A single "yes" click on a Google prompt cost two cryptocurrency investors millions after they fell victim to sophisticated phone scammers impersonating Google support, reports Brian Krebs on KrebsOnSecurity.
Adam Griffin, a Seattle-area firefighter, lost $450,000 from his Exodus wallet after receiving a call from a fake Google representative. The scammer had called from an actual Google Assistant phone number and sent security alerts directly from google.com using Google Forms. After Griffin clicked "yes" on a Google prompt, the thieves gained access to his Gmail account – and discovered he had stored his cryptocurrency wallet's secret seed phrase as an image in Google Photos. Armed with this recovery phrase, they quickly drained his funds. When the crooks later attempted to steal an additional $100,000 from Griffin's Coinbase account, the platform's security measures caught and blocked the transaction.
Just days later, the same scam group struck again, this time phishing 45 bitcoins (worth $4.7 million) from Tony, a California father of two. The scammers convinced Tony to enter his cryptocurrency seed phrase into a fake Trezor website (verify-trezor[.]io) that mimicked the real platform. They had gained his trust through a similar Google impersonation scheme, followed by a call claiming to be from Trezor's security team warning about account closure.
The mastermind behind the scheme, who goes by "Daniel," later bragged about his success in a recorded call with cryptocurrency podcaster Junseth. "No one gets arrested," Daniel boasted. "It's almost like there's no consequences."
Google confirmed to Krebs this was a "narrow and targeted attack" reaching a "very small group of people." The company emphasized that the real Google will never initiate calls to users about account security issues.
"I know I definitely made mistakes, but I also know Google could do a lot better job protecting people," Griffin told KrebsOnSecurity, noting how easily the criminals abused multiple Google services in their elaborate scheme.
The lesson: never trust unsolicited calls about account security, even if they appear legitimate. As Krebs advises, "Hang up, look up, and call back" using official contact information you verify independently.