Fake cryptocurrency exchange account security phishing — non-official sender impersonates Coinbase, Binance, Kraken, or Gemini claiming the recipient's account has been locked, suspended, or flagged for suspicious activity, then harvests login credentials or government ID documents through a phishing portal, enabling irreversible theft of all held cryptocurrency

Phishing emails impersonating Coinbase, Binance, Kraken, Gemini, or other major cryptocurrency exchanges claiming the recipient's account has been flagged for suspicious activity, unauthorized access, unusual login attempts, or policy violations — and requiring identity verification (government ID, driver's license, passport), credential confirmation, or sign-in through a phishing portal. Successful account takeover is permanent and financially catastrophic: cryptocurrency withdrawals are irreversible by nature, and exchanges typically do not insure against phishing-related theft. Key facts: (1) FBI IC3 2023: total cryptocurrency fraud losses reached $3.94 billion; exchange impersonation phishing is among the top initial access vectors; (2) Real exchanges (Coinbase, Binance) send security notifications exclusively through their official domains with List-Unsubscribe headers and never request government ID uploads by email — KYC verification is done through the exchange's official mobile app or website; (3) Credential harvesting portals exactly replicate exchange login pages using web scraping and are often hosted on lookalike domains (coinbase-secure.net, binance-alerts.com); (4) Account takeover victims often lose all held crypto within minutes of credential capture. Warning signs: email from any domain other than the official exchange domain, "account suspended" or "suspicious activity" from an unsolicited email, request to upload government ID by email, urgency framing (24-hour suspension deadline).