A network security expert narrowly escaped a sophisticated phishing attack after a leak of 16 billion data entries triggered a crisis.
The Sophisticated Phishing Attack That Almost Trapped Even Cybersecurity Experts
Recently, a massive dataset containing 16 billion user records has been circulating online. It includes both previously leaked data and newly stolen login credentials. Although most of it is a reorganization of old data, the freshly updated entries are still concerning, and the collection is considered one of the largest single account leak compilations in history.
Hackers are using this data to launch various attacks, and I have become one of their targets.
The phishing attack launched against my personal devices and accounts on June 19 was the most sophisticated I have encountered in my ten-year career in cybersecurity. The attackers first created the illusion that my accounts were under attack on multiple platforms, then impersonated an employee of a trading platform to offer "help." They combined social engineering with coordinated messages across SMS, phone calls, and forged emails, all designed to create a false sense of urgency, credibility, and scale. The staged attack appeared broad and authoritative, and that is the main reason it was so deceptive.
Below, I describe the attack step by step, analyze the warning signs within it, and explain the protective measures I took. I also share key lessons and practical advice to help investors stay safe in a constantly evolving threat environment.
Historical data and recently leaked data can be used by hackers to implement highly targeted multi-channel attacks. This once again underscores the importance of layered security, clear user communication mechanisms, and real-time response strategies. Both institutional and individual users can gain practical tools from this case, including verification protocols, domain recognition habits, and response steps, which can help prevent momentary lapses from turning into significant security vulnerabilities.
SIM Card Hijacking
The attack began around 3:15 PM one afternoon, with an anonymous text message claiming that someone was attempting to trick my mobile carrier into transferring my phone number to someone else. This method of attack is known as SIM swapping.
It is important to note that this message did not come from a short code, but from a regular 10-digit phone number. Legitimate businesses typically use short codes to send messages. If you receive a message from an unknown standard-length number claiming to be a business, it is very likely a scam or phishing attempt.
The messages also contradicted each other. The first text message said the leak occurred in the San Francisco Bay Area, while subsequent messages said it happened in Amsterdam.
A successful SIM swap is extremely dangerous, because the attacker then receives the one-time verification codes most companies use to reset passwords or grant account access. In this case, however, no real SIM swap was underway; the hacker was laying the groundwork for a more sophisticated scam.
One-time Verification Code and Password Reset
The attack then escalated: I received one-time verification codes, supposedly from a payment platform, via SMS and instant messaging apps. This made me believe that someone was trying to log into my accounts on several financial platforms. Unlike the suspicious carrier messages, these verification codes did come from seemingly legitimate short codes.
Phishing Phone Calls
About five minutes after receiving the messages, I received a call from a California number. The caller, who identified himself as "Mason," spoke with a genuine American accent and claimed to be from the investigation team of a trading platform. He said that in the past 30 minutes there had been more than 30 attempts, through the platform's chat window, to reset my password and break into my account. According to "Mason," the attacker had passed the first layer of verification for the password reset but failed at the second layer.
He told me that the other party had been able to provide the last four digits of my ID number, my complete driver's license number, home address, and full name, but had failed to give the complete ID number or the last four digits of the bank card linked to the account. Mason explained that this inconsistency was what had triggered the platform's security team's alert and prompted them to contact me to verify the situation.
Legitimate exchanges will never proactively call users unless you initiate a service request through the official website.
Security Check
After delivering the "bad news," Mason suggested protecting my account by blocking additional attack vectors. He started with API connections and linked wallets, claiming he would revoke their access to reduce risk. He listed several connected entities, including certain trading platforms, analysis tools, and wallets; some I did not recognize, but I assumed they were ones I had set up and forgotten.
At this point my vigilance had dropped, and I even felt reassured by the platform's apparent "active protection."
So far, Mason had not requested any personal information, wallet addresses, two-factor authentication codes, or one-time passwords, which are the usual requests from phishers. The entire interaction felt protective and security-minded.
Covert Pressure Tactics
Next came the first attempt to apply pressure by creating a sense of urgency and vulnerability. After completing the so-called "security check," Mason claimed that the platform's protection for senior accounts had been terminated because my account had been flagged as high risk. That meant my wallet assets on the platform were no longer covered by insurance, and if an attacker succeeded in stealing the funds, I would not receive any compensation.
Looking back, this argument should have been an obvious red flag. Unlike bank deposits, crypto assets are never protected by insurance. Although exchanges may keep customer dollars in insured banks, the exchanges themselves are not insured institutions.
Mason also warned that a 24-hour countdown had already begun and that the account would be locked when it expired, after which unlocking would require a complex and lengthy process. Even more alarming, he claimed that if the attacker obtained my full Social Security number during this period, they could steal funds even while the account was frozen.
Later, I consulted the real platform customer service team and learned that locking the account is indeed their recommended security measure. The unlocking process is actually simple and secure: by providing a photo of the ID and a selfie, the platform can quickly restore access after verifying the identity.
Then I received two emails. The first was a confirmation for the platform's newsletter subscription, a normal email triggered by the attacker submitting my address through the official website form. This was clearly an attempt to use a genuine official email to cloud my judgment and lend the scam credibility.
The second, more disturbing email came from an address that appeared to be the platform's official domain and stated that my premium account protection had been canceled. An email that seems to come from a legitimate domain is very misleading: it would have been easy to flag as suspicious had it come from a dubious domain, but because it showed an official address it looked genuine and credible.
Suggested Remedies
Mason then suggested transferring my assets into a multi-signature wallet called "Vault" to ensure security. He even asked me to search for the official documentation to prove that this has been a legitimate service of the platform for many years.
I said that I was unwilling to make such a significant change without sufficient investigation. He said he understood and encouraged me to research carefully, and even urged me to contact my carrier first to prevent SIM swapping. He said he would call back in 30 minutes to continue with the next steps. After hanging up, I immediately received a text message confirming the call and the appointment.
Call Back and "Vault"
After confirming that there was no SIM transfer attempt at the carrier, I immediately changed all account passwords. Mason called back as scheduled, and we began discussing the next steps.
By this point, I had verified that "Vault" is indeed a real service provided by the platform. It is a custody solution that adds security through multi-signature authorization and a 24-hour withdrawal delay, but it is not a true self-custody cold wallet.
Mason then sent a seemingly relevant domain link, claiming it would let me review the security settings discussed in the first call; once the review was complete, the assets could be transferred to the Vault. This is where my cybersecurity background finally came into play.
After entering the case number he provided, the opened page displayed the so-called "API connection removed" and "Create Vault" buttons. I immediately checked the website's SSL certificate and found that this domain, registered only a month ago, had no relation to the platform. Although SSL certificates can often create a false sense of legitimacy, legitimate company certificates have clear ownership, and this discovery made me stop my actions immediately.
Legitimate platforms clearly state that they never use unofficial domains. Even when a third-party service is involved, it should appear as a subdomain of the official domain. Any operation involving your account should be performed through the official app or website.
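The domain rule above can be checked mechanically before following any link received during a support call. The following is an added example, not the platform's own code; the official domain is a constructed placeholder, and the check treats only the exact official domain or a label-aligned subdomain of it as acceptable.

```python
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Constructed placeholder for the exchange's genuine registrable domain (not a real platform).
OFFICIAL_DOMAIN = "example-exchange.com"


def check_link(url: str, official: str = OFFICIAL_DOMAIN) -> Tuple[bool, str]:
    """Decide whether a link may be used for account operations.

    Accepts only https URLs whose host is exactly the official domain or a
    subdomain of it, so lookalikes such as "example-exchange.com.evil.net",
    "example-exchange-support.com" and "https://example-exchange.com@evil.net/"
    are rejected. Returns (verdict, reason).
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"
    if parts.username is not None:
        # "official.com@evil.net": the text before '@' is userinfo, not the host
        return False, "URL carries userinfo before '@', a classic disguise"
    host = parts.hostname  # lowercased by urlsplit; port already stripped
    if not host:
        return False, "no host in URL"
    host = host.rstrip(".")  # tolerate a trailing dot on a fully qualified name
    try:
        ipaddress.ip_address(host)
        return False, "bare IP address instead of a domain"
    except ValueError:
        pass
    if not host.isascii():
        return False, "non-ASCII host (possible homoglyph lookalike)"
    official = official.lower().rstrip(".")
    if host == official:
        return True, "exact official domain"
    if host.endswith("." + official):
        return True, f"subdomain of {official}"
    return False, f"host {host} is not {official} or a subdomain of it"


if __name__ == "__main__":
    # Constructed sample links of the kind a caller might send
    for sample in ("https://vault.example-exchange.com/review",
                   "https://example-exchange.com.evil.net/review",
                   "https://example-exchange.com@evil.net/"):
        print(sample, "->", check_link(sample))
```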
I expressed my concerns to Mason, emphasizing that I only wished to operate through the official app. He argued that using the app would cause a 48-hour delay, while the account would be locked after 24 hours. I again refused to make a hasty decision, and he then stated that he would escalate the case to the "Tier 3 Support Team" in an attempt to restore my advanced account protection.
After hanging up the phone, I continued to verify the security of other accounts, and the feeling of unease grew stronger.
"Tier 3 Support Team" Call
About half an hour later, a Texas number called. Another person with an American accent claimed to be a Tier 3 investigator handling my account recovery request. He said a 7-day review period was required, during which the account would remain uninsured. He also "thoughtfully" suggested opening multiple Vaults for different on-chain assets, sounding professional but never naming specific assets, referring only vaguely to "Ethereum, Bitcoin, etc."
He mentioned that he would apply to the legal department to send chat records, and then he started promoting Vault. As an alternative, he recommended a third-party wallet called SafePal. Although SafePal is indeed a legitimate hardware wallet, this is clearly a pretext to gain trust.
When I questioned the suspicious domain again, he still tried to brush off my doubts. At that point the attacker probably realized the attempt was unlikely to succeed and finally abandoned the phishing attack.
Contact the real customer service of the platform
After ending the call with the second fake customer service representative, I immediately submitted an application through official channels. The real customer service representative quickly confirmed that there were no abnormal login or password reset requests for my account.
He recommended locking the account immediately and collecting the attack details to submit to the investigation team. I provided all the fraudulent domain names, phone numbers, and attack vectors, and specifically asked how an email could have been sent from what appeared to be an official address. Customer service acknowledged that this was very serious and promised that the security team would investigate thoroughly.
When contacting the exchange or custodian's customer service, be sure to do so through official channels. Legitimate companies will never proactively contact users.
Experience Summary
Although I was fortunate not to be deceived, as a former cybersecurity professional, this near-miss experience has left me feeling deeply unsettled. Had it not been for my professional training, I might have been scammed. If it were just an ordinary unknown call, I would definitely have hung up right away. It was the meticulously crafted series of actions by the attackers that created a sense of urgency and authority, making this phishing attempt so dangerous.
I have summarized the following warning signals and protective suggestions, hoping to help investors safeguard their funds in the current online environment.
Danger Signals
Creating Chaos and Urgency Through Coordinated False Alarms
The attacker first created the illusion of simultaneous attacks on multiple platforms by sending a series of SIM swap alerts and one-time verification code requests from multiple services (at the same time, via SMS and instant messaging apps). Triggering these messages probably required only my phone number and email address, both of which are easy to obtain. At this stage, I believe the attacker had not yet gained any deeper account data.
Mixing short codes with regular phone numbers
The phishing messages were sent from a mix of SMS short codes and regular phone numbers. Businesses typically use short codes for official communications, and attackers can spoof or recycle those short codes. Legitimate services, however, never use regular phone numbers to send security alerts, so messages from standard-length numbers should always be treated with suspicion.
Requiring operations through unofficial or unfamiliar domains
The attacker asked me to access