The Coinbase "migrate your wallet" email hands you a recovery phrase the scammer already owns
An email titled "Migrate to Coinbase Wallet" says a court order forces Coinbase to move everyone to self-custody, and it helpfully gives you a recovery phrase to write down. That phrase is not yours. It was generated by the attacker, so the instant you fund the new wallet, they drain it. Coinbase has said plainly: it will never send you a recovery phrase.
Is the "Migrate to Coinbase Wallet" email real?
Verdict: no, the "Migrate to Coinbase Wallet" email is a phishing scam, and the recovery phrase it gives you belongs to the attacker. The email invents a court order or class-action lawsuit and claims Coinbase must move all assets into a self-custodial wallet. It then supplies a ready-made "recovery phrase" and tells you to import it and transfer your crypto in. Because the scammer generated that phrase, they can rebuild the wallet on their own device and empty it the moment funds arrive. The one rule that ends it: Coinbase never sends you a recovery phrase, and you should never import a phrase given to you by anyone. Reach Coinbase only at coinbase.com.
What the email actually says
The message is calm and bureaucratic, which is what makes it dangerous. The subject line reads "Migrate to Coinbase Wallet." The body tells a legal-sounding story: following a class-action lawsuit over "unregistered securities and unlicensed operations," a court has supposedly mandated that users take custody of their own funds. Coinbase, it claims, will now operate only as a registered broker for buying and selling, so "all assets must move to Coinbase Wallet" by a stated date.
Then comes the hook, delivered as a favor: "Your unique recovery phrase below is your Coinbase Identity. It grants access to your funds. Write it down and store it securely." A neat block of twelve or twenty-four words follows. The email frames this as Coinbase setting up your new self-custody wallet for you. You just have to import the phrase into the real Coinbase Wallet app and move your coins over.
Every part of that story is fabricated. There is no court order forcing Coinbase to hand users a pre-made seed phrase by email. Coinbase is not shutting down custody and mailing everyone a recovery phrase. The lawsuit framing exists only to make a strange request feel official and urgent.
The trick: they give you the keys, not steal them
This is what makes the scam sharper than a normal phishing email. Most crypto phishing tries to take your recovery phrase, which trained users have learned to guard. This one does the opposite. It gives you a recovery phrase and asks you to use it.
A recovery phrase is the wallet. Whoever knows those words controls every coin in the wallet they unlock, on any device, forever. The attacker generated this phrase in advance, wrote down their own copy, and then sent it out on a mass mailing list. When a victim imports it into a genuine wallet app and deposits Bitcoin, Ether, or USDC, they are funding an account the scammer can open at will. There is no hack, no malware, no login to steal. You are handed a shared safe and told it is yours, and the attacker simply reaches in.
Because the wallet app is real (the official Coinbase Wallet, or MetaMask, or any legitimate wallet) nothing looks wrong. The app never warns you, because importing a valid phrase is a normal action. The betrayal is baked into where the phrase came from, and by the time funds move, it is already too late.
Stop the fake Coinbase migration page before you import a seed
SafeBrowz is a free browser extension for Chrome, Firefox, and Edge, with Safari pending. It flags Coinbase lookalike sites, fake "wallet migration" pages, and any seed-phrase-entry trap the second the link opens, before you paste or import anything. The local layer covers 550+ brands. The AI deep scan (Premium, $14.99/year) reads a page's intent and catches brand-new migration lures the same day they go live, even when no blocklist lists them yet.
Not sure about a crypto link you were sent? Scan it free here first →
Why the links pass every spam filter
Security teams reported that this campaign is unusually clean on the wire. Two details help it slide into the inbox instead of the spam folder.
The links point to the real coinbase.com. Most phishing emails route you to a lookalike domain, which filters and trained eyes can catch. Here, the visible links genuinely go to legitimate Coinbase pages. There is no fake login to flag, because the theft does not depend on a fake site at all. It depends on the recovery phrase printed in the email body.
It passes email authentication. Reporting on the campaign found messages that cleared SPF, DMARC, and DKIM checks by routing through abused third-party sending infrastructure, so the "this sender is verified" signals your mail provider shows can be misleading. Authentication proves an email left a given server intact. It does not prove the content is honest.
What makes this campaign unusual is that it needs no fake site at all. Still, Coinbase-brand lookalike pages are a common crypto-phishing threat in their own right, and any wallet page carrying the Coinbase name on a domain that is not Coinbase should be treated as hostile. A constructed example like coinbase-wallet-migrate.com scans as DANGER for exactly that reason, a brand name on a domain Coinbase does not own. Try it in the checker below, and remember the only official surfaces are coinbase.com and the Coinbase Wallet app reached from it.
The one rule that ends this scam
Coinbase has stated it directly, and it is worth memorizing because it collapses the entire attack in one line. On its official channels the company said: "We will never send you a recovery phrase, and you should never enter a recovery phrase given to you by someone else."
Hold that against the email. The email's entire purpose is to send you a recovery phrase and get you to use it. So the email is, by Coinbase's own definition, a scam. You do not need to analyze the legal story, check the sender, or inspect the links. A recovery phrase arriving in your inbox, from anyone, for any reason, is the whole red flag.
Red flags that should stop you cold
- The email contains a recovery phrase. No exchange, wallet, or support agent ever sends you a seed phrase. A phrase you did not generate yourself is an attacker's phrase. This single flag ends it.
- A "court order" or "class action" forces a wallet migration. Real legal changes are never delivered as an urgent email that hands you keys. This is a pretext to make a bizarre request feel mandatory.
