How I was hacked, and all my cryptocurrencies were stolen!

Because I started playing with cryptocurrencies as a hobby years ago, and for a long time they were not worth much of anything (read Some thoughts on cryptocurrencies), it did not occur to me to treat my crypto holdings more securely than other assets I owned. I assumed that by using very complex passwords, or a password manager like Dashlane, and requiring two-factor authentication with text messages sent to my cell phone, I would be safe.

Boy was I wrong! I did not realize I had a (very) weak link in my security: my cell phone provider. The hackers called T-Mobile pretending to be me. They said I had lost my cell phone and asked T-Mobile to activate another SIM with the same number. As (bad) luck would have it, I was traveling in Europe at the time. I noticed my cell phone lost connectivity, though it still worked through Wifi. I assumed it was just a roaming issue, put my phone on airplane mode (as I do every night) and went to sleep.

When I woke up, I still did not have connectivity, but it was not obvious that something was awry as many normal emails had come through during the night. After a few hours, I randomly decided to check my Twitter and realized my password no longer worked. That’s when I became suspicious. I tried to log in to my Gmail (which I very rarely use) and that password had also been changed. I checked my regular email address and while send and receive worked with no error, no new external emails had come in for a few hours (which is unusual as I get over 200 emails per day). I tried to log in to my domain manager and no longer had access.

The hackers had been very sneaky. After they got control of my cell phone number, they sent themselves a reset password text message at my domain manager to get access to that. They left my existing Exchange mailbox intact, but created a new mailbox and switched the MX record to point to that mailbox. It took a few hours for the MX record change to propagate so I still received emails for a few hours. Also, because they did not reset the password of my Exchange email I did not get an incorrect password message that would have aroused my suspicion. Also, I kept getting internal FJ Labs emails even after the MX record change because those are also on the same Exchange server as my email.

Once the MX record change had propagated, they were able to use their control of my email and access to my cell phone (given that I required text confirmation in addition to control of my email) to reset the password for my Dropbox, Venmo, Twitter, Gmail, Coinbase, Xapo, Uphold and Bitstamp accounts. I did not see any of those password reset messages or any of the text message confirmations because they were going to the new mailbox and phone they had set up. They then sent themselves all my BTC to 12LmHubDmhnLTrvPgs82MJ2FTJR68rwrfK.

At this point, it was clear that my phone and email had been compromised. I immediately called T-Mobile, which confirmed that they had set up a new SIM for my number. It took a fair amount of time, but I convinced them to restore the original SIM. I then reset the password at my domain manager and noticed the MX record had been changed. It was now pointing to a mailbox hosted by my domain manager. I logged in and saw all the password resets on all my accounts.

It took hours, but I reset all the MX records and the passwords on all my accounts and replied to all the emails I had missed that had been sent to the new mailbox.
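The MX switch is the part of this attack that stays invisible until mail stops arriving, so it is worth checking for mechanically. The script below is an added example, not code from the post: it parses `dig +short MX <domain>` style answers and flags any advertised mail host that is not on an allowlist. Note that an attacker does not have to replace your record; adding a second one with a lower priority number is enough to capture mail, which is why every host is checked, not just the primary. The domain, the allowed hosts and both DNS answers are constructed for the demo.

```python
"""Flag an unexpected MX record, the hijack technique described in the post.

Added example (not the post's own code). Parses `dig +short MX` output and
compares every advertised mail host against an allowlist. Domain, allowlist
and the two DNS answers below are constructed for illustration.
"""
import re
import subprocess
from typing import Dict, List, Set, Tuple

# Mail hosts this domain is supposed to advertise (assumed; replace with yours).
# A suffix match is used so that a tenant-specific host such as
# "example-com.mail.protection.outlook.com" passes for the provider suffix.
EXPECTED_MX: Dict[str, Set[str]] = {"example.com": {"mail.protection.outlook.com"}}

# One `dig +short MX` answer line looks like: "10 mail.example.com."
MX_LINE = re.compile(r"^\s*(\d+)\s+(\S+?)\.?\s*$")


def parse_mx(dig_output: str) -> List[Tuple[int, str]]:
    """Turn dig output into (priority, host) pairs, lowest priority number first."""
    records = []
    for line in dig_output.splitlines():
        m = MX_LINE.match(line)
        if m:
            records.append((int(m.group(1)), m.group(2).lower()))
    return sorted(records)


def unexpected_mx(records: List[Tuple[int, str]], allowed: Set[str]) -> List[str]:
    """Return every advertised host that is not covered by the allowlist.

    All records are checked, not only the primary: an added record with a
    lower priority number than the legitimate one is enough to divert mail.
    """
    bad = []
    for _priority, host in records:
        if not any(host == a or host.endswith("." + a) for a in allowed):
            bad.append(host)
    return bad


def check(domain: str, dig_output: str) -> List[str]:
    """Convenience wrapper: parse then compare against the allowlist for `domain`."""
    return unexpected_mx(parse_mx(dig_output), EXPECTED_MX[domain])


def live_mx(domain: str) -> str:
    """Query real DNS with dig (needs network; not used by the offline demo)."""
    result = subprocess.run(["dig", "+short", "MX", domain],
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed samples: the legitimate answer, and the answer after an attacker
# points mail at a mailbox hosted with the registrar, as happened in the post.
BEFORE = "10 example-com.mail.protection.outlook.com.\n"
AFTER = "0 mx.registrar-mail.example.\n"

if __name__ == "__main__":
    for label, answer in (("before", BEFORE), ("after", AFTER)):
        bad = check("example.com", answer)
        print(f"{label}: {'OK' if not bad else 'ALERT unexpected MX ' + ', '.join(bad)}")
```

Run it from cron against `live_mx(domain)` and page yourself on any non-empty result; because MX changes take time to propagate, a check every few minutes will usually fire before the old mail flow stops.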

As luck would have it, for all their sophistication they stole only 0.01 BTC 🙂 I can take no credit for this, as it was sheer luck. I had fundamentally revised my crypto investment strategy the week before the hack and sold all of my direct crypto holdings. I had also reached my Venmo weekly payment limit, so they could not Venmo themselves money (and I can see they tried). They did not try to make wire transfers from my normal bank accounts, perhaps because that money would have been easier to trace and I require a few more security measures for wire transfers that are more difficult to get around.

This experience made me realize that your security is only as strong as your weakest link. Since then, I have implemented several changes to my security protocols. To make any change to my T-Mobile account by phone or in person, you now need to provide a very complex password with digits and special characters. I recommend that everyone add a voice authorization password that is required to make changes to their cell phone account. It also made me realize the perils of using an email address everyone knows and a phone number everyone knows to manage my crypto holdings. The crypto accounts I now use all have email addresses dedicated to them, and I use a non-US cell phone for two-factor authentication. No one has that number and I don’t use it for anything other than to authenticate access to my accounts. Also note that if you use an application like Authy for two-factor authentication (which I recommend), you should only allow it to work on one device (it’s the default setting). An authenticator app computes its codes from a secret stored on the device, not from your phone number, so someone who gets a replacement SIM issued on your number does not receive them. I like that it takes several days to reset your Authy account even if you are just putting it on a new cell phone with the same number. It adds a layer of security in case someone ends up getting a new phone on your number.

For crypto in particular, once the access to your accounts is secure you must decide whether you should leave your assets on the exchange or be your own custodian. Both come with their own risks.

  • Leaving it on an exchange: Your risk here is defined by the probability that the exchange will be hacked or become subject to new regulation. If you decide to go down this path, some exchanges are certainly better than others. I know that the Coinbase team is doing a terrific job at keeping their assets secure. This does come with the drawback of users not being able to participate in certain airdrops, or not having immediate access to new currencies from forks, but I won’t delve into that topic here.
  • Being the custodian: Your risk here is defined by the likelihood of your seed phrase being stolen, or of every copy of it being permanently damaged or lost. Someone could also get the PIN for your wallet and steal the hardware from you, in which case, unless you immediately get a new wallet, recover your keys from the seed phrase, and transfer all of your assets out, they will soon be gone. You could also lose your seed phrase as well as the PIN, as infamously happened to Wired writer Mark Frauenfelder in his epic tale of hacking his own wallet.

People should weigh the probability of the exchange being hacked against the probability of their seed phrase being stolen or lost. For most people with little crypto exposure, I would recommend they leave their crypto on Coinbase, since the chance of Coinbase being breached is probably lower than the chance of losing or leaking your own seed phrase. In addition, it’s far more convenient to just have your assets there rather than deal with the hassle of custody.

If you own a lot of crypto assets, you should avoid leaving coins on exchanges, to avoid the risk of those being hacked as famously happened to Mt. Gox, Bitfinex, and YoBit not so long ago. In 2014, Mt. Gox handled about 70% of all Bitcoin transactions worldwide when roughly 850,000 bitcoins, some 750,000 of them belonging to customers, went missing. It subsequently filed for bankruptcy and went out of business. It’s certainly worth your time to learn how to protect yourself against these attacks.

If you choose to go down this path, I would highly recommend getting your own hardware wallet. The two main companies in this space are Trezor and Ledger. I’m not very familiar with Trezor but can vouch for Ledger. When you first set up the wallet, it will generate a recovery phrase (a list of words; Ledger shows 24) and ask you to choose a PIN, the latter being specific to that device. Think of the recovery phrase as the master secret from which every private/public key pair you will ever use on that wallet is derived. If the device is damaged or lost, you can recover all your keys, and therefore your funds, by entering this phrase into a new one. Just as you can recover the keys from it, anyone else who gets hold of it can do the same, so make sure that you keep it somewhere safe. Safe means: not on a computer with internet access; not on an unencrypted hard drive; not in a photo or typed into any website or app; not on a piece of paper that could easily be stolen. You should also have more than one copy in different places (each of which must be tightly secured, since your system is only as secure as its weakest link) to protect yourself against loss (hard-drive failure, fire, a robbery, and so on). As you are probably thinking by now, being the custodian of your own keys is no easy job.
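The claim that the recovery phrase is the master secret for every key pair, and the earlier point that whoever holds it holds the funds, follow directly from how the phrase is turned into keys. The following is an added example, not the post's code and not Ledger's or Trezor's firmware: it carries the standard derivation through with the Python standard library, BIP39 (mnemonic words plus an optional extra passphrase, stretched with PBKDF2 into a 64-byte seed) and then BIP32 (seed into a master private key and chain code, from which hardened child keys are derived). Word-list and checksum validation of the mnemonic are left out and assumed to have been done by the wallet; the mnemonic used is the all-zero-entropy vector from the BIP39 reference tests; the secp256k1 group order is the published constant. Nothing about the device enters the computation, which is why a thief with the words needs neither the hardware nor the PIN.

```python
"""Recovery phrase -> seed -> master key -> child keys (BIP39 / BIP32).

Added example, not the post's or any vendor's code. Mnemonic below is the
all-zero-entropy BIP39 reference vector; checksum/word-list validation is
assumed to have been done by the wallet and is omitted here.
"""
import hashlib
import hmac
import unicodedata
from typing import List, Tuple

# Order of the secp256k1 group (published constant; private keys live in [1, N-1]).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase, NFKD text."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt.encode("utf-8"),
                               2048, dklen=64)


def master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32: HMAC-SHA512 keyed with "Bitcoin seed"; left 32 bytes = master private
    key, right 32 bytes = chain code. Everything else is derived from these two."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def hardened_child(parent_key: bytes, chain_code: bytes, index: int) -> Tuple[bytes, bytes]:
    """BIP32 hardened derivation (index >= 2^31): child = (IL + parent) mod N.

    Hardened steps need only the private key, so no elliptic-curve point math
    is required here; normal (non-hardened) steps would need the public key.
    """
    if index < HARDENED:
        raise ValueError("non-hardened derivation needs EC point math; use index >= 2**31")
    data = b"\x00" + parent_key + index.to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    il, child_chain = int.from_bytes(digest[:32], "big"), digest[32:]
    child = (il + int.from_bytes(parent_key, "big")) % SECP256K1_N
    if il >= SECP256K1_N or child == 0:
        # Probability about 2^-127; the spec says skip this index and use the next.
        raise ValueError("invalid child key for this index")
    return child.to_bytes(32, "big"), child_chain


def derive_hardened_path(seed: bytes, path: List[int]) -> bytes:
    """Walk a fully hardened path such as m/44'/0'/0' and return the private key."""
    key, chain = master_key(seed)
    for index in path:
        key, chain = hardened_child(key, chain, index | HARDENED)
    return key


# BIP39 reference mnemonic (all-zero entropy). Anyone holding these words can
# reproduce every key below without the hardware wallet or its PIN.
MNEMONIC = "abandon " * 11 + "about"

if __name__ == "__main__":
    seed = mnemonic_to_seed(MNEMONIC)
    print("seed:", seed.hex())
    print("account key m/44'/0'/0':", derive_hardened_path(seed, [44, 0, 0]).hex())
    # A different BIP39 passphrase yields an unrelated seed, i.e. a separate wallet.
    print("with passphrase:", mnemonic_to_seed(MNEMONIC, "TREZOR").hex())
```

Two practical consequences fall out of the code: the optional BIP39 passphrase is a genuine second secret (a different string produces an unrelated wallet, so losing it is as final as losing the words), and nothing in the derivation is rate limited, so an attacker with the words can derive and sweep every account offline in seconds.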

As a side note, while hardware wallets are certainly great products, if you are an institution or someone likely to be the target of a personalized attack, this path might also fall short. First, when talking about redundancy and safety, this is not a binary choice but a spectrum: you could leave a paper with your seed phrase hidden in the closet, or store it in a safe deposit box at a bank. On top of the steps described above, you should also seriously consider multi-signature security. At a high level, this means that you would need multiple keys to transfer your funds (e.g. a 2-of-4 policy means there are 4 keys and you need at least two of them to sign), so a single stolen key or seed phrase is not enough to move anything. There are already a few companies like Coinbase and Anchor that provide this kind of service.

Stay safe!

  • very interesting post.
    It’s not clear to me how the hacker got the new SIM.
    You said the hacker called T-Mobile pretending to be you.
    Why did not T-mobile call the number before replacing the SIM?
    Where did they send the new SIM (should it be your address)?

  • This is not the first time I hear about this type of attack to get around 2FA.

    This is why Google rolled out an Advanced Protection Program (https://landing.google.com/advancedprotection/) which does not rely on SMS. Without going to that extreme, they allow many other authentication factors outside of SMS (Google Authenticator, printed codes, but also a couple of physical security keys)

    I wish more vendors allowed such flexibility. 2FA is getting common these days, but almost always relies on SMS.

  • Well, I think not only T-Mobile, but this also seems to me to be a not very strong part of the chain: “they sent themselves a reset password text message at my domain manager to get access to that.” Really, just a simple SMS to get control over a domain? (Supposedly at least cross-checked on the domain manager side against the /stolen/ phone number, but still…)

  • Dear Fabrice
    I see something different in this story. This can’t happen like this on the same day you travel outside the USA (by accident? no way), unless this hacker knew you were traveling. So the security in this case has to start from inside (internally).

  • One of my acquaintances suspected being hacked a few years ago, both on professional and personal systems. In short, this person (later referred to as “she”) went to the authorities in Europe to declare the facts. Though she was high school degreed with two decades of internet experience, worked in a “money” sensitive position with a manager status and gave what could stand for proofs of intrusion (unknown email addresses added, user account modifications aso), neither the authorities nor the entourage (close family members or twenty-year-old friends) accorded credit to her suspicions. Moreover, her employers used the argument to “dismiss” her, stating later in a legal dispute that she had “lost her mind” when warning them about security issues on the existing systems. As a consequence, this person (who won the legal dispute btw) is now also using double security checks, dedicated mobile phone numbers for internet that are not related to her physical id and uses various digital accounts on soc.med without publishing anything anymore, under her name, even on her own websites. Not to mention that passwords are not stored on any app, browser or computer (which is quite painful as it is advised to modify them every semester). For email accounts, Proton might be an interesting alternative for those still using GoogM, HTM, YH aso. We now live in a moment where everyone, from well-intentioned persons to their opposite, educated to almost illiterate, can read/view, without interacting or being noticed, any publication you issue and act consequently for the better or the worse… In conclusion, when you read “stay safe!”, understand it as: change your mail account passwords and security checks right now, especially if you have had previous correspondence with the writer!

  • Fabio, the safest bet today is: YubiKey. Disable two-way authentication to cell phone (SMS). Instead, use 2WA only with YubiKey. Get a few extra keys for backups and keep them in different places. Second best alternative is Google Authenticator for your email.

  • Excellent article Fabrice, I am sorry to hear about your experience… Time to upgrade my security I think.