By CCN: SIM hijackers aiming to steal bitcoin and other cryptocurrencies are getting bolder and more daring. No longer are they just going for the soft targets but are now even pursuing the technologically adept and sophisticated.
One such victim is the engineering manager at cryptocurrency custodian BitGo, Sean Coonce. In a bold move, the blockchain engineer has publicly revealed that attackers stole bitcoin worth more than $100,000 from his Coinbase account. The attackers managed this over a period of 24 hours while carefully concealing any evidence that something was amiss.
Coonce dubbed the incident which occurred last week the ‘single most expensive lesson’ of his life.
My personal identity was hacked last week. The attacker was able to steal $100k+ in a sweep of my Coinbase account. I’m equal parts embarrassed, hurt, and deeply remorseful.
In an effort to raise awareness about the attack, I wrote about it here: https://t.co/ZnbB0AN6Gd
— Sean Coonce (@cooncesean) May 20, 2019
Blow by Blow Account of Bitcoin Sim Hijacking
According to Coonce, the attacker first ported his SIM card to a device they controlled last week Tuesday. The blockchain engineer only realized this after he lost cellular service while using his smartphone. Soon after he was prompted to sign in to his Google account but he was unsuccessful in his attempts.
Meanwhile, the attacker had initiated the password recovery process for Coonce’s Coinbase account. The password reset link could only be sent after 24 hours, however. After initiating this process, the attacker deleted the email correspondence with Coinbase leaving no evidence of what had transpired.
Suspecting that the SIM-card problem had arisen after having dropped his device, Coonce obtained a new one the following day. The blockchain engineer also assumed the problem had been fully resolved. But later that evening at around the same time as the previous night, Coonce’s cellular coverage disappeared again. He also got messages prompting him to log into his Google account.
Patient Bitcoin Sim Swapper Goes in for the Kill
Unfortunately, Coonce once again decided to sort out the problem the following morning. But by this time the attacker had completed Coinbase’s password reset process with the 24-hour delay period having elapsed. Besides draining everything that was contained in his Coinbase wallet, the attacker also bought cryptocurrencies using Coonce’s funds deposited on the exchange. The attacker then moved the bitcoin and other cryptocurrencies to a non-Coinbase on-chain address.
This comes at a time when SIM-swapping incidences are on the rise. Less than two weeks ago prosecutors at the US Attorney’s Office for the Eastern District of Michigan charged nine individuals who were in a SIM-hijacking ring that is believed to have netted more than $2.4 million from their activities. Even more troubling was the fact that the ring included three employees of an unnamed wireless carrier proving that SIM-swappers sometimes use insiders.
— CCN.com (@CCNMarkets) May 13, 2019
While some victims of SIM-hijacking choose not to pursue legal remedies against the wireless carriers, not all take it lying down. Last year, for instance, bitcoin investor Michael Terpin who lost his crypto assets worth millions of dollars after his SIM card was hijacked has sued U.S. telecoms giant AT&T. Earlier this month California’s Supreme Court awarded him $75.8 million in another suit he had filed against a 21-year old SIM hijacker who stole his bitcoin and other crypto assets.
So Where’s the Biggest Vulnerability?
Though there will always be bad actors looking to take advantage of weaknesses in online security, Coonce has stated that while cellular networks, online service providers and device makers could bolster safeguards, the biggest vulnerability lies with human nature.
In his case, Coonce admits that he didn’t take online security seriously since he ‘had never experienced an attack’. The blockchain engineer who is still ‘gutted’ after the $100,000-plus loss also blamed laziness to an extent:
And while I understood my risk profile, I was simply too lazy to secure my assets with the rigor they deserved.