A prominent crypto trader was the victim of a sophisticated phishing scam when hackers attempted to drain his Coinbase account, in what he calls “one of the most complex scams in crypto that I have seen to date.”
On Wednesday, Jacob Canfield took to Twitter to warn Coinbase users of what he thought was “some sort of data breach.” Canfield received a text message saying that his Coinbase two-factor authentication (2FA) had been changed. Shortly thereafter, he received three phone calls from a fake Coinbase customer support line that registered as a San Francisco number.
The scammers asked Canfield if he was traveling outside of the US and if he had requested a 2FA and email change. After he replied that he hadn’t, they sent a text message verifying that they had cancelled the change requests — but forwarded him to a fake Coinbase ‘security’ team to verify his account in order to avoid a 48-hour suspension.
The scammers requested the verification code, but Canfield refused to provide it. “He then got angry and hung up the phone on me,” the crypto trader explained.
“For those unaware, the code they sent was my actual 2FA, but they sent it from their own email and were logging into my account to drain it while we were on the phone.” Indeed, screenshots of the emails sent by scammers appear to be from Coinbase, but were sent from Amazon’s email provider.
Coinbase denies data breach in complex crypto phishing scam
This sophisticated phishing scam has raised several questions within the crypto community. For one, how did the scammers manage to prompt Coinbase to send a real 2FA verification code email to Canfield? One user said this suggested that the scammers were already able to log in to Canfield’s account through a data breach.
According to Canfield, it remains unclear. “I’m not sure if they were logging in or already logged in and were requesting a withdrawal,” Canfield replied. “My email is pretty locked down with multiple authentications so perhaps they were already in my Coinbase account.”
However, as crypto sleuth Parrot Capital pointed out, Coinbase responded to the situation and claimed no data breach had taken place. Users suggested the breach occurred through a third party — many pointed the finger at CoinTracker, which has a tax prep partnership with Coinbase, as the source of the leak. CoinTracker denied this but did admit that there was a data breach back in December “where [Canfield’s] email may have been included.”
While Canfield quickly caught on to the scam, he worries that many could fall prey to the sophisticated phishing attempt. Crypto sleuth ZachXBT pointed out that others had been targeted in a similar scam.
“It wasn’t the actual 2FA since I don’t use SMS or email authentication,” Canfield explained. He didn’t stick around to see how the scammers could have drained his account, but suggested a data breach from a third party or through the dark web had occurred.
“Still, better to be safe than sorry and change all your passwords if you’re on Coinbase,” Canfield cautioned users.