A hacker stole $50k from my bank account and all they had access to was my gmail


The Story

My name is Adam Draper, I run an accelerator for Bitcoin startups called Boost VC and on January 14th, 2015 I had $50,000 stolen from me. That is a lot of money, and the worst part is that I don’t know who did it, so I can’t take my rage out on them. So this was my $50,000 lesson.

A month ago I came to work pretty stressed about our new Tribe at Boost, which started on February 2nd. We had only accepted around 5 companies (out of a hopeful 20) and I was worried that we wouldn’t have enough Bitcoin companies to fill out the session. So I had 13 interviews set up for January 14th as a part of interview week for Boost. Little did I know that a hacker picked my busiest day of the year to really mess with me. This is what my schedule looked like:

(Side note, we ended up oversubscribed this session with 25 Bitcoin companies)

At around 12:30pm my partner Brayton Williams made a comment about an excessive amount of furniture I had bought. I found this curious because I had not bought any furniture recently; I had bought a rug, but I wasn’t sure I would define a rug as furniture. I didn’t really think anything of it, ignored the comment and began to discuss the interview we had just had with him.

About thirty minutes later, he brought it up again. “So I don’t think you would do this, but I just wanted to check to make sure, I have a bill here for $50,000 worth of furniture that Arsenio (changed the name of my accountant) is trying to get Boost to pay for.” I thought this was some sort of joke, I am frugal, and would not spend that much money on anything, let alone furniture. I immediately called my accountant to get to the bottom of this. Unfortunately Arsenio was busy, so I left a message.

I then read the emails from Brayton’s account that he was referring to. It turns out that the “Hacker”, whom I will refer to from here on out as “Thief”, was in my account at the same time I was in my account, having a conversation with my accountant. Later I discovered that Thief changed the settings on my Gmail to make all emails from my accountant and anyone associated with wiring money go directly into my Gmail trash. This made it so that even if I was working in my Inbox, I would never see replies from these people. It is super eerie to see emails from your email account that you did not write:

They started with:

“Wire from Ghost… Boost will re-imburse Ghost.
thanks,
Adam”

Ghost is my personal entity, and Boost is Boost. I did not change these names. The creepiest part of this was that this person saw enough of my emails to see that I never capitalize “thanks” in my sign-off. Attached to this email was an invoice for $50,500 worth of furniture from Daviana Burton Office Supplies.

This is the invoice:

Looks professional enough. And Arsenio (my accountant) has received wire instructions from me via email before, normally for an investment in a company. But guess what, if you search for Daviana Burton office supplies, there is nothing that pops up… because it doesn’t exist. The bank is real though. TCF Bank in Chicago.

So Thief was smart enough to make a fake invoice, and to change the filters in my email.
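The filter change is the part of this attack a practitioner can actually check for, so here is an added example (not code from the original post) that audits an exported Gmail filter list for exactly this trick. Gmail can export its filters from Settings > Filters and Blocked Addresses > Export as an Atom XML file; each filter is an `<entry>` whose `<apps:property>` elements carry the criteria (`from`, `to`, `subject`, `hasTheWord`) and the actions (`shouldTrash`, `shouldArchive`, `shouldMarkAsRead`, `forwardTo`). The script flags any filter whose action hides mail from the inbox or forwards it out of the account. The sample export and every address in it are constructed for this example.

```python
"""Audit an exported Gmail filter list for filters that hide or forward mail.

Added example, not code from the original post. The XML layout mirrors
Gmail's filter export (Atom feed, one <entry> per filter, criteria and
actions as <apps:property name=... value=.../>). SAMPLE_EXPORT and all
addresses in it are constructed for this example.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Criteria a filter can match on (Gmail's own property names).
CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord", "hasAttachment")

# Boolean actions that make matching mail disappear from the inbox, plus
# forwardTo, which sends a copy out of the account entirely.
HIDING_FLAGS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")

# Constructed sample: one benign newsletter filter, then two filters of the
# kind described above (accountant replies and wire-related mail hidden).
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='from' value='news@example-newsletter.invalid'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='from' value='accountant@example.invalid'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='wire OR invoice OR payment'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='forwardTo' value='dropbox@attacker-mail.invalid'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry in the export."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall(ATOM + "entry"):
        props = {}
        for prop in entry.findall(APPS + "property"):
            props[prop.get("name")] = prop.get("value")
        filters.append(props)
    return filters


def suspicious_filters(filters):
    """Return (criteria, actions) for each filter that hides or forwards mail."""
    findings = []
    for props in filters:
        actions = {}
        for flag in HIDING_FLAGS:
            # Gmail writes booleans as the string 'true'; anything else is off.
            if props.get(flag, "").lower() == "true":
                actions[flag] = props[flag]
        if props.get("forwardTo"):
            actions["forwardTo"] = props["forwardTo"]
        if actions:
            criteria = {k: v for k, v in props.items() if k in CRITERIA}
            findings.append((criteria, actions))
    return findings


def audit(xml_text):
    """Parse an export and return only the filters worth a second look."""
    return suspicious_filters(parse_filters(xml_text))


if __name__ == "__main__":
    for criteria, actions in audit(SAMPLE_EXPORT):
        print("SUSPICIOUS filter on", criteria, "->", actions)
```

Run it against your own export by reading the file into `audit()`. A filter that trashes or archives mail from a specific person is the signature of the technique described here, and a `forwardTo` on a sender you did not configure means mail is leaving the account. Filters are not the only place to look: the account's forwarding, POP/IMAP and delegation settings can do the same job without any filter, so check those by hand as well.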

My accountant, Arsenio, emailed me upset. I finally got Arsenio to call me.

“So that wasn’t you?” Arsenio was quickly thinking about what happened.

“I thought it was odd, but wanted to respect your privacy”

We called my bank (Wells Fargo) to get them to red-flag the wire, but it was already 2pm and all the wires had been released. I’m sure your reaction will be the same as mine when I said “Why don’t you just reverse the wire?”, it turns out that the banking system is completely messed up.

I always assumed that even if someone had access to my bank account and passwords, and they tried to wire money out of my accounts, a bank would be able to shut it down really fast, and if a wire or ACH did go out, they would be able to recall it. It turns out that when a wire is released, it disappears into an infinite abyss that is a different bank’s network. Each bank has identity protections around its clients, the banks do not work together, and both are worried about being legally attacked by their clients, so no one really helps you.

So at this point, I had been hacked, $50,000 was out of my account, and someone was still in my Gmail account, so I had to change that. I immediately changed all my passwords, and added two-factor authentication to everything. (All Bitcoin and tech people are shaking their heads in wonder right now, wondering why I didn’t have those set up anyway… It’s because I thought I was secure with my awesome password.)

After I felt comfortable that my email was under my own control, I wanted to find this person, so I did what any non-engineer would do, and asked my friends on Facebook. It’s always helpful to have highly skilled computer friends on your friend list! They reached out with links to IP tracking pages and bits of information that someone would probably find useful. It was most helpful to have a map of where the IP Address came from. Unfortunately, most people told me it was on Tor and likely it was rerouted through this IP and not trackable.

This is where the IP Address tracked to. You can see that it is across the street from a deli. But also it was probably rerouted in this direction, so the person was most likely still not in this area.

So over the course of the last month, I have spoken with 4–5 hackers I respect as being at the top of their field to understand what could have happened. I spoke with someone at Coinbase, a couple of friends reached out from the Bitcoin community to assist, and Boost VC alumni are great at this stuff too.

What I learned while talking to these people:

  1. People in the Bitcoin and VC community were being targeted… I happen to be at the intersection of both of these. I was not the first attack.
  2. Some people had been blackmailed.
  3. What people do in TV shows to track down “hackers” doesn’t exist in the real world.
  4. The best offense is a good defense (change all passwords, get your computer wiped, get two-factor authentication).
  5. I will most likely never figure out who was responsible for the theft.

The Recovery of Funds

Wells Fargo customer support since the theft has been horrible. I spoke with six people when the money was stolen, one of them said “every day you don’t get your money back, the less likely it is you will get your money” and all of them said that Wells Fargo was doing everything they could.

I got an email two weeks later essentially saying, “Just found out about the fraud on this wire”, which means that for two weeks, while I was emailing people at Wells Fargo to do things, they were not doing anything. And the first thing Wells Fargo did when they found out that this was actually fraud… they made me sign something called a “Hold Harmless and Indemnification Agreement”, basically making me sign something that says I can’t sue them, before they would do anything to help me.

I am going to be changing banks. Not because I lost money, but because the support has been awful. I still don’t get updates about my money unless I ask for them, and the updates just blame it on the other bank. I don’t think anyone is even trying to talk to TCF Bank. I called a bunch of times, but there is nothing there. I have found that TCF Bank has been penalized for not red-flagging things before. I recommend not banking with TCF Bank. I also recommend not banking with Wells Fargo, but for different reasons.

This was a long-winded way of saying: if you do not have two-factor authentication, go get it. They only had to hack into my email, and they were able to get enough information from my email to be able to steal from me.

I wrote this up to warn others.

I would recommend getting:

  • 1Password
  • Clef (I invested, and yes I was an investor in a 2FA company, yet never used 2FA, now I do religiously)
  • And enable 2FA wherever you can on Facebook, Gmail and anything else you don’t want people getting into