League of Legends Superstar Loses Entire Cryptocurrency Balance to Port-Out Scam

cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
22,060
League of Legends pro Yiliang "Doublelift" Peng recently recounted on a Twitch live-stream how he lost his entire Coinbase account balance to a port-out scam. He says that a few weeks prior to the theft, his T-Mobile phone's service was terminated and the device was listed as lost or stolen. He thought that T-Mobile had a network glitch and forgot about it. The hacker took over his email and emptied his Coinbase account. To hide that activity, the hacker had all emails from Coinbase flagged as spam, forwarded to the hacker's email and then automatically deleted from Doublelift's email account.

Mr. Peng's bank contacted him when his bank account was seriously overdrawn and that is how he discovered the hack. When Doublelift tried to secure his email account, the hacker used his phone's authenticator app to take access back. He hopes to get the money stolen from his bank account reimbursed as it was considered fraudulent transactions by the bank. The $200,000 in cryptocurrency held in the Coinbase account will not be reimbursed.

NA LCS 2018 MVP returns to youtube to recounts an insane story that occured a few weeks back to match the insane Kai'Sa gameplay that also happened on stream never before seen.
 
Heh, seriously compromised bank security if all you need is e-mail and a phone app to access the bank. My bank won't give any information about the account without a personal visit to the office - and yes, they do check your id.
 
Just more "news" that cellphones aren't secure, and you should never use them as 2FA anything :)

Also Coinbase supports TOTP, so if you do use coinbase grab a hardware key like Yubikey, and use that to store the key.
 
2fa is garbage but it's also t-mobiles fault for not being suspicious. You get what you pay for.
 
been in the crypto game a long time -- and as much as it sucks for him I have zero sympathy for anyone who leaves money on coinbase or exchange. Unless it's in your private wallet that you have the secret key for, it's not secure.

For that level of money I'd have a dedicated airgapped PC that held the encrypted wallet and only online for the 5 seconds it takes to send the transaction.
 
The real issue is our phone lines aren't as secure as they should be. How many more port outs and swatting events need to take place before we fix this?
 
been in the crypto game a long time -- and as much as it sucks for him I have zero sympathy for anyone who leaves money on coinbase or exchange. Unless it's in your private wallet that you have the secret key for, it's not secure.

For that level of money I'd have a dedicated airgapped PC that held the encrypted wallet and only online for the 5 seconds it takes to send the transaction.

Just don't toss the hopelessly outdated PC/laptop into the trash a few years later.

And 2fa that requires a Personalized Tracking Device to function isn't really secure considering that most PTDs exist on networks operated by companies who's secondary business model is monitoring all data flowing through the device and selling the results to 3rd parties.
 
Considering how poor smartphone security is, it's his fault for putting so much into his smartphone.
 
Someone worked REALLY hard for that Coin. Now if they would only apply a fraction of that talent and effort for something good, As stated Phone security sux. Keep your Finances away from phone apps. Verify DIRECTLY if issues occur,
 
hopefully it's insur.... oh wait, it probably wasn't.

also who doesn't look in their spam folder?

i always check mine for important stuff that falls through the cracks.
 
Just more "news" that cellphones aren't secure, and you should never use them as 2FA anything :)
I refuse to use mine to verify YouTube, Facebook, LinkedIn, etc, too, because I just knew it was making my accounts less secure, not more.
 
By criminals, for criminals. Suckers too, suckers are good best.

Considering how poor smartphone security is, it's his fault for putting so much into his smartphone.

Much like a PC, smart phone security is every bit as good as the user makes it. That's probably the problem. Compounded by the fact that these things are really just nasty, little data miners that insert themselves right in the middle of your life. You just can't replace vigilance, that's the other problem... The average smart phone user is just an average person that doesn't understand any of this shit. Companies and criminals have been preying on these waters like the feast will never end.

I'm going to call it now: These companies aren't keeping their houses in order and are counting on "getting away with it" going forward. Their total lack of regard for privacy and security is going to get the long arm shoved right up their asses and the whining will be abso-fucking-lutely biblical.
 
He says that a few weeks prior to the theft, his T-Mobile phone's service was terminated and the device was listed as lost or stolen. He thought that T-Mobile had a network glitch and forgot about it.



hmmm.. really hard to care much when he couldnt even be bothered to really look into his own phone account being canceled because they thought it was lost or stolen
 
So when the scammers called saying there was a problem with his cell phone account I take it he gave them his real info instead of making stuff up?

