142 comments

[ 3.6 ms ] story [ 104 ms ] thread
As soon as I read the headline, I knew that the problem was...

> In just 40 minutes, the attacker shuffled my staked ETH and other tokens through multiple transactions, then drained the account.

One of the many, many benefits of irreversible transactions.

> I made mistakes, yes

His first mistake was keeping six figures worth of 'cash' in a wallet that anyone with less than 40 minutes of access to can swipe.

> The attacker spoofed the “From” field so it looked like the emails came from @google.com — something Google’s filters should have blocked outright. On iOS, Gmail doesn’t let you view full headers, so I had no way to double-check in the moment.

Can somebody explain what exactly this means, and how it works?

What did the account did the email actually come from? Was it legit from legal and he just submitted the request or was it a real spoofing
Does anyone know how the email from (or appearing to be from) @google.com works? Wouldn't the Apple account reject it because it fails DKIM/etc?
The load bearing question is, why didn't the attacker also clear out OP's bank account, retirement savings, and max out his credit cards? Unfortunately, the difference is that banks care literally at all about their customers accounts being emptied.
> Be skeptical of unknown calls. If something feels off, hang up and restart the conversation by contacting the company directly.

I wonder sometimes how many scams I've avoided simply by pretty much never answering my phone when someone calls unless I'm expecting a call or it's someone I know.

> The attacker already had access to my Gmail, Drive, Photos — and my Google Authenticator codes, because Google had cloud-synced my codes.

Ugh, google

> Ugh, google

In my experience most authenticators cloud sync automatically, at least on iOS. For most people, this is a benefit. Otherwise, lose your phone and you're stuck, I doubt most people secure recovery codes properly either.

Same exact scam happened to me three weeks ago and I almost fell for it. The guy was very sharp and sounded very authentic.

Ever since then I've been getting hundreds or thousands of Google notifications I've had to decline. Anyone know how people are able to send out hundreds of 2FA gmail notification popups without Google blocking this?

Can someone please explain to me what it means for authenticator codes to be “cloud-synced”? Is that solely dependent on whether you’re using the Google Authenticator app while signed in to your Google Account? Is it possible to not have them “cloud-synced” if you are signed in?
One wrong point in this. Google Authenticator does not cloud sync by default. You specifically have to accept the cloud sync option that you are prompted with.
> Google enabled Authenticator cloud sync by default.

Never understood this convenience and never will. This is exactly the wrong way to deal with people losing their authenticator secrets.

i regularly check reddit scams to know about the scams and i recently dodged one which wanted my details !
How did they get the passwords to his Google and Coinbase accounts? He reused passwords? The same one for Google as for Coinbase? Or did they reset his Coinbase password via his Gmail? The post doesn't make this explicit, but it warns against password reuse.
(comment deleted)
Mistake cost him 80k. Author is feeling burnt, but the cost is the cost at transaction time.
(comment deleted)
I notice none of the pieces of advice are "don't keep a hundred thousand dollars in a Coinbase account".
I recommend not investing in crypto at all because it’s an attractive nuisance and has no useful purpose other than speculation and money laundering.
One thing I really hate is that some companies with poorly design customer service flows actually REQUIRE you to read a code they text you over the phone to a rep.

At least now more companies include a "never read this over the phone" note in their authentication texts.

I got scammed because somebody put a fake bank location into Google Maps and so the Google voice caller ID said it was my bank. Luckily, I realized I got scammed and called the bank up right away and they got the charges reversed, which is why I still use that bank. Moral of the story: never trust inbound calls. They are the easiest vector for scammers to spoof.
Coinbase STILL doesn't freeze user accounts for a token amount of time, 24 hours or so, after resetting a password‽

Part of the blame should be levied on Coinbase if this is the case.

(I'm assuming this guy at least uses unique passwords...)

I get scam calls with Google in the caller ID everyday.

It kinda sucks that in 2025, voice calls are now near-zero trust.

Is there really no velocity behind any open/consortium replacement to traditional voice calls?