
On the morning of April 16, 2021, a remote attacker accessed my machine using VNC and took advantage of my browser signed into Gmail to reset passwords and sign into Coinbase to transfer funds.
Total stolen
$2,814 was transferred to my Coinbase account to purchase Bitcoin. $500 was then transferred to a foreign account and is lost forever due to Coinbase’s lack of insurance. The remaining amount would only be worth $1,300 today, but unfortunately Coinbase disabled my login so I can no longer access my account. To add insult to injury, their support has been unresponsive, and it is unclear whether I will see those funds ever again 😢
The attacker also stole my Chase credit card reward points by redeeming a $200 gift card, but thankfully Chase was able to restore the points to my account.
Timeline of the attack
Since the attacker used my browsers, I have a record of all the sites they visited in Chrome and Safari:



8:10am: log into my computer
8:25am: download and install TeamViewer
8:38am: attempt to send $844 to Colm Gallagher <mecolmg@gmail.com> using Google Pay
8:38am: attempt to send $844 to mitchellinvestllc@gmail.com using Google Pay

8:40am: search email for cryptocurrency and financial accounts, e.g. emails from Binance, Coinbase, Gemini, Chase, and Ally Bank
8:43am: set up Gmail filters to immediately delete any emails from binance, coinbase, gemini, chase, or ally.

8:50am: transfer $500 (0.0079462 BTC) from Ally Bank to Coinbase
8:52am: transfer $500 (0.0079462 BTC) from Coinbase to 13JKFEjHDF9ZTEyd9XxDEs357Dvhve814d
8:56am: transfer $2,314 (0.03673242 BTC) from Ally Bank to Coinbase

9:30am: sign into Chase and purchase $200 Home Depot gift card using points
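The 8:43am step, where filters were created to delete mail from financial senders, leaves a trace that can be audited afterwards. The following is an added example, not part of the original post: it scans a Gmail filter export for rules that both match one of those senders and trash, archive, mark as read, or forward the mail. It assumes the export is the Atom XML file with `apps:property` elements (the property names used are assumptions about that format), and the sample export is constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}
# Sender keywords taken from the timeline above.
WATCHED = ("binance", "coinbase", "gemini", "chase", "ally")
# Filter actions that keep a matching message out of the owner's sight
# (property names assumed from the Gmail filter export format).
HIDING = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")

def suspicious_filters(xml_text, watched=WATCHED):
    """Return filters that match a watched sender AND hide or forward the mail."""
    findings = []
    for entry in ET.fromstring(xml_text).findall("atom:entry", NS):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall("apps:property", NS)}
        criteria = " ".join(props.get(k, "") for k in ("from", "subject", "hasTheWord")).lower()
        # Whole-word match so "ally" does not fire on "finally".
        senders = sorted(w for w in watched if re.search(rf"\b{re.escape(w)}\b", criteria))
        actions = sorted(a for a in HIDING if props.get(a, "").lower() == "true")
        if props.get("forwardTo"):
            actions.append("forwardTo")
        if senders and actions:
            findings.append({"senders": senders, "actions": actions})
    return findings

# Constructed sample export, not data from the incident.
SAMPLE = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='binance OR coinbase OR gemini OR chase OR ally'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <apps:property name='from' value='alerts@chase.com'/>
    <apps:property name='label' value='Bank'/>
  </entry>
  <entry>
    <apps:property name='subject' value='finally shipped'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>"""

if __name__ == "__main__":
    for finding in suspicious_filters(SAMPLE):
        print(finding)
```

Only the first sample filter is reported: the second matches a watched sender but merely labels the mail, and the third hides mail that has nothing to do with the watched senders.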

Suspects
Because Bitcoin is on the blockchain, I am able to track the movement of the stolen $500:
- Sent from Coinbase to 13JKFEjHDF9ZTEyd9XxDEs357Dvhve814d, an empty account
- Then sent to 3PLx7czKsHHsrqw8JFyknPxeaVKWpa37wd, another empty account
- Then sent to bc1qakh8d2n278n0zlc30yp9q0vr574faewwhepl0t, an account containing over 174 BTC (over $6M USD).
It’s unclear who owns this account.
The attacker also tried to send funds using Google Pay to Colm Gallagher and mitchellinvestllc@gmail.com. I am not sure whether these accounts belong to the attacker or another victim, but I tried searching for these addresses.
Colm Gallagher is a software engineer at Google:

mitchellinvestllc@gmail.com seems to have also stolen from this user on Reddit:
I have had the same issues for the last two months. I had random charges for balances between $400–800. I didn't have money on it as I usually use cashapp for my subscriptions services and only load money immediately before a subscription such as SlingTV would come out. Anyway, I canceled my card and got a new number. Surprisingly, the new number has been compromised as well now and I’m not sure how. Not only that but I found out that one of my subscriptions, which is Nvidia Go for game streaming service, is still able to charge the old card number 🤔. How is that possible? During the same time last month that the cashapp had charges, I had GPay give me tons of notifications that there were failures to send money. I logged it and found that my gpay account tried to send money to a single number like 9 times for random amounts of money. Then the attempt was to a gmail address Mitchellinvestllc. Most of my cards had attempted to be charged but most did not go through due to the amount of funds in the accounts. They tried to send $498 to Mitchellinvestllc (bogus person) with the same card for my brokerage account twice and failed but somehow it was allowed to go through the last time.
Key learnings
- Do not leave VNC ports open secured only with a password. It will eventually be cracked.
- Set up 2-factor authentication for all Coinbase transactions to prevent funds being transferred in case someone has access to your browser session.
- Do not use Coinbase. They do not insure cryptocurrency transactions and their customer support is non-existent.
- Link your financial accounts to apps like Mint or Truebill and enable push notifications on your phone. I was first alerted to the unusual activity on my accounts via push notifications from these services.
September 25, 2021: Update
Was finally granted access to my Coinbase account today. Sold the remaining BTC for $1,539.32, ultimately reducing my total loss to $1,275. Will transfer everything out of Coinbase and will never use again.