DApp Phishing in Coinbase Wallet - I Lost Over $50,000
A few days ago, all my money, $58,797, in my Coinbase Wallet was drained from my wallet without me knowing about it until I opened my wallet.
I believe there is a major security issue in Coinbase Wallet where users can easily get phished into letting a DApp (Decentralized Application) take control and grant spending permission to an external entity.
[Image: My empty wallet 😢]
Contacting Coinbase/Wallet Support, which is the only way I know of to reach out to them, was not helpful. All they said was that I may have leaked the recovery phrase, without looking into the details I provided. I found a recent review on Google that describes the situation really well.
[Image: A recent user review on Google Play Store.]
I am going to describe what happened in detail.
My brother-in-law showed me his Coinbase Wallet a few weeks ago, where he had joined a mining pool that was giving out Ethereum every day. He is also a Coinbase user, so he showed me the Coinbase app to get as well.
I was new to crypto, so I installed both apps from the Google Play Store on my Android phone and started my journey.
Reading about Coinbase Wallet from Google's search results, it is considered one of the most secure wallets out there:
[Image: Coinbase Wallet version 25.8.398]
The "mining pool" I joined is a DApp with the address u2e-free.com. This address is only accessible using a DApp browser inside the wallet (or, as I found out later, with a wallet browser extension).
[Image: The DApp u2e-free.com]
The DApp also has a promotional website here: https://u2e-free.vip/
I was totally confident in Coinbase Wallet's reputation, ignoring my suspicion about the unrealistically high profit. I believed that as long as money stayed in my safe Coinbase Wallet and no one else knew my recovery phrase, it could not be taken out without my approval.
I was wrong. All my money was drained from my Coinbase Wallet through this transaction:
https://etherscan.io/tx/0x28fe570dc54f6432db9fd7b7fce68083c081f9eff69c8334a30c9077d22e775c
Reviewing the transaction, there is something that does not look right: the address that interacted with the USDT contract (highlighted in orange) is not the same as my address (highlighted in yellow). How can another address drain my wallet?
Thus, I looked further and found a transaction that granted Authorized Spender permission in a Smart Contract to an external entity:
https://etherscan.io/tx/0x5d3b28977f2f9b591f705bd24eeb777d50b9c35dd19cc3bf80223377f7072f7f
I looked further into what that entity is doing and discovered that the entity is draining money from a lot of other wallets too.
Reviewing one of the addresses that this entity transferred money to, we can get an idea of the amount of money that was taken. This entity has been active since 10/16/2021 and is currently draining people's wallets.
[Image: IN/OUT transactions of the entity. The transactions of my brother-in-law and mine are highlighted.]
Based on the research I did above, I believe Coinbase Wallet on mobile got compromised due to a major security issue: its DApp browser may execute (malicious) Smart Contract APIs, such as the API granting Authorized Spender permission, without any awareness from users*.
A safe Internet browser would inform users if a site is requesting the user's location or if a camera or microphone is going to be used. Users must give approval.
This is not the case for Coinbase Wallet on mobile. I never saw any permission request while visiting that malicious DApp telling me that it was granting Approved Spender permission to a different entity.
I believe that U2E-Free app is exploiting that vulnerability in Coinbase Wallet and users are getting all of their money stolen.
I contacted Coinbase multiple times after my research and provided them with details, asking them whether it is possible for a DApp to take control of Coinbase Wallet, and here's what they told me:
If you did not authorize any outgoing transactions from your Coinbase Wallet, it means that your recovery phrase has been compromised.
Even though crypto was new to me, I am really familiar with the Internet and know how to keep secrets safe. Also, it was not my address that made the transfer, but a different entity. They failed to acknowledge their vulnerability and accused users of leaking the recovery phrase.
Coinbase's support information misleads people into believing that as long as their recovery phrase is safe, no other entity can take money out of their wallet, which is not true. I found the following article from February discussing the issue:
Bad Actors Abusing ERC20 Approval to Steal Your Tokens!
Surprisingly, this issue still exists in Coinbase Wallet.
From the article, you can use https://revoke.cash in your DApp browser to check whether there are transactions that granted the Approved Spender permission and revoke them. Coinbase Wallet has no interface listing these transactions that may drain your wallet.
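The draining pattern described above has two parts: a DApp gets the wallet to call the token contract's approve() for an external "spender" address, and that spender later moves the tokens itself with transferFrom(), which is why a different address shows up interacting with the USDT contract. The following is an added example, not code from the original post or from Coinbase Wallet: it does, for a constructed list of a wallet's outgoing transactions, the review the author did by hand on Etherscan, decoding approve() calldata, reporting the spender, and flagging unlimited allowances. The function selectors are the standard ERC20 ones; the wallet, token, spender and transaction hashes are constructed placeholders.

```python
# Added example (not from the original post): find ERC20 approve() calls in a
# wallet's outgoing transactions. An approval is what lets a third-party
# "spender" address later drain tokens with transferFrom(); revoking it means
# sending approve(spender, 0) from the owner's wallet.

# 4-byte function selectors: first 4 bytes of keccak256(signature)
APPROVE_SELECTOR = "095ea7b3"   # approve(address,uint256)
TRANSFER_SELECTOR = "a9059cbb"  # transfer(address,uint256), a normal send
MAX_UINT256 = 2**256 - 1        # "unlimited" allowance commonly requested by DApps

def decode_approve(calldata: str):
    """Return (spender, amount) for an approve() call, or None for anything else."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    # selector (4 bytes) + spender (32-byte word) + amount (32-byte word)
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8:72][-40:]  # address is right-aligned in its 32-byte word
    amount = int(data[72:136], 16)
    return spender, amount

def find_approvals(txs, wallet):
    """txs: dicts with 'hash', 'from', 'to' (token contract) and 'input' (calldata)."""
    findings = []
    for tx in txs:
        if tx["from"].lower() != wallet.lower():
            continue  # only approvals signed by this wallet matter
        decoded = decode_approve(tx["input"])
        if decoded is None:
            continue
        spender, amount = decoded
        findings.append({"tx": tx["hash"], "token": tx["to"], "spender": spender,
                         "amount": amount, "unlimited": amount == MAX_UINT256})
    return findings

# Constructed sample data (placeholder addresses, not real ones).
WALLET = "0x" + "aa" * 20
TOKEN = "0x" + "bb" * 20
SPENDER = "0x" + "cc" * 20
SAMPLE_TXS = [
    # approve(SPENDER, MAX_UINT256): the transaction a victim would look for
    {"hash": "0xtx1", "from": WALLET, "to": TOKEN,
     "input": "0x" + APPROVE_SELECTOR + SPENDER[2:].rjust(64, "0") + "f" * 64},
    # transfer(0xdd..dd, 100): an ordinary send, must not be reported
    {"hash": "0xtx2", "from": WALLET, "to": TOKEN,
     "input": "0x" + TRANSFER_SELECTOR + ("dd" * 20).rjust(64, "0") + hex(100)[2:].rjust(64, "0")},
]

if __name__ == "__main__":
    for finding in find_approvals(SAMPLE_TXS, WALLET):
        print(finding)
```

Any reported spender that is not a contract you knowingly use (a DEX router, for instance) is a candidate for revocation; an unlimited allowance to an unknown address is exactly the condition the post describes.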
I believe there are a lot of other victims aside from my brother-in-law and me. I have gathered the following reviews of Coinbase Wallet recently posted on Google Play Store. I believe they are users who are in the same situation as us:
Update 2/3/2022: I have restored my original position and believe it was accurate after further analysis of the issue. Thus I restored the text that I had marked as deleted earlier.
* Correction 12/30/2021: Coinbase Wallet did have this Confirm Payment dialog when tapping on Receive:
I could not reproduce this on u2e-free.com because that DApp validates Ether balance before calling approve and my wallet was low on Ether. However, I was able to trigger this dialog on https://www.p2p-eth.com. I have edited this post based on this new understanding.
Hey, is there any way I could get in touch with you? This just happened to me and a few others.
I think we should all get in touch and hopefully we can do something about this. Please email me at cryptoscamvictims@gmail.com.
It happened to me and I lost 44035 USDT from my Coinbase Wallet. U2E-free customer service said I was picked as a lucky user, but I had to add $76000 USDT to my Coinbase Wallet during the contract period (from November 29th through December 5th) in order to receive the reward, which I refused because I have never pledged additional funds, nor did I voluntarily agree to authorize U2E-Free to take my USDT from my Coinbase Wallet. Furthermore, U2E-free customer service asked me to submit a withdrawal request that took about 24 hours, which I did, and they never returned my USDT. Finally they asked me to add 16000 USDT to unfreeze my funds and threatened to freeze my funds indefinitely. I totally agree with all of the comments above that Coinbase Wallet is not secure at all and the scammer behind this is U2E-Free, who steals money from many Coinbase Wallet users.
Thanks for speaking up. They told my brother-in-law the same. He believed them and did what they asked. The money went out of his wallet and into the "pool" a total of 4 times, totaling over 200,000 USDT.
U2e-free.com is not the only app. There are a lot of other similar apps that I believe all belong to the same scam group. Some examples include:
* coinbasewallet.club discussed here: https://www.reddit.com/r/liquiditymining/comments/rf3lku/scam_coinbasewalletclub/
* eth-eventwil.com discussed here: https://www.reddit.com/r/CryptoCurrency/comments/r7v5c1/lost_30k_in_coinbase_wallet_scam_help/
A common pattern that I see is that these apps are running and scamming inside Coinbase Wallet. I just found this article: https://www.globalantiscam.org/post/coinbase-s-lack-of-accountability-presents-a-security-vulnerability
That website, https://www.globalantiscam.org, is the Global Anti-Scam Organization (GASO) that I just found yesterday. I think this site is an honest support group for victims like us.
They also have online support chat and other useful resources.
Thanks for the tips. Yes, I have filed complaints against both Coinbase and U2E-free with the FTC (the SEC referred me to the FTC); let's see if they will investigate. Also, I noticed Joseph Fowler's comment below: he got his refund (great for him!) after filing a complaint through the FTC, and yes, I am interested to hear more about efforts to get refunds for all victims.
For more resources on what can be done, there is a community of victims on Reddit that is discussing what to do here:
https://www.reddit.com/r/eth_liquidity_scam/comments/rc39l5/now_that_we_are_approaching_100_members_lets/
Here are the steps that I took:
1. Report the case to IC3 (FBI) using this link: https://www.ic3.gov/Home/FileComplaint
2. Save a PDF copy of the report
3. Contact the Global Anti-Scam Organization (GASO) and fill out this form: https://www.globalantiscam.org/contact-us
4. GASO will send us a spreadsheet to fill in the information and ask us to attach the FBI report
After that, they will help trace the money transactions, group victims together by platform, and escalate that to the FBI. The FBI will investigate and take appropriate action more quickly and effectively when working on the cases as a group.
I have done the above steps.
Great video: https://www.youtube.com/watch?v=W4-EEddpwx4&t=633s
I found a lawsuit against Coinbase:
https://unicourt.com/case/pc-db5-alfia-v-coinbase-global-inc-1072512
This just happened to me this week, exactly as you described. But the website or DApp name is called Aaveeth; mine shows that I participated in an ERC20 Smart Contract. I only ask because the so-called 'financial adviser' that I'm talking to told me to ask for the reward, and then the customer service told me I pledged on the said contract and I must put in $20,000. Then all of a sudden all of my money was gone and is now in the so-called Mortgage in that same DApp account. I lost almost $10,000 and I don't know if Coinbase is able to help me or not. They seem to not understand what I'm talking about. It feels like they are part of scamming people this easily. I will file a report this week.
Hi Josie, please don't listen to that fake support and add money to your wallet. Please follow the steps outlined above.
I got done too. Did you get your money back?
Have any of you recovered your money?