pull down to refresh

More victims of phishing attacks.
Companies don’t call you.
Be safe stackers.
Honestly this is the biggest mistake.
Companies don’t call you
My wife recently got a voice mail from a dude claiming to be a police officer. She was suspicious and instead of calling him back she called the police office directly and found out no officers there have that name or number.
Scamming is increasing on many fronts. People have to be skeptical and careful. It seems like I have a friend of family member telling me about a scam attempt every couple of weeks.
Law enforcement is both inequiped and unmotivated to stop it. That is not gonna change. I don't see legislation fixing this either. We just have to be educated and help those in our circles.
I'm active in my small community and we hear our local community contact from the county Sheriff warn us about scams every month. The weaknesses aren't unfixable. People just don't understand it yet. I think most just still think there should be some easy fix that doesn't require thinking and changing behavior.
I've been thinking about offering a free workshop for my church regarding online security. Basic stuff. Not sure how many would be interested but I think it's worth trying.
reply
Church workshop is a great idea. If you help one person, the world is a better place for financial security
reply
My wife agrees :) Also considering a bitcoin workshop as well. Later
reply
Do NOT use Google Authenticator! So many mistakes in this story but that one sticks out to me as one many may not be aware of.
attackers had used his Gmail account to gain access to his Coinbase account from a VPN connection in California, providing the multi-factor code from his Google Authenticator app. Unbeknownst to him at the time, Google Authenticator by default also makes the same codes available in one’s Google account online.
reply
As many people have said, IF you are going to use google authenticator, make sure it doesn't sync to the cloud.
reply
Yeah, for sure. But if there's a bug you are screwed. I like using an open source non-cloud solution.
These stories suck but it seems like the only way humans learn is through pain.
reply
the thing about Google is that it's always doing updates and opting in automatically
avoiding Google is a great policy
reply
My kids were screaming so I put my seed into a phishing site lol best line ever, and here I am in a quiet controlled environment sweating when I do something as simple as generate a new public key.
reply
fuck, imagine having all 40 btc on one single device and also having a pic of the seed phrase on google photos. maybe some hubris of being in early.
scams are so fucked, these days, not only do I never click on any email link, period, I don't engage with any calls from people saying it's the bank and I don't click on anything from text messages. anything crypto linked to a different address etc
i never even call back numbers.
what a waste of energy though, having to independently verify every number etc
reply
Smart strategy. Ignore all messages and calls and links
My phone silences or filters unfamiliar numbers.
reply
45 BTC???
WTF
from article: Griffin said that after receiving the pop-up prompt from Google on his phone, he felt more at ease that he really was talking to someone at Google. In reality, the thieves caused the alert to appear on his phone merely by stepping through Google’s account recovery process for Griffin’s Gmail address.
“As soon as I clicked yes, I gave them access to my Gmail, which was synched to Google Photos,” Griffin said.
Unfortunately for Griffin, years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet. Armed with that phrase, the phishers could drain all of his funds.
“From there they were able to transfer approximately $450,000 out of my Exodus wallet,” Griffin recalled.
reply
He was buying in early 2013 but was made to believe his Trezor was compromised.
reply
from article:
Just days after Griffin was robbed, a scammer impersonating Google managed to phish 45 bitcoins — approximately $4,725,000 at today’s value — from Tony, a 42-year-old professional from northern California. Tony agreed to speak about his harrowing experience on condition that his last name not be used.
Tony got into bitcoin back in 2013 and has been investing in it ever since. On the evening of May 15, 2024, Tony was putting his three- and one-year-old boys to bed when he received a message from Google about an account security issue, followed by a phone call from a “Daniel Alexander” at Google who said his account was compromised by hackers.
Tony said he had just signed up for Google’s Gemini AI (an artificial intelligence platform formerly known as “Bard”), and mistakenly believed the call was part of that service. Daniel told Tony his account was being accessed by someone in Frankfurt, Germany, and that he could evict the hacker and recover access to the account by clicking “yes” to the prompt that Google was going to send to his phone.
The Google prompt arrived seconds later. And to his everlasting regret, Tony clicked the “Yes, it’s me” button.
Then came another call, this one allegedly from security personnel at Trezor, a company that makes encrypted hardware devices made to store cryptocurrency seed phrases securely offline. The caller said someone had submitted a request to Trezor to close his account, and they forwarded Tony a message sent from his Gmail account that included his name, Social Security number, date of birth, address, phone number and email address.
Tony said he began to believe then that his Trezor account truly was compromised. The caller convinced him to “recover” his account by entering his cryptocurrency seed phrase at a phishing website (verify-trezor[.]io) that mimicked the official Trezor website.
“At this point I go into fight or flight mode,” Tony recalled. “I’ve got my kids crying, my wife is like what the heck is going on? My brain went haywire. I put my seed phrase into a phishing site, and that was it.”
Almost immediately, all of the funds he was planning to save for retirement and for his children’s college fund were drained from his account.
“I made mistakes due to being so busy and not thinking correctly,” Tony told KrebsOnSecurity. “I had gotten so far away from the security protocols in bitcoin as life had changed so much since having kids.”
