Coinbase QR Code Scam: How It Works and What to Do

You received a QR code claiming to be from Coinbase — or you sent crypto after scanning one — and now something feels off. Here's how these scams work, why Coinbase can rarely help after the fact, and the few steps that still matter right now.

Three ways scammers use fake Coinbase QR codes

1. The phishing email with a "verify your account" QR code

You receive an email that looks exactly like an official Coinbase notification — same logo, same fonts, same tone. It warns that your account has been locked, your identity needs reverification, or a suspicious login was detected. Inside the email is a QR code telling you to scan it to "restore access."

Scanning takes you to a convincing lookalike of the Coinbase login page hosted on a scam domain — something like coinbase-verify.net or co1nbase.com. When you enter your email, password, and two-factor code, you hand the attacker everything needed to empty your real Coinbase account within minutes.

The real Coinbase only sends notifications from coinbase.com email addresses and links only to coinbase.com pages. If a QR code in any email leads anywhere else, it is a phishing attempt.

2. The QR login hijack

Coinbase offers a legitimate QR code login feature inside its app for linking devices. Scammers weaponize this by capturing a real Coinbase QR login code from their own device and then sending it to victims — via text, social media DM, or a fake Coinbase support chat — with a message like "scan this to verify your identity so we can restore your account."

If the victim scans that code and approves it, the attacker's device is linked to the victim's Coinbase account, giving them full access. This is the same mechanic used in WhatsApp and Signal account-hijacking scams. The key rule: you should only ever scan a Coinbase QR login code from within the Coinbase app itself when you deliberately initiate a device link — never from any external source.

3. The fake payment or investment QR code

A seller on a marketplace, a romantic interest online, or a fake investment platform tells you to send crypto via a QR code they provide. The code may claim to encode your intended recipient's Coinbase address — but it actually encodes the scammer's wallet. Like all Bitcoin QR code scams, once you confirm the send, the transaction is irreversible on the blockchain.

A subtler variant: the scammer shows you a fake Coinbase "payment received" screenshot to convince you they've already sent funds, then asks you to release goods or send your own payment as a "refund" before you verify the funds hit your account. Always confirm an incoming transaction in your own Coinbase app before sending anything.

Why it's so hard to recover what you lost

If the scam involved an on-chain crypto transfer, the core problem is the same as with any crypto QR code scam: blockchain transactions are final. Coinbase cannot reverse a completed on-chain send any more than a bank could undo a cash withdrawal after it left the building.

If the scam involved an account takeover (phishing or QR login hijack), the attacker's window to drain funds is narrow — typically minutes. By the time victims notice and contact Coinbase, the balance is usually gone.

There is one narrow exception: if the scammer's receiving address is also a Coinbase account and you report fast enough, Coinbase's compliance team may freeze that account before the funds are swept or converted. This is rare but worth attempting.

What to do right now

  1. Secure your Coinbase account immediately. Go to coinbase.com (type it directly — do not click any link), change your password, revoke any linked devices you don't recognize under Settings → Security → Linked Devices, and confirm your two-factor authentication method is still under your control.
  2. Contact Coinbase support. Report the fraud through Coinbase's official support portal at coinbase.com/help. Provide the receiving wallet address and transaction ID (TXID) if a transfer was made. Ask them to flag the destination address.
  3. Document everything now. Screenshot the QR code, every message or email, the TXID from your Coinbase transaction history, and the URL the QR code resolved to. You will need this for every report you file.
  4. Report to the FBI's IC3. File at ic3.gov with the wallet address and TXID. The FBI's crypto unit tracks these addresses and connects them to larger scam operations.
  5. File an FTC complaint. Report at reportfraud.ftc.gov. This helps the FTC identify scammers targeting multiple victims.
  6. Contact your bank if fiat was involved. If you used a debit card, ACH transfer, or wire to fund the purchase before sending, contact your bank immediately. They may be able to dispute the fiat leg even if the crypto leg is irrecoverable.
  7. Do not pay any recovery service. Crypto recovery services that charge upfront fees are almost always follow-up scams. No third party can reverse an on-chain transaction.

How to protect yourself before scanning

  • Scan with QRsafer first. QRsafer decodes any QR code and checks the destination URL against known phishing and scam databases before you open anything. If a code claiming to be from Coinbase resolves to anything other than coinbase.com, you'll see a Dangerous verdict before any credentials are entered.
  • Never scan a Coinbase QR code from an email, text, or DM. Coinbase will never send you an unsolicited QR code to verify your account. If you receive one, it is a scam.
  • Verify wallet addresses independently. Before sending any crypto, confirm the destination address through a separate channel — a phone call to the recipient using a number you found yourself, reading back at least the first and last six characters of the encoded address.
  • Check the URL before entering credentials. The only legitimate Coinbase domain is coinbase.com. Any variation — extra words, hyphens, different TLDs — is a fake site.
  • Use a hardware security key for 2FA. SMS-based two-factor codes can be intercepted via SIM swapping. A hardware key or authenticator app makes account takeover significantly harder even if your password is phished.

Frequently asked questions

Can Coinbase reverse a transaction if I was scammed?

Coinbase cannot reverse on-chain crypto transactions — once a transfer is confirmed on the blockchain, it is final. However, if you reported the scam quickly and the scammer's receiving address is also a Coinbase account, Coinbase's fraud team may be able to freeze that account before the funds are moved. Contact Coinbase support immediately, report to the FBI at ic3.gov, and file a complaint at reportfraud.ftc.gov. Do not pay any "crypto recovery service" that promises to retrieve your funds — those are almost always follow-up scams.

Does Coinbase ever send QR codes for account verification or login?

Coinbase does use QR codes within its own app for features like two-factor authentication and account linking — but legitimate Coinbase QR codes only appear inside the official Coinbase app or on coinbase.com after you have already logged in. Coinbase will never send you an unsolicited QR code via email, text, or social media asking you to verify your identity, restore access, or fix a security issue. Any QR code you receive from an outside source claiming to be from Coinbase should be treated as a phishing attempt.

How can I tell if a Coinbase QR code is real?

Scan it with QRsafer before tapping anything. QRsafer decodes the QR code and checks the destination URL against known phishing and scam databases — if the code leads to anything other than coinbase.com, it will flag it as Risky or Dangerous. You can also manually inspect the URL: the only legitimate Coinbase domain is coinbase.com (and its subdomains, of the form subdomain.coinbase.com). Lookalike domains such as coinbase-support.com, coinbase-verify.net, or co1nbase.com are scam sites.
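The manual URL inspection described above, written out as a check on the text decoded from a QR code. This is an added example, not QRsafer's or Coinbase's code; the function name check_qr_url, the https requirement, and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "coinbase.com"  # the only legitimate domain named in this guide


def check_qr_url(payload: str) -> tuple[bool, str]:
    """Return (trusted, reason) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname   # lower-cased, with userinfo and port removed
        _ = parts.port          # raises ValueError if the port is malformed
    except ValueError:
        return False, "not a parseable URL"
    if parts.scheme != "https":  # assumption: a login link must use https
        return False, f"scheme is {parts.scheme or 'missing'}, not https"
    if not host:
        return False, "no hostname"
    # https://coinbase.com@other.tld/ shows the brand first, but the part
    # before '@' is only a username; the browser connects to other.tld.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' disguises the real host"
    host = host.rstrip(".")      # tolerate a fully-qualified trailing dot
    # Exact match or a true subdomain. A bare endswith("coinbase.com") or a
    # substring test would also accept notcoinbase.com or
    # coinbase.com.account-check.example.
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return True, "host is coinbase.com or a subdomain of it"
    return False, f"host {host} is not under {TRUSTED_DOMAIN}"


# Constructed sample payloads; the first three lookalikes are the ones
# named in this guide, the rest are made up for the example.
SAMPLES = [
    "https://www.coinbase.com/signin",
    "https://coinbase-verify.net/restore",
    "https://co1nbase.com/login",
    "https://coinbase-support.com/",
    "https://coinbase.com@co1nbase.com/login",
    "https://coinbase.com.account-check.example/",
    "https://notcoinbase.com/",
    "http://coinbase.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        trusted, reason = check_qr_url(sample)
        print(f"{'OK    ' if trusted else 'REJECT'} {sample}  ({reason})")
```

A passing result only means the link points at coinbase.com; it says nothing about a QR login code sent by someone else, which should not be scanned regardless of where it resolves.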

Check any QR code before you scan

QRsafer decodes any QR code and tells you if the destination is safe before you open it — catching phishing pages, fake Coinbase lookalikes, and scam wallet addresses before any damage is done. Free on iOS and Android.
