I had these people call me the other day. I got a text message alerting me of a potential Google account security issue they had blocked and they I should expect a call. I also got one of those emails and an automated phone call. The automated phone call had me dial 1 if I wanted a call back from support to help recover my account.

I got a call from a very professional sounding woman assuring me she was with Google and they had discovered some potentially fraudulent activity with my Google account in Frankfurt. They said they had locked down my account to protect it but they would walk me through recovering it.

I knew this was impossible, because the Google account in question doesn't have passwords. It has a couple of passkeys which are all physical hardware tokens in my home. But I wanted to see how pushy they would get.

Turned into a half hour phone call with me playing dumb (was watching my kid's sports practice, nothing to do for a half hour but cheer him on). Eventually when I was done with it I let them know I was in the process of filing the report with the federal cybercrime department. Immediately hung up from that.

It does feel like the security protocols necessary to secure $100k to $Ms of crypto which transfers instantly and non-reversibly is a challenge for the average user.

Even as a fairly tech enabled GenX, I have forgotten passwords and had to reset them (usually accounts I haven’t used in a while), had files corrupted without a good backup, lost a Yubikey somewhere in the house (I think at least).

From what I can tell I would need to have my crypto seed laser etched into titanium, and then treat that talisman as if it was made of pure platinum as far as securing and tracking it.

Versus keeping my money in SIPC and FDIC protected accounts.

I will say, the BTC appreciation is a big attraction of course, but long term I don’t see how it becomes widely adopted with so much logistics risk, and appreciation… well who knows about that.

> Unbeknownst to him at the time, Google Authenticator by default also makes the same codes available in one’s Google account online.

This sounded absolutely crazy to me so I went to open Authenticator on my phone and lo and behold it offered me the option of linking to my account and "backing up my codes in the cloud" to which I declined.

But I had never seen this behavior before, so is this new? It did not seem to be enabled by default in my case.

The glaring common denominator here is that the attacker has the ability to send an unprompted, unblockable request to the victim's phone. Pressing the safe-looking green button that shows up, even accidentally, is digital suicide.

Google Prompt is supposed to be a safety feature. The account recovery process lets a hostile actor turn Google Prompt into a loaded gun, and Google puts it directly into the victim's hand, aimed straight at their own head.

There's absolutely no way to shut off Google Prompt that doesn't involve removing every Google app from your mobile devices.

About a year ago I got an email from an actual Coinbase email address telling me that my account had been compromised. It included a case number.

Trying to log in with my username and password did not work. Moments later I get a phone call, the caller id says that it is Coinbase. Guy on the phone with a thick German accent tells me he's calling about my account and gives me the case number from the email. I know damn well never to trust a phone call you did not initiate, so I'm kind of just stringing the dude along on the phone.

I remember that I had set up a passkey, and try it. I get in with that and immediately run to the emergency "lock my account" button. I tell the guy on the phone that I have clicked it and after a bit of "uhmmm..."-ing and "hmmm..."-ing he just hangs up.

I call Coinbase support and they verify some recent transactions and ask me to forward them the email, and that's that. I still have no idea what the actual attack was or how they changed or invalidated my password. Best I can tell they did not manage to actually get in to my account.

I ended up changing my password to just about everything out of caution.

I wonder if people who are "invested" in cryptocurrency are more susceptible to these kind of scams. There's a strong aspect of FOMO in getting people to buy imaginary internet money, and also in getting them to panic and fumble said internet money.

I hadn't considered that use of Google Forms to send emails from a Google domain. That's a pretty huge security risk, technically it doesn't risk your zgiogle account but the phishing and impersonation risks for Google are huge.

I wonder if there's any one legitimate instance of a company calling you about compromised accounts and requiring your action. It seems to me that anyone reaching out and lighting a fire under your ass can be assumed to me a malicious actor.

Any notification asking you to confirm your identity that is not initiated by your actions should be immediately dismissed with a "no" and that should be all there is to such things, no?

The defining feature of crypto - decentralized, irreversible, no "higher power" you can go to in order to get your money back - turns out to be the thing that burns people ALL the time.

I couldn't find it from the article, but how the scammer got access to the Gmail account? How he triggered that prompt in the victim's phone, and what did it mean?

It feels something is missing here?

Edit: Well, I learnt about Google Prompts today: https://support.google.com/accounts/answer/7026266?hl=en&co=...

Basically someone can request access to your account and if you click Yes, they do access it.

This part from a Reddit thread [1] scared me a bit:

> The notification pops up on my screen over whatever I am doing, and if I'm using my phone, I worry that I might accidentally hit YES (it almost happened today).

1: https://www.reddit.com/r/techsupport/comments/ccd304/someone...

I had read of this attack back in September[1]. It seems very sophisticated because they spoof a phone number that at first glance is associated with Google, but is really just the “uncanny-valley” Google Assistant service that can check wait times or make reservations on your behalf.

Does Google even offer live-person support if you’re not their Workspace customer?

Also, one other difference is that apparently the attackers may have been using Salesforce to send the emails. Maybe they were using a trial or developer edition? I believe those can send out emails too, but they are very limited. So this must be a very targeted kind of attack. The scary part is that the attacker’s emails pass SPF, DKIM, and DMARC. There’s a technical write-up I found about this aspect of the attack.[2]

[1]: https://sammitrovic.com/infosec/gmail-account-takeover-super...

[2]: https://docs.google.com/document/d/1xrJsRBcGj9x2mMvRoKLG4ANS...

While this is devastating, the lesson that we should all remember:

Never, ever, no matter the circumstances, store private keys (or seed phrases) on photos. Especially if those photos are synchronized to the cloud.

