Last week, hackers took over the cellphone number and email account of Cody Brown, the founder of a virtual reality production studio called IRL. The attackers then logged into his account on the cryptocurrency exchange Coinbase and drained it, stealing around $8,000, according to Brown's reconstruction of the heist.
Brown, of course, wasn't very happy about it.
"When you are robbed on Coinbase there is literally no one to call. There is no fraud hotline. You are out $8k and they tell you to text a Twitter account or send them an email," Brown told Motherboard in an online chat. "And right now, their own optimistic estimate for response time is that they will get back to you in 5 days."
And it seems that he's not the only one being targeted.
Authy, the cloud provider that allows users to get a two-step authentication code to go with their password, sent an alert to Coinbase users this week.
"Due to a recent increase in sophisticated attacks targeting Coinbase users, we are taking extra precaution to protect your account," Authy wrote.
The company added that it is seeing not only simple social engineering and password theft attacks, but also that "attackers are porting phone numbers (also known as SIM swapping)." This is a slightly more sophisticated attack in which hackers call the victim's cellphone company and pretend to be the victim, convincing a support rep to issue a new SIM card and hijacking the victim's number. At that point, they can use the hijacked number to log into the victim's email and online wallet account.
Unfortunately, as Motherboard reported last year, this is still relatively easy to pull off.
Asked about these incidents, Coinbase sent the following statement, while declining to clarify whether the hacking attempts have increased.
"Broad awareness of security is increasingly important as more of our lives move online and the price of digital currencies continues to increase," the company wrote. "Coinbase strongly recommends using unique, strong passwords and 2-factor authentication like TOTP (e.g. Google Authenticator, Duo, etc) for both email and digital currency wallets."
Gemini, the exchange launched by the Winklevoss brothers, did not respond to a request for comment. But a quick search on Twitter shows that this type of attack seems to be more common lately.
If you have Bitcoin or Ether on an online wallet or exchange, enable two-factor authentication right now. And avoid using SMS as the second factor, as it's been proven to be weak and easy to circumvent. Instead, use an app like Google Authenticator or Authy, or even better, use a security key if your provider allows it. And if you can, maybe consider storing your cryptocurrency offline. Even Coinbase recognizes this is important. The company wrote a blog post about it seven months ago, but still doesn't prompt users to move away from SMS as a second factor.
"Coinbase grew by 400,000 users in the past 30 days," Brown told me via chat. "This is also likely to be a problem for a tonnnnnn of their new users."
As cryptocurrencies grow in value, they become even more juicy targets for scammers or hackers. Don't let them have an easy time pwning you.
Disclosure: the author owns a small amount of Ether.
This story has been updated to include Coinbase's comment.