There has been an increase in scams where criminals impersonate Coinbase support to extract users’ seed phrases. One victim lost approximately $1.7 million.
On July 8, Edge & Node co-founder Tegan Kline reported that scammers had emptied the wallet of a close friend.
CT, a member of the community urgently needs your help.
$1.7 Million stolen — A good friend’s self custody wallet was drained by a scammer yesterday, July 6th.
TLDR of how it went down below (3 pages)⤵️
You can find the Ethereum transactions with links in the comment below.… pic.twitter.com/OTx3wslz6R
— Tegan.eth ?,? (@theklineventure) July 7, 2024
According to Kline’s account, the scammer initially called the victim pretending to be from Coinbase’s security team, then continued communication via email. The scammer warned the victim of “unauthorized access” due to a fabricated wallet connection error.
To appear more credible, the scammer provided additional transaction details and personal information about the target. To cancel the suspicious transfer, the victim was asked to verify on a website.
After following the link, the victim entered part of their seed phrase. This was sufficient for the theft of approximately $1.7 million from the wallet.
Alex Miller, CEO of Hiro Systems, explained that such sites “collect data as it is entered,” allowing criminals to deduce the remaining part of the seed phrase.
Never enter any information into a site you have a bad feeling on — even if you never hit submit, the bad guys are capturing data as you enter it.
sounds like this user put in part of his seed phrase, which was enough to reduce the entropy and the bad guys brute force the rest. https://t.co/NMpeLcHmdv
— Alex Miller (@alexlmiller) July 8, 2024
“Never enter any information on a site that gives you a bad feeling. Even if you don’t hit ‘Submit,’ scammers capture data as it is entered. It seems this user entered part of their seed phrase, which was enough to reduce entropy, allowing scammers to brute force the rest,” added Miller.
He noted that he recently received a warning from genuine Coinbase support about an attempted account breach. He speculated that hackers exploited a Cointracker leak and are using API keys to forge online identities.
A user known as Paul04Trader also reported a “fairly sophisticated” hacking attempt where the scammer posed as an exchange representative. The scammer tried to trick the victim into revealing their account password via a fake reset link.
Another trader, under the pseudonym beanx, described a similar call from a fake Coinbase representative warning of a hacking attempt.
In June, the cryptocurrency exchange was listed among American brands most frequently impersonated by scammers to deceive victims. According to Mailsuite analysts, from January 2020 to March 2024, the name Coinbase was used in 416 scam schemes and phishing attacks.
Back in February, a perpetrator under the alias Tamagami offered for sale on the dark web access to data from Binance and Coinbase. The hacker claimed to have breached the Kodex Global platform, which allows requests to be sent on behalf of law enforcement to obtain data from various bitcoin exchanges and social networks.