Jameson Lopp warned crypto users to stop trusting urgent account-security messages after an attempted phishing attack used Google’s own recovery-contact system to deliver a malicious link inside what appeared to be a legitimate notification.
The Casa co-founder and Bitcoin security advocate first disclosed the attempt in a May 17 post on X, saying the attacker abused a real Google recovery contact request form and filled it with a long message that concealed the true Google notice beneath several pages of blank space.
Real Google emails add new risk
The attack differs from ordinary phishing attempts because it does not appear to rely on a fake Google sender or a basic imitation of the company’s branding.
Instead, the method triggers an authentic Google system email tied to recovery-contact requests, allowing the message to appear more credible to the target and potentially pass checks that normally help users detect forged emails.
This gives attackers a stronger social-engineering tool by making the message appear to come through a trusted channel while still carrying attacker-controlled text and links inside the notification.
Blank space used to bury the warning
The method manipulates the email layout by packing the request with extra spacing and text, making a fake security warning or review request appear first while pushing the genuine Google recovery-contact details out of immediate view.
For crypto holders, that kind of misdirection can be especially damaging, as a convincing fake login page may be used to steal exchange credentials, two-factor codes or active session data, creating a path to account takeovers and withdrawals.
Lopp urges zero trust for inbound messages
Lopp’s warning went beyond one Google-related scam, urging users to treat inbound emails, phone calls, text messages, chat messages and external notifications as unsafe whenever they claim there is an urgent account problem.
The safest response, he said, is not to click links in incoming alerts but to open the relevant service directly and check account status from the official website or app.
The incident shows how phishing campaigns are moving beyond crude impersonation and toward weaponizing legitimate platform tools, leaving crypto users with fewer obvious warning signs and a greater need to verify security alerts outside the message that delivered them.



