My $340k Hack
Inexplicable T-Mobile phone transfer, Authenticator work-around
On Monday, April 4, 2022, a hacker stole $340,000 worth of crypto from my 401k’s Kraken account. Below is a post-mortem in that, hopefully, others will learn to avoid the mistakes I made.
I awoke on Monday, April 4, around 6 AM Central Time, and could not access my Gmail account. When I asked Gmail to send a recovery code to my phone via SMS or my recovery email account, none arrived. The phone seemed to be working because my home Wi-Fi access allowed sufficient functionality not to suspect my phone number was transferred, and so I figured my problem was some bug, a minor annoyance.
I went to my local T-Mobile shop as soon as it opened at 11 AM to see why I could not get my phone messages. The T-Mobile agent informed me that my SIM chip had 'died,' an unremarkable failure. I noted it was suspicious that I was locked out of my Gmail at the same time, but this additional information made the T-Mobile rep extremely defensive. He then explained how T-Mobile has absolutely nothing to do with Google and that I should contact Google about such matters, etc. There is no Google helpline to answer specific questions about my account, which they should have known.
In retrospect, the local T-Mobile rep who told me my SIM chip malfunctioned should have known my number was transferred earlier that day, which had very different implications. His defensiveness makes me think T-Mobile has a policy of focusing hacked customers on every attack surface but T-Mobile, even at the cost of not divulging relevant information.
With possession of my phone, I could get back into my Google account, still thinking my problem was a mere bug. Then I discovered that my backup email account did not receive a code because someone had changed my recovery email to my Gmail account, i.e., itself, indicating I had been hacked.
I discovered the hacker sent two creepy sexual emails to women pulled from some of my recent conversations. This was probably meant to distract me from attending to the hack, as it did. I wrote these people several emails explaining my situation, hoping they would believe me when I told them I had not sent such emails (of course, that's what a creepy perv would say).
A phone SMS was one of my Gmail recovery devices, so it was obvious how the phone hacker could access it (click ‘forgot password’ and get a temporary password sent to the phone). Unfortunately, I used Google's password manager, so once the hacker had my Google account access, he could access all my other usernames and passwords.
While an online password manager like Google is not super secure, I felt safe because my traditional finance accounts would be difficult to hack. These inform me about transactions, and they have a one or two-day grace period where transactions can be reversed. As for crypto, all my accounts on regulated exchanges were secured by Authy (Gemini) or Google's Authenticator (Kraken, Coinbase). I supposed these could not be accessed without access to my physical phone and its password; that is, my Authenticator’s various account information was only on my physical phone.
After several calls to T-Mobile, I finally learned that my phone had been transferred at 1:17 AM PT at a T-Mobile store in California near Oakland. I asked T-Mobile how this could have happened, as that store was closed at that time, it was 2k miles from my home, and the thief would need a photo ID and my phone security code. I was given no further explanation, though they would often end their stonewalling with the exasperating phrase: "is there anything else I can help you with today?"
1: 17 AM hacker transfers phone number in Gilroy, CA. This gave him access to my Google account because it used a phone's SMS messaging as a recovery tool. Once in, he could then access the passwords I had on Google's password manager
1: 22 AM accesses my Google account
1:58 AM accesses Kraken account
In the period between getting into my Kraken account and the hour it took to get my coins out, the hacker did the following searches and went to the following URLs. He was logged into my Gmail account then, and this type of information is recorded under Google activity.
“withdraw from kraken”
https://support.kraken.com/hc/en-us/articles/360048656092-How-to-withdraw-funds-from-your-Kraken-account&usg=AOvVaw2oGFinYY_ZxcsWvp_oKiok
“avalanche wallet”
https://www.avax.network/&usg=AOvVaw1b3ozPJI09cm5KStcq8fSC
https://support.avax.network/en/articles/4626956-how-do-i-set-up-metamask-on-avalanche&usg=AOvVaw3MZjNtjYeFqKFil9gV-vSa
https://mathwallet.org/avalanche-wallet/en/&usg=AOvVaw2zZRXM5UFi-xYY3D2k41u9
https://mail.google.com/mail/#search/Funding%202FA
“funding 2fa kraken”
https://support.kraken.com/hc/en-us/articles/360000911763-How-does-two-factor-authentication-2FA-for-funding-deposits-withdrawals-work-&usg=AOvVaw0qkFXWTHaI3kt1VLJNF_2k
“gauth.nl”
https://gauth.apps.gbraad.nl/&usg=AOvVaw0zHn5z4zpPZQPrm4Evo-gf
“tornado eth”
https://tornado.cash/&usg=AOvVaw3FIZBAZWZE8_CYLHuNBu1K
“how long do kraken withdrawals take”
https://support.kraken.com/hc/en-us/articles/360000674046-Cryptocurrency-withdrawal-statuses&usg=AOvVaw1vYeY9SDEqtU1iz63Y86up
2: 32 AM withdraws 903.9399 AVAX tokens ($85k)
2:33 AM Removed the restriction on withdrawals > $100k
2: 48 AM withdraws 2711.91 AVAX tokens ($260k)
I logged into my Coinbase account and discovered the hacker had been on this account earlier that morning, but as there was nothing in there, he did nothing. While my account username and password were in my Google passwords, which he had access to, this account required access to my Google Authenticator. Yet it was not just Authenticator, as the hacker got into my Gemini account that uses Authy.
