BitGo Engineering Manager Has $100K Stolen From His Coinbase Account

On Monday (May 20), Sean Coonce, an engineering manager at crypto custodian BitGo, revealed that last week he became the victim of a SIM swap attack (he referred to this as a "SIM port hack") as the result of which his Coinbase account got "drained" and he lost "north of $100,000." So, he decided to "increase awareness about these types of attacks" by providing a detailed account of what had happened, and what he had learned from this very unfortunate incident.

A SIM swap (or SIM hijacking) attack is a type of scam that involves taking over someone else's mobile phone number via social engineering, such that the attacker gains control of the victim's phone number through a different SIM card (either one that he already has, or one that he obtains as a replacement from the carrier). Once this has been done, the hacker can "intercept any one-time passwords sent via SMS or telephone calls sent to the victim," thereby circumventing the security features of any accounts (bank accounts, social media accounts, etc.) that rely on SMS or telephone calls.

In his blog post, Sean explained what "authorized SIM porting" is, described the anatomy of a typical "SIM port attack", provided a timeline of the events of last week, and finished by listing the lessons he had learned from this painful and embarrassing experience.

Here is what typically happens in this type of attack:

  • You are targeted by the hackers, which means that they "gather personally identifiable information about you." (Naturally, one of these pieces of information is your mobile phone number.)
  • The hackers use this information to pretend to be you when they contact your mobile phone service provider (such as T-Mobile).
  • Once they have convinced a customer service agent that they are the rightful owner of that account, they gain sympathy by making up a story about the SIM card currently associated with that number being either damaged, lost, or inaccessible (for example, as the result of losing the phone it was in). 
  • They ask the customer service agent for a replacement SIM card to be associated with that phone number. This means that your existing SIM card is no longer registered to your mobile phone number; the number is instead associated with the new SIM card that your mobile service provider has given to the hackers.
  • The hackers then ask for a password reset on your primary email account, which causes a verification code to be sent by SMS to the mobile phone owned by the hackers.
  • The hackers then set a new password for your primary email account, and take it over, which means that they now have access to "any lucrative online services that you manage via that email address."

This is Sean's timeline of the events "leading up to and through the attack":

[Image: Sean's timeline of the SIM swap hack]

And finally, Sean would like to offer the following pieces of advice:

  • Do not treat your account at a custodial crypto exchange (such as Coinbase) as a bank account. In other words, make sure that your crypto funds are stored on a "hardware wallet/offline storage/multi-sig wallet" whenever "you are not transacting."
  • Instead of relying on SMS-based Two Factor Authentication (2FA), which can be easily hacked as explained above, either use "hardware based security" (e.g. a YubiKey device from Yubico) or an "Authenticator" app (such as Google Authenticator).
  • Share as little "personally identifiable information" online as possible.
  • Use a secondary email address (secured with some kind of hardware-based 2FA) for "your critical online identities (bank accounts, social media accounts, crypto exchanges, etc.)" and do not "use this email address for anything else and keep it private."
  • Use an offline password manager to store your passwords.

Sean should be applauded for his openness and honesty. His invaluable advice deserves a wider audience: despite the increasing frequency of SIM swap attacks over the past few years, it seems that many, if not most, people are still not doing enough to protect their online accounts, and this type of attack can claim even very smart people as victims.

For example, on January 27, Dovey Wan, a prominent member of the crypto community who is a founding partner of crypto-focused investment firm Primitive Ventures, reported that she had become a victim of a SIM swapping hack:

In a follow-up tweet, she gave this advice to her followers:

Featured Image Credit: Photo via

Browser Extensions Are Trying to Steal Your Bitcoin, Says Casa CEO

Will Heasman

Casa CEO Jeremy Welch has expressed concerns about malicious browser extensions, noting that some may pose a risk to users' bitcoin holdings.

Addressing a crowded conference room during this weekend's Baltic Honeybadger meeting in Riga, Welch urged proper due diligence when it came to bitcoin and browser security. 

Browser extensions impose major risks, and these risks haven’t been discussed until this point... Make sure you don’t expose your bitcoin addresses anywhere.

Unbeknownst to most casual users of the internet, dangers lurk around pretty much any URL. Browser extensions are perhaps the most insidious element, often containing trackers that monitor user activity and gather data. While these may not be menacing in themselves, they can give scammers a valuable resource for exposing users to further threats.

Speaking further on the matter, Welch elaborated on several examples, including a seemingly harmless extension that provides wallpapers depicting motivational quotes. In reality, this outwardly innocuous add-on is malware that steals KYC data as you fill in online compliance forms. Such extensions can capture identity documents, such as passports, via code that is later presented as a graphic.

You got a nice background here, and you don’t realize that your browser is actually dumping data

Moreover, Welch explained how some extensions can divert funds by replacing a receiving address with the hacker's own.

Even if wallpaper apps aren't your thing, you may be surprised to learn that Welch also highlighted more mainstream examples, such as the editing app Grammarly and the Joule extension for Lightning transactions.

The issue remains that there is no real way to know which browser extensions are dependable and which are not. As Welch notes, something as simple as a software update could undermine the security of a browser extension and provide access for bad actors.
