Dr. Anders Apgar was out for dinner last month with his family, and his phone would not stop buzzing. It looked like a robocall, so he tried to ignore it.
But the calls would not stop. Then his wife’s phone also started to ring.
“When she picks it up, a banner came across, a notification that says, ‘Your account’s in jeopardy,'” he said.
The warning, which he said was a text message, prompted him to pick up his phone. That was when the couple’s nightmare started.
It’s the kind of nightmare many crypto account holders around the country are facing as hackers target a boom in the industry, cybersecurity experts said.
The Apgars, who are both Maryland-based obstetricians, began investing in cryptocurrency several years ago. By December, their account had grown to about $106,000, mainly held in bitcoin. Like millions of investors across the country, their account is with Coinbase, the country’s largest cryptocurrency platform.
When Apgar picked up the phone, a female voice said, “Hello, welcome to Coinbase security prevention line. We have detected unauthorized activity due to failed log-in attempt on your account. This was requested from a Canada IP address. If this (is) not you, please press 1, to complete precautions recovering your account.” The call lasted just 19 seconds.
Alarmed, Apgar pressed 1.
He said he cannot remember if he manually entered his two-factor authentication code or if it came up automatically on his screen. But what happened in that moment led to his account being locked in less than two minutes. As Apgar has not regained access, he said he assumes the fraudsters stole most if not all of the crypto, but he can’t be sure.
“It was just dread and an emptiness of just, ‘Oh my gosh, I can’t get this back,'” he said.
The Apgars were targeted by a particularly insidious type of fraud that takes advantage of two-factor authentication, or 2FA. People use 2FA, a second level of security that often involves a passcode, to safeguard a range of accounts at crypto exchanges, banks or anywhere else they carry out digital transactions.
But this new type of fraud goes right at that 2FA code, and it uses people’s fear of their accounts being hacked against them. In taking action they think will protect them, they actually expose themselves to thieves.
The fraud tool is called a one-time password, or OTP, bot.
A report produced by Florida-based cybersecurity firm and CNBC contributor Q6 Cyber said the OTP bots are driving substantial losses for financial and other institutions. The damage is hard to quantify now because the bot attacks are relatively new.
“The bot calls are crafted in a very skillful manner, creating a sense of urgency and trust over the phone. The calls rely on fear, convincing the victims to act to ‘avoid’ fraud in their account,” the report said.
The scam works in part because victims are used to providing a code for authentication to verify account information. At first listen, the robocalls can sound legitimate — especially if the victim is harried or distracted by other things at the moment the call comes in.
“It’s human nature,” said Jessica Kelley, a Q6 Cyber analyst who authored the report. “If you receive a call that tells you someone’s trying to sign in to your account, you’re not thinking, ‘Well, I wasn’t trying to.'”
The bots began showing up for sale on messaging platform Telegram last summer. Kelley identified at least six Telegram channels with more than 10,000 subscribers each selling the bots.
While there is no official estimate on the amount of crypto stolen, Kelley said fraudsters routinely brag on Telegram about how well the bots have worked, netting for each user thousands or hundreds of thousands of dollars in crypto. The cost of the bots ranges from $100 a month to $4,000 for a lifetime subscription.
“Before these OTP bots, a cybercriminal would have to make that call himself,” Kelley said. “They would have to call the victim and try to get them to divulge their personal identifiable information or bank account PIN or their 2FA passcode. And now, with these bots, that whole system is just automated and the scalability is that much larger.”
“Once the victim inputs that 2FA code, or any other information that they requested the victim put in their phone, that information gets sent to the bot,” Kelley said. The bot “then automatically sends it to the cybercriminal, who then has access to the victim’s account.”
She said criminals could “potentially steal everything, because with these transactions, they can do them one after the other until the amount is basically drained.”
In a statement to CNBC, a Coinbase spokesperson said, “Coinbase will never make unsolicited calls to its customers, and we encourage everyone to be cautious when providing information over the phone. If you receive a call from someone claiming to be from a financial institution (whether Coinbase or your bank), do not disclose any of your account details or security codes. Instead, hang up and call them back at an official phone number listed on the organization’s website.”
David Silver, another Coinbase customer, knew the company would not be calling him. He recently received a robocall saying there was a problem with his account.
“And immediately, it was an electronic voice that told me it was Coinbase Fraud Department,” he said. “And I immediately turned to the lawyer sitting next to me and said, ‘Start videoing.’ I knew instantaneously what this was and what it was going to be.”
Attorney David Silver
CNBC
Silver knew what the call was about because he is not just a Coinbase client — he is an attorney who specializes in cryptocurrency and financial fraud cases.
Silver pressed 1 and found himself on a live call. A person got on the line pretending to be a Coinbase employee.
“And they immediately started telling me things that I know are in violation of what Coinbase would do,” he said. “For instance, they will never ask for your password. They will never try and take over your computer.”
Silver asked if he could be sent an email verifying that the call was from Coinbase. The answer was no.
“And their answer was no because there’s only certain ways that you can mask the email coming directly from a domain that nowadays, the domain carriers such as GoDaddy, Google — it’s very hard to spoof email coming from the domains,” he said. “And they weren’t willing to send me the email. I would say that was my last shred of hope that they were legitimate is when I asked them to send me the email and they said no.”
After nearly seven minutes, Silver was asked to share his computer screen. He ended the call.
“I’m not surprised I got the call. But I do question how they had my personal cell phone number and where they’re getting that information to tie me to Coinbase,” he said.
Apgar said he wishes he had never answered the phone. To make matters worse, he has been unable to get his account access restored, he said. When CNBC reached out to Coinbase about the Apgars regaining access to their account, a company spokesperson said the matter was turned over to its security team.
Apgar said Monday that he had just responded to an email from Coinbase to help restore access to the account.
Customer service at Coinbase has been a widespread problem, CNBC found last year. Customers around the country said hackers were draining their accounts but when they turned to Coinbase for help they could not get a response. After the story, Coinbase set up a phone support line to help customers, but even that has been fraught with problems.
Asked what he could have done differently, Apgar said it’s simple: not answer the phone.
Email tips to investigations@cnbc.com