- On March 21, 2018, Ajay (name changed) started reaching out to Telegram groups to find an emergency contact number for Koinex, the crypto asset exchange. He claimed his account was hacked. Ajay set out for Koinex’s Lower Parel office after his Telegram efforts proved to be in vain.
- Ajay’s version of the story says that he reached the office before his funds were stolen and asked the Koinex team to freeze his account to prevent any misdeed.
- Koinex’s version of the story says that the scam Ajay fell victim to is something they experience daily, and that they had already frozen his account to scrutinise it and prevent any loss to Ajay.
- Ajay’s funds are safe and his Koinex account has been restored. But how did he become a victim, and what can you do to stay safe from such scams? That is our story.
On the morning of March 21, Ajay woke up to find an email from Koinex. The email read:
We have updated your email address and a password reset link has been sent to the new email…. We have also updated your 2FA settings to Email.
Ajay’s login email was changed, his password was reset and 2FA was disabled. Everything keeping his account secure stood compromised. He could not log in to his own account.
How did that happen?
Ajay was soon in the Koinex office, taking up his issue with the staff. Ajay is a teenager preparing for competitive exams. At this point, he was a teenager on the verge of losing all his earnings. As Koinex revealed the communication that was supposedly taking place with him, the scam became clear to Ajay. Here’s how it happened:
- The scammer got hold of Ajay’s Gmail account. We are still not sure how. From it, the scammer was able to send an email to Koinex Support asking to change Ajay’s 2FA and email address due to “Personal concerns”.
- Koinex, as per policy, asked him to send a selfie with his Aadhaar card in hand.
- The scammer sent Ajay’s selfie with Ajay’s Aadhaar card.
- Koinex changed the email address, reset the password and disabled 2FA.
How did the scammer take a selfie with Ajay’s Aadhaar card?
This is where things become interesting. Ajay narrates his realisation to CoinCrunch, “The scammer had taken my picture from Twitter and photoshopped it to look like I am holding my Aadhaar Card”.
It is really hard to believe, but Ajay tells us he saw the selfie at the Koinex office. “I saw it on their computer. I don’t know how this person got my Aadhaar Card,” says Ajay.
This is a case of identity theft, and a well-executed one.
What happened next?
Koinex confirmed Ajay’s funds were safe. For whatever reason the scammer had not spent his funds and luck favoured Ajay. Here’s when the plot thickens.
Ajay tells us that it was only after his visit to the Koinex office that Koinex froze the account to avoid any loss. But Koinex told a different tale.
The Koinex Story
“This is not the first time someone has sent us a photoshopped image to gain access to someone else’s account”, Aditya Naik, the Co-founder of Koinex tells CoinCrunch.
“We have strict rules in place and our entire support team follows them. Whenever a major detail like an email address or phone number is changed, or 2FA is disabled, we freeze the account to avoid such issues. We then contact the phone number in our records to confirm with the user if it was indeed him or her who requested the change”, Naik continues.
In the course of the conversation I found out that they receive about 5-10 such cases every month, and yet no account was compromised after these strict policies were put in place. According to Naik, not only Koinex but pretty much all exchanges follow suit.
Aditya’s belief was shot down when I told him about a similar scam that happened at another prominent exchange. Later in the day I reached out to 2 more exchanges to learn their policies around such requests, and none of them mentioned freezing user accounts after a major change.
They were inclined to the idea of freezing withdrawals whenever a user’s 2FA is disabled. Some exchanges have a policy of not allowing an email address change at all.
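The freeze-and-call-back policy Naik describes can be sketched as follows. This is an added example, not Koinex's code; the `Account` fields and function names are assumptions made for illustration. It shows why the contact details must be snapshotted before any change is applied: the confirmation call then goes to the old number even if the request also replaces the phone.

```python
from dataclasses import dataclass, field

# Changes that weaken account recovery (the ones named in the article).
SENSITIVE = ("email", "phone", "two_factor")

@dataclass
class Account:
    email: str
    phone: str
    two_factor: str
    balance: float
    frozen: bool = False
    snapshot: dict = field(default_factory=dict)  # values before the change

def apply_support_change(acct, attr, value):
    """Apply a support-approved change, freezing the account first."""
    if attr not in SENSITIVE:
        raise ValueError(f"unsupported field: {attr}")
    if not acct.frozen:
        # Snapshot BEFORE touching anything, so the callback goes to the
        # old phone number even when the request changes the phone too.
        acct.snapshot = {a: getattr(acct, a) for a in SENSITIVE}
        acct.frozen = True
    setattr(acct, attr, value)
    return acct.snapshot["phone"]  # number the support team must call

def resolve_callback(acct, owner_confirms):
    """Record the outcome of calling the number on record."""
    if not acct.frozen:
        raise RuntimeError("no pending change to resolve")
    if owner_confirms:
        acct.snapshot = {}
        acct.frozen = False
    else:
        # Owner denies the request: roll back, stay frozen for review.
        for attr, old in acct.snapshot.items():
            setattr(acct, attr, old)
    return acct.frozen

def withdraw(acct, amount):
    """Refuse withdrawals while a sensitive change is unconfirmed."""
    if acct.frozen or amount > acct.balance:
        return False
    acct.balance -= amount
    return True

def demo():
    # Constructed sample data, not real account details.
    acct = Account("owner@example.com", "+91-0000000001", "app", 100.0)
    apply_support_change(acct, "email", "intruder@example.net")
    call_to = apply_support_change(acct, "two_factor", "email")
    blocked = withdraw(acct, 100.0)  # attempted during the freeze
    resolve_callback(acct, owner_confirms=False)
    return call_to, blocked, acct.email, acct.two_factor, acct.frozen
```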
Chicken or the Egg?
It is Ajay’s word against Aditya’s. We cannot know for sure whether Ajay’s account was frozen by Koinex immediately after his details were changed. It is entirely possible that it was and Ajay just wasn’t made aware of it. It is also possible that Koinex did make a mistake. However, if I were the scammer who went to these lengths to gain access to someone’s account, I would have transferred the funds immediately. Ajay’s funds had not moved.
How to stay safe from scams like these?
Paying attention is your best defence. I read this in a tweet where defence was spelled incorrectly, but it is wisely said. Pay attention.
- Pay attention to where you share your email address.
- Be careful before sharing your Aadhaar details.
- Use Google Authenticator for your Gmail account as well.
- Change your password regularly.
- If you are not going to trade the funds, move them to a private wallet.
- Use different passwords for email, exchanges, banks etc.
- Do not click on random links or download random apps on your phone.
- If you change your phone number, inform the exchanges.
Why did the scammer not transfer the funds? Tell us your views in the comments below and share this article to increase awareness.