I had not saved any recovery information for Authy or Authenticator, so I was perplexed about how the hacker had gotten in. Perhaps they could repopulate them by asking the exchanges for a Master Key or other such information. I asked Kraken, etc., if they knew how Authenticator could be transferred, but they all put up a wall of silence once informed of my hack, saying they would only respond to law enforcement officials in this matter for compliance reasons.
On Gemini, I had only a trace amount of money, but I had a linked bank account. The hacker initiated a deposit of $50k from my connected bank account within the Gemini account (i.e., he didn't log into my bank account), which enabled the hacker to buy $50k worth of bitcoin. The hacker could not withdraw that bitcoin until the $50k bank transfer was settled in two days. This would have worked if I had been distracted for the week, but I closed that position immediately and canceled my bank transfer. I lost about $1k on the hacker's Bitcoin trade as the price declined.
Searching online, I found the T-Mobile fraud office, but it could only be reached by snail mail. I informed them about my hack and got a reply a few weeks later, telling me they were glad they had solved my problem (I did get my phone number back!). They did not mention how my phone number could be transferred when the store was closed, whether the sales rep listed on that transfer existed, etc.
I could see logs of my sessions with the various exchanges that morning. The IPs used differed each time but all from my hometown metro area of Minneapolis. They were close enough to get through standard fraud protection algorithms, though this tactic is easy to do with a VPN. Clearly, he knew my name, address, etc., and that I probably had crypto on various exchanges.
A mere 75 minutes after accessing my iPhone, the hacker withdrew $90k worth of AVAX coins (this transaction on the AVAX blockchain). This account had an extra security feature enabled that required a separate process for withdrawals of more than $100k, but somehow, he was able to disable that requirement, rendering it pointless. Looking back at Kraken's emails to my attached email account, I could see a Kraken message notifying me of the withdrawal restriction change around the time the hacker's initial withdrawal was processed. Kraken would not respond to the specifics of my case, so I do not know the protocol that enabled this disabling.
This secondary Kraken account withdrawal restriction was also in my Google Authenticator, so it seems either the hacker did not see this additional Authenticator item, or his Authenticator access only had initial log-in accounts. Alternatively, he used some other means of getting around the initial Authenticator log-ins via a mere email account connected to my Kraken account, and relevant emails were erased from my email account by the hacker before I could see them. [I found out later you can access Authenticator via a phone app as the default, unbeknownst to me, saves to the cloud, see here]
After the final Kraken withdrawal restriction was removed, he withdrew the remaining AVAX tokens, worth around $260k at the time (tx here). This all occurred within 90 minutes of accessing my phone as I was sound asleep.
The hacker never even tried to access my traditional financial accounts.
A common issue in my case is that anytime I spoke with someone from one of my hacked accounts, they would ask the same stupid questions and give the same stale advice. For example, they all asked if I had recently shared my passwords with anyone and told me to change them. Every conversation included this annoying 5-minute lecture.
I contacted the FBI's cybersecurity squad, giving them all the information I had from the various activity logs at each account. I asked the FBI if they could find which T-Mobile employee transferred my phone while the store was closed, as this seemed like an insider job. Strangely, all the FBI would say about T-Mobile, and my phone hack was that they doubted T-Mobile was at fault, giving me no other information. The FBI did mention they would check into the IPs used to access my various accounts, but nothing ever came of that, which makes sense because they were probably spoofed IP addresses facilitated by a VPN. They were uninterested in figuring out how the hacker was able to disable my Kraken withdrawal restriction or get around my Authenticator.
I hired a lawyer who told me that to get restitution from T-Mobile, I would need first to get around the standard EULA's 'contract of adhesion,' enabling me to have the standing to file a negligence claim where I could sue for damages. These would take $100k+ and a couple of years.
My lawyer also told me that my T-Mobile hack was probably related to two T-Mobile data breaches in 2021. He got this insight from one of his assistants, which shows up in a quick web search. However, these hacks only contained customer information like address, phone, and social security numbers, which would be insufficient to transfer a phone number. I had to show my photo ID and my T-Mobile security code, something not in my Google passwords, to get my phone number back.
My lawyer hired a cyber security 'expert,' but this clown merely summarized the account log information I had given him (for $5k). This crypto expert's only recommendation was to check the various IPs used to access my accounts, the same singular insight the FBI had. The area is so new that experts in the field can get by with useless superficial knowledge, as the non-experts who hire them have even less knowledge.
I learned that just about everyone on the web advertising a crypto recovery service or who claims they can rectify account hacks is a hacker himself. You hear about white-hat hackers rescuing or tracing stolen funds, but any useful and honest ones are probably focused on those multimillion-dollar hacks. If you mention your hack in any chat rooms, you will get a handful of DMs from people eager to hack you a second time (their Reddit or Twitter profiles are always new). Worst, I posted about a minor scam by the pseudo-anti-hacker hackers Nobelium Hackers and Ghostpay on the Reddit/cryptoscams forum, and it was inexplicably removed for ‘violating content policy.’ It appears scammers know the right words to invoke the automated acceptance of a complaint, allowing them to keep their reputation clean on the web.
Since then, I have stopped using email services like Gmail as a password manager for all but my most trivial accounts. I still have crypto off the exchange per the truism "not your keys, not your coin." I intend never to trust centralized exchanges, even when they supposedly have extra security features like a withdrawal restriction (e.g., Kraken's WD restriction can be disabled instantly, unbeknownst to me).
Dear Eric, brother in the Lord, I am so sad that this happened to you. I will tighten up what I store in my Google Account, deleting passwords for financial and social/search websites.
Wow, Eric. I'm so sorry this happened to you.