Join us at TNW Conference 2022 for insights into the future of tech →

Inside money, markets, and Big Tech

This article was published on May 21, 2019

How an engineer at a crypto-security startup lost $100K in a SIM-swapping hack

Even the pros get hacked sometimes

How an engineer at a crypto-security startup lost $100K in a SIM-swapping hack
Mix
Story by

Mix

Former TNW Writer

Mix is a tech writer based in Amsterdam that loves cinema and probably hates the movies that you like. Tell him everything you despise about Mix is a tech writer based in Amsterdam that loves cinema and probably hates the movies that you like. Tell him everything you despise about his work on Twitter.

Nobody is immune to SIM-swapping attacks – and one engineering lead at a cryptocurrency security startup had to learn this lesson the hard way.

In a blog post, Sean Coonce, engineering manager at security-oriented cryptocurrency startup BitGo, has detailed how he lost $100,000 in an unfortunate SIM-swapping hack, which saw his entire Coinbase balance drained.

It all began on a Tuesday night, when Coonce noticed that his phone didn’t have any cellular service. Moments later, he received a notification that someone is trying to log into his Google Account. He tried entering his password to no avail; ultimately, he decided to deal with the situation in the morning – as it was already pretty late.

This, however, turned out to be a huge mistake. By the time Coonce had woken up, the attacker had already gained access to his email and Coinbase accounts. Even worse, since the attacker had deleted all traces of the password recovery emails, Coonce remained unaware of this development.

Indeed, it wasn’t until Thursday morning when Coonce finally realized he’d been targeted in an elaborate SIM-porting attack. Unfortunately, by then the hackers had already emptied his Coinbase funds and moved them to on-chain wallet addresses out of the exchange service’s control.

“Coinbase customer support [confirmed] that a user was able to gain access to my account the night prior and has swept all funds to an on-chain address outside of Coinbase,” Coonce wrote.

Coonce has also prepped up a graphic to walk readers through the timeline of the hack. You can check out the graphic below:

Credit: Sean Coonce / CoinMonks

Following the devastating hack, Coonce has jotted down some security tips that ought to help you better protect your cryptocurrency holdings. Here’s some of his advice:

  • Use a hardware wallet to store your coins
  • SMS-based two-factor authentication is not secure enough, use Google Authenticator or Authy instead (or just get a YubiKey)
  • Resist the urge to share sensitive personal information online
  • Create a secondary email address; binding everything to a single email address is begging for trouble
  • Use offline password managers

For context, Coonce is hardly the only one to fall victim to SIM-swappers. Indeed, there has been a string of reports about similar attacks recently. The good news is that law enforcement is finally starting to catch up with such pesky hackers.

In the meantime, those interested can read his full summary of the $100,000 hack here. Stay safe, peeps.

Also tagged with