I was one mistake away from being a victim of the Coinbase Hack
I was one mistake away from being a victim of the Coinbase Leak. The panic was real and can make you do some dumb things. My heart was racing, anxiety was taking over and I was freaking out.
News came out about a month ago about a leak of customer information from Coinbase, involving overseas reps giving away customer information, including your name, email, phone number and even photos of your ID used for KYC. Coinbase claimed they reached out to everyone affected. No one ever reached out to me. I assumed I wasn’t one of the people whose information had been leaked. That information is being passed around the dark web. I was contacted by 3 people from the USA, all clearly Americans based on their lack of accents.
This is the story of how I was one mistake away from losing everything on Coinbase. I made critical errors and some good choices that ultimately saved me.
It was a highly coordinated attack. They had my information and my ID. It started with a call that came in on my phone from “Google”, which showed on the caller ID as Google. This isn’t uncommon for me because Google will call about my ads account for my business, and I usually ignore the calls so I don’t need to go through a sales pitch. This time, I answered. The attack, from what I can see looking back at whois data, phone numbers, etc., looks registered to a privacy domain service in Arizona (not GoDaddy) and possibly owned by someone in Austin.
I was told that someone was in Google’s live chat trying to recover my email (the one used on Coinbase) by showing my ID, and I had an email saying there was a request to change my recovery email to (baysidediffusing@gmail.com). This email 100% came from Google, and there was a request to change my phone number as well. That is where they got me: I was in a panic as these emails were coming in from Google. I was definitely under attack and seeing this in real time while on the phone with “Google”. They were very patient, and as codes were coming in from real Google emails, I made the mistake of sharing one with the “rep”. They now had access to my Gmail.
The hackers instantly made a passkey and recovery codes in the background while I panicked. I called Coinbase (requesting a call via the app) to make sure no one was trying to get into my account. I decided not to lock my account because I had whitelisted addresses for cold storage saved and cleared already. The hackers called me from a new number (an SF number that Coinbase does actually call you from if you request a call), and they saw I was sending out funds like crazy from Coinbase. They referenced the transactions with the exact amounts. How did they know them? They were in my email and could see the emails from Coinbase saying I sent $X BTC or ETH to Y address.
While pretending to be security, they told me the “hackers” may have access to my connected accounts on Coinbase, including my Ledger. I thought my CB Wallet was connected to Coinbase, but you can’t connect a Ledger, so I knew it was bullshit. They texted me a URL to connect to review my connected accounts. I didn’t touch that and called out the URL, which was xxx-coinbase.com and not any kind of subdomain like xxx.coinbase.com. The second they saw me sending out to storage and off the exchange, they tried to come up with ways for me to hand over my cold storage seed.
Thankfully, I know something about managing security in my Google account because of managing my businesses’ emails and security. I got them booted from my Gmail, passkey deleted and recovery codes deleted, but they had probably 20-30 mins in there while I was on the phone with real Coinbase and their fake security tech. They scoured my Drive as well, which thankfully didn’t have anything in it related to any seed phrases or accounts in any way. It was mostly some old art files, thankfully. I did some things right and some wrong, and I hope my story can help someone out there avoid this mess.
What I did wrong
- Because I get calls from Google from time to time, when a call came in on caller ID as Google, I got tricked into thinking it might be real. They were very knowledgeable, patient and knew exactly how to get what they wanted from me.
- I granted access to my email. They were smart not to totally shut me out and mentioned I’d get an email showing the transcript of the person in Google’s live support chat who was impersonating me. They knew if I got totally booted, I’d lock things down, so instead, they created background access to recover my email on their own.
- They had access to my email for 30 mins to an hour, and a lot could have gone terribly wrong, but that specific email isn’t really used for much, which is how I know it’s 100% connected to the Coinbase hack.
- Had I tried to change my Coinbase password while they had access, they could possibly have taken over.
- I had my login to the exchange connected to an older email that I rarely use, but that has been in plenty of dark web leaks.
What I did right
- On my Coinbase account, I have set up a passkey, authenticator app, a unique and complex password and whitelisted withdrawal addresses. If someone tries to add a new address, it takes 48 hours until you can send out to it. If you turn off whitelisting, it does the same thing with a 48 hr window. Had they gained access, they could possibly have brought in funds from my bank account, swapped all assets into BTC or ETH and waited it out to send out. Having whitelisting would have bought me some time to lock my account.
- I have cold storage and had the addresses whitelisted for some crucial assets already, so when the panic hit, I sent out to cold storage ASAP. I did small test transactions first and then moved what I had off.
- They sent me a URL that looked very close to a Coinbase link because of the way the domain was structured, but even in the panic, I knew never to click any links or ever connect to anything.
- I requested a call from Coinbase via the app to talk to them. I’m a Coinbase One user and they were pretty helpful, considering how all of my information got leaked because of them. I was checking to make sure my account wasn’t accessed from any other locations that were not my IP address, to let them know I was under attack and why I was sending out funds quickly, and to ask for a block on any other IPs trying to access my account.
- I have never stored my cold storage seed phrase online. Not in a note on my phone, a doc in Drive/storage, etc. If I had and it was in that Drive, they could have found it and drained my cold storage as well.
- I booted them from having access to my Gmail on all fronts before trying to change my password. They never really had my password in the first place, but they were brute-force attacking me to get temporary codes to get in. I went into the security settings in my Gmail account and removed all devices, phones, access, everything before making any changes. They could have seen or gotten around any password resets if they were reading my emails (they were).
- I use passkeys and an authenticator on anything financial and on most email accounts.
- Once I regained all control, when their “security” from Coinbase called back, this time from a different number, I told them to go eff themselves.
- No social media accounts were tied to that email. Not my X, nothing.
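The withdrawal whitelist described above (new addresses and switching the whitelist off both wait 48 hours) is the control that bought time here, and the same control comes up again in the tips below. The following is an added toy model of that policy, written for this page; it is not Coinbase's code. The 48-hour delay is what the post describes; the class name, the lock behaviour, the timeline and the placeholder addresses are assumptions made for the example.

```python
"""Toy model of an exchange withdrawal allowlist with a 48-hour activation delay.

Added illustration, not Coinbase's code. Only the 48-hour delay comes from the
post; class names, lock() semantics, timeline and addresses are assumed.
"""
from datetime import datetime, timedelta, timezone

DELAY = timedelta(hours=48)  # delay for a new address and for disabling the allowlist


class WithdrawalAllowlist:
    def __init__(self):
        self.addresses = {}      # address -> time it becomes usable
        self.disable_at = None   # pending request to turn allowlisting off
        self.locked = False      # owner lockdown: nothing moves, pending changes dropped

    def add_address(self, address, now):
        """A newly added address stays pending for DELAY before it can receive funds."""
        if self.locked:
            raise PermissionError("account is locked")
        self.addresses[address] = now + DELAY

    def request_disable(self, now):
        """Turning allowlisting off is delayed too, so it cannot be bypassed instantly."""
        if self.locked:
            raise PermissionError("account is locked")
        self.disable_at = now + DELAY

    def lock(self, now):
        """Owner lockdown: freeze withdrawals and cancel every change still pending."""
        self.locked = True
        self.addresses = {a: t for a, t in self.addresses.items() if t <= now}
        self.disable_at = None

    def can_withdraw(self, address, now):
        """Return (allowed, reason) for a withdrawal to `address` at time `now`."""
        if self.locked:
            return False, "account locked"
        if self.disable_at is not None and now >= self.disable_at:
            return True, "allowlist disabled; any address accepted"
        usable_at = self.addresses.get(address)
        if usable_at is None:
            return False, "address not on allowlist"
        if now < usable_at:
            return False, f"address pending until {usable_at.isoformat()}"
        return True, "address allowlisted and active"


# Constructed timeline (assumption): cold storage was registered well before the attack.
T_ATTACK = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
COLD_STORAGE = "cold-storage-address-placeholder"   # placeholder, not a real address
ATTACKER_ADDR = "attacker-address-placeholder"      # placeholder, not a real address


def scenario():
    """Replay the situation from the post; return what the allowlist permits at each step."""
    wl = WithdrawalAllowlist()
    wl.add_address(COLD_STORAGE, T_ATTACK - timedelta(days=10))

    # Someone with session access adds their own address and asks to disable allowlisting.
    wl.add_address(ATTACKER_ADDR, T_ATTACK)
    wl.request_disable(T_ATTACK)

    results = {}
    t = T_ATTACK + timedelta(minutes=20)
    # Minutes later: the owner can still move funds to cold storage; the new address cannot receive.
    results["owner_to_cold"] = wl.can_withdraw(COLD_STORAGE, t)[0]
    results["attacker_now"] = wl.can_withdraw(ATTACKER_ADDR, t)[0]
    # Without a lock, the pending changes would go live once the window passed.
    results["attacker_after_window_unlocked"] = wl.can_withdraw(ATTACKER_ADDR, T_ATTACK + DELAY)[0]
    # The owner notices inside the window and locks: pending changes are cancelled.
    wl.lock(t)
    results["attacker_after_window_locked"] = wl.can_withdraw(ATTACKER_ADDR, T_ATTACK + DELAY)[0]
    results["attacker_addr_dropped"] = ATTACKER_ADDR not in wl.addresses
    return results


if __name__ == "__main__":
    for step, allowed in scenario().items():
        print(f"{step}: {allowed}")
```

The point of the delay is visible in `attacker_after_window_unlocked`: the window only helps if the account owner uses it, which is why the post treats the delay as time to act rather than as protection on its own.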
Tips to try and stay safe
- If you use Coinbase, they will never call you unless you have requested a call through their site or app.
- Set up whitelisting on your CEX account and add any self-custody addresses for tokens you hold a position in ahead of time.
- Get yourself a cold storage option like Ledger, OneKey, Keystone, etc. and get used to using it in times when you aren’t in a panic.
- Use passkeys and unique, complex passwords for sites. Don’t repeat passwords. Add the authenticator app as well or get a YubiKey.
- Use a unique email for any exchanges that isn’t used for other things, and don’t just use some old email like I did.
- Never click random links sent to you. If you are in a panic, it’s very easy to make mistakes, but you need to breathe and inspect any links before you click (don’t click), and do not ever put your seed phrase into anything.
- Do not keep your seed phrases for anything in a notes app or in storage associated with the email you are using for an exchange, or anywhere.
- Look into more encrypted email services like Proton to use instead of Gmail.
- Use a separate hot wallet for swaps. If you are in full degen mode, you shouldn’t ever be connecting any account with many funds in it. Make a new wallet in Phantom or Solflare, etc. to use for that. Yeah, it can seem annoying to have to send back and forth between wallets, but the small cost and hassle outweighs the chances of losing funds.
In conclusion
This was honestly really scary, well coordinated and hyper focused on me. When the panic sets in, your chance of making a mistake goes way up because in the moment, you aren’t thinking clearly. It was a horrible experience and it’s amazing how many people out there are ethically ok with trying to scam people, but that’s the world we live in unfortunately. Take the time to make sure your accounts are as secure as they can be and set up an escape route in case someone does get access to your account. Look into what options you have to lock down your accounts if something does come up and stay paranoid. People out there 100% have your information and if you use Coinbase, they have enough of it to be very convincing. Crypto can be scary and self custody is great, but also comes with really understanding how to stay safe. If you give up your seed phrase, it’s gone for good. I wish this hadn’t happened to me and I’m thankful that reason kicked in at a point before I lost it all. I hope that my experience can help someone else be safer.