
Social Engineering Attack – A Crypto Theft via Google Account Takeover
13 Feb, 2026

A company recently had a major security problem where someone stole cryptocurrency worth over $100,000. They got in touch to ask for our help.

After looking into it, it turned out the theft wasn’t due to blockchain vulnerabilities. Instead, the thief was able to obtain the private key from an ex-employee. The private key had been stored in the ex-employee’s Google account. This private key belonged to an old address and had simply been forgotten.

The person who created the wallet told us what had happened the day before the theft. For privacy reasons, we won’t mention any names. To keep things simple, let’s just call him Jay.

The Initial Contact via a Verified X Account

Jay received a message from a verified X account belonging to a well-known influencer. The influencer asked him to appear on their podcast. The account was real. A time was set.

Jay received a StreamYard link. StreamYard is a tool that can be used to create professional broadcasts, interview guests remotely and stream to multiple platforms simultaneously. It’s a platform he was already familiar with and had used before. Nothing felt unusual. Jay clicked the link and a page opened, showing the host and their team already waiting. But the connection didn’t work properly.

The team suggested some fixes: using a different browser, checking the VPN connection and trying to start the video again.

The fact that others also seemed to be experiencing technical problems made it feel normal. Jay didn’t feel targeted. To him, it felt like bad luck. Eventually, they agreed to try again later. They said they would make some technical changes.

How the Fake StreamYard Link Worked

Jay suggested holding the call on Zoom or Google Meet, but they declined. That’s when Jay started to see a red flag. By this point, though, the fraudsters had gained Jay’s confidence and the video call seemed promising. In the afternoon, Jay received another link, and this time he was prompted to log in with his Google account. There was a familiar ‘Sign in with Google’ button. Everything looked legitimate. Jay entered his login credentials.

And then the notifications started. Someone was attempting to log in to Jay’s Google account. The password was changed, the two-factor authentication settings were modified and a hardware security key was added. Within minutes, Jay was completely locked out of his own account.

Why Storing Private Keys in Email Is Dangerous

And just like that, the fraudsters had access to everything in the Google account, including personal emails, pictures and documents, as well as a private key. Jay didn’t even remember saving it there. In many cases, users don’t. A quick photo, a note or an email draft saved years earlier can stay tucked away in a cloud account long after it’s been forgotten.

This allowed the scammers to steal the cryptocurrency, leaving the victim out of pocket by more than $100,000. This was a painful lesson: storing sensitive information such as private keys in email accounts can put your assets at risk.

Google Account Takeover Explained

What appeared to be a failed podcast recording was, in fact, a targeted social engineering attack. The initial StreamYard link redirected to a fake login page designed to capture Jay’s Google credentials. Armed with this password, the attacker gained full access to the account, including the ability to change the 2FA settings and add a hardware security key.

This incident did not rely on malware or technical exploits. It worked because the initial contact came from a verified, trusted account.

According to the FBI, over 5,100 cases of account takeover were reported between January and November 2025, with reported losses exceeding $262 million.

In this case, the X account had been compromised months earlier. The StreamYard platform appeared legitimate and familiar, and the fraudsters created a distraction while communicating with Jay in an apparently normal manner. It felt authentic. The attack exploited trust, context and timing.

How to Protect Yourself Against Phishing Attacks

So next time, be cautious when you receive a link from someone on X or Telegram, even if you think you know them. Before clicking, always check the authenticity of the link.

In the case of the StreamYard platform, a legitimate guest invitation link will usually follow this format: https://streamyard.com/invite/xxx. The link will always start with ‘https://’, where the ‘s’ stands for ‘secure’.

Scammers often use domains that look similar, such as streamyard.org or streamyard-support.com. After the ‘/invite/’ part comes a unique combination of letters and numbers, typically between 10 and 15 characters long.

After clicking a legitimate StreamYard link, you should be taken directly to a browser-based studio where you can enter your name and adjust your camera settings. The platform will never ask you to download software, so do not install anything unexpected. If you are ever in any doubt, open streamyard.com directly in your browser.
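The link checks described above can be run before a link is ever opened. The following Python sketch is an added example, not code from Tracelon or StreamYard. The function name, the strict exact-host match and the constructed sample links are assumptions, and the 10 to 15 character range is the article's "typical" figure, so a path mismatch is a warning rather than proof.

```python
import re
from urllib.parse import urlsplit

EXPECTED_HOST = "streamyard.com"  # host from the invite format quoted in the article
# "Typically 10 to 15 letters and digits" per the article, so a miss here is a warning.
INVITE_PATH = re.compile(r"/invite/[A-Za-z0-9]{10,15}/?")

def check_invite_link(url):
    """Return the reasons a link deviates from the expected invite format ([] = none)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["URL cannot be parsed"]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if "@" in parts.netloc:
        # https://streamyard.com@other.example/ really points at other.example
        problems.append("userinfo before the host")
    if port not in (None, 443):
        problems.append("non-default port")
    if host != EXPECTED_HOST:  # exact match: subdomains and other TLDs are rejected
        if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
            problems.append("non-ASCII or punycode host: " + host)
        elif "streamyard" in host:
            problems.append("lookalike host: " + host)
        else:
            problems.append("unexpected host: " + host)
    if not INVITE_PATH.fullmatch(parts.path):
        problems.append("path is not /invite/<10-15 letters and digits>")
    return problems

# Constructed sample links; the invite codes are made up.
SAMPLES = [
    "https://streamyard.com/invite/a1b2c3d4e5f6",
    "https://streamyard.org/invite/a1b2c3d4e5f6",
    "https://streamyard-support.com/invite/a1b2c3d4e5f6",
    "http://streamyard.com/invite/a1b2c3d4e5f6",
    "https://streamyard.com@login.example/invite/a1b2c3d4e5f6",
    "https://streamyard.com/invite/abc",
]

if __name__ == "__main__":
    for link in SAMPLES:
        findings = check_invite_link(link)
        print(link, "->", "matches expected format" if not findings else "; ".join(findings))
```

An empty result only means the link has the expected shape; a page that then asks for Google credentials or a download still fails the checks described in this section.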

It’s also important to say that this kind of abuse isn’t just happening with StreamYard. Phishing attempts can happen on pretty much any online platform.

When it comes to your Google account, syncing Google Authenticator to it carries a risk. If it is synced, fraudsters who take over your Google account will also be able to access all the other one-time codes on Google Authenticator. So it’s better to use the authenticator without an account. If you do decide to do that, make sure you have a printed copy of the one-time backup codes and stash them somewhere safe.

What to Do After a Google Account Is Compromised

If you have entered your credentials and then realize that it was a scam, you need to react really quickly. Go directly to accounts.google.com from a trusted browser and change your password to a strong, unique one. If it is not already active, enable 2FA, then review your security settings and log out of all unknown sessions.

Make sure your recovery email address and phone number haven’t been changed, as attackers often do this to get access and lock you out. Actually, it’s probably better to keep the recovery options to a minimum, as having more methods can give scammers another way to reset your password and take over your account.

If your email address gets hacked, it might be used to reset passwords for other accounts. So, you should also update the passwords for any important services linked to it. Finally, keep an eye on your account activity and let your contacts know if you spot any dodgy messages sent out from your inbox.

If your social media accounts, like X, LinkedIn or Facebook, are compromised, your contacts could be at risk too. Attackers can take advantage of trusted connections to launch convincing phishing attempts, spread malware, and trick others into sharing sensitive information. So, please inform your contacts that they may be targeted by scammers as well.

Understanding how these attacks work is essential to protecting yourself from phishing and scams. However, fraudsters are very imaginative and are always coming up with new ways to trick people.

If you suspect an account compromise or unauthorized activity, contact our digital forensics team. Tracelon can assist in identifying those responsible and supporting efforts to trace and freeze stolen funds.

FAQ

What is a Google account takeover?

A Google account takeover occurs when a fraudster gains unauthorized access to your account through stolen credentials or security vulnerabilities. This could be because the fraudster has obtained your Google credentials, or has accessed the other recovery methods you have added to your account, such as an alternative email address or telephone number.

How do phishing attacks steal crypto?

A scammer can steal crypto by tricking victims into revealing login credentials or private keys through fake websites or messages. Once a scammer has gained access to an email account, they look for a private key so that they can control your wallet and transfer funds to their own addresses.

Is StreamYard safe to use?

For the sake of clarity, we’re not saying that it is unsafe to use StreamYard. However, you should always check any link you receive before clicking on it, and avoid entering your Google credentials or downloading any software, especially if the request is urgent.

 

 


Tracelon Sociedade ULda

Contact Tracelon Blockchain Investigation

Rua Hermano Neves 18, 3°, Sala 7, 1600-477, Lisbon, Portugal