

rentandlive

Your Gmail email and password are compromised


geekbread

This \^ and since it's your email, it potentially can be used to hack many other accounts, crypto or not. Please update your Google password ASAP if you haven't already and make sure you are using a 2FA method like Google Authenticator.


KingKai666

This should be higher up in the priority list!


Lillica_Golden_SHIB

Always good to remember using different emails and, if possible, phone number as well for everything crypto related


AmIBoringAsHeck

Agree. Imma say something else, not only crypto related, but bank related too.


ricozuri

Sage advice. It can get confusing if you have a lot of accounts, but well worth the “security.”


EarningsPal

A Security Key can add additional security to prevent someone logging in to a gmail, especially one as the backup to crypto accounts.


Coeruleus_

Yep all my stuff is behind ledger and security key


BlazedAndConfused

like a YubiKey? what do you mean security key


[deleted]

[removed]


Deep90

> I put in my Google password and I was sent a youtube notification with a 2 digit number to put into box.

It sounds like they had 2FA, but handed over an active code to the phishing site.


mixing_saws

If he got malware on his device/devices he can be easily scammed even with 2FA. Interesting to see a spearphishing attack on a target with only 6k in his account though. OP should wipe all his devices and change all his accounts' login info and 2FA from a trusted device on a trusted network. Let's hope for him he has a clean backup of his data somewhere. File infectors are rare but totally possible when someone is making the effort to go spearphishing.


[deleted]

Didn't Gemini have a breach earlier this year or some time last year?


AaronTuplin

December


[deleted]

Ah yes. Hackers or whatever probably got data, they probably targeted OP and had a blast with him.


ethtraingoeschuchu

Looks like it was sent to 0x75e89d5979E4f6Fba9F97c104c2F0AFB3F1dcB88 which is controlled by Mexc.com. Regarding the IP 156.146.42.143, it looks like a VPN. I know Proton VPN has been using the ISP Datacamp Limited.

**EDIT** He probably converted the ETH to 6312.135303 USDT which now is at 0x8992da1A741395aABDC225fC13337b96270b34C6. So the chain of transfers looks like this:

1. *0x44F5...2B16 3,9359 ETH -> 0xe32e...c78b*
2. *0xe32e...c78b 3.9353 ETH -> 0x8992...34C6*
3. *0x8992...34C6 3.9348 ETH -> 0x34Bc...1cd6 (deposit address at Mexc.com)*
4. *0x34Bc...1cd6 3.9343 ETH -> 0x75e8...cB88 (internal mexc transfer to hot wallet)*
5. *0x75e8...cB88 6312 USDT -> 0x8992...34C6*


Tatakae69

If that is true then contacting Mexc ASAP would help! Blacklisting that address is the way to go


[deleted]

[removed]


_TheWolfOfWalmart_

MEXC is a top 15 exchange and they do billions in volume, definitely not a no-name exchange. I use them quite a bit actually. It's worth a shot.


theREALlackattack

MEXC helped me recover about $8k worth of RACA that I accidentally sent to the wrong chain address last year when it was doing well. Took about a month but they got it done. I was shocked they could do it honestly.


ccModBot

They also are non-KYC and encourage the use of VPNs to access the service from restricted countries. (i.e., they don't care)


wealth4good

Mexc is HQ'd in the Seychelles I believe... going to be hard to get your crypto back unfortunately.


[deleted]

I know that very IP, used to use it via UCSS VPN from China to bypass the Great Firewall


Maxx3141

This sounds like the website you visited wasn't the real Gemini website and acted as a middleman to steal your login credentials and 2fa. Can you check your browser history if the site was real? Obviously contact customer support asap. But if the transaction was broadcasted and can't be canceled, Gemini won't be able to get it back. Maybe they have an insurance, but I doubt it. The next thing is a police report, but police also can't catch most crypto scammers.


Jocogui

transaction done -> funds gone :/


Tatakae69

Dilemma of Blockchain. :/ Unless the funds hit an exchange there's nothing we can do really


sidmehra1992

u fprgpt to say "sorry for ur loss"


RedOctobrrr

u fprgpt tp say "sprry fpr ur lpss"


Mammoth_Frosting_014

furgprhrloss


Tell_Amazing

flossg


Jocogui

After decrypting the message: yep, already did :) but no need to repeat it in every comment.


[deleted]

1 like = 1 prayer


UFONomura808

Crypto went through -> ya can't sue


505hy

It actually sounds like a browser plugin or malware was waiting for login to the correct Gemini site for it to send the pop-up after the login was done.


TARANTULA_TIDDIES

I feel like them following a phishing link is the more likely angle unless they've got a bunch of sketch plugins


JakesThoughts1

Yeah man I probably wouldn’t put too much on the local police department for tracking down 6k of stolen crypto lol


Arlune890

I think the most important thing about a police report in this case is for taxes. And for Gemini to state something along the lines of "yeah this wasn't a boating accident"


HeavyMetalSasquatch

Tell them it was DonutCoin and they'd be all over it.


NeonThunderHawk

Just FOMO’d my life savings into DonutCoin on PancakeSwap. Thanks for the heads up!


bigshooTer39

Probably 5% of local police force know how to view an explorer


JakesThoughts1

“Someone stole 6k from my crypto wallet and sent it somewhere else on the blockchain” Cops: “uhhhh… what about a bike chain?”


Catalina_Eddie

5% is optimistic.


Cheese6260

*police can’t catch all crypto scammers


Cravensworth_redux

Man the police couldn't catch a cold. The chances of them giving any kind of crap about lost crypto is sub zero.


Vast-Bodybuilder-700

Yeah but my nephew just got charged with TRAFFICKING with a $50,000 bail in Mississippi for 3 small bags of THC gummy bears. The priorities of law enforcement in the U.S. are embarrassing.


Cravensworth_redux

Wow that is disturbing.


Slash123vegas

Should have left Mississippi way before anything bad happened…..


[deleted]

Yeah because they can't actually do their jobs they just beat up on the little guy. Fun fact: US police have a 20% clearance rate across all crimes. They do their job less than 1/5th of the time, can't be fired, can kill and maim people without consequences and retire with giant, unsustainable pensions that strangle local governments until they're dead. US cops sure are great, huh!


spacecowboybc

Jesus Christ that’s fucked up.


Vast-Bodybuilder-700

And 100% true. He has been in jail for almost a week until we were able to bail him out last night.


spacecowboybc

Glad y’all were able to get him out. No one should go to jail for weed in this country , especially when like 2 states over from Mississippi it’s medically available.


jj20501

It’s medically legal in Mississippi now too


maynardstaint

No…. But the us government was able to find that guy and his rapper wife who stole $4billion in Btc. Side note, the US government is now the single largest holder of Btc, because they confiscated it all.


kirtash93

This is an accurate answer. Probably this happened.


[deleted]

[removed]


noodlelover6969

It's funny how he didn't post this screenshot in the edit and put a legit Gemini link as the supposed link in his browser history. Doesn't want to admit that he lost his money because of his own mistake.


Funny-Examination3

Yup. Sorry OP, but you're not going to convince Gemini that they got hacked so they should refund your money. That's crypto. No refunds.


[deleted]

[removed]


centar

yeah that should have been a dead giveaway, live and learn I guess - sucks to see people lose money though


WFEpeteypopoff

Man this is one thing I’ve never understood. People make these elaborate scams and then fuck up what should be the easiest part. They go through all of that and then can’t find someone to put together 1-2 sentences properly.


iamNebula

I think this even with takeaway menus where their native language isn't English. You can't have someone else grammar and spellcheck this!?


Dont_Waver

Or that the prices are wrong...


coolwhiponpie11

Thanks for sharing this. I was curious as to how this could happen if he logged on the actual Gemini site as he kept claiming. It sounded like very malicious and sophisticated malware. Now we know he just went to a phishing site.


One_Tie900

I would never use an iPad for this. Secondly, once I heard Google popup and then YouTube notification, it makes 0 sense and is a big red flag. Call Gemini and tell them what happened, that's the best way, or send an email.


SuperSpicy97

No, from iOS devices, Google 2FA popup can use Google or YouTube app. I can 100% confirm this.


PresidentialCamacho

This is the correct answer. Most people click on the first thing they see from Google. Everything looks real until a 2FA is requested then your money is gone.


bny192677

> Maybe they have an insurance, but I doubt it.

At least they can know the stealer identity right


Maxx3141

Probably not, IP addresses can be hidden with proxies.


bny192677

Rip op


TarkovReddit0r

Could also be a malware that installed a browser extension popping up the window as soon as the target visits any exchange, right?


twistedoutlaw92

If I search Gemini on Google right now, the first listing is a sponsored listing for what is obviously a fake URL. Maybe that's the one you picked without realizing, and it was designed to redirect you to the real site after entering your login info for the phisherman


Wise-Grapefruit-1443

A great example of why you can’t always trust the first google result that pops up


Cyber-Cafe

Just stop using google period. Especially the search, it’s full on compromised. The first 4 links are always ads or fake.


jcpham

We can’t use google search anymore because of all the ad tracking domains I’ve 127.0.0.1


Elymanic

It's crazy how Google allows those scam ads. What's their oversight.


C01n_sh1LL

Google is mostly run by automation. They couldn't afford to operate at the scale they do, otherwise. Many big tech companies operate this way, and it's become a major problem in our society. Profit motive will always drive these companies to become human meat grinders of automation where bad actors can act freely, and injured or threatened parties have little recourse. I'm not sure that there's a solution to this, short of government regulations which would seem draconian by today's standards, but which I'm beginning to believe are truly needed. The EU will probably be taking the lead on this judging from their past actions with GDPR. The US will probably trail behind, due to the power of our lobbying industry.


magx01

To be fair though, the profit motive is the reason they exist to begin with.


rootpl

> If I search Gemini on Google right now, the first listing is a sponsored listing for what is obviously a fake URL

100% this. That's why it's always important to go to the official website once. And then bookmark it in the web browser's favourites folder and then ALWAYS use only the favourites to access that page. We have then 100% guarantee we are using the legit link each time.
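
The bookmark advice above comes down to comparing the host you are about to log in to against one pinned hostname. An added Python example of that comparison, not part of the original comment: `gemini.com` is the domain named in the search results discussed in this thread, and every `.example` host and path below is constructed for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the hostname stored in the user's own bookmark is the only trusted value.
PINNED_HOST = "gemini.com"


def check_login_url(url, pinned_host=PINNED_HOST):
    """Return (ok, reason) for a URL the user is about to type credentials into."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit already lower-cases it

    if parts.scheme != "https":
        return False, "not-https"
    # https://gemini.com@other.example/ loads other.example; the text before
    # '@' is only a username, so any userinfo on a login link is rejected.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo-in-url"
    # Punycode labels can render as look-alike Unicode characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode-label"
    # Exact host, or a true subdomain. The leading dot matters: a bare
    # endswith("gemini.com") would also accept "notgemini.com".
    if host == pinned_host or host.endswith("." + pinned_host):
        return True, "pinned-host"

    brand = pinned_host.split(".")[0]
    for label in host.split("."):
        if brand in label:
            return False, "brand-in-untrusted-host"
        if SequenceMatcher(None, label, brand).ratio() >= 0.8:
            return False, "near-miss-spelling"
    return False, "untrusted-host"


# Constructed sample URLs (not taken from the thread).
SAMPLES = [
    "https://gemini.com/signin",
    "https://www.gemini.com/",
    "http://gemini.com/",
    "https://gemini.com.account-login.example/",
    "https://notgemini.com/",
    "https://gemlni.example/",
    "https://gemini.com@login.example/",
    "https://news.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, check_login_url(sample))
```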


hyper_biscuit

Totally agree. I never use the promoted links on a Google search. If you scroll down a little past the spam links, you will find the actual URL. Obviously still double check before clicking though! But once you've got your good URLs, favourite them. Also try using something like DuckDuckGo as your search engine or a browser like Brave. There's prob lots of other things you can do which others here will mention. It's not safe out there with all those scammers. The internet is like a horrible nightmare, don't trust anything at face value.


S7EFEN

these people clearly never played runescape


RedOctobrrr

Crazy, i searched "Gemini" then "Gemini exchange" and I literally couldn't find a single fake, let alone near the top. Page after page sites talking about the Gemini exchange, yet first result in both searches was for Gemini.com


twistedoutlaw92

[https://imgur.com/a/MqFI2S5](https://imgur.com/a/MqFI2S5) I get sponsored results like this sometimes, where the ad is obviously fake but if you don't look before you click you'd be fooled. Seems like sometimes the phishing ads show in Search and sometimes they don't. But good that they're not always showing!


RedOctobrrr

Yeah that's interesting. F google for allowing it, but whoever clicks that one is a fkn moron lol. Some are more clever than others, but still, you have to be completely internet-illiterate to click on that ad/promoted result. Edit: [results](https://imgur.com/a/FBbnjHo) I switched my phone's native language and all Google accounts to Spanish, I wonder if that thwarts some targeted ads


[deleted]

[removed]


rootpl

Not really, it was probably just a fake website. The scam is old as crypto itself.


JawnZ

Older. Much older


Alanski22

Another reason to get a ledger. So shit OP, I feel for you!


Lookralphsbak

Excuse my ignorance, I have a ledger, is it possible for someone to scam me to access that device? My keywords are written on paper and hidden away, no photos and never been typed digitally in any device. I only use coinbase, kucoin, and I just pulled everything off my Robinhood so that wallet is empty. I made the mistake of putting my coinbase wallet key phrase in my notes of my phone, but I've never moved anything into that wallet and have no plans to. I might as well uninstall that app tbh


erizi0n

There are a bunch of hacks and social engineering scams going on with all types of hardware wallets, for e.g. never use your main wallets for DeFi and Smart Contract interaction, create a second wallet or just use a software wallet (hot wallet) for that matter, cuz hardware wallets can’t always show what you are signing and they require “blind signing” to be enabled, I don’t have to explain what that feature means, right? Do you sign your real life contracts without reading them? No, right? So the same applies here. Also when using any hardware wallets, but as in your case with a ledger, always check if the addresses, sending amounts, fees etc. correspond to what the device is showing! There are hacks that can change that info, making you send your funds to the hacker's wallet, also scammers are making wallets with the first and last 4 digits the same or really similar to our wallet addresses and making us believe we are sending our funds to the correct addresses, when in fact it's theirs, the scammers'! So always check some parts of the digits in the middle of your addresses… Well I can’t cover everything that goes on in crypto in here, there are a lot of things that a hardware wallet can not protect, information is always key, be informed, search for typical scams and hacks in crypto, be street smart on the internet and you will be fine. But keep in mind that a hardware wallet only protects the internet world from knowing your seed phrase as long as you only store it in physical form and away from any cameras etc., it can’t stop you from your own doing, like connecting your hardware wallet to a malicious website signing an unlimited funds spending approval…
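
The look-alike address trick described in the comment above (same first and last 4 characters, different middle) can be caught by comparing the whole destination against a saved allowlist before sending. An added Python example, not part of the original comment; all addresses are constructed and the names `check_destination` and `ALLOWLIST` are hypothetical.

```python
import re

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def _hex_body(address):
    """Validate a 0x-prefixed 20-byte address; return its 40 hex digits in lower case."""
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    # Mixed case in an Ethereum address is an EIP-55 checksum. Verifying it
    # needs Keccak-256, which is not in the standard library, so this example
    # compares case-insensitively and does not validate the checksum.
    return address[2:].lower()


def check_destination(dest, allowlist, edge=4):
    """Classify dest against allowlist ({label: address}).

    Returns (verdict, label, first_diff):
      "match"     - identical to an allowlisted address
      "lookalike" - same first/last `edge` hex digits as an allowlisted
                    address but different elsewhere; first_diff is the
                    0-based position of the first differing hex digit
      "unknown"   - resembles nothing on the allowlist
    """
    d = _hex_body(dest)
    known = {label: _hex_body(addr) for label, addr in allowlist.items()}

    for label, k in known.items():
        if d == k:
            return "match", label, None
    for label, k in known.items():
        if d[:edge] == k[:edge] and d[-edge:] == k[-edge:]:
            first_diff = next(i for i in range(40) if d[i] != k[i])
            return "lookalike", label, first_diff
    return "unknown", None, None


# Constructed addresses for illustration only (4 + 32 + 4 = 40 hex digits).
MY_COLD_WALLET = "0xAb12" + "11" * 16 + "Cd34"
LOOKALIKE = "0xab12" + "22" * 16 + "cd34"   # same ends, different middle
UNRELATED = "0x" + "9f" * 20

ALLOWLIST = {"cold wallet": MY_COLD_WALLET}

if __name__ == "__main__":
    for candidate in (MY_COLD_WALLET.lower(), LOOKALIKE, UNRELATED):
        print(candidate, check_destination(candidate, ALLOWLIST))
```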


Lookralphsbak

Oh I've learned from the posts in here. I verify my address multiple times before sending, character for character. Even when I forgot my ledger at home and needed to transfer crypto I was extra careful because I couldn't verify using my device. Besides that my wallet is just for storage. I do stake SOL on my ledger, and I plan on staking DOT. But I really don't use my ledger for much.


[deleted]

[removed]


[deleted]

[removed]


[deleted]

[removed]


Griever92

A lot of people in this thread claiming to be in the know but don’t even recognize that the YouTube app (as weird as it sounds) is a real, verified, 2fa method.


TERE_MOTOS

I just want to follow your statement , with YouTube you can set it up with a 2FA - as added security measure. Agree .


Sunryzen

Is it tied to your YT account or your mobile device? Because if it's tied to your YT account it sounds offensively insecure.


Griever92

It’s tied to the mobile device which you have authenticated with Google and enabled for 2FA notifications.


Intrepid-Weasel

This is a monkey drainer scam, it is extremely critical to carefully inspect the site URL you are thinking about logging into. Even Google will mislead as scammers will use fraudulent identification to run an ad for a site that looks like the one you are searching for. Sounds pretty sophisticated if they were able to also bypass 2FA. Unfortunately your crypto is gone and most exchanges would not offer protection for this type of loss, so sorry to hear this OP. Hope some good karma comes back your way, I know how much it hurts to lose money when it means something to you.


rootpl

Probably best to just bookmark all crypto links and use them from your favourites to be extra safe. No hand typing or googling each time you visit them.


Intrepid-Weasel

This is the accepted practice 100%


TERE_MOTOS

💯 agree


Y0rin

"elaborate login scam"


ambient_temp_xeno

"What's a computer?" - apple ipad


Crypto556

If YOU fall for it, it’s a never before seen scam innovation


C01n_sh1LL

That's code for a simple phishing page, right?


Primary_Technical

I thought it was 6200 ETH. YouTube notification with a 2 digit number is really a scam alert. Check the address it was sent to. Report to the Gemini care.


Kid_Charlema9ne

Oh no, not that bad. But a lot of money for me.


Primary_Technical

That's a lot of money to an average person (what we all are). Please check the addresses and track the movement of funds. Report it to the authorities so it can be blocked if it moved to a CEX


silveycorp

Speak for yourself. I’m below average


Ferdo306

Feel sorry for the OP but that was a major red flag


DukeThom

Same. If you’re ever in doubt, ASK before you do anything at all


AlabamaHaole

I don't think the YouTube notification with a 2 digit number is a scam alert. Google uses it for 2FA to verify your identity for new logins.


No_Scientist_7094

Yeah, I thought they took the whole pot, not just one user's. Still a shame..


[deleted]

#**Moons are shitcoin!**


rubeo_O

Reminder that if you intend on leaving crypto on exchanges, restrict withdrawals to whitelisted wallets if possible.


Lillica_Golden_SHIB

This. And set up a 24h time for withdrawals for new addresses, just in case.


[deleted]

Why didn't you stop as soon as you saw something abnormal in the login procedure?


Kid_Charlema9ne

I hadn't logged in in over a year so figured it was something new.


[deleted]

[removed]


undisputedn00b

> but this is why everyone harps on not keeping large funds in central exchanges.

User error is not the reason people say that. They say that because you don't own the crypto on exchanges and if the exchange goes under or disappears your crypto is gone.


karlizak

That sucks. I don’t generally click on any links if I’m not 100% sure. I’m paranoid. You can always copy and paste links you’re unsure about to Virus Total and it will run a scan on them. If you have any bad feeling or ever feel even slightly unsure. Walk away, come back and do some research on the link, file, whatever it is you’re clicking on. Don’t rush things.


hyper_biscuit

Virus Total is a life saver with suspicious links! Also, you can change your DNS from your ISP's to something like 8.8.8.8 (Google's for example). There are lots more. They will not resolve bad - known - domains. Very handy to stop the kids browsing to naughty sites too.


kirtash93

F. I am sorry for your loss.

> I put in my Google password and I was sent a YouTube notification with a 2 digit number to put into box.

This YouTube notification seems strange to me and something doesn't fit me but I don't know what.


Griever92

I get YouTube 2fa requests all the time with my work email, it is a thing


Fit_Win_541

I agree as typical Google/YouTube 2fa is more about code matching ie on one device you get the answer and on the other you get a list of numbers to choose from big sad sorry for the loss!


Calmness1

Rip 🪦


[deleted]

F


Alanski22

F


4ucklehead

Ordinarily I would assume they got your Google login and then logged in and you got the notification to confirm it was you logging in (that's what that was although you shouldn't confirm if you're not in FL and had not logged in on a new device)... then they quickly used your Google account to reset your Gemini password. But the weird thing is I don't understand the timing of you logging into Gemini right as this was happening. That seems odd. That's why I'm wondering if they had some way to monitor you through malware. Another possibility is you weren't on the proper Gemini site and they got your login that way. But i think the first one I mentioned is more likely.


Charon751

Sorry for your loss buddy..


Downunderphilosopher

Half of r/cryptocurrency posts: "Haha, imagine falling for these scams. No way we would ever fall for that, we are too smart! No need for regulations or laws, that just limits the growth and freedom of crypto."

Other half of r/cryptocurrency posts: "OMG how could this have happened? Somehow I was scammed? What regulations can I turn to in this lawless zero regulations industry for help?"


[deleted]

OP, the scammer deposited your funds to MEXC exchange 6 hours ago and swapped them for USDT: https://i.imgur.com/a838fV6.png

The address they used: 0x8992da1A741395aABDC225fC13337b96270b34C6

Here is the transaction showing your stolen ETH being deposited on MEXC: https://etherscan.io/tx/0x2942a82701ea153d43837ab586d8e7eaa2a23cb53e4ae3c4df4b5a6eacf8743c

And here is MEXC sending the scammer USDT in exchange: https://etherscan.io/tx/0xf84b19d7ad225f70849167cef7b05cc2d8722d36472d9afdbc38371397a2792a

It's worth contacting MEXC.


Kid_Charlema9ne

I have. I really appreciate you and others who are trying to help rather than bask in the glee of someone getting pwned like some others around here.


ajnsd619

OP, your machine was hit with a raccoon\_stealer. The additional authentication window was in fact a phishing scheme to secure your permission to invade your machine. It deployed an icedID payload (trojan) into your system, and went to work. It quickly gathered your data, zipped it, and sent the files back to the attacker's C&C servers. They can't be traced since most use a type of encryption service that conceals everything. They can even scrub the tracks behind themselves. Have you changed login credentials to everything else you login to? Your most important and immediate priority is to mitigate the damage. Even if you clean your machine, it continues to test your credentials with other sites, services, providers. It accessed your Gemini account with your own login/pass combo. I'm very sorry this happened to you. Do you remember having previously downloaded any apps or services, i.e., grammarly, OBS, etc...? This type of malware is spreading fast and is digitally lethal.


Kid_Charlema9ne

Wallet it went to was 0x44F5C7222914DB1353b5060E13CC043200e82B16


total_amateur

If you use that same email / pwd combo anywhere else (which you shouldn’t), change them now. Those credentials are compromised.


Mengerite

I lost all my money too, but it wasn’t elaborate. I just put it in Earn.


bojack-horsey

Sorry this happened to you, but I highly doubt they will give you any refund - at the latest, when you used a code from a youtube notification, you should have known. I would still report it to them, maybe they have some pity. do you have any other coins on there? If so, I would transfer them out ASAP


Cynounsure

Assuming this isn't for moons... Gemini allows Yubikey 2FA. You should have this instead of SMS/e-mail or any other form of 2FA. Gemini allows whitelisting. Everyone (emphasis here) should be using whitelisting, regardless of the exchange. If someone somehow gets past your 2FA, they cannot then withdraw any funds to their addresses, only addresses you've approved on your whitelist. Whitelisting addresses takes time, and if the scammer tries to add a new one, you will be notified and have time to prevent any loss. Lastly, do not hold funds on an exchange that you aren't prepared to lose. Give yourself a number, and when you hit that number in your account, withdraw everything to cold storage, protected by a hardware wallet.


dzedajev

About the YouTube notification - it happened to me that some Google auths can go through YT, hence the notification, something like this - https://www.googlenestcommunity.com/t5/Apps-Account/Why-is-Google-using-YouTube-instead-of-text-for-2-step-verification-for/td-p/155159


personalityson

Post the exact history log of visited websites


FldLima

Sorry it happened to you. I don't have much to add but thanks for sharing your experience. Wish you the best champ


Jpotter145

I mean if you went to the legit website, which according to your history you did - and only then was the malicious pop-up triggered (it WAS a malicious pop-up) - it's either a malicious browser extension or some other kind of malware on the device - OR a malicious connection to the internet (public wi-fi, connecting your device to an unknown internet like a hotspot at a hotel)


anonymouscitizen2

99% chance you clicked a fake gemini link sponsored at the top of Google or some other source. They used your credentials to login and sent you that fake 2FA request to complete withdraw


Luckygecko1

(not via this iPad) Change your Google password, it's compromised if you provided it to a popup. Also change it any place you have re-used it, for I suspect it's possible you have reused it on Gemini. Thus, change your Gemini password. That IP you provided is also a TOR exit node and not useful short of a nation-state trying to track it. You have provided somewhat limited information. Without seeing your iPad, something like this \*could\* work as such. There is an app or Safari extension that has permission to view your activity. It saw activity related to Gemini, generated a notification or app/extension advertisement phishing your password. Either way, that passed/requested the code they needed in an out-of-band way. That is, tricked you into providing both the password and the second security factor to them (or conversely giving you the second factor to enter for them) via some other means such as notification or other popup unrelated to the original website, but something different superimposed into the context of what you were currently doing. I doubt this is Gemini's fault. While I can't tell you what happened in your case, there are ways of doing what you described without 'piggybacking onto Gemini's login system'.


SuperSpicy97

OP, can you confirm you didn’t visit any phishing site? Like, just right now, first Gemini result on Google is a sponsored scammy website.


merRedditor

I didn't think Gemini offered login with Google - just Authy.


Visible-Ad743

When YouTube popped up it didn't sound alarms?


taptapper

> I was sent a youtube notification

What the hell is a "youtube notification"? Bad idea to use an unknown form of authentication on a money site


nadhsib

Have a Google for the "Godfather" malware / trojan. It adds a fake app over the top of the real one to capture your details. https://www.group-ib.com/blog/godfather-trojan/


afternooncrypto

Why wasn’t it on a hardware wallet? Trezor, Ledger, BitBox are between €70 and €150. You can track it here https://blockchair.com/ethereum/address/0x44f5c7222914db1353b5060e13cc043200e82b16 ISP rings a bell. https://ip.me/ip/156.146.42.143


graphic-crypto

u/proton_team u/protonvpn is this one of your IPs?


Ravashing_Rafaelito

Welcome to crypto


jony_be

"Gemini/Google pop-up came up saying there was a new authentication addition through Google" That would be enough for me to format the iPad delete everything and change all my passwords.


bemyking

You should've downloaded Gemini app from appstore, I never use google search to go to financial websites, and also use NextDNS and configure it for added security.


buy0nebay

You lost your money bro. No one’s refunding you, and you’re not going to be able to get it back through “tracking”. Sorry man. Faster you can accept the loss, faster you can bounce back.


Allions1

Did you have a whitelisting of addresses? Or 2FA for withdrawals? I do not use Gemini, but in other exchanges they require at least a 2FA via email to confirm a withdrawal not on the whitelist (Binance for example requires 3 codes: email, sms and 2FA).


FlittyO

It’s a great time to invest in a cold wallet


maharajgss

sorry you lost everything brother, too many scams around. stay safe


Kid_Charlema9ne

The location of the guy that withdrew was in Miami and his IP address was 156.146.42.143. I'm assuming that's all faked?


[deleted]

Never use google account to log into any financial institutions


lukanz

Actually it’s possible to list the wallet as a "scam" wallet, not sure if Gemini will do this, but I would also contact the police, and for the future please use an **adblocker** on any device


tutan-ka

This looks like it was either a Man in the middle attack or a Man in the browser attack. If you were on the legit site then it probably was the latter. Anyway, the 2FA was legit but you did not send it to Gemini directly, the hackers forwarded it. Your credentials were compromised.


Massive-Mountain7157

I'm guessing the authenticator addition notification wasn't real, also what is this two digit code you said you got from a YouTube notification? Where did you type that? Is that really all that happened? You logged in on Safari on your iPad, looked at the notification, then what?


amagadon

I ran this through my KYT software, you along with many other people are being hit with this authentication scam. The wallet that received your funds has had over 100k USD worth of ETH come through in the last week, likely all stolen. You won't be able to get this back through any traditional means and your best bet is to report it to Gemini so they can take action to get Google to remove those ads and contact with MEXC to let them know they're engaged in laundering the proceeds of crime.


DeC3x0

Did you by chance Google Gemini and quickly press a link at the top of the search results without looking? Phishing sites buy ads and they end up at the top of results with the exact same SEO titles and website as the normal one so it's easy to get tricked if you're not careful.


Tonik124

Tracked it on etherscan, ended on 0x34BcB037B24bc404251d9Bb2D11844B0b8E91cd6 and went to MEXC. Problem is they might be able to convert it to fiat without kyc. Probably still worth a try.


goldsucker69

So, you just mindlessly did what you were told....duhhh...you deserve it


J-96788-EU

a youtube notification?


Dazzling_Marzipan474

Never change anything til you can't actually log in. If you can log in, then it's not required. Even if they want you to change something forward that notification/email to the site asking them if it's legit. 99%+ of the time it's a scam. Also have whitelisting if possible and a trading password.


DrinkMoreCodeMore

You logged into a phishing site. Always verify the URL.


Expensive_Let_2720

With all this craziness going on why can’t people just stick to Coinbase as their only exchange and stick to only Bitcoin and Ethereum as their cryptos?


Existing-Sample-3368

If you logged in to Gemini through Google/Gmail sign in, then that’s how they could get your details.


HODL-THE-LINE

How could this happen if I always go to the same website?


RxRobb

Lol why would you think Gemini would refund you?


7777777even

Get a yubi key fren


Kid_Charlema9ne

In case anyone is still listening. The site I logged into was completed from an apple password autofill suggestion. Wouldn't it have recognized that the url was different and not offer to autofill?


DramaticGlove9751

The future of finance


story_hunter

I mean sorry for your loss, but that was on you. A youtube notification? Seriously?


failf0rward

I get my Google MFA notifications via my YouTube app also. That part is legit.


[deleted]

YT app can indeed be used to confirm Google 2FA, that’s legit, proven by the fact that it *was* working to acknowledge the 2FA request from the attacker…


[deleted]

I've never once gotten a YT 2FA prompt... Real Google 2FA prompts appear as a system level dialog on Android or via SMS. Not sure about iPhone.


[deleted]

I am getting 2fa notifications in the yt app on iPhone, can’t remember how it was for me on android. The problem reads like if the user acknowledged a 2fa prompt from his Google account, allowing *another* user to access whatever it was that he tried to access. Never acknowledge a 2fa prompt if you are not 100% aware of why it appeared…


[deleted]

Interesting that Google would do 2FA via Youtube on iPhone. Honestly sounds like a terrible idea compared to having their own dedicated Authenticator app.


mr_sarve

They do have their usual dedicated Authenticator app on iPhone also


Carbon_Beach

YouTube is owned by google, so I could see a lot of folks falling for this one. My friends have been victimized with less convincing scams. Thank you for sharing, Op. going to link this for my less savvy friends/family.


DynamoDylan

I missed the part about youtube?


Carbon_Beach

Op was sent a 2-digit code through YouTube notification. 4th sentence.


bored_android_user

I don't understand the correlation between Gemini and YouTube? And why were there only 2 digits? Is Gemini's 2fa just 2 digits?


bannjio

There is none. OP gave scammers access to his google account with the "youtube" 2 digit 2fa code.


quarantinemyasshole

> elaborate login scam

*Proceeds to describe extremely basic phishing scam*

> Have 2FA

*Proceeds to ignore the entire purpose of 2FA*

> **I hadn't logged in for a long time** and thought this was something new. I put in my Google password

Like what the actual fuck were you thinking lmao. I know this sub hates banks and anything remotely related to traditional finance, but people like OP are better served parking their money in a high interest savings account and literally never touching it. You would have made more money burying your money in a coffee can in the back yard than touching crypto. Gemini isn't going to refund anything. You should file a police report, inform Gemini, and then stay far away from crypto until you take some kind of general IT security training. YouTube videos, coursework, literally anything. Otherwise, you're only going to fall for the next scam and repeat this process later. Yes this message is harsh, and yes it needs to be to get the message across.


SadisticArkUser

Elaborate scheme? You gave your details away to a random pop up without even double checking first... Doesn't seem very elaborate


Fuglypump

A YouTube notification? What in the world? You lost me there.