- You are told to move all your funds by a deadline. Urgency plus "transfer everything now" is the signature of a drain, not a policy update.
- It calls the phrase your "identity" or your "new wallet." Rebranding a seed phrase as an "identity" is meant to make importing a stranger's keys sound normal.
- The links look real. Genuine coinbase.com links are used as cover. Real links do not make the email real when the theft is the phrase itself.
- It arrived unsolicited. You did not request a migration. A self-custody move you never started is not a move you should finish.
What to do if you got the email, or already imported the phrase
The order matters.
If you only received the email, delete it. Do not import the phrase, do not "just test it with a small amount," and do not visit anything to "verify." An email cannot touch your funds on its own. Report it to Coinbase through the app or coinbase.com support so the takedown pipeline catches the sending infrastructure, then move on.
If you imported the phrase but sent no crypto to it, do not send any. The wallet that phrase unlocks is shared with the attacker. Treat it as burned. Never deposit anything into it, and delete it from your wallet app.
If you imported the phrase and already moved funds in, act immediately. Any crypto in that wallet is exposed, and the attacker may be draining it as you read this. There is nothing to "secure" on that wallet, because the seed is shared by design. On a clean device, create a brand-new wallet with a phrase only you generate, and if you have any assets sitting in exchange accounts or other wallets, make sure those keys were never entered anywhere near this scam. Our wallet-drained recovery guide has the full 24-hour and 7-day checklist. Be wary of anyone who then DMs you offering guaranteed "fund recovery" for a fee. That is a second scam stacked on the first.
If you are in the US, file with FBI IC3. The same seed-phrase betrayal shows up in other disguises we have documented, including the fake Ledger email warning and the broader crypto wallet drainer guide.
Where SafeBrowz catches the fake migration page
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. An email in your inbox is not a URL, so the moment SafeBrowz matters is the step where a "migration" link opens a page in your browser, whether that is a lookalike site or a real page carrying a seed-import prompt. That is where the extension sits.
- Layer 1 - Local detection: 60+ URL patterns and a 550+ brand database run in the browser before the page renders. A page carrying the Coinbase brand on a domain that is not the official one trips a brand-on-non-official-domain signal at once, and a recovery-phrase or seed-import layout next to a "migrate" or "restore" prompt matches a known drainer pattern. Newly registered lookalike hosts add weight.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLD lists server-side. Fresh Coinbase-migration lookalikes tend to surface on these feeds within hours, and a brand-new domain with no history is itself a weighted signal.
- Layer 3 - AI deep scan (Premium): AI content analysis (via our proxy, 100+ languages) reads the page intent, the Coinbase impersonation, the "wallet migration" cover story, and the seed-import request, then returns a danger verdict in seconds rather than trusting official-looking branding.
The honest limit: SafeBrowz protects the browser step. It cannot read the recovery phrase printed inside an email you never open in a browser, so the rule still stands as the last line of defense: a phrase you did not generate is never yours to use. What SafeBrowz does add is a fast verdict on any link before you act.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
Test a suspicious link right now
Got a "wallet migration" link and unsure where it goes? Click the red-dotted domain above, or paste the link the email sent you. Our 3-layer engine (Local + APIs + AI) returns a verdict in ~3 seconds. Free, no signup. Never import a recovery phrase you were sent, no matter what a page says.
Frequently asked questions
Is the "Migrate to Coinbase Wallet" email real?
No. It is a phishing scam. The email invents a court order or class-action lawsuit and claims Coinbase must move all users to a self-custodial wallet, then supplies a ready-made recovery phrase for you to import. Coinbase is not shutting down custody, no court is forcing it to email you a seed phrase, and Coinbase never sends recovery phrases. The phrase in the email was generated by the attacker, so any crypto you deposit into the wallet it unlocks can be drained. Delete the email and never import the phrase.
Why is a scammer giving me a recovery phrase instead of stealing mine?
Because the phrase they give you unlocks a wallet they also control. A recovery phrase is the wallet itself, and whoever knows the words can access every coin in it from any device. The attacker generated one phrase, kept their own copy, and sent it to many people. When a victim imports that phrase and deposits funds, they are funding a shared account the scammer can empty at any time. It is a clever inversion of normal phishing, which usually tries to take your seed. This one hands you theirs.
The email links go to the real coinbase.com. Doesn't that make it safe?
No. Real links are used as cover. The theft in this scam does not depend on a fake login page. It depends on the recovery phrase printed in the email body, which you are told to import. Legitimate links and even passing SPF, DMARC, and DKIM email checks only prove the message reached you intact, not that its content is honest. A recovery phrase arriving in your inbox is the red flag, regardless of where the links point.
I imported the recovery phrase from the email. What should I do?
Stop using that wallet immediately. If you have not deposited anything yet, do not, and delete the wallet from your app. If you already moved crypto into it, treat it as compromised right now, because the attacker shares the phrase and may be draining it. On a clean device, set up a brand-new wallet with a phrase only you generate, and move any remaining assets that are still under your sole control to safety. Then report the scam to Coinbase and to FBI IC3 if you are in the US. Do not pay anyone who offers to "recover" the funds.
How do I actually move to a self-custodial wallet safely?
You start it yourself, from inside the official app, and you generate your own recovery phrase. Open the Coinbase Wallet app or another reputable wallet, choose to create a new wallet, and let the app produce a phrase that only you ever see and store offline. You never import a phrase someone emailed you, and a real migration is never forced on you by an urgent message with a deadline. Reach Coinbase only at coinbase.com, use a bookmark, and if any link is unclear, paste it into the SafeBrowz checker on this page for a 3-layer verdict first.
Last updated 2026-07-19