Increasingly complex phishing attacks are once again targeting cryptocurrency users, but this time the con artists are abusing genuine Google account systems to make their emails look authentic.
Google shuts it down
Real Google recovery contact request emails are being used in a new phishing technique witnessed by multiple cryptocurrency product users. Instead of sending a fake copy, attackers use Google's system to submit a legitimate recovery contact request, with a malicious phishing link inserted into the request details. Since the email is directly from Google, many users might initially believe it to be reliable.
The trick makes extensive use of formatting manipulation. In order to conceal the malicious content far below the email's visible portion, attackers are said to insert large blank spaces into the message. The notification looks exactly like a typical Google security request at the top.
Emails indicating that someone wishes to add them as a recovery contact are displayed in screenshots shared by the targeted users. In one instance, the request asked the victim to review the request and seemed to be associated with dubious email addresses. The actual phishing link, which was intended to obtain login credentials or session information, was concealed farther down the message.
Sender address exploited
The method is particularly risky because it avoids one of the most important warning indicators that users typically rely on: suspicious sender addresses. The email can pass basic trust checks and avoid appearing blatantly fraudulent because it is created using Google's actual infrastructure.
Because blockchain transactions are irreversible, cryptocurrency holders are often targeted by phishing schemes. Stolen money is typically unrecoverable once attackers have access to wallets, exchange accounts, or seed phrases. DeFi users and traders with substantial balances frequently encounter attempts involving fake exchange login pages, wallet verification prompts, or fraudulent support messages.
According to security researchers, users should refrain from clicking links directly within emails related to their accounts, even if they seem authentic. Rather, users should manually launch Google, wallet providers, or exchanges via their browser and check requests from within their account dashboards.
The incident demonstrates how phishing campaigns are progressing from poorly crafted scam emails to attacks that exploit trusted infrastructure and legitimate platforms. As attackers become more inventive, users must carefully confirm each request before interacting with sensitive accounts or signing wallet transactions.
Dan Burgin
