Coinbase only shows you 10 characters of your deposit address. A gaming PC can fake the rest in an hour.

Look at your Coinbase ETH deposit screen right now. Tell me how much of your address you can actually see.

The answer, for every Coinbase user, is the same: 10 characters. Four at the start, six at the end. Something that looks like 0x424A...59D2D9. The other 30 characters of your 40-character Ethereum address are hidden behind dots. There is no expand button. There is no obvious way to view the full string without copying it and pasting it somewhere else.

A security researcher named Quit (@0xQuit on X) screenshotted that exact screen on April 13 and posted it with one observation: this is absurd. There is no straightforward way to see the full address you're about to receive funds into, which leaves users wide open to clipboard hijacking and lookalike address attacks.

Quit's original post on X showing Coinbase's ETH receive screen. The full address is hidden behind dots, with only "0x424A...59D2D9" visible. Source: @0xQuit, April 13, 2026.


The post hit 76,000 views and 1,000 likes within hours. More importantly, Coinbase CEO Brian Armstrong replied directly: "Fair point, will look into getting this fixed."

It's not every day a Fortune 500 CEO publicly acknowledges a security UX flaw on his own product on a Sunday. But "will look into" doesn't ship code. Until Coinbase actually fixes the screen, every user is staring at the same problem. So let's break down exactly how big a problem it is, and what you can do about it right now.

Coinbase CEO Brian Armstrong responded within hours, agreeing the design needs to change. The reply hit 1,300 likes and 21,000 views in under a day.

The math behind the attack

To fool the Coinbase preview, an attacker needs to generate a wallet address whose first 4 and last 6 hex characters match a specific target. That's 10 hex characters of constraint.

Hex characters have 16 possible values (0 through 9, plus a through f). Matching 10 of them takes, on average, 16 to the 10th power attempts. That works out to roughly 1.1 trillion address generations.

1.1 trillion sounds like a lot. It is not.

A modern vanity address generator running on a single RTX 4090 GPU produces somewhere between 200 and 400 million Ethereum addresses per second. At that rate, generating a lookalike that matches Coinbase's preview takes roughly 45 minutes to a few hours on one consumer gaming GPU. A small 4-to-8 GPU rig drops it to minutes. A rented cloud cluster on a service like vast.ai can do it for a few dollars in an afternoon.

That's the actual cost of producing a wallet address that looks identical to yours inside Coinbase's UI. A gaming PC, an afternoon, or twenty bucks on a cloud rental.

The 10-character preview gives users a false sense of uniqueness. People look at 0x424A...59D2D9, see the digits they expect, and assume they're looking at their own address. They aren't necessarily looking at their own address. They're looking at some address that happens to match the only 10 characters Coinbase ever shows them.

How the actual attack chains together

Generating a lookalike address by itself doesn't steal anything. The attacker still doesn't have your private key. They don't have access to your funds. What they have is a tool to trick you into sending funds to them. The full attack chain looks like this:

Step 1. Malware lands on your machine. Could be a fake browser extension, a malicious desktop app, a compromised npm package, a typosquatted download, a cracked piece of software, a phishing email attachment. The bar for getting clipboard-monitoring malware onto a typical computer is depressingly low.

Step 2. The attacker has already generated a vanity address that matches the truncated preview of your real Coinbase deposit address. They've been doing this passively against high-value targets, or they fire it up the moment they see a deposit address flow through your clipboard.

Step 3. You go to Coinbase, look at your deposit address, copy it. The malware silently swaps what's on your clipboard with the attacker's lookalike address.

Step 4. You paste it into your sending wallet or your hardware wallet companion app. You glance at the preview. You see the same 4 characters at the start and 6 at the end that you expected. You hit confirm.

Step 5. Funds go to the attacker. Forever.

This is not a theoretical attack. Clipboard hijacking has been one of the most common crypto malware techniques for years. The reason it doesn't work more often is that careful users verify more than 10 characters of an address before they send. The Coinbase UI is built around the assumption that 10 is enough. The math says otherwise.

The thread had pushback. Here's what the pushback gets wrong.

A few people in the replies argued that this isn't a Coinbase problem, it's an environment problem. The argument goes: if your machine is compromised enough to have clipboard-hijacking malware on it, your QR codes are also compromised, your screen is compromised, and you shouldn't be sending crypto from that machine in the first place. So showing more characters wouldn't help.

NiklasSinclair pushed back in the thread, arguing that a compromised machine has bigger problems. Quit's reply: peace of mind matters even when you're not actively compromised.


That's technically true and practically wrong.

It's true that a fully compromised machine has bigger problems than truncated previews. It's wrong because it assumes users always start from a clean baseline. Real users get compromised slowly, in pieces, often without knowing it. A clipboard hijacker is exactly the kind of low-grade malware that lives quietly on a machine for months without setting off alarms. Most users don't know they have it until funds go missing.

Even Quit himself agreed in a follow-up: "Ya you should probably not install malware, but it's still nice to eliminate the possibility for those in the habit of checking." That's the right framing. Defense in depth doesn't mean every layer is independently sufficient. It means each layer catches mistakes the other layers missed.

Showing the full 40-character address gives users the ability to verify against an out-of-band source: a hardware wallet screen, a written backup, a physical reference they trust. That verification step is the only layer that catches a sophisticated clipboard swap. Removing it from the UI means stripping out the most reliable line of defense most users have.

This is the same lesson, told twice in one day

Earlier today we published a breakdown of how a fake Ledger Live app on Apple's Mac App Store drained $424,000 in Bitcoin from a musician who typed his 24-word seed phrase into the wrong screen. (Read it here.) Different attack surface, same root cause. The musician trusted what was on his screen because the screen looked official. He had no out-of-band reference to compare against, so when the screen lied, the screen won.

The Coinbase story is the exact same problem, just at a different layer of the stack. In the Ledger case, the screen was lying about which app you were running. In the Coinbase case, the screen is lying about how much of an address you're seeing. In both cases, the only defense is to verify against something the screen cannot touch.

Two different stories. Two different days of news. One identical lesson: the screen is not your source of truth. The screen is the surface attackers control.

The Profanity history that nobody talks about anymore

If you're old in crypto years, "vanity address generation" already makes the back of your neck itch. There's a reason.

In September 2022, a tool called Profanity that crypto users had been using for years to generate custom vanity addresses was found to have a critical seed entropy flaw. The pseudo-random number generator it used was weak enough that attackers could brute-force the private keys of any address Profanity had ever generated. Roughly $160 million was stolen in a single incident: the market maker Wintermute lost their entire DeFi vault when attackers brute-forced the private key to one of their Profanity-generated wallets.

That's not the same vulnerability as the Coinbase truncation issue. Profanity was a flaw in how vanity addresses were generated, not in how exchanges display them. But it matters because it shows how seriously the crypto security community has had to take vanity-address-related attack vectors. Tools that produce custom-looking addresses have a track record of being weaponized, sometimes years after they were built. The Coinbase preview flaw doesn't require a flawed generator. A perfectly clean modern vanity tool is enough.

What to do until Coinbase ships the fix

Brian Armstrong said Coinbase will look into the fix. That's good. It also doesn't help you today, this week, or next month. Here's what to do in the meantime:

Verify the full address out-of-band, every time. Before you send funds to a Coinbase deposit address, get the full 40-character address from a source other than the screen you're sending from. The Coinbase mobile app and the Coinbase website both let you copy the full address. Paste it into a notes app, a text file, or even a piece of paper, and compare the full string against what's on your sending wallet. If even one character is off, stop.

Use the QR code as a secondary check, not a primary one. The QR code on the Coinbase deposit screen encodes the full address. If you scan the QR code with a hardware wallet companion app or a fresh, clean device, you bypass the clipboard entirely. Scan the QR, then verify the address that appears on your hardware wallet's screen against a written reference. The hardware wallet's screen is a trusted display, the only one in your setup that an attacker on your computer cannot touch.
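As an added example (not code from the original post or from Coinbase), here is a defender-side check that reproduces the 4+6 preview the deposit screen shows, compares all 40 characters of a copied address against an out-of-band reference as the step above recommends, and carries the attempt-count arithmetic from the math section through as functions. The two addresses are constructed sample values, not real wallets, and the comparison ignores letter case because it does not validate the EIP-55 checksum.

```python
# Added example (constructed sample addresses, not real wallets): full-string verification.
HEX_DIGITS = set("0123456789abcdef")

def normalize(addr: str) -> str:
    """Strip whitespace and any 0x prefix; accept only 40 hex characters.
    Case is dropped because hex is case-insensitive apart from the EIP-55
    checksum, which this check does not validate (keccak is not in stdlib)."""
    s = addr.strip()
    if s[:2].lower() == "0x":
        s = s[2:]
    s = s.lower()
    if len(s) != 40 or any(c not in HEX_DIGITS for c in s):
        raise ValueError(f"not a 40-hex-character Ethereum address: {addr!r}")
    return s

def preview(addr: str, head: int = 4, tail: int = 6) -> str:
    """Reproduce the truncated form the deposit screen shows: 0x + 4 ... + 6."""
    s = normalize(addr)
    return f"0x{s[:head]}...{s[-tail:]}"

def verify_full(copied: str, reference: str) -> dict:
    """Compare every character of what landed on the clipboard with the
    reference obtained elsewhere. Reports whether the truncated preview alone
    would have passed, and the first differing position if the full match fails."""
    a, b = normalize(copied), normalize(reference)
    first_diff = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), None)
    return {
        "preview_match": preview(a) == preview(b),
        "full_match": first_diff is None,
        "first_diff_index": first_diff,
    }

def expected_attempts(visible_hex_chars: int) -> int:
    """Average random generations needed to match that many fixed hex positions."""
    return 16 ** visible_hex_chars

def expected_hours(visible_hex_chars: int, addresses_per_second: float) -> float:
    return expected_attempts(visible_hex_chars) / addresses_per_second / 3600

# Constructed sample: a reference address and a lookalike sharing its 4+6 preview.
REFERENCE = "0x424A" + "1" * 30 + "59D2D9"
LOOKALIKE = "0x424A" + "2" * 30 + "59D2D9"

if __name__ == "__main__":
    print(preview(REFERENCE), preview(LOOKALIKE))       # identical previews
    print(verify_full(LOOKALIKE, REFERENCE))             # preview passes, full check fails at index 4
    for visible in (10, 16, 20):                         # today's 4+6 versus longer previews
        print(visible, f"{expected_hours(visible, 3e8):,.1f} h at 3e8 addr/s")
```

Running it shows the two addresses are indistinguishable in the preview yet differ at the fifth hex character, which is exactly the case the full-string comparison exists to catch.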

If you keep funds long-term, do not store the seed phrase that controls them on any device a clipboard hijacker can reach. This is the deeper Shieldfolio thesis and the reason this story matters beyond the Coinbase angle specifically. Every layer of protection above the seed phrase can be defeated by a determined attacker. The seed phrase itself, written down once on something physical, stored somewhere only you control, is the only thing in the entire stack that an attacker can never reach over the wire. Our seed phrase storage guide walks through how to actually do this without falling into the most common traps.

The Stonebook is built specifically for that last layer. Stone-paper pages that survive water, tears, and time, with pre-printed fields for 50+ wallet backups. Pair it with a fire-rated safe and the seed phrase only ever lives in two places: the device you sign with, and the page you wrote it on. Nowhere in between. Nowhere a malicious clipboard or a misleading exchange UI can touch.

The part that should bother you the most

Brian Armstrong's reply was three words long and ended with "fair point." A Fortune 500 CEO with thousands of engineers and a multi-billion dollar product did not push back, did not defend the design, did not invoke threat models. He just agreed. Because the math is the math, and there is nothing to defend.

The flaw has been in the Coinbase UI for years. Hundreds of millions of dollars have flowed through that screen. Every single one of those transfers was protected by 10 characters of preview, against attackers who can produce matching addresses for the price of a Saturday afternoon on a gaming PC.

It will get fixed. Probably soon. But the deeper question is how many other places in your crypto stack are showing you partial information you've been mentally treating as complete information. Every truncated address. Every "..." in the middle of a hash. Every wallet UI that decided four-and-six was enough. Every confirmation screen you scrolled past.

The screen is not your source of truth. Make sure something else is.


FAQ

Has Coinbase actually been compromised? Should I withdraw my funds?

No. Coinbase has not been hacked. Your funds are not at immediate risk simply for sitting on Coinbase. The flaw discussed here is a UI design issue that makes one specific type of clipboard-based attack easier to execute against users sending crypto to or from Coinbase. It is not an exchange breach. You do not need to panic-withdraw. You should, however, be more careful when copying deposit addresses until the fix ships.

How do I see my full Coinbase deposit address right now?

Tap the copy icon next to the truncated address on the deposit screen. The full 40-character address goes onto your clipboard. Paste it into a notes app or text file to view the entire string. You can also scan the QR code on the deposit screen with a separate trusted device, which encodes the full address. The information is technically accessible, it's just not displayed by default — which is the entire point of the criticism.

What is a vanity address and how does the attack work?

A vanity address is a wallet address generated to match a specific pattern, like starting with your initials or ending in a memorable string. They're created by generating millions or billions of random addresses until one matches the target pattern. Modern GPUs can generate hundreds of millions of Ethereum addresses per second. The attack in this story uses vanity generation to produce an address that matches the truncated preview Coinbase shows users, so a swapped address looks identical at a glance.

If my computer has clipboard-hijacking malware, isn't the whole machine already compromised?

Clipboard hijackers are one of the lowest-grade categories of crypto malware. They can sit on a machine for months without triggering antivirus, without escalating privileges, without stealing browser sessions. Plenty of otherwise-clean computers have them. The argument that "if you have any malware you have all malware" is technically defensible and practically wrong. Most real-world compromises are partial, slow, and quiet.

Does this affect Bitcoin deposit addresses too, or just Ethereum?

Quit's screenshot was specifically the ETH receive screen. Other coins on Coinbase use the same general truncation pattern in the UI, so the conceptual issue is the same. Bitcoin addresses have a different format and different brute-force economics, but the underlying problem (you can only see a few characters of what you're verifying) applies anywhere a UI hides most of an address.

Is the Stonebook going to protect me from this specific attack?

Not directly. The Stonebook is for storing your seed phrase, which is a different layer of security. What it does is make sure the deepest layer of your setup, the one that controls your funds, is never touchable by malware on any computer. The Coinbase UI flaw is a story about how every layer above the seed phrase can be misled. The Stonebook exists for the layer below all of those, the layer that no UI can touch.
