and staking infrastructure, data, and reporting that supports the entire transaction lifecycle. We combine these capabilities with leading security, insurance, and compliance practices to provide institutional clients of Coinbase with a full-service platform to access crypto markets at scale. Coinbase’s clients include hedge funds, asset allocators, financial institutions, corporate treasuries and other institutions.

Our scale, experience and integrated product offering represented what BlackRock believes to be a logical partner for Aladdin.

“Our institutional clients are increasingly interested in gaining exposure to digital asset markets and are focused on how to efficiently manage the operational lifecycle of these assets,” said Joseph Chalom, Global Head of Strategic Ecosystem Partnerships at BlackRock. “This connectivity with Aladdin will allow clients to manage their bitcoin exposures directly in their existing portfolio management and trading workflows for a whole portfolio view of risk across asset classes.”

The Coinbase partnership between BlackRock and Aladdin is an exciting milestone for our firm. As the trusted partner enabling institutions to participate and transact in the cryptoeconomy, we are committed to pushing the industry forward and creating new access points as institutional crypto adoption continues to rapidly accelerate. We are honored to partner with an industry leader and look forward to furthering Coinbase’s goal of providing greater access and transparency to crypto.

BlackRock and Coinbase will continue to progress the platform integration and will roll out functionality in phases to interested clients. Access is available for institutions contracted with both Aladdin and Coinbase. To gain access or learn more about the capabilities, please reach out to aladdinpartnership@coinbase.com.

About Coinbase Prime

Coinbase Prime is the leading institutional prime broker platform for crypto assets, trusted by over 13,000 institutional clients.

Coinbase Prime is a fully integrated platform built specifically for institutions to support the entire transaction lifecycle including advanced multi-venue agency trade execution for 200 assets, custody for more than 300 assets, prime financing, staking and staking infrastructure, data and analytics, and reporting.

Institutions can access Coinbase Prime directly via a user interface or as an integrated platform via APIs to offer crypto related products such as ETPs and ETFs, custodial solutions, or brokerage for institutional, private wealth, and retail clients.

Coinbase Prime’s custodian, Coinbase Custody Trust Company, is a qualified custodian and a New York limited purpose trust company regulated by the New York Department of Financial Services. Coinbase Custody Trust Company is a fiduciary under New York state banking law.

To learn more about Coinbase Institutional’s solutions, including more information about Coinbase Prime, click here.

Disclaimer: This content is intended for informational purposes only, and does not constitute the provision of investment advice. For more information, please visit www.coinbase.com.



Coinbase Prime grows its staking offering with ETH

Tl;dr: We’re launching Ethereum staking for US domestic institutional clients on Coinbase Prime. Using our industry-leading cold storage, clients can now generate yield by staking ETH.

By Aaron Schnarch, Vice President of Product, Custody

Fully-integrated staking on Coinbase Prime

Coinbase Prime provides institutions with an end-to-end staking experience. Clients can create a wallet, decide how much to stake, and initiate staking from the ETH asset page on their Coinbase Prime account.

Securing client funds is our highest priority. We hold withdrawal keys in our cold storage custody vault at all times, meaning staked ETH and accumulated yield are always safe. To further ensure the security of client accounts, staking transactions must first complete consensus before they are executed.

ETH vs ETH2

The term eth2 has been used frequently to describe an upgrade to the Ethereum network that aims to improve the network’s security and scalability. This upgrade involves a shift in Ethereum’s security model from mining (“Proof-of-Work”) to staking (“Proof-of-Stake”).

Once a client stakes their ETH, our system uses the ticker ETH2 to represent those staked ETH tokens. Note that there is no separate/new “eth2” token or asset. The price of ETH and ETH2 is identical. Once the upgrade to the Ethereum network is complete, the tickers ETH and ETH2 will merge into a single ticker: ETH. The merge is currently expected to occur in September 2022, so moving forward you likely will see the term ETH2 fall into disuse.

Why institutions are staking

Staking can offer passive income on assets already held in custody by providing useful work in the form of security to the underlying blockchain. The Ethereum blockchain rewards stakers that do a good job, but also punishes those that fail in their duties, for example by having downtime. This is why it’s important to stake with a reputable and effective provider to earn maximal rewards while minimizing risk.

Staking rewards for most assets can be thought of similarly to compound interest, not unlike in traditional markets when dividends are reinvested. Because staking rewards are paid in the token being staked, users may “reinvest” those tokens to receive a higher payout at the next period. Furthermore, staked tokens are typically stored within their respective wallets, meaning that users earn yield without rehypothecation.

Staking on Coinbase Prime

With Coinbase Prime, institutional customers have the ability to stake their ETH and a number of other assets to begin generating yield. Staking is also supported for Solana, Polkadot, Cosmos, Tezos, Celo, and more. Read more about institutional staking in our Staking 101 for Institutions article.



Introducing Coinbase Security Prompt — a safer and easier way of signing into Coinbase


Siyu Liu, Senior Product Manager; Chetan Rane, Product Manager

Tl;dr: We are excited to introduce the Coinbase Security Prompt: a faster and safer way for our users to verify their identity and activities when interacting with the Coinbase ecosystem.


At Coinbase, we believe that our users need to have access to the best security possible without sacrificing ease and convenience. Providing a safe, secure, and easy-to-use platform that users trust is our continuous commitment to all of our current and future customers. That’s why we require all Coinbase accounts to use 2-Factor Authentication (2FA). 2FA is a security layer on top of username and password. Accounts with 2FA enabled require users to provide their password (first “factor”) and a 2FA code (second “factor”) when signing in. While Coinbase offers both hardware key and authenticator app support on both web and mobile for 2FA, many customers appreciate the convenience of SMS.

Thinking about that, we’re now going one step further in keeping our users’ accounts secure via Coinbase Security Prompt, a simpler, faster and safer 2FA method that improves overall account security. How? Instead of sending an SMS code, the new Coinbase Security Prompt sends users a push notification to their Coinbase mobile app, asking if they are trying to sign in. Now with Coinbase Security Prompts, users can authenticate a login action with a simple tap on their phone:

Our customers will automatically have stronger security without losing the ease and convenience of using their phones, from anywhere. Security Prompt is resilient against SIM swap attacks because it removes the mobile carrier as an intermediary from the authentication process. It also reduces the risk of phishing attacks by providing detailed information about where the request is coming from, such as the location or browser type.

Starting in July through the rest of 2022, all of our eligible* users will gradually start to be automatically enrolled to complete their 2FA via Security Prompts. Users who are still receiving SMS codes as their 2FA method can get access to Coinbase Security Prompts by downloading the Coinbase app.

*Eligible users are those who have an active mobile login session, are trying to log in from a second device, and are using our latest Coinbase app version.



Security PSA: Search engine phishing

Tl;dr: Search engine phishing exploits the trust we have in search engines and the convenience of searching for something rather than remembering the domain. The following piece outlines what search engine phishing attacks may look like and how Coinbase users can avoid them.

By Coinbase Security Team

How do you log in to Coinbase? If you’re like many people, you open your preferred browser and type “Coinbase” or “Coinbase login” in the address bar. You expect to get results like this:

But sometimes you may get results like this:

The second set of screenshots shows an example of phishing links. This is called search engine phishing, and it has become a trend among attackers targeting Coinbase accounts.

When most people think of phishing, email or SMS phishing comes to mind. However, phishing can take many forms. Search engine phishing exploits the trust we have in search engines and the convenience of searching for something rather than remembering the domain.

We all do it, but this opens us up to potential search engine phishing attacks if we are not diligent about checking our links and protecting ourselves online. Here are some tips to prevent this from happening to you:

Double-check our naming conventions

Coinbase uses a uniform naming convention for our websites and pages. The convention follows this pattern: [page].coinbase.com. For example, here are some of our pages:

One way to avoid this type of scam is to bookmark the above Coinbase pages that you frequent. Bookmarking removes the need to search for, or manually type, a domain name. Here is a quick tutorial on how to create bookmarks in the most popular browsers.

Know common scam naming conventions

It takes a good amount of work for anyone to get their website ranked high in search engine results. This is called Search Engine Optimization (SEO), which is the process of improving the traffic from search engines to a website. Some website services, including Google Sites and Microsoft Azure, offer built-in SEO functionality.

As seen in the screenshots above, attackers tend to exploit website services like Google Sites and Microsoft Azure, building a false sense of trust in the phishing link. The naming conventions might follow a pattern like one of the following:

sites.google.com/[phishingpage].com
[phishingpage].azurewebsites.net

These phishing websites will typically then redirect to another phishing page after a victim clicks a button on the site. The redirect will take the victim to a second phishing page where the actual phishing attack happens. Using a second phishing site is a way for attackers to protect the first phishing site and maintain its SEO ranking. So, be aware of redirects as an indication that you may be visiting a phishing website. A typical flow may look like this:

Look for these red flags

Here are some indicators you can look for to protect yourself from search engine phishing:

  • Does the naming convention of the search result follow this pattern: [page].coinbase.com? If not, it is likely a phishing page.
  • When you click on a search result, are you redirected to a website with a different domain than what you expected? If so, it is likely a phishing page.
  • When you click on a search result, does the website look different than the last time you logged in to Coinbase? If so, this could be a phishing page which is using an older version of our website theme.
  • When you visit the website from the search results and click on a button, are you redirected to a website with a different domain than the first page? If so, it is likely a phishing page.
  • After you enter your credentials, are you prompted to call Coinbase because of some sort of error? Does a live chat box automatically open? This tactic is commonly paired with phishing attacks and is known as a “support scam” attack.
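The first, second and fourth red flags above can be checked mechanically. The Python below is an added example (not Coinbase tooling) that tests a search-result URL against the [page].coinbase.com convention, recognises the hosting platforms named above, and flags a redirect chain that leaves the domain the user started on; the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosting platforms named above as commonly abused for lookalike pages.
ABUSED_HOST_EXACT = {"sites.google.com"}
ABUSED_HOST_SUFFIXES = (".azurewebsites.net",)


def hostname(url: str) -> str:
    """Lower-cased host of a URL, or "" when the URL has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def matches_coinbase_convention(host: str) -> bool:
    """True only for coinbase.com itself or exactly one label in front of it
    ([page].coinbase.com). A substring or suffix test would wrongly accept
    hosts such as secure-coinbase.com or coinbase.com.example.net."""
    labels = host.split(".")
    return labels[-2:] == ["coinbase", "com"] and len(labels) in (2, 3)


def classify(url: str) -> str:
    """Bucket a search-result link by the indicators described in this post."""
    host = hostname(url)
    if matches_coinbase_convention(host):
        return "expected-coinbase-pattern"
    if host in ABUSED_HOST_EXACT or host.endswith(ABUSED_HOST_SUFFIXES):
        return "hosted-on-abused-platform"
    if "coinbase" in host:
        return "lookalike-domain"
    return "unrelated"


def redirect_red_flags(chain: list[str]) -> list[str]:
    """Given the URLs visited in order (search result, landing page, page after a
    click), report every hop that moves to a different site than the first one.
    Moving between coinbase.com pages (same last two labels) is not flagged."""
    start = hostname(chain[0])
    flags = []
    for url in chain[1:]:
        host = hostname(url)
        if host.split(".")[-2:] != start.split(".")[-2:]:
            flags.append(f"redirected from {start} to {host}")
    return flags


if __name__ == "__main__":
    # Constructed sample links, not real search results.
    for sample in (
        "https://login.coinbase.com/signin",
        "https://sites.google.com/view/coinbase-login",
        "https://coinbase-login.azurewebsites.net/",
        "https://coinbase.com.example.net/login",
    ):
        print(f"{classify(sample):26} {sample}")
    print(redirect_red_flags([
        "https://sites.google.com/view/coinbase-login",
        "https://coinbase-login.azurewebsites.net/",
    ]))
```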

Here is an example of what a scam error may look like and a live chat box which may follow the error:

Remember, think before you click! Our US support phone number is 1–888–908–7930 and you can find other ways to contact us at help.coinbase.com. If you are suspicious of activity on a “Coinbase” website, go to our Help page and initiate a conversation there with our Support team.

We are constantly monitoring the internet to identify phishing domains and take them down, but we need your help. Please help us by reporting any suspicious domains to security@coinbase.com.

