When he brought his Android smartphone home following a trip to the store to fix its screen, Van Thang found that $83,000 worth of his cryptocurrency tokens had disappeared.
“My phone suddenly turned off as I was using it. When I brought it to a store to fix, the employees there said the screen was damaged and needed to be replaced. They told me to wait for half a day. I didn’t think much about it, I gave them my phone and went home,” said Thang, a resident of the central Quang Ngai Province.
He said there was a crypto wallet named Metamask in his phone with five tokens worth $83,000 in it. He said he didn’t sign out of all his accounts on the phone as the screen was only damaged recently and he trusted the store anyway.
“I never provided the store my phone’s password, so it’s difficult to accuse them of anything. But I don’t know how my account could have been compromised, because to sign in and transfer money away from Metamask, a password would be needed along with two-factor authentication,” Thang said, adding that the tokens were definitely lost during the period his phone was fixed as he constantly checked his wallet giving it for repairs.
When he shared the incident on social media, he learned that several others have also lost thousands of U.S. dollars worth of cryptocurrency after getting their phones fixed.
A Reddit account named Hoang Vu said he lost over $20,000 worth of cryptocurrencies after having his smartphone screen fixed at a local store. Vu said that just a few hours after their phone was left behind to be fixed, their email account said an unknown device had logged into it. Even though the email was immediately signed out and had its password changed, the cryptocurrencies were gone.
“I tried to reason with the store but failed, so I had no choice but to return home,” Hoang Vu said.
Hoang Vu tried to get his/her tokens back by going on the Internet and looking for third-party help.
“Someone said they wanted a $3,000 down payment and 20 percent of the tokens in order to use a ‘premium recovery service’. I said I don’t have that much money, so they said I could use a cheaper service for $1,000 and 10 percent of the tokens,” Hoang Vu said, adding that he turned down the offer, fearing it could be a scam.
A phone technician in HCMC said it was easy to bypass a phone’s passwords using specialized tools. Someone with enough skills can even extract registration details on any smartphone, especially on cheaper Android phones with poor security.
The Phong, an expert on blockchains and cryptocurrency, said that if tokens are lost, it would be nearly impossible to get them back due to their anonymous and decentralized nature. Authorities could not help because cryptocurrency was yet to be recognized as legal in Vietnam. He also recommended against getting online help to recover the tokens as most of such services were scams.
Phong said users should not put all their tokens into one cryptowallet. Instead, they should split them to lower risks should their wallets be compromised. They should also keep a security code for their wallets on a piece of paper or on a portable USB instead of storing it online, apart from using other security advices like turning on multiple-factor authentication.
Vo Do Thang, director of cybersecurity firm Athena, said users should log out of all their accounts before getting their phones fixed.
“It’s best to restore your phone to factory settings before getting them fixed.”