BitGo Engineering Manager Has $100K Stolen From His Coinbase Account

On Monday (May 20), Sean Coonce, an engineering manager at crypto custodian BitGo, revealed that last week he became the victim of a SIM swap attack (he referred to this as a "SIM port hack") as the result of which his Coinbase account got "drained" and he lost "north of $100,000." So, he decided to "increase awareness about these types of attacks" by providing a detailed account of what had happened, and what he had learned from this very unfortunate incident.

A SIM swap (or SIM hijacking) attack is a type of scam that involves taking over someone else's mobile phone number via social engineering, such that the attacker gains control of the victim's phone number through a different SIM card (either one he already has, or one he obtains as a replacement from the carrier). Once this has been done, the hacker can "intercept any one-time passwords sent via SMS or telephone calls sent to the victim," thereby circumventing the security features of any accounts (bank accounts, social media accounts, etc.) that rely on SMS or telephone calls.

In his blog post, Sean explained what "authorized SIM porting" is, described the anatomy of a typical "SIM port attack", provided a timeline of the events of last week, and finished by listing the lessons he had learned from this painful and embarrassing experience.

Here is what typically happens in this type of attack:

  • You are targeted by the hackers, which means that they "gather personally identifiable information about you." (Naturally, one of these pieces of information is your mobile phone number.)
  • The hackers use this information to pretend to be you when they contact your mobile phone service provider (such as T-Mobile).
  • Once they have convinced a customer service agent that they are the rightful owner of that account, they gain sympathy by making up a story about the SIM card currently associated with that number being either damaged, lost, or inaccessible (for example, as the result of losing the phone it was in). 
  • They ask the customer service agent for a replacement SIM card associated with that phone number. Once this is done, your phone number is no longer registered to your existing SIM card and is instead associated with the new SIM card that your mobile service provider has given to the hackers.
  • The hackers then ask for a password reset on your primary email account, which causes a verification code to be sent by SMS to the mobile phone owned by the hackers.
  • The hackers then set a new password for your primary email account, and take it over, which means that they now have access to "any lucrative online services that you manage via that email address."

This is Sean's timeline of the events "leading up to and through the attack":

[Image: Sean's timeline of the SIM swap hack]

And finally, Sean would like to offer the following pieces of advice:

  • Do not treat your account at a custodial crypto exchange (such as Coinbase) as a bank account. In other words, make sure that your crypto funds are stored on a "hardware wallet/offline storage/multi-sig wallet" whenever "you are not transacting."
  • Instead of relying on SMS-based Two Factor Authentication (2FA), which can be bypassed as explained above, either use "hardware based security" (e.g. a YubiKey device from Yubico) or an "Authenticator" app (such as Google Authenticator).
  • Share as little "personally identifiable information" online as possible.
  • Use a secondary email address (secured with some kind of hardware-based 2FA) for "your critical online identities (bank accounts, social media accounts, crypto exchanges, etc.)" and do not "use this email address for anything else and keep it private."
  • Use an offline password manager to store your passwords.
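To show why an authenticator app is immune to the attack described above, here is an added example (not code from Sean's post, from BitGo, Coinbase or from any of the products named) implementing the RFC 6238 TOTP scheme that apps such as Google Authenticator use. The one-time code is derived from a shared secret and the current time, so nothing is ever sent over SMS and nothing is tied to a phone number or carrier account. The issuer and account names are constructed sample values, and the secret in the `__main__` block is the RFC 6238 reference secret, used only so the output can be checked against the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Tuple
from urllib.parse import quote

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time // step))


def verify_totp(secret: bytes, code: str, unix_time: float, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and +/- `window` neighbouring steps
    to tolerate clock drift; compare_digest keeps the comparison constant-time."""
    current = int(unix_time // STEP_SECONDS)
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(current - window, current + window + 1)
    )


def enroll(issuer: str, account: str) -> Tuple[bytes, str]:
    """Enrollment: mint a random 160-bit secret and the otpauth:// URI that the user's
    authenticator app scans as a QR code. From this point the secret lives only on the
    server and inside the app; the mobile carrier plays no part in later logins."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    uri = (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
           f"&digits={DIGITS}&period={STEP_SECONDS}")
    return secret, uri


def secret_from_b32(b32: str) -> bytes:
    """Decode a base32 secret as carried in the otpauth URI (padding restored)."""
    padded = b32 + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    # RFC 6238 reference secret (constructed test input, not a real credential).
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59))                    # 287082
    print(verify_totp(rfc_secret, "287082", 59))   # True
    # Constructed sample enrollment for a hypothetical exchange account.
    server_secret, uri = enroll("ExampleExchange", "alice@example.com")
    print(uri)
```

The server stores the secret and runs `verify_totp` at login; the app runs the same arithmetic offline. An attacker who has ported the victim's number still has nothing to intercept, which is the property that SMS codes lack. The `window` parameter is the usual trade-off between tolerating clock drift and shrinking the set of currently valid codes.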

Sean should be applauded for his openness and honesty. His invaluable advice deserves a wider audience: despite the increasing frequency of SIM swap attacks over the past few years, many, if not most, people are still not doing enough to protect their online accounts, and this type of attack can claim even very smart people as victims.

For example, on January 27, Dovey Wan, a prominent member of the crypto community who is a founding partner of crypto-focused investment firm Primitive Ventures, reported that she had become a victim of a SIM swapping hack:

In a follow-up tweet, she gave this advice to her followers:


IOTA Foundation to Reopen Mainnet by March 2 after $2 Million Hack

The IOTA Foundation, the non-profit organization behind the IOTA network, has announced it plans to reactivate the IOTA Network by March 2 after halting it over a $2 million hack.

According to the non-profit organization, it’s working on creating transition tools for users to transfer funds from their existing wallets to new ones so they can avoid any further losses and bring the network back online.

As CryptoGlobe reported, the IOTA Foundation turned off its Coordinator node, which is responsible for validating individual transactions on the network, earlier this month after users started reporting their funds were being stolen from the Trinity wallet, a wallet designed by the Foundation.

Since it turned the coordinator off, it has been working with law enforcement agencies, including the German Center for Cybercrime and the U.S. Federal Bureau of Investigation, to identify the cause. A total of “8.55 Ti” (about $2.3 million worth) of IOTA tokens was lost.

In a post-mortem report, the Foundation detailed that the vulnerability stemmed from the Trinity wallet's integration with MoonPay, a fiat-to-crypto onramp platform. Its investigation found that a hacker was able to take over MoonPay’s content distribution network and use it to push malicious versions of MoonPay's Software Development Kit (SDK) into the Trinity wallet.

The Foundation’s internal analysis of affected Trinity caches found irrefutable proof that they had been compromised with one of several illicit versions of Moonpay’s software development kit (SDK), which was being loaded automatically from Moonpay’s servers (their content delivery network) when a user opened Trinity.
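The compromise described above hinged on the wallet executing whatever the CDN happened to serve. The following added example (not IOTA's, Trinity's or MoonPay's code) illustrates the integrity-pinning idea behind browsers' Subresource Integrity mechanism: the vendor SDK is hashed once when it is reviewed, and at load time the bytes actually served are re-hashed and compared with the pinned value before anything is executed. The SDK contents and the pinned hash are constructed samples.

```python
import base64
import hashlib
import hmac
from typing import Optional

ALLOWED_ALGOS = ("sha256", "sha384", "sha512")  # the digests SRI accepts


def sri_hash(resource: bytes, algo: str = "sha384") -> str:
    """Produce an SRI-style integrity string ("sha384-<base64 digest>").
    This is computed at build/review time over the known-good SDK and pinned
    in the application, not fetched from the CDN."""
    digest = hashlib.new(algo, resource).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(resource: bytes, integrity: str) -> bool:
    """Re-hash the served bytes and compare with the pinned value in constant time.
    Unknown algorithms and malformed pins fail closed."""
    algo, sep, expected_b64 = integrity.partition("-")
    if not sep or algo not in ALLOWED_ALGOS:
        return False
    try:
        expected = base64.b64decode(expected_b64, validate=True)
    except (ValueError, TypeError):
        return False
    actual = hashlib.new(algo, resource).digest()
    return hmac.compare_digest(actual, expected)


def load_sdk(served: bytes, integrity: str) -> Optional[bytes]:
    """Simulated loader: hand the SDK to the application only if the pin matches.
    A real client would log the mismatch and alert rather than silently degrade."""
    if not verify_integrity(served, integrity):
        return None
    return served


# Constructed sample: the SDK as reviewed, and a copy altered after the fact.
GOOD_SDK = b"window.onramp = { buy: function () { /* reviewed vendor code */ } };"
TAMPERED_SDK = GOOD_SDK + b"\n/* bytes not present in the reviewed build */"
PINNED = sri_hash(GOOD_SDK)  # shipped inside the wallet, never downloaded

if __name__ == "__main__":
    print(PINNED)
    print(load_sdk(GOOD_SDK, PINNED) is not None)      # True: reviewed build loads
    print(load_sdk(TAMPERED_SDK, PINNED) is not None)  # False: altered build refused
```

In a browser the same check is expressed declaratively as the `integrity` attribute on a `<script>` tag. The cost of pinning is that a legitimate vendor release also fails the check until the pin is updated; that is the intended trade-off, since it forces every change to third-party code through the application's own review and release process instead of trusting the CDN at run time.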

The attacker, according to the Foundation, took care to avoid triggering cryptocurrency exchanges’ know-your-customer (KYC) checks when cashing out, keeping each transfer below the $10,000 threshold.

The IOTA Foundation was, according to the report, only able to identify 50 victims from the attack, and doesn’t know exactly how many users were affected by the attack. As such, it’s asking those who used the Trinity desktop wallet to use a migration tool.

The organization’s move to shut down the Coordinator node and essentially bring the mainnet to a halt was a controversial one, as various cryptocurrency users are now on social media claiming the IOTA network is centralized.

Featured image via Pixabay.