Bitcoin (BTC) self-custody provider Casa is warning about physical attacks against Bitcoin holders in a blog post describing the details of a recent incident.
Their client’s bad Tinder experience combines elements of social engineering, sim swapping, and a more old-school drugging and robbing attack.
One of our clients was targeted on a dating app and ended up being drugged with the goal of draining his crypto accounts. This is the story of the attack and our postmortem analysis of what went wrong and what went right. https://t.co/co3XacQGQp
— Jameson Lopp (@lopp) July 8, 2021
Devil’s Breath
According to the story, an alleged Bitcoin holder and trader found his date via the mobile app Tinder, where he contacted a woman who claimed to be a “cryptocurrency trader.”
As the two met up in person, he noticed that her pictures were slightly different from her in-person appearance, but he didn’t think much about it.
The victim remembers that “she said her parents bought her 1 bitcoin for $30,000, but otherwise she didn’t talk about crypto for the rest of their time together.”
In the course of their date, the two decided to go back to the man’s apartment, and somewhere along the way the woman laced his drink with scopolamine, also called ‘Devil’s Breath,’ or a benzodiazepine, drugs known to cause memory loss as well as impaired inhibition.
According to the post, “he believes the woman picked up his phone and asked him to show her how to unlock it and find his passwords.”
The man woke up the next day and his phone was missing, even though all of his other belongings, including a wallet with cash, debit cards, and ID were still there.
Saved by the multisig
The victim immediately checked “various accounts from his laptop and saw that purchases from his bank account had been attempted at several exchanges and Bitcoin withdrawals had been attempted from other custodial services,” as the attacker tried to strip him of everything he had, figuratively speaking.
“Many of our clients will also have password managers and 2FA on their phone. In the case of this client, though he was not using SMS 2FA, he was using TOTP 2FA via a Google Authenticator app on the phone. Since the attacker had coerced his phone unlock PIN from him, they had access to 2FA for all of his accounts,” mentioned the post as the author drew a parallel to so-called SIM swap attacks.
He eventually lost only a small amount of Bitcoin when one of his exchange accounts was compromised, while the bulk of his holdings was saved thanks to the multisig setup he had.
The attacker held only one of the victim’s five keys, and the victim was able to block the remaining purchase and withdrawal attempts by contacting the custodians and reporting the compromise.