Hand-write them, store them in a safe and secure PHYSICAL location.

Of course we're humans, we make mistakes, and we usually start with small amounts of money that we can lose where it would be unnecessary to take all these precautions, but we still need to regularly remind ourselves to avoid disasters like this in the self-custody world.

“In Soundcloud’s instance, part of declaring your innocence is you have to give them your home address and everything else, and it says right on there, ‘this will be provided to the person making the copyright claim.'”

Good job helping the scammers, SoundCloud. WTF

The start of the article and comments thus far focus on the authenticator/Google account scam. I think a separate topic of note is taking a photo of the wallet recovery words [on an internet-connectable device]. This was, IMO, the primary mistake the user made. (And an easy one to make if you don't consider its consequences)

I feel like attacks like this would be much harder if we had never adopted HTML emails. Then it would make more intuitive sense (for the user) for an institution to write:

(1) Go to our website

(2) Login and check your account

Of course, leigitimate emails do that now, but because of the way we've been trained to "click" (such as "click to verify your email"), this conditioning carries over to phishing and other attacks, whereas that would be impossible with plain text. With plain text, the email verification would have to be "paste this code into a box".

My favorite bit:

> More importantly, Tony recognized the voice of “Daniel from Google” when it was featured in an interview by Junseth, a podcaster who covers cryptocurrency scams. The same voice that had coaxed Tony out of his considerable cryptocurrency holdings just days earlier also had tried to phish Junseth, who played along for several minutes before revealing he knew it was a scam.

> [...]

> Daniel told Junseth he and his co-conspirators had just scored a $1.2 million theft that was still pending on the bitcoin investment platform SwanBitcoin. In response, Junseth tagged SwanBitcoin in a post about his podcast on Twitter/X, and the CEO of Swan quickly replied that they caught the $1.2 million transaction that morning.

> Apparently, Daniel didn’t appreciate having his voice broadcast to the world (or his $1.2 million bitcoin heist disrupted) because according to Junseth someone submitted a baseless copyright infringement claim about it to Soundcloud, which was hosting the recording.

> The complaint alleged the recording included a copyrighted song, but that wasn’t true: Junseth later posted a raw version of the recording to Telegram, and it clearly had no music in the background. Nevertheless, Soundcloud removed the audio file.

DMCA enabling bad actors to cover their tracks was not on my bingo list.

45 BTC (as in the screenshots) is not 500K, it's 4.5M

I am maybe missing something obvious here, but isn't it suspicious that these attacks "affecting a small number of google users" happened to "hit" two people with significant cryptocurrency holdings?

How stressful it must be as an experience to go through.

Having nothing to be robbed from is such an underrated means to live in serenity.

I always tell people to take control of the situation and stay calm. If “Google” or someone contacts you about a problem, simply hang up or ignore the email, look up the company’s info online, and contact the company directly.

Almost all scammers use more or less the same trick, they try to trigger a fear or greed rush with their message/call, so you don't get a chance to question authenticity of what you read or hear.

That is also what many salespersons do to get you to buy what you don't need nor even want, you cannot miss this limited time discount.

Always stop for a moment and be skeptical, caller ID can be spoofed, email addresd can have ä or ē in the domain that you won't notice if you don't look carefully.

I have a simple defense against this. I use a special email account for financial information that only my email provider, myself and my financial institutions know to exist. Even if I tap yes instead of no by mistake on a prompt like this, my financial accounts are safe unless the attacker breaches my bank to find out the email account I use with them first.

Losing a fortune with one bad click is not a new thing or all that rare, stock betting is all the same.

Idk I just think the title is pretty lame and generalizes a pretty informative phishing article, in a bad way.

It seems like the common thread here is that the thefts were of cryptocurrency, rather than real assets in a financial system with safeguards. You can still get robbed of those assets, but it leaves a far stronger paper trail to catch the perpetrators.

The red-flag he should have spotted was Google "Support".

So the attacker has known in advance that the secret was stored in google photos? Is it a common way to store passwords, or is some piece missing here?

That is one really nasty aspect of cryptocurrency. They make theft cryptographically irreversible. And you can watch the thieves spend your money!

How did the scammers know these people were likely to have significant amount of crypto in the first place?

Easy for me to be a smartass in hindsight, but I can't resist:

> Unfortunately for Griffin, years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet.

Um, duh...

> "[...] I put my seed phrase into a phishing site, and that was it.”

>Almost immediately, all of the funds he was planning to save for retirement and for his children’s college fund were drained from his account.

Um, duh. First mistake to put all eggs in a single basket. Second mistake, this basket was a cryptocurrency. Third mistake, pasting the secret key to that _anywhere_.

>ultimately seized control over the account by convincing him to click “yes” to a Google [2FA] prompt on his mobile device

Stopped reading there. What more can we do to protect people from their own stupidity (and I'm not talking about the crypto "investment" part)?

Never Trust a call you didn't initiate.

> By default, Google Authenticator syncs all one-time codes with a Gmail user’s account, meaning if someone gains access to your Google account, they can then access all of the one-time codes handed out by your Google Authenticator app.

When business guys are involved in a security app. Many of us can easily imagine the "user story" that caused this.

The wallet name was exodus, how fitting :D

If you're so rich, why aren't you so smart? is the burning question here.

It's mind-boggling to me how crypto guys can be simultaneously savvy enough to be involved in crypto, to the tune of millions of dollars, but also retarded enough to fall for stuff like this.

Holding $500k in hot wallet, this man is braindead...

> Daniel told Tony his account was being accessed by someone in Frankfurt, Germany, and that he could evict the hacker and recover access to the account by clicking “yes” to the prompt that Google was going to send to his phone.

Come on.

[dead]

[dead]