A Coinbase customer in Texas received a text on June 8, 2026: "Coinbase withdrawal code: 482931. If you didn't request this, cancel at: [shortlink]." They tapped the link. The page that loaded looked identical to Coinbase's real login. Within ten minutes, $38,000 in Bitcoin had moved out of their account and onto an attacker-controlled address.
This is the Coinbase withdrawal code scam, and variants of it are now the highest-volume crypto phishing campaign in the US. The keyword "coinbase withdrawal code scam" gets searched every month by people who received the text and aren't sure whether it's real. The traffic potential on the cluster is roughly 15,000 monthly visits across the related queries.
This piece walks through what the withdrawal code scam looks like, the exact sequence the attackers run after a victim clicks, the technical and behavioral patterns that distinguish a real Coinbase message from a fake one, and the structural ways to make sure no withdrawal code text can put your crypto at risk.
The attack runs in three stages.
Stage 1: The text. A spoofed SMS or short-code message containing what looks like a Coinbase verification code or a withdrawal confirmation request. The message includes a link with two purposes — establish urgency ("cancel this withdrawal") and route the target to a phishing page.
Stage 2: The clone page. The link leads to a domain that mimics Coinbase visually. URL patterns observed in 2026: `coinbase-secure[.]com`, `coinbase-help[.]co`, `coinbasealerts[.]net`, sometimes with subdomains like `secure.coinbase-alert[.]com` to look more official. The page replicates Coinbase's login flow.
Stage 3: The drain. Once the attacker has the password and 2FA code, they log in from their own session and initiate withdrawals to addresses they control. If the user also enters a seed phrase (the phishing flow asks "verify your wallet" to grab non-custodial wallet keys too), the attacker drains every chain that seed touches.
The Texas case took about ten minutes end-to-end. The user noticed when the real Coinbase app pinged a confirmed withdrawal alert. By then the funds had cleared.
Five tells, all checkable in under a minute:
The domain. Coinbase's real domain is `coinbase.com`. Any URL with hyphens, extra words, or subdomain prefixes other than `www` and `pro` is fake. `coinbase-help.com` is fake. `coinbase.help` is fake. `coinbase.com.help.site` is fake.
The sender. Real Coinbase alerts come from short codes (33728 in the US) or no-reply email addresses. Long phone numbers, unknown short codes, and any sender that displays as "Coinbase" but isn't a verified short code are suspect.
The action requested. Real Coinbase emails and texts ask you to verify in the app or on coinbase.com directly. They don't include direct login links. Coinbase's own security pages say the company will never ask you to confirm details via a link in a text.
The seed phrase request. No legitimate exchange will ever ask for a seed phrase, ever. If any "verification step" prompts for 12 or 24 words, you're on a phishing site.
The urgency. Real security alerts give you time. Phishing variants always rush you ("cancel within 30 minutes," "secure your account immediately"). Urgency without an actual deadline is a tell.
If you've entered credentials on a phishing site, the timing matters.
Within minutes of clicking: Change your Coinbase password immediately (do this in the real app from your home screen, not from any text). Revoke all active sessions in account settings. If your 2FA is SMS-based, swap to an authenticator app or hardware key.
Within an hour: Contact Coinbase support directly through the in-app chat. Provide the IP and timestamp of the suspicious login. Coinbase's fraud team can freeze pending withdrawals if you reach them fast enough.
If you entered a seed phrase: Treat every chain that seed touches as compromised. Move funds from a different hardware wallet (with a different seed) immediately. The compromised seed is permanently exposed — assume the attacker has it indefinitely.
File a report. The FBI's IC3 portal (ic3.gov) tracks crypto fraud. The FTC accepts reports at reportfraud.ftc.gov. Both feed broader law enforcement work on these campaigns.
A hardware wallet doesn't have a login flow. There's no username, no password, no 2FA code, and no website that can be cloned. The private key lives on the device, and every transaction requires the device plus a physical button press.
Self-custody doesn't make phishing impossible — there are still social engineering attacks that target hardware wallet users directly (fake firmware updates, fake recovery tools). But the surface is much narrower, and the scams that exist require more effort per victim than blast-out SMS campaigns.
For a holder receiving Coinbase withdrawal code texts on a daily basis, the cleanest fix is to move long-term positions off the exchange entirely. Keep a small amount on Coinbase for trading if you actively trade. Move the rest to a hardware wallet, where no text message can reach.
Ryder One is the self-custody endpoint for users walking away from custodial risk. The EAL6+ Infineon SLC38 secure element holds the private key offline. Every transaction is verified on the device's 1.6-inch AMOLED touchscreen with a physical button press. TapSafe Recovery handles the backup so a single failure (lost device, lost phone, lost paper) doesn't take the wallet down.
There's no login. There's no SMS code. There's no phishing surface. The wallet sits as a small device in a drawer, and it only matters when you choose to engage with it.
The Coinbase withdrawal code scam works because custodial accounts have a single shared failure point — username, password, 2FA — that a remote attacker can compromise with a convincing enough phishing flow. The text-message variant of 2026 has industrialized that attack, with thousands of victims per month and individual losses sometimes running into five and six figures. The structural answer is to move long-term crypto off the exchange and onto a wallet where no text message can reach it.
Stop the phishing surface from existing. Ryder One keeps your keys offline on an EAL6+ secure element, with TapSafe Recovery as the backup. No login, no 2FA code, no clone-able URL. See how it works.
SEO
The only crypto wallet you can install on a crowded subway.
Set it up in less than 60 seconds and just tap your phone to send, swap, and recover.
Share: