Episode 2 – Coinbase Account Hacked, $70,000 Lost
Matthew Piliaci is our guest for Episode 2 of ‘How I Got Hacked’. Through a SIM swapping attack, cybercriminals gained access to his Coinbase account, converted all his digital assets to Bitcoin, and stole the equivalent of $70,000.
| Date: | March 2021 |
| Type of Hack: | SIM Swap Attack |
| Type of Storage: | Centralized Exchange |
| Value of loss (at time): | Approx. $70,000 |
| Value on Jan 1st, 2025: | Approx. $137,000 |
A SIM swap is a type of scam where a hacker takes control of your phone number by tricking your mobile carrier into transferring it to their SIM card.
Getting Custody Wrong
Crypto was created to give people the power to be their own bank, and take control of their finances back from intermediaries. From that lens, self-custody – where you hold your own private keys and thus truly control your crypto – is more than just the most secure way to manage your crypto.
After all, if not self-custody, then why crypto?
“I knew I was not going to get it back. I just wanted to hear that, you know? So I could come to terms with it.”
Mistake #1: Storing crypto on a centralized exchange
Matthew stored his assets in a Coinbase account, opening him up to this attack. Custodial wallets, like those of centralized exchanges, use the standard web2 email/password combination for account login.
These accounts often use your phone number as a method of two-factor authentication (2FA), making it possible to use your phone to access your account or alter your account information, such as your login email address or password. One downside of using your phone as 2FA is that it can open you up to SIM swapping attacks.
These attacks essentially involve a hacker tricking your mobile phone carrier into transferring your phone number to their SIM card, allowing them to take control of any associated accounts.
“I logged in to my account, and I saw that everything was gone. And I was like, zero balance, no… no. And my heart just… Help?”
$70,000: The value of Matthew Piliaci’s assets stolen via SIM swapping
Doing It Right
Situations like this are not possible when you practice secure self-custody. Unlike the custodial crypto wallets of centralized exchanges, non-custodial wallets require you to safeguard your private keys with a seed phrase/secret recovery phrase. While this puts more responsibility on the user to properly store their seed phrase, it prevents third parties from accessing your crypto via SIM swapping.
For any situations where you do need secure 2FA, you can always use Ledger Security Key, an app that allows you to use your Ledger device with websites that support passkeys and multi-factor authentication (MFA).
For some more tips on securely managing your crypto, read our articles on Ledger Academy to learn about hardware wallets and self-custody in crypto.
Watch Episode 2 of ‘How I Got Hacked’ for the full story.