Full Report
Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn that his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click "yes" to a Google prompt on his mobile device.
Analysis Summary
# Incident Report: Sophisticated Google Account Takeover Leading to Cryptocurrency Theft
## Executive Summary
This incident details a highly sophisticated social engineering and phishing attack targeting cryptocurrency holders via methods that leveraged legitimate Google infrastructure. Attackers gained control of a victim's Gmail account by convincing them to approve a fraudulent account recovery prompt, subsequently accessing synced services like Google Photos to retrieve a wallet seed phrase, leading to the theft of approximately $500,000 in cryptocurrency. The attack relied on deep impersonation, utilizing legitimate Google phone numbers, spoofed Google domain emails (via Google Forms), and leveraging the victim's trust in security alerts.
## Incident Details
- Discovery Date: Not explicitly stated; the loss was discovered immediately after the event, and the initial compromise occurred on May 6.
- Incident Date: May 6th (for Adam Griffin's initial loss); May 15, 2024 (for the second major victim, Tony).
- Affected Organization: Adam Griffin (Seattle area firefighter) and Tony (Northern California professional).
- Sector: Individual/Personal Finance (Cryptocurrency Holders).
- Geography: Seattle Area and Northern California, USA.
## Timeline of Events
### Initial Access
- Date/Time: May 6 (Adam Griffin) / Evening of May 15, 2024 (Tony).
- Vector: Vishing (Voice Phishing) combined with Email Spoofing via Google Forms.
- Details: Attackers called the victims, impersonating Google Support, claiming their Gmail accounts were being accessed from Germany. They used a genuine Google phone number ((650) 203-0000) and sent convincing emails originating from genuine `google.com` addresses (sent using the Google Forms service to bypass normal filtering).
### Lateral Movement
- Attackers initiated Google account recovery for the victim's Gmail address.
- The victim was tricked into approving the malicious account recovery prompt ("Is it you trying to recover your account?").
- Upon clicking "yes," the attacker gained access to the Gmail account.
- Access to Gmail led to access to synced services, specifically Google Photos, where the victim had stored an image of their cryptocurrency wallet seed phrase.
- Attackers then used the recovered seed phrase to drain funds from the victim's Exodus wallet.
- Later, attackers used the compromised Gmail to access the victim's Coinbase account (using provided multi-factor codes, possibly via Google Authenticator codes stored in the Google account) and attempted further transfers, which were eventually blocked by Coinbase security protocols requiring additional verification.
### Data Exfiltration/Impact
- **Exfiltration:** The primary data exfiltrated was the cryptocurrency wallet seed phrase stored digitally in Google Photos.
- **Impact:** Theft of approximately $450,000 in cryptocurrency from the Exodus wallet. A second victim reported the theft of 45 BTC (approx. $4,725,000 market value) in a similar attack.
### Detection & Response
- **Detection:** Griffin realized the extent of the loss immediately after the fraudulent Coinbase call and the subsequent Coinbase lock notice. The response actions described are limited to the victim's own realization and his subsequent contact with an FBI contact.
- **Response actions taken:** The victim contacted an FBI contact. Coinbase intervention successfully prevented a secondary transfer attempt.
## Attack Methodology
- **Initial Access:** Vishing combined with highly convincing phishing emails generated via Google Forms, forcing the victim to authorize an account takeover via a legitimate-looking Google prompt.
- **Persistence:** Gained full control of the primary Google account, which housed multiple linked services (Photos, Authenticator codes).
- **Privilege Escalation:** Exploited the legitimate Google account recovery mechanism by tricking the user into approving the attacker’s control request.
- **Defense Evasion:** Used Google Forms to send emails from the legitimate `google.com` domain, bypassing standard email filtering solutions.
- **Credential Access:** No direct credential theft occurred; access was gained via social engineering leading to MFA bypass/user authorization.
- **Discovery:** Internal reconnaissance via access to Google Photos.
- **Lateral Movement:** Moving from Gmail access to Google Photos to retrieve the seed phrase, and then to Coinbase using MFA codes associated with the Google account ecosystem.
- **Collection:** Acquiring the seed phrase for wallet access.
- **Exfiltration:** Transfer of cryptocurrency funds from the Exodus wallet.
- **Impact:** Significant financial loss in cryptocurrency.
## Impact Assessment
- **Financial:** Loss of approximately $450,000 for the primary victim described; $4.7 million lost by a second victim (Tony).
- **Data Breach:** Sensitive data (cryptocurrency seed phrase) was exposed and utilized.
- **Operational:** Business operations were not directly affected, but personal digital security and financial standing were severely compromised.
- **Reputational:** Not explicitly stated, but significant personal distress was noted.
## Indicators of Compromise
- **Network indicators:** Communication originated via a legitimate Google support number: **(650) 203-0000**. Subsequent account accesses originated from a VPN connection in California (during the Coinbase breach attempt).
- **File indicators:** Image file containing a cryptocurrency seed phrase stored in Google Photos.
- **Behavioral indicators:** The attacker impersonating "Ashton" from Google Support; use of seemingly legitimate Google security alert emails sent via Google Forms.
## Response Actions
The provided text focuses primarily on the victim's reactions rather than established organizational response protocols.
- **Containment measures:** Not detailed, though Coinbase manually locked the account after the unusual transfer attempt.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Victim contacted an FBI contact following the realization of the theft.
## Lessons Learned
- Security-conscious individuals can still be victims of highly sophisticated, multi-layered social engineering attacks leveraging trusted brands (Google).
- Relying on caller ID or email sender domain alone is insufficient when unsolicited security alerts occur.
- Storing highly sensitive recovery information (like seed phrases) in cloud services synced to primary email accounts (like Google Photos) presents a critical single point of failure.
- Engaging with or antagonizing cybercriminals after a breach can lead to personal threats and doxing attempts.
## Recommendations
- Never respond to unsolicited security calls. If suspicion arises, **Hang up, Look up, and Call back** using an independently verified, official company phone number.
- Use the strongest MFA methods available, such as phishing-resistant passkeys or physical security keys, especially for high-value accounts like Gmail.
- Google users holding significant cryptocurrency should strongly consider enrolling in Google’s **Advanced Protection Program**.
- Utilize long, unique passphrases for primary email accounts, as email credentials are the key to digital identity.
- Do not store cryptocurrency seed phrases digitally on services linked to primary accounts.