In the United States, a user lost $500 thousand due to a call from a Google employee

US resident Adam Griffin lost almost $500 thousand in cryptocurrency after the theft of his Google account. The scammers organized a scheme that included a call from a Google number to warn the owner that his Gmail account had allegedly been hacked.
https://i.ibb.co/HXsKjm3/b3620dd60629b548aad896a1cee3c306.png
After that, the scammers sent him alerts, apparently originating from google.com, urging him to take security measures for his email. Ultimately, when Griffin clicked "yes" in response to one of these requests, he lost access to the account.
https://i.ibb.co/qDRx7pL/d9f42543c45fc02d4aeaed5c96bc782f.png
The man received the first call on May 6. The caller introduced himself as a Google customer service representative and said that Griffin's account was being accessed from Germany. When the man looked up the caller's number, it turned out to belong to Google Assistant, an artificial intelligence-based service that places calls.
At the same time, Griffin received an email from a google.com address warning him that his Google account had been hacked. The message contained a "Google support incident identification number" and the details of the Google representative who had supposedly just spoken to him on the phone. The caller's name and the name given in the email matched.
As it turned out later, the email was sent through Google Forms, a service available to all Google Docs users. According to tripwire.com's Graham Cluley, phishers use Google Forms to build a form that looks like a security alert, then change the form's settings so that a copy of each response is automatically emailed to the respondent's address. Finally, they send themselves an invitation to fill out the form.
"So, the attacker receives an invitation to fill out a form - and enters the email address of the alleged victim, not his own. Hackers take advantage of the fact that emails are sent directly through Google Forms (from the google.com domain). This is a legitimate domain that increases the credibility of the email and reduces the likelihood of it being intercepted in transit by email filtering solutions," Cluley said back in 2023.
A Google "spokesperson" told Griffin that he would receive a notification that would allow him to regain control of the user's account. At the same time, a message appeared on the man's smartphone allegedly from Google with the question: "Are you trying to recover your account?" In fact, the scammers triggered the alert simply by going through the Google account recovery process for Griffin's Gmail address.
"As soon as I clicked yes, I gave them access to my Gmail mail, which was synchronized with Google Photos," the man said.
Years earlier, Griffin had used Google Photos to store images of the seed phrase protecting his cryptocurrency wallet, and that is what the attackers used. They were able to transfer about $450 thousand from his Exodus wallet.
Just minutes after the Gmail account was hacked, Griffin received a call from someone claiming to be a Coinbase employee who also informed him that someone in Germany was trying to take over his account.
A subsequent investigation revealed that the attackers used his Gmail account to access his Coinbase account through a VPN connection in California by providing a multi-factor code from the Google Authenticator app.
When the thieves tried to withdraw $100,000 worth of cryptocurrency from Griffin's Coinbase wallet, the exchange sent him an email saying that the account was blocked and he would have to provide additional documents for verification before withdrawing the money.
Just days after Griffin's robbery, a scammer posing as a Google representative managed to steal 45 bitcoins — roughly $4,725,000 at today's exchange rate — from a 42-year-old resident of Northern California. On the evening of May 15, he received a message from Google about an account security issue, after which he received a call from a "representative" of the company. The man assumed the call was prompted by his recent sign-up for Google's Gemini AI. However, the caller said that someone was trying to hack his account from Germany, and from there events unfolded just as they had with Griffin. The man then received a call supposedly from the security service of Trezor, a company that manufactures encrypted hardware devices for storing cryptocurrency keys securely offline. The caller said that someone had sent Trezor a request to close his account and forwarded to the man a message, sent from a Gmail account, that contained his name, social security number, date of birth, address, phone number, and email address.
Then the man believed that his Trezor account had indeed been hacked. The caller convinced him to "recover" his account by entering the cryptocurrency seed phrase on a phishing site (verify-trezor[.]io), which imitated the official resource. Almost immediately, all funds were withdrawn from the account.
Later, both men recognized the caller's voice in an interview given to Junset, a podcaster covering cryptocurrency fraud. The unnamed person admitted that he is a teenager and works in a group that formed in the game Minecraft. "No one is arrested. There are no consequences. I have little legal side cases like business and stuff that I can pull things through. If you saw me in real life, I'd look like a normal kid walking to school with a backpack and all that shit, and you'd never think that kid was stealing," he said enthusiastically. The teenager explained that they often use an automated bot that calls victims, alerting them that suspicious activity has been noticed in their account and telling them to press "1" to speak with a company representative. This process, he explained, essentially self-selects the people most likely to fall for their social engineering schemes.
The teenager also said that his group committed a $1.2 million theft on the bitcoin investment platform SwanBitcoin. When the podcaster shared this information on social media, the CEO of Swan said that they had been able to stop this transaction.
Apparently, the teenager did not like the fact that his voice was broadcast around the world. Someone subsequently filed a copyright infringement claim on Soundcloud, where a recording of the podcast with him had been posted. The complaint alleged that the recording included a copyrighted song, even though it contained no background music. Soundcloud nevertheless deleted the audio file. As the podcaster explained, the recording cannot be restored on the platform, since doing so requires him to provide personal data, including his address, to be passed on to the author of the complaint.
When the podcaster asked the teenager how potential victims could protect themselves from such attacks, he explained that if the victim does not have Google Authenticator synchronized to their Google account in the cloud, it is not so easy for scammers to get into their accounts on cryptocurrency exchanges.
By default, Google Authenticator syncs all one-time codes with the user's Gmail account. To change this setting, open Authenticator on your mobile device, select your profile picture, and then choose "Use without an account" from the menu. You can print a copy of your one-time backup codes and keep them in a safe place, or install Google Authenticator on a second mobile device. Bear in mind that once cloud sync is off, losing the only smartphone with the app makes it difficult to restore access to an account that gets locked.
In response to questions from KrebsOnSecurity, Google said it was a narrow phishing campaign targeting "a very small group of people." "We are aware of this narrowly targeted attack and have strengthened our defenses to block recovery attempts by this attacker," they said, adding that a genuine Google employee would never call a customer.
However, both men say that they continue to receive calls "about account security" from people posing as employees of Google or one of the cryptocurrency platforms. "It's like you're put on a list, and then those lists are looked at over and over again," they note.
Griffin even made a couple of recordings of conversations with scammers, during which he tried to ask them about their personal lives. After that, he began to receive threatening calls, and the FBI asked the man not to talk to the hackers anymore.