> The attacker spoofed the “From” field so it looked like the emails came from @google.com — something Google’s filters should have blocked outright. On iOS, Gmail doesn’t let you view full headers, so I had no way to double-check in the moment.
Can somebody explain what exactly this means, and how it works?
The load bearing question is, why didn't the attacker also clear out OP's bank account, retirement savings, and max out his credit cards? Unfortunately, the difference is that banks care literally at all about their customers accounts being emptied.
> Be skeptical of unknown calls. If something feels off, hang up and restart the conversation by contacting the company directly.
I wonder sometimes how many scams I've avoided simply by pretty much never answering my phone when someone calls unless I'm expecting a call or it's someone I know.
> The attacker already had access to my Gmail, Drive, Photos — and my Google Authenticator codes, because Google had cloud-synced my codes.
In my experience most authenticators cloud sync automatically, at least on iOS. For most people, this is a benefit. Otherwise, lose your phone and you're stuck, I doubt most people secure recovery codes properly either.
Same exact scam happened to me three weeks ago and I almost fell for it. The guy was very sharp and sounded very authentic.
Ever since then I've been getting hundreds or thousands of Google notifications I've had to decline. Anyone know how people are able to send out hundreds of 2FA gmail notification popups without Google blocking this?
Can someone please explain to me what it means for authenticator codes to be “cloud-synced”? Is that solely dependent on whether you’re using the Google Authenticator app while signed in to your Google Account? Is it possible to not have them “cloud-synced” if you are signed in?
One wrong point in this. Google Authenticator does not cloud sync by default. You specifically have to accept the cloud sync option that you are prompted with.
How did they get the passwords to his Google and Coinbase accounts? He reused passwords? The same one for Google as for Coinbase? Or did they reset his Coinbase password via his Gmail? The post doesn't make this explicit, but it warns against password reuse.
One thing I really hate is that some companies with poorly design customer service flows actually REQUIRE you to read a code they text you over the phone to a rep.
At least now more companies include a "never read this over the phone" note in their authentication texts.
I got scammed because somebody put a fake bank location into Google Maps and so the Google voice caller ID said it was my bank. Luckily, I realized I got scammed and called the bank up right away and they got the charges reversed, which is why I still use that bank. Moral of the story: never trust inbound calls. They are the easiest vector for scammers to spoof.
142 comments
[ 3.6 ms ] story [ 104 ms ] threadhttps://x.com/0xzak/status/1967592307714379934
> In just 40 minutes, the attacker shuffled my staked ETH and other tokens through multiple transactions, then drained the account.
One of the many, many benefits of irreversible transactions.
> I made mistakes, yes
His first mistake was keeping six figures worth of 'cash' in a wallet that anyone with less than 40 minutes of access to can swipe.
Can somebody explain what exactly this means, and how it works?
I wonder sometimes how many scams I've avoided simply by pretty much never answering my phone when someone calls unless I'm expecting a call or it's someone I know.
> The attacker already had access to my Gmail, Drive, Photos — and my Google Authenticator codes, because Google had cloud-synced my codes.
Ugh, google
In my experience most authenticators cloud sync automatically, at least on iOS. For most people, this is a benefit. Otherwise, lose your phone and you're stuck, I doubt most people secure recovery codes properly either.
Ever since then I've been getting hundreds or thousands of Google notifications I've had to decline. Anyone know how people are able to send out hundreds of 2FA gmail notification popups without Google blocking this?
Never understood this convenience and never will. This is exactly the wrong way to deal with people losing their authenticator secrets.
At least now more companies include a "never read this over the phone" note in their authentication texts.
Part of the blame should be levied on Coinbase if this is the case.
(I'm assuming this guy at least uses unique passwords...)
It kinda sucks that in 2025, voice calls are now near-zero trust.
Is there really no velocity behind any open/consortium replacement to traditional voice calls?