Inside money, markets, and big tech

How an engineer at a crypto-security startup lost $100K in a SIM-swapping hack

Even the pros get hacked sometimes


Nobody is immune to SIM-swapping attacks – and one engineering lead at a cryptocurrency security startup had to learn this lesson the hard way.

In a blog post, Sean Coonce, engineering manager at security-oriented cryptocurrency startup BitGo, has detailed how he lost $100,000 in an unfortunate SIM-swapping hack, which saw his entire Coinbase balance drained.

It all began on a Tuesday night, when Coonce noticed that his phone didn’t have any cellular service. Moments later, he received a notification that someone is trying to log into his Google Account. He tried entering his password to no avail; ultimately, he decided to deal with the situation in the morning – as it was already pretty late.

This, however, turned out to be a huge mistake. By the time Coonce had woken up, the attacker had already gained access to his email and Coinbase accounts. Even worse, since the attacker had deleted all traces of the password recovery emails, Coonce remained unaware of this development.

Indeed, it wasn’t until Thursday morning when Coonce finally realized he’d been targeted in an elaborate SIM-porting attack. Unfortunately, by then the hackers had already emptied his Coinbase funds and moved them to on-chain wallet addresses out of the exchange service’s control.

“Coinbase customer support [confirmed] that a user was able to gain access to my account the night prior and has swept all funds to an on-chain address outside of Coinbase,” Coonce wrote.

Coonce has also prepped up a graphic to walk readers through the timeline of the hack. You can check out the graphic below:

Credit: Sean Coonce / CoinMonks

Following the devastating hack, Coonce has jotted down some security tips that ought to help you better protect your cryptocurrency holdings. Here’s some of his advice:

  • Use a hardware wallet to store your coins
  • SMS-based two-factor authentication is not secure enough, use Google Authenticator or Authy instead (or just get a YubiKey)
  • Resist the urge to share sensitive personal information online
  • Create a secondary email address; binding everything to a single email address is begging for trouble
  • Use offline password managers

For context, Coonce is hardly the only one to fall victim to SIM-swappers. Indeed, there has been a string of reports about similar attacks recently. The good news is that law enforcement is finally starting to catch up with such pesky hackers.

In the meantime, those interested can read his full summary of the $100,000 hack here. Stay safe, peeps.

Published May 21, 2019 — 10:23 UTC