Fake Coinbase / Kraken / Binance / Gemini / Crypto.com exchange alert lure — "suspicious login / withdrawal attempt / unauthorized access, verify identity within 24 hours or account locked" targeting crypto exchange users; exchange credentials + 2FA + seed-phrase harvest enables $5-50K/victim irreversible theft + KYC data extraction

Fake "suspicious activity / unauthorized login / withdrawal attempt on your Coinbase / Kraken / Binance / Gemini / Crypto.com account — verify your identity within 24 hours or your account will be locked" email targeting crypto exchange users. Harvests exchange credentials, 2FA codes, and (in the worst variants) seed phrases. Post-compromise attackers empty the victim's entire crypto balance within minutes, pivot to any linked wallet, and extract KYC data (passport, SSN, address) from the account profile. Crypto exchange accounts are the highest-per-victim-value single credential target on the internet — average balance at top exchanges in 2026 is $5-50K, and theft is irreversible (no chargebacks, no fraud-dispute process). Chainalysis and BleepingComputer documented sustained 2024-2025 campaigns; 2026 variants combine fake withdrawal alerts with fake support phone numbers for the callback phase. Fires when body references Coinbase / Kraken / Binance / Gemini / Crypto.com / Bitstamp / KuCoin / exchange account / crypto withdrawal AND contains suspicious-login / unauthorized-access / withdrawal-attempt / account-locked / verify-identity urgency. Excludes coinbase.com (+.co, +.pro), kraken.com, binance.com (+.us), gemini.com, crypto.com, bitstamp.net, kucoin.com, bitfinex.com, okx.com, bybit.com, plus dead-exchange umbrellas for completeness. Auto-classified as danger via the `-lure` suffix.