• zhuwansuiwansui

I lost over $50,000 from a DApp phishing scam in Coinbase Wallet

Updated: Feb 22

When Rambutan saw the earnings on his brother-in-law's Coinbase Wallet account from joining a mining pool, recommended to his brother-in-law by an individual he only met on Facebook [scammer profile here], Rambutan was intrigued. New to cryptocurrency in general, he did some research before downloading both Coinbase and the Coinbase Wallet apps from the Google Play Store to start his journey in crypto investing. When he and his brother-in-law transferred large amounts into their Coinbase Wallet, Rambutan assured his sister that it was akin to putting money in one's own wallet: no one could take it out without one's own permission. Or so he thought.



A few days ago, all my money, $58,797, in my Coinbase Wallet was drained from my wallet without me knowing about it until I opened my wallet.


I believe Coinbase Wallet users can easily be phished into letting a DApp (Decentralized Application) take control and grant spending permission to an external entity.

My empty wallet 😢


Contacting Coinbase/Wallet Support, which was the only way I knew to reach them, was not helpful. All Coinbase said was that I may have leaked the recovery phrase to the scammers, without looking into the details I provided.


I found a recent review on Google that I think describes the situation really well.


A recent user review on the Google Play Store


What happened to me

My brother-in-law showed me his Coinbase Wallet a few weeks ago after he joined a mining pool and they were giving out Ethereum every day. He is also a Coinbase user, so he showed me the Coinbase app I needed to download. I was new to crypto, so I installed both the Coinbase and Coinbase Wallet apps from the Google Play Store to my Android phone and started my journey.

Reading about Coinbase Wallet from Google's search results, it is considered one of the most secure wallets out there:

Thus, I chose to install Coinbase Wallet as my first crypto wallet to start mining, with full trust in the app. Here's the version of Coinbase Wallet that I had installed:

Coinbase Wallet version 25.8.398

The "mining pool" I joined is a DApp with the address u2e-free.com. This address is only accessible using a DApp browser inside the wallet (or with a wallet browser extension, which I found out later).

The DApp u2e-free.com


The DApp also has a promotional website here: https://u2e-free.vip/, where for the first 10 days, the DApp gave out Ethereum as expected. It was a large profit, so I transferred a lot of Tether (USDT) to my wallet. The more USDT I had in my wallet, the higher the yield.

The big "profit" rates (per day)


I was totally confident in Coinbase Wallet's reputation, ignoring my suspicion about the unrealistically high profit. I believed that as long as the money stayed in my safe Coinbase Wallet and no one else knew my recovery phrase, it could not be taken out without my approval. I was wrong. All my money was drained from my Coinbase Wallet through this transaction: https://etherscan.io/tx/0x28fe570dc54f6432db9fd7b7fce68083c081f9eff69c8334a30c9077d22e775c

The transaction where my money was stolen

Reviewing the transaction, there was something that did not look right: the address that interacted with the USDT contract (highlighted in orange) is not the same as my address (highlighted in yellow).


How can another address drain my wallet? Thus, I looked further and found a transaction that granted Authorized Spender permission in a Smart Contract to an external entity: https://etherscan.io/tx/0x5d3b28977f2f9b591f705bd24eeb777d50b9c35dd19cc3bf80223377f7072f7f


My Coinbase Wallet granted Approved Spender permission to an external entity to spend unlimited USDT in my wallet after I tapped Confirm. Notice that there is $0 at risk because the scammers took it all in one go.

I looked further into what that entity is doing and discovered that the entity is draining money from a lot of other wallets too.

The "spender" is draining a lot of wallets, including mine (highlighted)

Reviewing one of the addresses that the entity transferred money to, we can get some idea of the amount of money that was taken. This entity has been active since 10/16/2021 and is currently draining people's wallets.

IN/OUT transactions of the entity. The transactions of my brother-in-law and mine are highlighted.

I contacted Coinbase multiple times after my research, provided them with details, and asked them whether it is possible for a DApp to take control of Coinbase Wallet, and here's what they told me:

"If you did not authorize any outgoing transactions from your Coinbase Wallet, it means that your recovery phrase has been compromised." Even though crypto was new to me, I am really familiar with the Internet and know how to keep secrets safe. Also, it was not my address that made the transfer action, but a different entity. They did not help explain to me that "authorize outgoing transactions" could be done by tapping Confirm on a dialog sometime in the past.

Coinbase's support information misleads people into believing that as long as their recovery phrase is safe, no other entity can take money out of their wallet, which is not true.

I found the following article from February discussing the issue: Bad Actors Abusing ERC20 Approval to Steal Your Tokens! Surprisingly, this issue still exists in Coinbase Wallet. From the article, you can use https://revoke.cash in your DApp browser to query whether there are transactions that granted the Approved Spender permission and revoke them. Coinbase Wallet has no interface listing these transactions that may drain your wallet. I believe there are a lot of other victims aside from my brother-in-law and me. I have gathered the following reviews of Coinbase Wallet recently posted on the Google Play Store. I believe they are users who are in the same situation as us, as you can see below.




Update

Coinbase Wallet did have this Confirm Payment dialog when tapping on Receive:


I could not reproduce this on u2e-free.com because that DApp validates Ether balance before requesting approval and my wallet was low on Ether. However, I was able to trigger this dialog on https://www.p2p-eth.com. I have edited this post based on this new understanding.


--Rambutan
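As an added illustration (not code from Rambutan's post or from Coinbase Wallet), the following JavaScript decodes the raw calldata behind an ERC20 "Confirm" dialog of the kind described above, flags an unlimited approve() that lets a third address later call transferFrom(), and builds the approve(spender, 0) call that revokes such an allowance, which is what a tool like revoke.cash submits to the token contract. The spender address and amounts are constructed; the four-byte selectors are the standard ERC20 ones.

```javascript
// Added example: inspect ERC20 calldata before tapping Confirm, and build the
// revocation call. Not code from the original post or from Coinbase Wallet.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",              // grants an allowance
  "0x23b872dd": "transferFrom(address,address,uint256)", // spends an allowance
  "0xa9059cbb": "transfer(address,uint256)",             // ordinary transfer
};
const APPROVE_SELECTOR = "0x095ea7b3";
const UINT256_MAX = (1n << 256n) - 1n; // the "unlimited" allowance value

const word = (d, i) => d.slice(10 + 64 * i, 10 + 64 * (i + 1)); // i-th 32-byte ABI word
const toAddress = (w) => "0x" + w.slice(24);                    // address = last 20 bytes
const toUint = (w) => BigInt("0x" + w);

function decodeErc20Call(data) {
  const d = data.toLowerCase();
  const sig = SELECTORS[d.slice(0, 10)];
  if (!sig || (d.length - 10) % 64 !== 0) return { kind: "unknown", selector: d.slice(0, 10) };
  const fn = sig.slice(0, sig.indexOf("("));
  if (fn === "approve") {
    const amount = toUint(word(d, 1));
    return { kind: fn, spender: toAddress(word(d, 0)), amount, unlimited: amount === UINT256_MAX };
  }
  if (fn === "transferFrom") {
    return { kind: fn, from: toAddress(word(d, 0)), to: toAddress(word(d, 1)), amount: toUint(word(d, 2)) };
  }
  return { kind: fn, to: toAddress(word(d, 0)), amount: toUint(word(d, 1)) };
}

// Plain-language summary of an approval: what the dialog should have said.
function describeApproval(data, symbol, decimals) {
  const c = decodeErc20Call(data);
  if (c.kind !== "approve") return `not an approval (${c.kind})`;
  const amt = c.unlimited ? "UNLIMITED" : `${c.amount / 10n ** BigInt(decimals)}`;
  return `grants ${c.spender} permission to spend ${amt} ${symbol} from your wallet`;
}

// approve(spender, amount) calldata; with amount 0 it revokes the allowance.
function encodeApprove(spender, amount) {
  return APPROVE_SELECTOR + spender.slice(2).toLowerCase().padStart(64, "0") +
    amount.toString(16).padStart(64, "0");
}

// Constructed sample: an unlimited USDT (6 decimals) approval to a made-up spender.
const SPENDER = "0x1111111111111111111111111111111111111111";
const SAMPLE_APPROVE = encodeApprove(SPENDER, UINT256_MAX);
console.log(describeApproval(SAMPLE_APPROVE, "USDT", 6));
console.log("revoke with:", encodeApprove(SPENDER, 0n));
```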


Editor's Note: If you are a victim of this scam, please visit the following subreddit: r/eth_liquidity_scam for more information and support, as well as the GASO Live Chat for help and support.


Original post here. Many thanks to Rambutan for allowing us to repost his experience.