Thread: Major (and ongoing) Venmo hack is targeting accounts of big name poker pros

  1. #1
    Owner Dan Druff's Avatar
    Reputation
    10144
    Join Date
    Mar 2012
    Posts
    54,758
    Blog Entries
    2
    Load Metric
    67585365

    Major (and ongoing) Venmo hack is targeting accounts of big name poker pros

    https://twitter.com/RealKidPoker/status/1331475856359735299

    https://twitter.com/Erik_Seidel/status/1331329401611542529


    So obviously this isn't a coincidence. Seidel and Negreanu were clearly targeted due to being prominent (and assumed wealthy) poker pros.

    But how did it happen? Could be in a variety of ways, which I'll list from most likely to least likely:

    1) Phishing attack: Often scammers will send fake e-mails from PayPal or Venmo, with a link to "login" to resolve a phony problem. Then the victims enter their login info, which is promptly stolen by the criminals. Then they are given some kind of non-threatening screen stating that the problem has been resolved (or something else making them forget that anything notable happened), and the thieves go to town.

    2) Stolen password from previous hack: Negreanu and Seidel perhaps used the same e-mail/password combo on Venmo as they have on other sites which were previously hacked, thus allowing those same hackers (or ones who viewed a data dump of those hacks) to get this info.

    3) Social engineering attack: Venmo customer support was convinced by the criminals to allow access to Negreanu and Seidel's accounts (in separate phone calls or e-mails).

    4) Email compromise: Their e-mail was accessed in some way by the criminals (usually by phishing, but sometimes other ways), and this allowed their password to be reset (and the notification of it being reset deleted).

    5) Keylogger attack: These guys used a computer at some point -- perhaps their own, perhaps someone else's -- which logged their key presses, and the criminals obtained their Venmo password this way.

    6) Insider attack: Someone at Venmo enabled access to these accounts by criminal friends.

    7) Exploit/hacking of Venmo: Someone has a way to exploit Venmo itself to break into accounts.



    Here are my tips to prevent yourself from becoming a victim:

    1) You gotta keep 'em separated! Always use separate passwords for different sites, even if they vary by only a little.

    2) Don't click links. Never click on links from payment services in e-mail. Always go to the URL directly.

    3) Don't hold a balance on Venmo or PayPal. Always cash it out. This is protection against both hacking and unfair confiscation. Any money stolen through your bank can be recovered fairly easily. Any money stolen directly out of your Venmo/PayPal balance can be very difficult to recover, and you have zero power in the situation.

    4) Use a different e-mail for these services than you normally use for regular correspondences with people.

    5) Lock 'em up! Set up maximum security, such as two-layer verification before payments are allowed.

  2. #2
    Platinum Jayjami's Avatar
    Reputation
    884
    Join Date
    Feb 2014
    Location
    South Lake Tahoe
    Posts
    3,187
    Quote: Originally Posted by Dan Druff
    1) You gotta keep 'em separated!

    “You’re under 18 you won’t be doing any time” might be the best line ever.

     
    Comments
      
      Sanlmar: You’re under 18 you won’t be doing any time. Indeed
      
      Sludge: It’s hard to believe this great song is already 27 years old.

  3. #3
    Owner Dan Druff's Avatar
    They got Vanessa Selbst, too. They also hacked her wife.

    Apparently this is either an inside job, or someone found an exploit in Venmo. All three victims are reporting that Venmo Support is virtually ignoring them, so you really should get your entire balance off Venmo NOW.

    Vanessa actually provided the first view into the process the hacker is using.

    https://twitter.com/RealKidPoker/status/1331703745848098817

    https://twitter.com/VanessaSelbst/status/1331705520118501384

    https://twitter.com/VanessaSelbst/status/1331779209258274817

    https://twitter.com/VanessaSelbst/status/1331781546722942976

    https://twitter.com/VanessaSelbst/status/1331789456446255105


    So it appears that the hackings occur by sending a request for money to someone, which then opens up some kind of security vulnerability. It also looks like they can target anyone they want. Once they got access to Vanessa's account, they noticed she sent her balance to her wife, so the hackers then grabbed her wife's account.

