Do NOT use Google Authenticator! So many mistakes in this story but that one sticks out to me as one many may not be aware of.
attackers had used his Gmail account to gain access to his Coinbase account from a VPN connection in California, providing the multi-factor code from his Google Authenticator app. Unbeknownst to him at the time, Google Authenticator by default also makes the same codes available in one’s Google account online.
My wife recently got a voice mail from a dude claiming to be a police officer. She was suspicious and instead of calling him back she called the police office directly and found out no officers there have that name or number.
Scamming is increasing on many fronts. People have to be skeptical and careful. It seems like I have a friend of family member telling me about a scam attempt every couple of weeks.
Law enforcement is both ill-equipped and unmotivated to stop it. That is not gonna change. I don't see legislation fixing this either. We just have to be educated and help those in our circles.
I'm active in my small community and we hear our local community contact from the county Sheriff warn us about scams every month. The weaknesses aren't unfixable. People just don't understand it yet. I think most just still think there should be some easy fix that doesn't require thinking and changing behavior.
I've been thinking about offering a free workshop for my church regarding online security. Basic stuff. Not sure how many would be interested but I think it's worth trying.
It would be great if there was such a workshop in your church. In my case it would obviously be to seek information about this type of scam, get more knowledge of the subject, and be safer when faced with these cases. I have been a victim of it, and it is really unpleasant to be deceived. But from these experiences we learn, thanks to the Lord, to be more cautious, because we are sheep in the midst of wolves. Thank you for sharing.
fuck, imagine having all 40 btc on one single device and also having a pic of the seed phrase on google photos. maybe some hubris of being in early.
scams are so fucked these days. Not only do I never click on any email link, period, I don't engage with any calls from people saying it's the bank and I don't click on anything from text messages. Anything crypto linked to a different address etc.
I never even call back numbers.
what a waste of energy though, having to independently verify every number etc
My kids were screaming so I put my seed into a phishing site lol best line ever, and here I am in a quiet controlled environment sweating when I do something as simple as generate a new public key.
from article:
Griffin said that after receiving the pop-up prompt from Google on his phone, he felt more at ease that he really was talking to someone at Google. In reality, the thieves caused the alert to appear on his phone merely by stepping through Google’s account recovery process for Griffin’s Gmail address.
“As soon as I clicked yes, I gave them access to my Gmail, which was synched to Google Photos,” Griffin said.
Unfortunately for Griffin, years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet. Armed with that phrase, the phishers could drain all of his funds.
“From there they were able to transfer approximately $450,000 out of my Exodus wallet,” Griffin recalled.
Just days after Griffin was robbed, a scammer impersonating Google managed to phish 45 bitcoins — approximately $4,725,000 at today’s value — from Tony, a 42-year-old professional from northern California. Tony agreed to speak about his harrowing experience on condition that his last name not be used.
Tony got into bitcoin back in 2013 and has been investing in it ever since. On the evening of May 15, 2024, Tony was putting his three- and one-year-old boys to bed when he received a message from Google about an account security issue, followed by a phone call from a “Daniel Alexander” at Google who said his account was compromised by hackers.
Tony said he had just signed up for Google’s Gemini AI (an artificial intelligence platform formerly known as “Bard”), and mistakenly believed the call was part of that service. Daniel told Tony his account was being accessed by someone in Frankfurt, Germany, and that he could evict the hacker and recover access to the account by clicking “yes” to the prompt that Google was going to send to his phone.
The Google prompt arrived seconds later. And to his everlasting regret, Tony clicked the “Yes, it’s me” button.
Then came another call, this one allegedly from security personnel at Trezor, a company that makes encrypted hardware devices made to store cryptocurrency seed phrases securely offline. The caller said someone had submitted a request to Trezor to close his account, and they forwarded Tony a message sent from his Gmail account that included his name, Social Security number, date of birth, address, phone number and email address.
Tony said he began to believe then that his Trezor account truly was compromised. The caller convinced him to “recover” his account by entering his cryptocurrency seed phrase at a phishing website (verify-trezor[.]io) that mimicked the official Trezor website.
“At this point I go into fight or flight mode,” Tony recalled. “I’ve got my kids crying, my wife is like what the heck is going on? My brain went haywire. I put my seed phrase into a phishing site, and that was it.”
Almost immediately, all of the funds he was planning to save for retirement and for his children’s college fund were drained from his account.
“I made mistakes due to being so busy and not thinking correctly,” Tony told KrebsOnSecurity. “I had gotten so far away from the security protocols in bitcoin as life had changed so much since having kids.”
Tony said the theft left him traumatized and angry for months.
“All I was thinking about was protecting my boys and it ended up costing me everything,” he said. “Needless to say I’m devastated and have had to do serious therapy to get through it.”
"Then came another call, this one allegedly from security personnel at Trezor, a company that makes encrypted hardware devices made to store cryptocurrency seed phrases securely offline. The caller said someone had submitted a request to Trezor to close his account, and they forwarded Tony a message..."
"Close his account". This is not how blockchains work. How does someone in Bitcoin for 12-13 years not know this? It would be explained in the Trezor 'beginners' education section. ???
“It’s interesting because copyright infringement really is an act that you’re claiming against the publisher, but for some reason these companies have taken a very hard line against it, so if you even claim there’s copyrighted material in it they just take it down and then they leave it to you to prove that you’re innocent,” Junseth said. “In Soundcloud’s instance, part of declaring your innocence is you have to give them your home address and everything else, and it says right on there, ‘this will be provided to the person making the copyright claim.'”
(This part is really important: Google Authenticator cloud settings)
When Junseth asked how potential victims could protect themselves, Daniel explained that if the target doesn’t have their Google Authenticator synced to their Google cloud account, the scammers can’t easily pivot into the victim’s accounts at cryptocurrency exchanges, as they did with Griffin.
By default, Google Authenticator syncs all one-time codes with a Gmail user’s account, meaning if someone gains access to your Google account, they can then access all of the one-time codes handed out by your Google Authenticator app.
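The mechanism behind that quote is worth seeing concretely: a TOTP app like Google Authenticator stores a shared secret, and the six-digit code is just an HMAC of that secret and the current 30-second time slot (RFC 6238 / RFC 4226). Any copy of the secret, whether on the phone, in a cloud sync, or in a backup, produces the exact same codes, and a server verifying the code cannot tell the copies apart. The following is an added illustration written for this thread, not code from the article or from Google; it uses the public RFC 6238 test secret (the ASCII string "12345678901234567890", base32-encoded) rather than any real account, and the "phone" and "cloud copy" names are just labels for two holders of the same secret.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP built on RFC 4226 HOTP with HMAC-SHA1 (the default profile
    used by Google Authenticator). The only inputs are the secret and the clock."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step                      # 30-second time slot
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current slot or +/- `window`
    neighbouring slots to tolerate clock drift. Constant-time comparison."""
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + delta * 30)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def copies_are_indistinguishable(secret_b32: str, unix_time: int) -> bool:
    """The security point of the thread: a synced copy of the secret yields the
    same code as the phone, so the server accepts either one."""
    phone_code = totp(secret_b32, unix_time)         # code shown on the device
    cloud_copy_code = totp(secret_b32, unix_time)    # code anyone with the synced secret gets
    return phone_code == cloud_copy_code and verify_totp(secret_b32, cloud_copy_code, unix_time)


# Constructed demo input: the RFC 6238 Appendix B test secret, base32-encoded.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC6238_SECRET_B32, t))
    print("synced copy passes verification:",
          copies_are_indistinguishable(RFC6238_SECRET_B32, 1234567890))
```

The practical consequence is the one Daniel spells out: the second factor is only as independent as the place the secret lives. If the secret is synced into the same Google account that the first factor protects, a single account takeover hands over both factors at once, which is why keeping the authenticator unsynced (or using a hardware key that never exports its secret) matters more than the app's name.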
Those things are not mutually exclusive.
I know some people like multi-signature. At least that way he couldn't give out a seed phrase if drunk/tired/lacking judgement etc. For that amount of sats it seems worth it imo.
Security is important, and I say this from my own experience. This SN post touches me closely, because recently someone with the data of a relative of mine contacted me, saying they had arrived in my country by surprise and could not rent a car because everything was in dollars and they needed the national currency. I sent some money through another person, and when I realized, it was too late. So stackers, certainly be careful and be more cautious. As @kepford says, there should be preparation workshops; more of these posts would be great, to learn to move more safely in the midst of so many scams.
If you can help even one person avoid ever having this happen, then you're doing the right thing. Educate others.
I recently reconnected with a friend from high school that I haven't spoken to in many years. He wanted to get started with bitcoin. He said he had already purchased some from Coinbase, but it's just on their server where he bought it. He has never used a wallet yet.
Here's a screenshot of the last of the stuff I told him:
“I know I definitely made mistakes, but I also know Google could do a lot better job protecting people,” he says
This sucks but if after all he did and all that happened he thinks google should do more to protect people he has learned nothing. One of the main problems bitcoin solved is trusted third parties.
Every single hardware wallet manufacturer, every. single. one says explicitly under NO circumstances should you provide a seed phrase to anyone else
from an exchange
from tech support
from a 'crypto' company
or to anyone else.
In addition, the explicit guidance from every. single. company that makes HW wallets IS DO NOT TAKE A PICTURE OF YOUR SEED PHRASE. IT IS IN BOLD IN THE INSTRUCTIONS
Gmail and Google are entry points for phishing attacks
I fell victim to a toll road scam a few months ago.
Long story short: it was user error, i.e. I was gullible.
Fortunately I didn't lose any money because Discover sent me a security alert and locked my account after a couple of suspicious Uber Eats orders of 20 bucks and 90 bucks. I knew something was off because I rarely order 90 bucks on Uber Eats and I don't use Discover for food/takeout.
I had the same thing a few months ago - a 'Grub Hub' order for like $60 and I've never used them. Called the credit card company and reported it/had the card cancelled etc.