jake
Apr 14 · 19 tweets · 11 min read
Working with @_SEAL_Org we were able to retrieve a malware file that was installed on my computer during a @Zoom call with a youtube personality of over 90k subs.

Below I will share details about that person, my experience, and this malicious software known as GOOPDATE ↓
First and foremost, if you use ZOOM please read this thread first! Do not read the rest of the thread until you understand what the ELUSIVE COMET threat is.

On April 4th, I was reached out to by @tacticalinvest_, who was requesting a podcast interview and then had me follow up on Telegram.

Generally, this is nothing out of the ordinary and very common in crypto as many people prefer active communication on Telegram.
Practicing some due diligence before, as I was not familiar with the account, I checked to see what type of verifiable information was out there.

✅ Mutual follows
✅ History of consistent posts and videos
✅ Larger audience
✅ Twitter link in youtube description and matches twitter that DMed me
✅ TG handle in Twitter DMs matches TG that was DMed
So I scheduled a call for 4 days later. Generally, upon interview requests, I'll schedule multiple days out from initial contact in case something comes up.

The interview went from 2pm PST - 3PM PST on April 8th.

During the interview @tacticalinvest_ had his screen turned off. This is also something not uncommon in crypto, but is a red flag.

I asked him at the beginning of the interview if he was going to have his camera on and he said "No, because I am recording from other cameras in the room."

Obviously, in retrospect, this is sus but when you're on a call with somebody and ready to record you just move forward.
But, while the interview was ongoing @tacticalinvest_ was downloading malware on my computer known as goopdate.

Which was powerful enough to steal >$100k in digital assets from my Bitcoin and Ethereum wallets, as well as log into my twitter, gmail, and other accounts.
It's unknown if Tactical Investing is part of this same ELUSIVE COMET scam ring but as you can see in the video below there are dozens of associations with it.

For this scam to take place, it's said that the guest of the @Zoom video call allows "remote access" to the host of the call, which is a requestable feature that is DEFAULT ON for every Zoom account.
With that said, I personally do not remember clicking a button to give remote access nor saw any displays during the call that remote access was given.

This doesn't mean this wasn't the case, just saying I saw no signs during the call that remote access was on or given.

I am in contact with @Zoom, who reached out after the last thread reached 500k views.

The conversation is still in its early stages and I remain optimistic change will come of this and the countless victims of this scam can work on a resolution with Zoom.

There have been dozens of people reaching out to me who have lost money to this scam, some upwards of $400k.
The next day, on April 9th, I was opening the garage at my house to get in my car when I started receiving notifications of assets being sold on OpenSea.

This was particularly strange because I had approvals turned off and the assets were inside of a Ledger cold storage wallet.

Within 10 minutes I grabbed my Ledger and logged into the wallet.

Immediately, I went to revoke.cash to remove approvals. That was not working. I tried multiple times and it just would not revoke. Red ❌ every time.

So then I moved over to Etherscan to start revoking approvals.
By this point many of my grails were sold below floor prices.

I thought the exploit was done, until just a few minutes later all of my assets were listed again.

At this point, I knew this was something much larger than a simple phishing scam. This person had access to my entire wallet.

So I took my Ledger and logged in on a different computer to see if that made a change.
At this point the scammers knew I was at my computer. So they sent a bunch of fake ERC20 tokens into the hacked wallet, around 2:40PM PST, and about 30 minutes after I made contact with the wallet.

I'm not sure what this method does but I assume it's to scramble transactions or freeze activity in the wallet so they can transfer the proceeds out.

Not completely sure but it's something notable as it shows they were actively managing the situation to prevent me from moving assets out of the wallet.
After all was said and done I was able to save about 25% of assets in the wallet.

As far as the Ledger goes, I'm not too sure how they accessed the wallet. I had only logged in a few times over the 3 years since I set it up and never wrote the password down anywhere digitally.

After review, I don't think it's a Ledger hack but something related to my desktop.

By the end of the day I was devastated and exhausted. I thought the hack was related to a seed phrase compromise but wasn't sure. I asked a ton of people and reached out to @_SEAL_Org for help.
The next day I began to suspect this could be related to the @tacticalinvest_ Zoom call after reading about the ELUSIVE COMET scam.

During the call Tactical Investing said the show would be released in a few days. So I reached out to him and all of the sudden the release was moved to a few weeks.

This is the last DM we have had together. He has not reached out at all since the hack took place.
Just as I became suspicious of Tactical Investing and thought the attack was over my X account became compromised, just ONE HOUR after I DMed Tactical Investing.

Luckily, I was on a different computer so the DMs were limited and I managed to contain the situation quite quickly.

But we did go back and forth between resetting Twitter passwords before I was able to lock him out of my emails and socials.

This screenshot is what one of the DMs looked like. He was trying to get people on a video call through Brave and Zoom.
I spent the entire weekend resetting passwords, wiping computers, changing wallets, and dealing with the social ramifications of it.

The 2nd and 3rd order effects from something like this can be quite confusing.

I am lucky to have @_SEAL_Org's help, as well as the enormous amount of support from people who have reached out.
I'm not joking when I say there could be hundreds of people who have been affected by this.

Most people who have reached out have lost a lot of money and feel quite embarrassed for this situation.

It's pretty unanimous that people want change from @Zoom, which includes a variety of resolutions for the victims, change in the nature of the remote control feature, removal of it as a requestable default feature, and even more pursuant things.

But for sure THIS SHOULD NOT BE A DEFAULT SETTING.
Where does it go from here?

With the successful retrieval of the malware file it can now be analyzed by security teams to understand the origin and nature of it.

I am in contact with @Zoom (for what it's worth) and am optimistic that it can lead to change. I have been told the CEO of Zoom has been made aware of the situation, but I have not been personally contacted by anybody other than through Twitter or email via their official channels.

The community is now aware of the dangers of using desktop applications for interviews and video calls. It should be suggested to use browser-based video calls from here on out, or just avoid Zoom entirely.

For the victims, it's still a bit ambiguous. If you have been affected you can continue to reach out to me and when progress is made with Zoom I can keep you in the loop in regard to a resolution or any updates.
As for me, I will continue to run my companies @EmblemVault and @AgentHustleAI as a builder in the industry.

I have updated my security practices, which have become a bit more rigorous.

From a loss standpoint, losing that amount of money sucks. Especially when it comes to very rare assets that are hard to attain and that I spent years working on.

Unfortunately, it's part of the wild wild west within the ownership layer of the internet.

I'll continue to move forward, share my insights on the industry, build great products, and remain as authentic as possible.

Really appreciate everybody who's shown support throughout this process, provided information, and helped out.

We will come back stronger than ever 🙏
The best thing you can do is share the thread so that everybody can be aware of Goopdate, video conferencing, and potential attack vectors.

The community deserves to know these dangers and should be aware!