    This looks like it's probably impossible to stop. While I believed that perhaps Seidel and Negreanu were tricked by a phishing trick, it's hard to believe that Vanessa's wife was nailed by phishing right after Vanessa's account got compromised. You'd think Vanessa would be too suspicious at that point to allow this to happen.

    She did make a mistake by transferring the money to her wife, instead of initiating a cashout. She might have been worried that the cashout would be too slow, and might be able to be cancelled. But if you're that worried hackers are going to get into your account, then sending the money to your wife isn't going to help, since the hackers will see where the money went, and get it anyway (and that's exactly what happened).

    What a mess.

    In the 2000s, "Steve Da Pimp", a former NWP user, had some way to take over AOL e-mail accounts at will. Using this method, he hijacked lots of high profile online poker accounts. He also tricked people into BS money transfers between sites once he had access to these e-mails (and poker accounts). For example, he'd be on Full Tilt as John Juanda (one of his victims) and ask someone else, "Hey, can you send me $20k on Stars for $20k here", and people would send, believing it to actually be Juanda.

    Steve was never caught for this. I actually had the FBI investigating him, but it ultimately didn't go anywhere. Steve ended up in prison for a while for an unrelated crime.

  4. #4
    Owner Dan Druff's Avatar
    Also, for the moment, it is wise to unlink all bank accounts and credit cards from Venmo (unless you're in the process of cashing out).

    Then you're untouchable.

  5. #5
    Gold Cerveza Fria's Avatar
    Reputation
    450
    Join Date
    May 2015
    Location
    South Florida
    Posts
    1,802
    Quote: Originally Posted by Dan Druff
    Also, for the moment, it is wise to unlink all bank accounts and credit cards from Venmo (unless you're in the process of cashing out).

    Then you're untouchable.

    Unless someone inside your bank (an employee) that knows the history and usual activity of the accounts transfers money out of your account into another. It's happened to me... twice.

  6. #6

  7. #7
    Cubic Zirconia
    Reputation
    22
    Join Date
    Feb 2014
    Location
    vegas
    Posts
    43
    An Uber ride? Wonder if he is smart enough to realize that it would be very easy to report him to the police. You would have all the evidence of 2 known locations of where he was, in which case video might be available of who he is. Why hasn't Todd suggested this yet? Maybe I'm the only one capable of realizing it, since he isn't autistic like me.

  8. #8
    Owner Dan Druff's Avatar
    Quote: Originally Posted by sevencard2003
    An Uber ride? Wonder if he is smart enough to realize that it would be very easy to report him to the police. You would have all the evidence of 2 known locations of where he was, in which case video might be available of who he is. Why hasn't Todd suggested this yet? Maybe I'm the only one capable of realizing it, since he isn't autistic like me.

    People already suggested this on Twitter. It's not clear what Daniel did with this information.

  9. #9
    Owner Dan Druff's Avatar
    A Twitter user reported to me that they got a warning from Chrome that their "saved passwords" to caesars.com and one other Caesars site were "compromised due to a data breach", and advised changing them.

    I wonder if the passwords used on caesars.com by Daniel, Erik, and Vanessa were the same as their Venmo passwords. But how would that explain Vanessa's wife? And why would that weird request for money always need to precede the hacking? Probably unrelated, but still worth noting.

  10. #10
    Gold Shizzmoney's Avatar
    Reputation
    457
    Join Date
    Mar 2012
    Posts
    2,451
    Blog Entries
    1
    LOL @ leaving 15K in your venmo account
    http://www.miraclecovers.com

    "Donk down, that’s what you say to someone after they have lost 28K straight?" - Phil Hellmuth, online

  11. #11
    Owner Dan Druff's Avatar

     
    Comments
      
      shoeshine box: what shuck to have a Venmo acct still Mike...duh.

  12. #12
    Cubic Zirconia Sludge's Avatar
    Reputation
    11
    Join Date
    Mar 2021
    Location
    Jerkwater USA
    Posts
    14
    Quote: Originally Posted by Dan Druff
    1) Phishing attack

    2) Stolen password from previous hack

    3) Social engineering attack

    4) Email compromise

    5) Keylogger attack

    6) Insider attack

    7) Exploit/hacking of Venmo

    Your phone carrier can be a problem area, also. A sympathetic representative might give a thief your password, and use this to exploit information on your SIM card.
