DApp Phishing in Coinbase Wallet - I Lost Over $50,000

A few days ago, all my money, $58,797, in my Coinbase Wallet drained from my wallet without me knowing about it until I opened my wallet.

I believe there is a major security issue in Coinbase Wallet where users can easily get phished to give a DApp (Decentralized Application) to take control and grant spending permission to an external entity.

My empty wallet 😢

Contacting Coinbase/Wallet Support, which is the only way I know of to reach out to them, was not helpful. All they said is that I may have leaked the recovery phrase, without looking into the details I provided. I found a recent review on Google that describes the situation really well.

A recent user review on Google Play Store.

I am going to describe what happened in details.

My brother-in-law showed me his Coinbase Wallet a few weeks ago where he joined a mining pool and they were giving out Ethereum every day. He is also a Coinbase user so he showed me the Coinbase app to get too.

I was new to cryptos, so I installed both apps from the Google Play Store to my Android phone and started my journey.

Reading about Coinbase Wallet from Google's search results, it is considered one of the most secure wallets out there:

Thus, I chose to install Coinbase Wallet as my first crypto wallet to start mining, with full trust in the app. Here's the version of Coinbase Wallet that I had installed:

Coinbase Wallet version 25.8.398

The "mining pool" I joined is a DApp with the address u2e-free.com. This address is only accessible using a DApp browser inside the wallet (or with a wallet browser extension that I found out later).
The DApp u2e-free.com

The DApp also has a promotional website here: https://u2e-free.vip/

For the first 10 days, the DApp gave out Ethereum as expected and it was a big profit so I added a lot of Tether (USDT) to my wallet. The more USDT I had in my wallet, the higher the yield.
The big "profit" rates (per day)

I was totally confident with Coinbase Wallet's reputation, ignoring the suspicion of the unrealistic high profit. I believed that as long as money stays in my safe Coinbase Wallet and no one else knows my recovery phrase, it cannot be taken out without my approval.

I was wrong. All my money drained from my Coinbase Wallet through this transaction:

https://etherscan.io/tx/0x28fe570dc54f6432db9fd7b7fce68083c081f9eff69c8334a30c9077d22e775c

The transaction where my money was stolen

Reviewing the transaction, there is something that does not look right: the address that interacted with the USDT contract (highlighted in orange) is not the same address with my address (highlighted in yellow). How can another address drained my wallet?

Thus, I looked further and found a transaction that granted Authorized Spender permission in a Smart Contract to an external entity:

https://etherscan.io/tx/0x5d3b28977f2f9b591f705bd24eeb777d50b9c35dd19cc3bf80223377f7072f7f

My Coinbase Wallet was compromised somehow. It granted Approved Spender permission to an external entity to spend unlimited USDT in my wallet. Notice that there is $0 at risk because they took it all.

I looked further into what that entity is doing and discovered that the entity is draining money from a lot of other wallets too.

The "spender" is draining a lot of wallets, including mine (highlighted)

Reviewing one of the addresses where that entity transferred money to, we can have some ideas on the amount of moneys that were taken. This entity has been active since 10/16/2021 and is currently draining people's wallets.

IN/OUT transactions of the entity. The transactions of my brother-in-law and mine are highlighted.

Based on the research I did above, I believe Coinbase Wallet on mobile got compromised due to a major security issue: its DApp browser may execute (malicious) Smart Contract APIs, such as the API granting Authorized Spender permission, without any awareness from users*.

A safe Internet browser would inform users if a site is requesting the user's location or if a camera or microphone is going to be used. Users must give approval.

This is not the case for Coinbase Wallet on mobile. I never see any permission request while visiting that malicious DApp telling me that they are granting Approved Spender permission to a different entity.

I believe that U2E-Free app is exploiting that vulnerability in Coinbase Wallet and users are getting all of their money stolen.

I was contacting Coinbase multiple times after my research and provided them with details, questioning them whether it is possible for a DApp to take control of Coinbase Wallet, and here's what they told me:

If you did not authorize any outgoing transactions from your Coinbase Wallet, it means that your recovery phrase has been compromised.

Even though cryptos was new to me, I am really familiar with the Internet and know how to keep secrets safe. Also, it was not my address that made the transfer action, but a different entity. They failed to acknowledge their vulnerability and accused users of leaking the recovery phrase.

Coinbase support information are misleading people to believe that as long as their recovery phrase is safe, no other entity can take money out of their wallet, which is not true. I found the following article dated back in February discussing the issue:

Bad Actors Abusing ERC20 Approval to Steal Your Tokens!

Surprisingly, this issue still exists in Coinbase Wallet.

From the article, you can use https://revoke.cash in your DApp browser to query if there are transactions that granted the Approved Spender permission and revoke them. Coinbase Wallet has no interface listing these transactions that may drain your wallet.

I believe there are a lot of other victims aside from my brother-in-law and me. I have gathered the following reviews of Coinbase Wallet recently posted on Google Play Store. I believe they are users who are in the same situation as us:



















Update 2/3/2022: I have restored my original position and believe it was accurate after further analysis of the issue. Thus I restored the text that I marked as delete earlier.

* Correction 12/30/2021: Coinbase Wallet did have this Confirm Payment dialog when tapping on Receive:

This dapp is requesting an action, which could take money from your wallet. Make sure you trust this site.

I could not reproduce this on u2e-free.com because that DApp validates Ether balance before calling approve and my wallet was low on Ether. However, I was able to trigger this dialog on https://www.p2p-eth.com. I have edited this post based on this new understanding.

