Coins.ph Messaging Vendor Hijacked in Phishing Attack
Coins.ph detected a breach of its third-party messaging vendor on March 8 and immediately halted all email and mobile push notifications. The attackers created a fake website to steal login credentials, but the company's user data and funds remained secure.
Key Takeaway
Third-party vendors remain the weakest link in crypto exchange security infrastructure.
Attackers hijacked Coins.ph's third-party messaging vendor to send phishing emails and mobile push notifications on March 8, directing users to a fake website designed to steal login credentials.
The company shut down all active notification campaigns immediately after detecting the breach and blacklisted all known wallet addresses controlled by the attackers. User account credentials, personal data, and funds were never accessed during the incident, according to the company's official statement.
Coins.ph warned users to stay alert for common phishing tactics. The company emphasized that it will never ask for passwords or 2FA codes through external links, and that it will never use such links to request fund transfers to external wallet addresses.
This marks the second major security incident for the Philippine exchange in less than three years. Former consultants Vladimir Evgenevich Avdeev and Sergey Yaschuck stole 12.2 million XRP worth approximately ₱354.09 million ($6 million) from Coins.ph in October 2023 by exploiting their insider knowledge of the platform's network infrastructure. Both fled the country before the Department of Justice could charge them under the Cybercrime Prevention Act of 2012.
Coins.ph is now conducting a comprehensive internal audit with its messaging vendor and reviewing all access controls for external service providers.
🇵🇭 What This Means for Filipinos: Coins.ph users should immediately verify any notification asking for account actions by logging in directly through the official app, never through email links. As a BSP-licensed exchange, Coins.ph faces vendor-layer risks that can expose users to phishing attacks targeting OFW remittance wallets and local trading accounts.



