The Scammers Almost Got Me

After being in the crypto space for the past six years, (safely!) I almost got scammed out of all of my crypto last night. 

It started with a phone call from a number that I didn’t recognize; most of the time I just let these roll to voice mail as they are 99% telemarketers…but for some reason I answered it. 

“Hello, this is Josh from Coinbase, we’ve seen some login attempts that don’t fit your normal pattern. Have you logged in recently from London?

“We sent you an email earlier today warning you about this potentially malicious login attempt, and haven’t heard from you so I’m calling tonight.” 

“Would you like me to lock out your account for 24 hours?”

At this point my radar was not going off yet because this is exactly the type of phone call that I get from banks if there is a bogus transaction that hits the wire. I honestly thought that he was relaying along important information and I was concerned that someone had gotten into my Coinbase account. 

I did not see Josh’s email because it ended up in my spam folder. (Clue number one!) 

When I checked the “from” address, I saw that it was from “Coinbase.co” and not coinbase.com. Again, this was odd but still not a major red flag. 

At this point I told Josh, “OK, before I go ahead with this I need to know that you are who you say you are, so I know that you’re not trying to socially engineer me.” 

Something was starting to smell off since he kept rushing through his responses and I had to ask him to slow down several times when asked for his name and the ticket number with coinbase. The final flag for me was when I hovered my mouse over the “Submit Verification” link shown above and it was some funky destination address: 

https://ecp.yusercontent.com/mail?url=https%3A%2F%2Fbkt04.img.af.d.sendibt2.com (please don’t click on this) 

Uh-oh. “Hey Josh, I’m not going to click on that link as I’m not sure where you are directing me.”

<click> Josh hung up. 

Phew. I almost gave away the keys to the castle. I have no idea how my phone number and email address was compromised via coinbase. I immediately changed my password just to be sure, and will likely change my email address associated with this account. 

Not your Keys, Not your Cheese

The phrase “not your keys, not your coins” is a popular adage within the cryptocurrency community. It emphasizes the importance of personal ownership and control over one’s private keys, which are cryptographic keys used to access and manage one’s cryptocurrency holdings.

The meaning behind this phrase is simple:

Your Keys: If you personally control the private keys associated with your cryptocurrency, then you have full ownership and control over those funds. This is typically the case when you store your crypto in a private wallet (hardware wallet, software wallet, paper wallet, etc.).

Not Your Keys: If someone else (like a cryptocurrency exchange or a custodial wallet service) controls the private keys for your cryptocurrency, then they technically have control over those funds, not you. Even if the platform shows you a balance, you are relying on that third party to manage and access your funds.

The saying serves as a reminder of the risks associated with storing cryptocurrency on centralized platforms. If an exchange or service gets hacked, goes bankrupt, or faces regulatory issues, users’ funds could be at risk. By controlling your own keys, you can ensure that you always have direct access to and ownership of your cryptocurrency.

The phrase “not your keys, not your coins” means that it’s OK to do transactions at centralized exchanges, however if you want to be your own bank, you’ve got to get your assets off of centralized exchanges. Coinbase has been one of the better exchanges with respect to security, but all the security in the world won’t protect against a social engineering attack where you unwittingly give someone the keys to your castle. 

And watch out for Josh from coinbase.co!