Location: United States

Comments

  1. Mattador4828December 2, 2021 at 3:43 PM

    Hey any way I could get in touch with you? This just happened to me and a few others

    ReplyDelete
    Replies
    1. A Crypto Scam VictimDecember 14, 2021 at 10:27 AM

      I think we should all get in touch and hopefully we can do something about this. Please email me at cryptoscamvictims@gmail.com.

      Delete
  2. John MasehiDecember 17, 2021 at 11:21 AM

    It happened to me and I lost 44035 USDT from my Coinbase Wallet. U2E-free customer service said I was picked as a lucky user but I had to add $76000 USDT to my Coinbase Wallet during contract period (from November 29th through December 5th) in order to receive reward which I refused because I have never pledged additional funds nor I agree voluntarily to authorize U2E-Free took my USDT from Coinbase Wallet. Furthermore, U2E-free customer service asked me to request withdrawal request that took about 24 hours which I did and they never return my USDT and finally they asked me to add 16000 USDT for me to unfreeze my funds and threatened to freeze my funds indefinitely. I totally agree with all of the comments above that Coinbase Wallet is not secure at all and scammer behind this is U2E-Free who steals money from many Coinbase Wallet users.

    ReplyDelete
    Replies
    1. A Crypto Scam VictimDecember 17, 2021 at 10:22 PM

      Thanks for speaking up. They told my brother-in-law the same. He believed them and did what they asked. The money went out of his wallet and into the "pool" a total of 4 times, totaling over 200,000 USDT.

      U2e-free.com is not the only app. There are a lot of other similar apps that I believe all belong to the same scam group. Some examples include:

      * coinbasewallet.club discussed here: https://www.reddit.com/r/liquiditymining/comments/rf3lku/scam_coinbasewalletclub/

      * eth-eventwil.com discussed here: https://www.reddit.com/r/CryptoCurrency/comments/r7v5c1/lost_30k_in_coinbase_wallet_scam_help/

      A common pattern that I see is that these apps are running and scamming inside Coinbase Wallet. I just found this article: https://www.globalantiscam.org/post/coinbase-s-lack-of-accountability-presents-a-security-vulnerability

      That website, https://www.globalantiscam.org, is the Global Anti-Scam Organization (GASO) that I just found yesterday. I think this site is an honest support group for victims like us.

      They also have online support chat and other useful resources.

      Delete
    2. John MasehiDecember 27, 2021 at 8:31 AM

      Thanks for tips, yes I have filed complaints both Coinbase and U2E-free to FTC (SEC referred me to FTC) let's see if they will investigate. Also, I notice Joseph Fowler's comments below and he got his refund (great for him!) after filing complain through FTC and yes I am interested to hear more in efforts to get more refunds for all victims.

      Delete
  3. A Crypto Scam VictimDecember 21, 2021 at 1:29 AM

    For more resources on what can be done, there is a community of victims on Reddit that is discussing what to do here:

    https://www.reddit.com/r/eth_liquidity_scam/comments/rc39l5/now_that_we_are_approaching_100_members_lets/

    Here are the steps that I took:

    1. Report the case to IC3 (FBI) using this link: https://www.ic3.gov/Home/FileComplaint

    2. Save a PDF copy of the report

    3. Contact the Global Anti-Scam Organization (GASO) and fill out this form: https://www.globalantiscam.org/contact-us

    4. GASO will send us a spreadsheet to fill in the information and ask us to attach the FBI report

    After that, they will help trace the money transactions and group victims together by platforms and escalate that to the FBI. The FBI will investigate and take appropriate actions quicker and more effective when working on the cases in group.

    I have done the above steps.

    ReplyDelete
  4. A Crypto Scam VictimDecember 21, 2021 at 2:15 AM

    Great video: https://www.youtube.com/watch?v=W4-EEddpwx4&t=633s

    ReplyDelete
  5. John MasehiJanuary 3, 2022 at 4:03 PM

    I found a lawsuit against Coinbase:
    https://unicourt.com/case/pc-db5-alfia-v-coinbase-global-inc-1072512

    ReplyDelete
    Replies
    1. JosieJanuary 19, 2022 at 7:53 PM

      This just happened to me this week, exactly as you described. But the website or DAPP name is called Aaveeth, mine shows that I participated in a Erc20 Smart Contract. I only ask because the so called 'financial adviser' that I'm talking to told me to ask for the reward and then the customer service told me I pledge on the said contract and I must put in $20,000. Then all of a sudden all of my money was gone and now in the so called Mortgage in that same DAPP account. I lost almost $10,000 and I don't know if Coinbase is able to help me or not. They seem to not understand what I'm talking about. It feels like they are part of scamming people this easily. I will file a report this week.

      Delete
    2. A Crypto Scam VictimJanuary 19, 2022 at 10:43 PM

      Hi Josie, please don't listen to those fake support and add money to your wallet. Please follow the steps outlined above.

      Delete
  6. AnonymousApril 29, 2022 at 8:22 PM

    I got done too. Did you get your money back?

    ReplyDelete
  7. AnonymousJuly 6, 2022 at 4:30 PM

    Have any of you recovered your money

    ReplyDelete

Post a Comment

Popular posts from this blog

Inside The Scammer's DApp

Image
With Chrome Dev Tools , I was able to look inside the client code of https://u2e-free.com. This site is the scam dapp that drained all my USDT after my Coinbase Wallet granted them unlimited spending of my USDT. The site is a single-page web application written in Vue.js v2.6.12 and web3.js . Below is the tree view of the site. The application supports two different languages in its UI — English and Chinese, with English as the primary language. I concluded that English is the primary language because there are untranslated texts for the Chinese version as shown below. Next I will focus on the code that implements the Receive button. This is the most important action because it is what obtained the permission to spend unlimited USDT from victims' wallets. Below is the receive function that implements the action. The function above does the following: Obtain the USDT Contract Get the estim
Read more