Scott Melker, also known as the “Wolf of All Streets,” says he was the victim of a SIM swap attack in February but managed to avoid losing any crypto assets.
In a Aug. 4 post on Melker’s website titled Security Tips And Lessons Learned From My Hack, the trader said he was able to protect access to his bank accounts, credit cards, and crypto exchanges after a hacker assumed his identity by tricking his phone carrier and diverted Melker’s communications to the hacker’s phone.
According to Melker, the hacker had access to his number and text messages — which would have given them access to all his funds if he’d relied on two-factor authentication (2FA) delivered via text message.
However he used a form of 2FA (Google Authenticator, Authy) which was kept on a separate, offline device. “This is the single thing that largely saved me from the most damage,” said Melker.
“Even with my logins and passwords, they were unable to access my 2FA. This gave me enough time to contact my banks, credit cards, crypto exchanges, etc. and have my accounts locked.”
Words of warning
Hackers reportedly stole $8.7 in crypto assets from Reggie Middleton, CEO of crypto firm Veritaseum, in a series of T-Mobile SIM swap attacks in July 2017. Investor Michael Terpin Terpin also claims that he lost $24 million worth of crypto as a result of two AT&T SIM swap hacks that occurred between 2017-2018.
So how does Melker suggest avoiding a similar fate?
“Never use SMS verification as a part of your 2FA,” Melker stated definitively. “[Hackers] are counting on this vulnerability in a SIM-Swap attack. 2FA is a double edged sword – it offers protection when used correctly (on a separate device), but allows easy access to everything if it is simply a text message to your phone – because the hacker will be receiving your texts and calls.”
He recommended using an authenticator (Google’s version over Authy which he said could be hacked) on a separate, offline device and not on your present phone.
“The minute they swap your SIM card, everything on your present phone becomes a liability.”
He recommended using 2FA for all accounts, from social media to banking, and to stop using Chrome, which he said has “astounding” vulnerabilities. In regards to crypto assets in particular, Melker encouraged traders to remove their phone numbers from exchanges, and keep their assets in cold storage.
“Clearly we cannot trust the phone companies to protect us,” he said.