How a hacked phone number cost Jered Kenna millions in bitcoins

Jered Kenna was pretty cautious with his bitcoins, keeping his savings mostly offline. But his process had one big flaw, and it cost him a lot.

Writer Laura Shin tells the tale in an exclusive Forbes article. She describes how Kenna’s troubles first started coming to light when he was notified that passwords were reset on two of his email addresses. He tried creating new passwords by prompting the email service to send him text messages with a code, to no avail.

“I called the company to make sure I hadn’t forgotten to pay my phone bill, and they said, you don’t have a phone with us. You transferred your phone away to another company,” Kenna told Shin.

He ultimately discovered that a hacker faked his identity and moved his phone number from T-Mobile to a carrier called Bandwidth that was linked to a Google Voice account the hacker controlled. Shin writes:

Once all the calls and messages to Kenna’s number were being routed to them, the hacker(s) then reset the passwords for Kenna’s email addresses by having the SMS codes sent to them (or, technically, to Kenna’s number, newly in their possession). Within seven minutes of being locked out of his first account, Kenna was shut out of up to 30 others, including two banks, PayPal, two bitcoin services – and, crucially, his Windows account, which was the key to his PC.

Though he did have some bitcoins in online services, particularly since his businesses accept bitcoin as payment, he kept almost all his bitcoins on an encrypted hard drive. “It was essentially my never-sell-this-until-it-goes-to-a-billion-dollars nest egg,” he says. He had kept it offline for most of the past several years, but had connected that device in recent weeks to move them somewhere more secure and sell some. Though he had locked it with a 30-character password, the hackers moved the coins off. And unlike a credit card transaction, a transfer of a cryptocurrency is irreversible.

Bitcoin hunger fuels ransomware surge

Kenna’s story is part of a larger trend of hackers aggressively going after bitcoins. A perfect example of this is the surge in ransomware, where attackers use malware to lock accounts and demand ransom payments in exchange for returning control to the victim. In many cases, the bad guys want their payment in bitcoins.

The scope of the problem was made clear in a September 2016 survey of 1,250 consumers Sophos polled in the US, UK, Germany, Switzerland and Austria. ReRez Research conducted the study and asked consumers about their awareness of phishing, ransomware, malware, spyware, hack attacks and other prevalent cyberthreats. More than 30% of those surveyed were not familiar with ransomware or perceived it as a low threat, despite its being among the most notorious and debilitating cyberthreats right now.

“Those within cybersecurity circles know ransomware has become a lucrative billion-dollar business for an army of cybercriminals who use toolkits developed by super hackers,” John Shaw, vice-president of Sophos’ Enduser Security Group, said after the survey results were released last week. “Consumers are the most vulnerable to ransomware, malware and spyware, because unlike at work, they don’t have an IT department looking over their shoulder and handling cyber security as part of a full time job.”

With ransomware awareness low and the hunger for bitcoins high, we can expect to see a lot more of this.

The weakest link

As Kenna’s situation demonstrates, even heightened awareness isn’t enough sometimes. Despite Kenna’s precautions, all it took for the hacker to succeed was access to a phone number he used for more than one account. Security experts have long warned against using the same phone number or password for multiple accounts because of this type of situation.
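To see how far one shared phone number reaches, you can map each account's password-reset routes and compute what falls when a single factor is lost. The sketch below is an added example, not part of the original article; the account names, recovery routes and the phone number are constructed sample data.

```python
# Audit of account-recovery dependencies: which accounts can be reset once
# a given factor (e.g. an SMS number) is in someone else's hands?

# Constructed sample inventory. Each account maps to a list of reset routes;
# a route is the set of factors that together suffice to reset the password.
ACCOUNTS = {
    "email-primary":    [{"sms:+1-555-0100"}],
    "email-backup":     [{"sms:+1-555-0100"}],
    "bank":             [{"email-primary", "sms:+1-555-0100"}],  # needs both
    "paypal":           [{"email-primary"}],
    "bitcoin-exchange": [{"email-backup"}, {"totp-app"}],        # either route
    "os-login":         [{"email-primary"}],
    "cloud-storage":    [{"hardware-key"}],
}

def blast_radius(accounts, lost_factors):
    """Return the accounts that become resettable, in the order they fall."""
    controlled = set(lost_factors)
    fallen = []
    changed = True
    while changed:                      # repeat until no new account falls
        changed = False
        for name, routes in accounts.items():
            if name in controlled:
                continue
            # An account falls if every factor of any one route is controlled.
            if any(route <= controlled for route in routes):
                controlled.add(name)    # a taken account is itself a factor
                fallen.append(name)
                changed = True
    return fallen

def rank_factors(accounts):
    """Rank each non-account factor by how many accounts its loss exposes."""
    factors = {f for routes in accounts.values() for r in routes for f in r}
    factors -= set(accounts)            # keep only external factors
    scored = [(f, len(blast_radius(accounts, {f}))) for f in factors]
    return sorted(scored, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for factor, count in rank_factors(ACCOUNTS):
        print(f"{factor}: {count} account(s) exposed")
```

In this sample the SMS number exposes six of the seven accounts, while the account recoverable only with a hardware key is untouched; the accounts that depend on email fall because the email accounts themselves depend on SMS.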

Shin writes:

In a larger wave of bitcoin scams that have hit everyone from everyday people to hospitals, Kenna’s experience is only one of a spate of recent hackings of high-profile cryptocurrency industry players such as venture capitalists, entrepreneurs, C-level executives and others who have had their phone numbers hijacked, some of whom have also suffered financial losses, several of whom have been threatened or ransomed, and one of whom was put in physical danger.

But the security weakness being exploited here is not one that only affects cryptocurrency industry players — they are simply being targeted first because such transactions cannot be undone. The security loophole these hackers are milking can be used against anyone who uses their phone number for security for services as common as Google, iCloud, a plethora of banks, PayPal, Dropbox, Evernote, Facebook, Twitter, and many others. The hackers have infiltrated bank accounts and tried to initiate wire transfers; used credit cards to rack up charges; gotten into Dropbox accounts containing copies of passports, credit cards and tax returns; and extorted victims using incriminating information found in their email accounts.

Kenna’s situation is a stark reminder that once your bitcoin (and ID) are gone, you can’t get them back.