Inside money, markets, and big tech

Sim-swappers hack League of Legends star out of $200K worth of cryptocurrency

It's not all fun and games

league of legends, peng, doublelift, cryptocurrency, bitcoin, blockchain, sim swap

It’s not as easy as it sounds being a professional gamer. A League of Legends superstar has had $200,000 in cryptocurrency stolen from them – directly from their Coinbase account.

In a YouTube video spotted by Dot Esports, Yiliang “Doublelift” Peng describes how he awoke one morning last week to messages from his bank telling him he is overdrawn on his account.

While the exact details of the hack have not been officially confirmed, Peng does have his suspicions.

What happened?

Peng states that around a couple of weeks before the theft, he had experienced some abnormal cellphone coverage which he now believes to have been part of the scammer’s “genius plan.”

The League of Legends star believes that he was a victim of “sim swapping” – a fraudulent tactic attackers employ to dupe carrier employees into giving them access to the victim’s phone number.

Peng’s mobile provider confirmed the number had been reported as lost or stolen, and could have been transferred.

By obtaining access to Peng’s mobile phone number, the scammer could then gain access to his email and Coinbase accounts. As Coinbase uses mobile phone numbers as part of its two-factor authentication process (2FA), the scammer was not prevented from accessing Peng’s account when challenged.

The scam didn’t end here. The attacker then went on to employ an intricate system of email filters which prevented Peng from realizing the hack was taking place.

Emails that confirmed Coinbase transactions sent to Doublelift’s inbox were forwarded to a hidden email address – most likely belonging to the scammer. After this, emails were then deleted from Doublelift’s inbox. It happened so quickly Doublelift never saw any of the suspicious Coinbase activity.

The intricate – and clearly well-planned – heist is another in a string of scams that have seen unwitting victims conned out of their cryptocurrency. Last month, a Finnish millionaire lost $35 million in an illegitimate cryptocurrency investment.

While Doublelift isn’t setting any records for the highest value of assets stolen, it is certainly unnerving that scammers can covertly obtain such large sums. Doublelift remains confident he will get his lost funds back, so it might not all be bad news for the gamer.

Of course you should always use 2FA. But if you ever notice unusual activity on your mobile phone that you use for it, speak to your carrier to make sure your number hasn’t been compromised in a “sim swap” scam.

Published September 18, 2018 — 09:36 UTC