On March 8, 2026, Coins.ph identified a security incident involving unauthorized email and mobile push notifications sent to Coins users. These messages contained phishing content designed to redirect users to a fraudulent website impersonating our platform.
Upon detection, our engineering, security, and risk teams acted immediately to contain and neutralize the threat::
- All active notification campaigns were halted
- The malicious third-party website was successfully taken down, and the attacker’s known wallet addresses have also been blacklisted.
- Coins initiated a comprehensive internal audit alongside our third-party messaging vendor.
Preliminary investigations confirmed that the incident was limited to unauthorized activity with our messaging provider. Importantly, this breach was confined to the messaging layer only. At no point were user account credentials, sensitive personal data, or funds compromised. All user accounts remain secure and unaffected.
While the immediate threat has been resolved, Coins.ph is implementing the following long-term measures:
- Coins is conducting a rigorous review of all access controls related to external service providers.
- Additional security layers are being integrated to prevent similar unauthorized access in the future.
We urge our users to remain vigilant and remind users that Coins.ph will never ask for your password or 2FA codes via external links, or request that you transfer funds to external wallet addresses via any external link.
We thank our community for their swift reporting, which allowed our team to neutralize this threat in a timely manner. Thank you.