TL;DR: A recent security incident at Coinbase—stemming from compromised third-party support agents—highlights the value of minimizing intermediaries in wallet infrastructure. This post explores how embedded wallets with user-owned, on-device custody offer a more secure foundation for mobile-first onchain apps.
In a recent blog post, Coinbase revealed an extortion attempt involving cybercriminals who bribed overseas customer support agents. These agents were convinced to leak user data, which was then used in targeted social engineering attacks.
Crucially, no private keys or passwords were leaked, and the company acted quickly to reimburse affected users. But the real issue here isn't just the attack—it's the reliance on a third-party custody and support layer that created a vulnerable entry point in the first place.
For all its user-friendly interfaces and institutional credibility, centralized custody introduces systemic risks:
Support agents can be bribed or socially engineered
Sensitive metadata (emails, balances, behavioral patterns) is exposed
Users don’t actually control their keys or signing privileges
This undermines the core ethos of Web3—ownership without intermediaries.
Embedded wallets offer a fundamentally different model: users control their keys from the start, and those keys are stored securely on their own devices. Here’s what user-owned, on-device custody via embedded wallets provides:
No centralized customer support layer with access to user accounts
Programmable controls for gasless transactions and session management
Keys stored on the user's device, protected by passkeys, biometrics, or a hardware secure enclave, so signing never requires a server-held key
Reduced liability for you, the developer
Platforms like RallyProtocol offer permissionless SDKs for building mobile-first, embedded wallet flows that feel like Web2 but behave like Web3.
If you’re building a mobile dApp, the UX needs to be seamless—no copy-pasting seed phrases or redirecting users to browser extensions. But you also need to ensure users truly own their assets.
By using open and permissionless developer tools for mobile, you can:
Build intuitive onboarding with auto-generated wallets
Support social logins with underlying cryptographic safety
Avoid custodial compliance burdens (you never touch the funds)
Design and own the entire onchain experience without compromising user custody
The Coinbase incident wasn’t about bad tech—it was about bad incentives and centralized risk. As developers, we can design systems that are resilient not just to code exploits, but to human ones.
Embedded wallets with on-device custody let us build for the future—where users hold the keys, and developers build with trust, not compromise.
RallyProtocol is an open and permissionless onchain mobile toolkit designed to help developers build seamless, secure crypto-native experiences. With features like embedded wallets and gasless transactions, Rally enables apps to support self-custody from day one—without compromising on UX. Whether you're building in Flutter, Unity, React Native, Expo, Swift, or Kotlin, RallyProtocol gives you the tools to go onchain, mobile-first, and user-first.