One Crypto Scam

This is an experience I had where a scammer attempted to steal my cryptocurrency. Please note that I knew this was a scam and therefore never used my actual account information while playing along with the scammer. If I had made a mistake and used my real information, the scammers could have stolen everything I had in my Coinbase account. You should be very careful when toying with scammers like this. The smart thing to do would have been to hang up. But then I wouldn't have this great learning opportunity.

Two different Coinbase accounts are in play here.

  1. Coinbase.com - In this account, Coinbase maintains the cryptocurrency and my private keys.
  2. Coinbase Wallet - Though branded with Coinbase, Coinbase Wallets are not stored on Coinbase's servers. Instead, the Wallet is accessed by using a seed phrase. Anybody with the seed phrase could clone my private key and access everything in my wallet.

Coinbase makes it easy to transfer funds from a Coinbase.com account to a Coinbase Wallet. The wallets are easier for scammers to access, so they want you to transfer Coinbase.com assets into a Coinbase Wallet, then they steal your wallet. Imagine that a hacker wanted cash from your Bank of America checking account. Stealing your online account might be tricky. But if they can convince you to go to the ATM and withdraw $100, you now have that cash in your physical wallet. They could then convince you to hand over your physical wallet with the $100.
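Why the seed phrase is the only thing a thief needs, shown as an added example (not code from Coinbase or from this post). It assumes the 12-word phrase follows the public BIP-39 standard and the wallet derives its keys with BIP-32; the sample phrase is the well-known public test phrase, and the function names are illustrative.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: the public all-zero-entropy BIP-39 test phrase.
# Everyone knows it, so it must never hold real funds.
SAMPLE_PHRASE = "abandon " * 11 + "about"


def bip39_seed(phrase: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed from a recovery phrase (BIP-39).

    The only inputs are the words and an optional passphrase. No account,
    password, device or 2FA code takes part in the derivation.
    """
    words = unicodedata.normalize("NFKD", " ".join(phrase.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def bip32_master(seed: bytes) -> tuple[bytes, bytes]:
    """Turn the seed into the master private key and chain code (BIP-32)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def keys_from_phrase(phrase: str) -> bytes:
    """What any device does when a phrase is typed in: words -> master key."""
    master_key, _chain_code = bip32_master(bip39_seed(phrase))
    return master_key


if __name__ == "__main__":
    # The owner's wallet and a second machine that was only given the words
    # arrive at the same master private key.
    owner = keys_from_phrase(SAMPLE_PHRASE)
    other = keys_from_phrase(SAMPLE_PHRASE)
    print("seed    :", bip39_seed(SAMPLE_PHRASE).hex()[:16], "...")
    print("same key:", owner == other)
```

Because the derivation is deterministic and offline, a leaked phrase cannot be revoked; the only remedy is moving the funds to a wallet created from a new phrase.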

Series of events

I received two phone calls purporting to be from Coinbase.com (they weren't).

Call Log

  • At 4:35 PM, I received a call saying that somebody had tried to access my Coinbase account from Salt Lake City. I was told to press 1 if this was not me. I pressed 1 knowing this was a scam.
  • At 4:38 PM, I received a callback. I recorded the conversation. Here is a link to the audio.

Below is a transcript of the call. Note that I did not offer the scammer any information he didn't already have. I confirmed my email, but that information has been leaked so many times I don't consider it private.

Scammer: Am I currently speaking with Jim?

Me: Yes, you are.

Scammer: Before we do continue, I do want to let you know that this call is being recorded for quality assurance. The reason for my call today is regarding some concerning activity in your Coinbase account linked to j**** at gmail.com. Sorry for any mispronunciations on that.

Me: That's okay.

Scammer: We've detected a new device logging in from Salt Lake City, Utah, in an attempt to withdraw from a (garbled) IP address. Can you confirm if this was you?

Me: No.

Scammer: Alrighty. Additionally, I do see an attempted email change to ASDFBM7895(?)@hotmail.com. I'm also guessing this wasn't you doing, sir?

Me: Right, that's not me.

Scammer: Alright, I'm going to go ahead and mark this down as fraudulent activity. In case we get disconnected, can you please write down this case ID number for reference?

Me: Sure.

Scammer: Alrighty, sir. The case ID number is 421-424. Once again, that was 421-424.

Me: Okay, got it.

Scammer: Are you able to repeat that ticket number back to me, sir?

I was reluctant to read back the case number he gave me. I know that AI voice generation tools could probably generate numbers using my voice just fine. But, as a precaution, I didn't want a recording of myself saying these numbers to the scammer.

Me: I got it. We're okay.

Scammer: I do have to ask you to repeat that ticket number back to me, sir. It's just for safety precautions, just knowing that you did write it down. Sir?

Me: Yeah, I got the number just fine. I feel secure.

Scammer: Do you want to repeat that back to me?

Me: Not right now.

Scammer: Why is that, sir? We will not be able to proceed until I know that you have written the ticket number down and that you have repeated it back to me.

Me: Why can't we proceed?

Scammer: Sir, I already know the ticket number. I don't know why you are struggling just to repeat it back to me. It's not a security code.

Me: I'm fine proceeding.

Scammer: It's not a security code. It's just a case ID number.

Me: Great. I can always call back and ask for this case if I need to, so I'm happy proceeding.

Scammer: If this number does get lost, then we're not responsible for any funds that have been sent away.

Me: Okay.

Scammer: Are you okay with that, sir?

Me: Sure.

Scammer: Alrighty. Please keep this ticket number private. It's for support purposes only, and Coinbase will never request this number via private. It's for support purposes only and Coinbase would never request this number via email. To ensure your security, we can place a 24-hour lock on your account. This actual and not only secure account will also reverse any unopted exchanges. All transactions, conversions, purchases, sales, and sendouts will be restored back to normal. I also noticed the support ticket on your Coinbase account requested an increase in daily purchase limits. It was created about 13 minutes ago. Can you confirm if this was you, sir?

Me: No.

Scammer: Alrighty. To ensure your security, I'll mark this request as fraudulent and close it down immediately.

Me: Great.

Scammer: Given the unauthorized access to your account, they might have gained access to your payment methods. This could be any linked credit cards, debit cards or bank accounts that you do have on your Coinbase account. Would you like me to remove these payment methods to prevent further unauthorized access?

Me: Yes.

Scammer: Alrighty. And then is this the best callback number to reach you in case we do get disconnected?

Me: Yes.

Scammer: Perfect. In case this call disconnects, one of my colleagues will give you a call back at this number. Do you still currently have access to your email on file to your Coinbase account?

Me: Yes.

Scammer: Are you the primary account holder of your Coinbase account?

Me: Yes.

Scammer: Do you use your Coinbase account frequently and do you still currently hold assets in your Coinbase account?

Me: I do have access.

Scammer: Do you still currently hold assets in your Coinbase account?

Me: I do have access.

Scammer: Alrighty. For security purposes, we're able to subscribe you to Coinbase Bytes, which basically gives you updates to your email about data breaches and updates to your Coinbase account. It's a 100% free subscription, but we do recommend it to all of our customers. Would you like to go ahead and proceed with that?

Me: No, thanks.

Scammer: Alrighty, sir. We do suggest it to all of our customers. If you ever want to change your mind, you can visit us on our Coinbase website and subscribe to it yourself. There are going to be a couple steps we are going to go ahead with to fully secure your Coinbase account and safeguarding your assets. I'm going to go ahead and email you a password. We sent your current email address on file. That was j*** at gmail.com. Is that correct, sir?

Me: Right.

Scammer: All right. Give me one second to do that. All righty, sir. While we wait for that email to send, are you familiar with the Coinbase Wallet app?

Me: Yes.

Scammer: Do you currently have that downloaded on your cellular device?

Me: No.

I did in fact have the Coinbase Wallet app on my phone, but I also have a Coinbase Wallet browser extension. I wanted to use my browser, so I told him that I did not have it on my phone.

Scammer: What we are going to do is have you download the Coinbase Wallet app and temporarily store your assets in there while we secure your main Coinbase account. The Coinbase Wallet app is 100% owned by you, sir, and we do not have access to it.

Me: All right, I got your email.

Scammer: All righty, sir. Alrighty, sir. Would you be able to go ahead and download the Coinbase wallet app, sir?

Me: Yeah, I've got it on my desktop.

Scammer: The Coinbase wallet app?

Me: Right.

Scammer: Alrighty so I am going to have you navigate back to that email, and then it should say secure assets, and then it will prompt you to a password reset and then a whitelist section after. What we are going to have you do is after you click on the secure assets, please do not close out of the tab at any time until we are finished with this call. There will be another step after the password reset, so after the password reset, just let me know when you are there.

Below is a screenshot of the phishing email I received. There were some warning signs in the email that it was not legitimate.

Scam Email

Me: While I do that, what's the next step? What do I need to do?

I wasn't sure how long I wanted to play along. I decided to keep going.

Scammer: There's going to be a step where you whitelist your Coinbase wallet app. Basically, what happens during the whitelisting section is that you can only send assets from your Coinbase wallet or your Coinbase app, sorry, sir, to your Coinbase wallet app. This is just so we can make sure that it is 100% you and that we can know that it is only the transactions will only be sent from that Coinbase app to the Coinbase wallet. No other transaction will be able to go through if you do have someone in your Coinbase account. If someone is in your Coinbase account and their wallet is not whitelisted, they will not be able to send anything.

Me: Alright, I'm pulling something up real quick. It's just taking me a moment to get that link open. Switched computer, so it's taking me a minute.

Instead of opening the email in my normal web browser on my computer, I started a Linux virtual machine with a graphical user interface. This let me open the website in a secure sandbox. If the website had malicious code, I could open the link safely. So when I "switched computers," I was just opening a virtual machine and launching my web browser.

Scammer: If you need any help during this process, I'll remain on the line.

Me: Let's see. 421424-421424-cbwallet.com, reset underscore password. Confirm that I'm not a robot. I'm not a robot. Captcha. Well, that looks like a tiger. Does the cat look like a tiger? Maybe. All right, I've reset my password.

Here is a screenshot of the website and the password reset page. There was a captcha, also, where I had to select images that looked like tigers.

Scam Website

The password reset does not actually reset anything. Interestingly, the password reset page did validate that the password met the complexity requirements and confirmed that the passwords matched. Likely, the scammers developed these features to make people think that nothing was out of the ordinary, since most websites now require complex passwords and ensure that your passwords match.

Scam Reset

After "resetting" a password, the website shows:

Confirming

Scammer: Does it say that it is confirming something, sir?

Me: Yes.

Scammer: Alrighty. Let me know when it does prompt you to the whitelist section, sir.

Me: Okay, so it looks like it's seeing something about a whitelist.

Scammer: That is correct. Is it asking you for the 12-word recovery phrase, sir?

Me: Yes.

This is the page displayed. At this point, if I entered my seed phrase, the scammers would be able to clone my wallet and steal everything in the wallet.

Seed Phrase

Scammer: All righty. So what I am going to have you do is navigate to your Coinbase Wallet app.

Me: Okay.

Scammer: And then when you are in the Coinbase wallet app, you see the settings button in the bottom right of your screen.

Me: Yes.

Scammer: I'm going to have you click on that, and then it's going to ask you to go to the wallet subcategory. You see the wallet subcategory?

Me: Uhm, yep, I got it.

Scammer: And then click address one or whatever you have named your address to your wallet.

Me: Okay.

Scammer: And then you see where it says recovery phrase?

Me: Yes.

Scammer: What you are going to do is paste that 12 word phrase, which is your recovery phrase, into the whitelist section. And once you have whitelisted your Coinbase wallet app, you will only be able to send funds from your Coinbase app to your Coinbase wallet app.

Me: Okay. All right, I'll just copy and paste that in there. And submit. All right, so I should be protected now, right?

Scammer: That is correct, sir. Does it say that it has been successful?

I generated a random 12-word passphrase and entered it. Here is what was displayed.

Successful Whitelist

When I clicked continue, the website brought me back from the login page. All they needed was my seed phrase. The seed phrase I gave them was bogus, and I never transferred any money in there.

Me: Yes, it appears so.

Scammer: It says successfully whitelisted or something in that sense?

Me: Right.

Scammer: All righty. So what we are going to have you do is, do you know how to send assets from one wallet to another?

Me: Yes. Hello?

Scammer: Hello. So what we are going to have you do is transfer your funds from your Coinbase app to your Coinbase wallet app.

Me: It's kind of big. There's like $2 million in there. Is that going to be a problem?

I do not have that much money in cryptocurrency. I just wanted to mess with the scammer to make him think he hit the jackpot.

Scammer: That will not be a problem, sir. It might just take a little bit more time to confirm.

Me: Alright, let me just enter. It's all in Bitcoin. All right. Okay, it looks like it's in process. So I think that should be all we need right now.

Scammer: All righty. Once you have successfully transferred your funds over, please let me know that. They should be in your Coinbase wallet app. And we have placed a 24-hour lock on your Coinbase account. So after the 24-hour period, you will be able to transfer it back. Any fees that you do have on your Coinbase wallet transfers will be covered by Coinbase itself, sir.

Me: Gotcha. Okay. That's good to know. So just one final question. How many people fall for this?

Scammer: You would be surprised, sir.

Me: Yeah?

At this point, the scammer hung up. I loved his final quote, "You would be surprised, sir." At least he was polite and called me "sir" after attempting to steal from me.

Fallout

My data was never compromised. I never divulged my Coinbase Wallet seed phrase. I checked my Coinbase.com account and there were no suspicious logins. Nobody ever changed any payment methods or tried to log in to my account. All login attempts were tied to my correct location and my IP address from my home network.

Reflection

  • What warning signs would you have noticed?
  • Did I put myself at risk by talking with the scammer?

Extra

There are lots of cryptocurrency scams out there. The FBI issued a public service announcement about cryptocurrency scams conducted by North Korea, but the techniques used could be carried out by any scammer. The public service announcement is worth reading.