Fraud, Scam, and Unauthorized Account Reports
Problem
Customers contact BitGo reporting suspected fraud, scams, unauthorized account creation, account compromises (hacks/SIM swaps), or phishing emails. These reports fall into several distinct categories: (1) individuals who never created a BitGo account but received verification or login notification emails, indicating their email was used without consent to create an unauthorized account; (2) existing BitGo customers reporting their account was hacked or compromised; (3) individuals who fell victim to an investment scam conducted by a third party who directed them to use BitGo; and (4) external parties reporting potential fraud involving the BitGo name or brand. The volume of unauthorized account creation reports can spike in bursts, suggesting bulk use of harvested email lists.
Diagnostics
- Verify whether the reporter has an existing BitGo account: Use the BitGo admin tool (bga) to look up the user by email address. If no account is found, inform the customer that no account exists under their email on the platform.
- Check account activation state: For unauthorized account creation reports, determine whether the account was ever activated. Look for wallet creation, completed onboarding checks (identity, email, and IP verification), and any transaction history. An unverified or never-activated account is a strong signal of bulk unauthorized signup.
- