Earlier this year, a complaint was filed in the U.S. District Court for the District of New Jersey alleging that an unknown hacker stole approximately $40 million in bitcoin from the victim's cryptocurrency wallets. The attack involved a series of sophisticated phishing emails designed to impersonate legitimate communications from Google and from a hardware cryptocurrency wallet provider.
The scheme began with the victim receiving a phishing email from a fake Google Workspace Alerts account that falsely claimed he was deceased and stated that a legal matter involving his Google account was pending.
The victim later received another phishing email that appeared to come from the support account of the victim's hardware cryptocurrency wallet provider attempting to trick him into providing his extended public key by claiming that his private key recovery service had been initiated – a service to which he had never subscribed. The victim suspected the email was a phishing attempt and contacted the hardware cryptocurrency wallet provider via their legitimate support channel to inform them of the scam. In response, he received a series of misleading emails that attempted to further convince him to follow the fraudulent instructions. These included emails misrepresenting that the original phishing email was genuine and persuading the victim that he should provide his extended public key to protect his assets.
The victim also sought advice from a Reddit group dedicated to issues with the hardware cryptocurrency wallet provider, where he received conflicting advice from users, including one who encouraged him to follow the fraudulent instructions. Approximately an hour after the victim described his situation on Reddit, he discovered that both the account of the user who had responded to his post and his own Reddit account had been deleted.
The incident prompted the victim to take immediate action to secure his assets. He moved his crypto assets from his hardware cryptocurrency wallet to a different wallet and began changing other passwords to prevent further unauthorized access. Despite his efforts, his cryptocurrency wallets were eventually compromised, and 521.99931468 bitcoin was transferred from his wallets to an address controlled by the hacker.
Key Security Lessons
This case demonstrates that even hardware wallets are vulnerable when combined with sophisticated social engineering attacks. Holland & Knight recommends the following precautions:
- If you receive unexpected communications about your cryptocurrency holdings or unusual account notifications, do not click links or provide information.
- Never share extended public keys or private keys with anyone, regardless of how legitimate the request appears. An extended public key cannot sign transactions on its own, but it lets the holder derive every current and future receiving address under it, and therefore your full balance and transaction history, which is exactly the reconnaissance an attacker needs to target you.
- Use multi-factor authentication, preferably a phishing-resistant method such as a hardware security key, for all cryptocurrency-related accounts and for the email account that receives their notifications.
- Verify support communications through alternate channels before responding to emails about account security, and treat any reply that asks you to disclose keys, seed phrases or extended public keys as a red flag even when it arrives through a channel you initiated, as it did in this case.
- Establish emergency response procedures in advance so that you can act quickly if you suspect compromise, for example by notifying custodians to freeze accounts and by moving self-custodied funds to a pre-established backup wallet.
- Consider multi-signature arrangements requiring multiple parties to authorize high-value transactions.
- Store cryptocurrency in hardware wallets (cold storage) and back up recovery phrases offline in physically secure, tamper-evident environments.
- Consider using multiple types of hardware wallets to spread holdings across different platforms to prevent a single point of failure from being catastrophic.
- Avoid publicly revealing your involvement in cryptocurrency on social media platforms, as attackers target individuals who advertise their holdings.
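To make concrete why the second lesson above treats an extended public key as sensitive even though it cannot spend funds, the following is an added example (not from the complaint, the court filing or Holland & Knight) that implements BIP32 non-hardened child derivation on secp256k1 with only the Python standard library. The seed, the derivation path m/0 and the index count are constructed test values; the example does not claim this is how the theft in the complaint was carried out. It shows that whoever holds the account-level public key and chain code (the two parts of an xpub) can enumerate exactly the same receiving public keys the wallet owner derives, while hardened children remain out of reach without the private key.

```python
"""Added example: what an extended public key (xpub) lets a third party compute.

BIP32 non-hardened derivation on secp256k1, standard library only.
The seed and path below are constructed demo values, not real wallet data.
"""
import hashlib
import hmac

# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point=G):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def compress(point):
    """33-byte SEC1 compressed encoding, the ser_P used inside BIP32 HMACs."""
    x, y = point
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")


def master_from_seed(seed):
    """BIP32 master private key and chain code from a seed."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def ckd_priv(k, chain, index):
    """Child private key; handles hardened (index >= 2**31) and normal indices."""
    if index >= 2**31:
        data = b"\x00" + k.to_bytes(32, "big") + index.to_bytes(4, "big")
    else:
        data = compress(ec_mul(k)) + index.to_bytes(4, "big")
    i = hmac.new(chain, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    child = (il + k) % N
    if il >= N or child == 0:
        raise ValueError("invalid child, skip this index")  # BIP32 edge case
    return child, i[32:]


def ckd_pub(K, chain, index):
    """Child public key from the parent PUBLIC key only: what an xpub holder can do."""
    if index >= 2**31:
        raise ValueError("hardened derivation needs the private key")
    data = compress(K) + index.to_bytes(4, "big")
    i = hmac.new(chain, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    if il >= N:
        raise ValueError("invalid child, skip this index")
    child = ec_add(ec_mul(il), K)
    if child is None:
        raise ValueError("invalid child, skip this index")
    return child, i[32:]


def enumerate_from_xpub(K, chain, count):
    """Receiving public keys anyone holding the xpub can list, no secret needed."""
    return [compress(ckd_pub(K, chain, i)[0]).hex() for i in range(count)]


def owner_keys(k, chain, count):
    """The same keys as the wallet owner derives from the private side."""
    return [compress(ec_mul(ckd_priv(k, chain, i)[0])).hex() for i in range(count)]


# Constructed demo seed and path (m/0); never use a fixed seed for real funds.
SEED = b"demo-seed-for-this-added-example-not-for-real-use"
ACCOUNT_K, ACCOUNT_CHAIN = ckd_priv(*master_from_seed(SEED), 0)
ACCOUNT_XPUB_POINT = ec_mul(ACCOUNT_K)  # the xpub is this point plus ACCOUNT_CHAIN

if __name__ == "__main__":
    for leaked, real in zip(enumerate_from_xpub(ACCOUNT_XPUB_POINT, ACCOUNT_CHAIN, 5),
                            owner_keys(ACCOUNT_K, ACCOUNT_CHAIN, 5)):
        print(leaked, "match" if leaked == real else "MISMATCH")
```

The equality of the two lists follows from the homomorphism point(IL + k) = point(IL) + point(k), so disclosing the xpub discloses every address an attacker would watch or target; the hardened branch is the one place where the private key is still required, which is why wallets use hardened derivation for account-level keys and why the page's advice to share neither key type is sound.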