I get those calls at least twice a month. Always make up random last 4 digits of social and pin number.

Hopefully it at least wastes a little bit of their time.
 
But people want you to embrace digital money, so they can turn that off too when you say something they don't like.
 
Only idiots leave their BTC on a vendor's site. You need your own wallet!
 
  • Like
Reactions: Mega6
like this
He says that a few weeks prior to the theft, his T-Mobile phone's service was terminated and the device was listed as lost or stolen. He thought that T-Mobile had a network glitch and forgot about it. The hacker took over his email and emptied his Coinbase account.

If you don't learn anything else from this guy losing all his shit; when your phone wigs out, get on the phone with your carrier PDQ, cause you're getting fucked.
 
A fool and his money are soon parted. I can write pages upon paged about the ponzi scheme known as Bitcoin on who runs it.. how it is being ran and why people are so fucking stupid to gamble in this ponzi scheme, even as hundreds of millions of dollars are stolen... just this year.

And yet people sill are using it.

Greed is Good - Gorden Gekko
 
Heh, seriously compromised bank security if all you need is e-mail and a phone app to access the bank. My bank won't give any information about the account without a personal visit to the office - and yes, they do check your id.
Your bank doesn't have online banking? My banks do and I wouldn't be shocked if they were susceptible to this. After all, if I have your email account, there's a decent chance I'll know what your bank is. If I know your bank and email address, I can do a password reset. If I have your phone, I can get buy 2 factor authentication texts as well as emails.
 
Your bank doesn't have online banking? My banks do and I wouldn't be shocked if they were susceptible to this. After all, if I have your email account, there's a decent chance I'll know what your bank is. If I know your bank and email address, I can do a password reset. If I have your phone, I can get buy 2 factor authentication texts as well as emails.
Read more carefully - you can't reset your online password just by sending an e-mail for obvious security reasons and the system has a two factor authentication. You have to physically be at the office to authenticate in order to do that. Each time I login to the bank I need two passwords, one for my account and a scond one for the 2FA.
 
Last edited:
Just don't toss the hopelessly outdated PC/laptop into the trash a few years later.

And 2fa that requires a Personalized Tracking Device to function isn't really secure considering that most PTDs exist on networks operated by companies who's secondary business model is monitoring all data flowing through the device and selling the results to 3rd parties.

Except the authentication data is encrypted so nobody watching that traffic gets nothing in reality. Each time it authenticates it sends a unique identifier so even if you crack one message it does you no good. The only scenario I can think of is someone managing to get control of your phone and make a main in the middle attack. This is why nobody in my family has Android phones and I don't allow my family members to jailbreak their iPhones.
 
th?id=OIP.jpg
 
Read more carefully - you can't reset your online password just by sending an e-mail for obvious security reasons and the system has a two factor authentication. You have to physically be at the office to authenticate in order to do that. Each time I login to the bank I need two passwords, one for my account and a scond one for the 2FA.
OK, I don't know if you're saying your bank doesn't allow you to reset your password on line or not, but every bank I've got (3 different ones) allows it. 2FA is not relevant, because the scammer had ported his phone number out so that any text codes would go to the scammer.
 
The real take away from this, which should have been obvious from the start, is that using SMS for 2FA is a dumb idea. Not only is this vulnerable to port-outs its also susceptible to fake towers (i.e. StingRay like devices). Applications that run on your mobile device (Google Authenticaticator and the like) are way more secure than SMS and just as convenient to use. Still those are no where near as secure as some other 2FA options out there, but part of the equation is convenience vs security.
 
Read more carefully - you can't reset your online password just by sending an e-mail for obvious security reasons and the system has a two factor authentication. You have to physically be at the office to authenticate in order to do that.
OK, I don't know if you're saying your bank doesn't allow you to reset your password on line or not, but every bank I've got (3 different ones) allows it. 2FA is not relevant, because the scammer had ported his phone number out so that any text codes would go to the scammer.
Eh, of course no clear text codes are used, the 2FA has its own app with a pin code and challenge/response is encrypted. Again obviously. Man your banks security sucks bad.
 
So if your banking institution only has text 2FA, is that not better than nothing?

On another note Tmobile lets you set up a port out password to prevent this issue.
 
Back
Top