Tony said the theft left him traumatized and angry for months.
“All I was thinking about was protecting my boys and it ended up costing me everything,” he said. “Needless to say I’m devastated and have had to do serious therapy to get through it.”
reply
"Then came another call, this one allegedly from security personnel at Trezor, a company that makes encrypted hardware devices made to store cryptocurrency seed phrases securely offline. The caller said someone had submitted a request to Trezor to close his account, and they forwarded Tony a message..."
"Close his account". This is not how blockchains work. How does someone in Bitcoin for 12-13 years not know this? It would be explained in the Trezor 'beginners' education section. ???
reply
He should also have multiple wallets to eliminate single point of failure
reply
I know Darth has some thoughts on this
reply
Hardware vault
Lightning wallet
Third wallet for opening lightning channels etc
reply
from the article:
“It’s interesting because copyright infringement really is an act that you’re claiming against the publisher, but for some reason these companies have taken a very hard line against it, so if you even claim there’s copyrighted material in it they just take it down and then they leave it to you to prove that you’re innocent,” Junseth said. “In Soundcloud’s instance, part of declaring your innocence is you have to give them your home address and everything else, and it says right on there, ‘this will be provided to the person making the copyright claim.'”
(This part is really important: Google Authenticator cloud settings)
When Junseth asked how potential victims could protect themselves, Daniel explained that if the target doesn’t have their Google Authenticator synced to their Google cloud account, the scammers can’t easily pivot into the victim’s accounts at cryptocurrency exchanges, as they did with Griffin.
By default, Google Authenticator syncs all one-time codes with a Gmail user’s account, meaning if someone gains access to your Google account, they can then access all of the one-time codes handed out by your Google Authenticator app.
One lesson is that 10 hot wallets are more secure than one hardware wallet.
Eliminate single point of failure
reply
I disagree.
No hot wallet, or cold wallet for that matter, will stop thieves if the victim literally, voluntarily gives out a seed phrase over the phone.
reply
He should have at least 3 different hardware wallets or desktop wallets
Or run a node
reply
Those things not mutually exclusive. I know some people like multi-signature. At least that way he couldn't give out a seed phrase if drunk/tired/lack of judgement etc. For those amount of sats seems worth it imo
reply
Agree about multi signature
You’re right: he can do all of the above
Edit: If you only have one wallet then multi signature is the best option
reply
11 sats \ 0 replies \ @chaum 22h
True, that is more resilient, but the backup solution will be more complex/complicated if you're not using multisig.
reply
People need to be more careful. Keep your coins safe.
reply
Ouch.
If you can help even one person avoid ever having this happen, then you're doing the right thing. Educate others.
I recently reconnected with a friend from high school that I haven't spoken to in many years. He wanted to get started with bitcoin. He said he had already purchased some from Coinbase, but it's just on their server where he bought it. He has never used a wallet yet.
Here's a screenshot of the last of the stuff I told him:
reply
Tell your friend to start with beginner friendly Coinos wallet (browser)
reply
11 sats \ 1 reply \ @1GLENCoop 21h
Meh. Maybe.
Does Coinos have lightning yet?
reply
Yes plus on chain, liquid and e-cash
Edit: the founder also takes care of support tickets via email, telegram, nostr and SN
reply
11 sats \ 1 reply \ @ChrisS 24 Dec
“I know I definitely made mistakes, but I also know Google could do a lot better job protecting people,” he says
This sucks but if after all he did and all that happened he thinks google should do more to protect people he has learned nothing. One of the main problems bitcoin solved is trusted third parties.
reply
Every single hardware wallet manufacturer, every. single. one says explicitly under NO circumstances should you provide a seed phrase to anyone else
  • from an exchange
  • from tech support
  • from a 'crypto' company
  • or to anyone else.
In addition, the explicit guidance from every. single. company that makes HW wallets IS DO NOT TAKE A PICTURE OF YOUR SEED PHRASE. IT IS IN BOLD IN THE INSTRUCTIONS
reply
he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet
AHAHAHAHAHAHAVAVAVAVAVAVAVHAHAHAHSHSHSHSHAHAHAHAHAHAHSHAHSHAHAHAHAHSHÇAHAHÁAAAAAAHAHAHAHÇAHAH
reply
Just before Christmas 🎄 damn 😢
reply
Who would lose 45 BTC today? Or is that an old one?
reply
Gmail and Google are entry points for phishing attacks
I fell victim to a toll road scam a few months ago. Long story short: it was user error, i.e. I was gullible.
Fortunately I didn't lose any money because Discover sent me a security alert and locked my account after a couple suspicious Uber Eats orders of 20 bucks and 90 bucks. I knew something was off because I rarely order 90 bucks on Uber Eats and I don't use Discover for food/takeout
reply
I had the same thing a few months ago - 'grub hub' order for like 60$ and I've never used them. Called the credit card company and reported it/had the card cancelled etc.
reply
Similar thing happened to my cousin. Grubhub
Someone in Texas ordered Indian food lol
reply