Family Loses $75,000 in Crypto via Coinbase SIM Card Swap Scam

A US family of four has had their crypto savings drained through a fraudulent SIM-swap. Their Coinbase account holding US$75,000 was emptied in a matter of seconds, leaving them with almost nothing.

Identity Fraud Facilitates SIM-Swap Scam

The family, who requested anonymity, said that the stolen crypto investments were intended for their two children’s university fund. “John” and “Lisa” were the victims of a SIM swap/hijack that allowed attackers to fake their identity and move the funds.

In a report filed with the Palm Bay Police in Florida, John wrote: “I know I had over $70,000. My wife checked with our family T-Mobile plan and the company confirmed someone swapped my SIM card at approximately 3:48pm [on May 9].”

Coinbase investigators said the account “was accessed from a Windows 10 device and the [given] IP address by entering your password, a two-step verification SMS code sent to your verified mobile number, and completing the new device confirmation requirement via email”. Coinbase has also recently warned users of fake SMS confirmation scams. Below is an example from last year:

And that is how you get swipped on @coinbase , just like that your balance disappears. Woke up today and had no service on my cell phone. Turns out the SIM card number was changed and some fuck took complete control. Coinbase security never caught this complete fraud and I’m zapd pic.twitter.com/nfDc5vDeBS

— Twhyler (@TraderTyler137) March 17, 2020

Coinbase is insured, but because the thieves in this case were able to access the account using the proper smartphone security protocol, the lost money will not be reissued. The Florida couple has set up a GoFundMe account in a last effort to recoup their lost savings.

The Imperative to Protect Personal Identifiable Information

John’s SIM was “hijacked” by thieves who were able to match his SIM card to a new device after somehow getting hold of his credentials and enacting the SIM-swap via the log-in process.

Special agent Caroline O’Brien of Palm Bay Police warned that through social engineering or by using social media to obtain personal information that is displayed publicly, thieves can convince service providers they are the actual account holder.

Cybercriminals are monitoring social media to target crypto accounts because the funds are irreversible and nearly untraceable. In Australia, some of the latest crypto scams to look out for are listed here. In 2020 alone, an estimated A$26 million in bitcoin was lost to scams.

Using Two Authentication Methods Beats an SMS Code Login Alone

Individuals who bank, trade, or make credit card purchases with their smartphones could also be affected by this exploit. Consumers should ask their phone carrier for additional security measures, including:

• a 16-digit PIN
• voice print authentication
• facial authentication
• two-factor authentication in which a code is sent to you, and you send the code back from your smartphone

These measures can help individuals by placing more obstacles between their accounts and potential attackers.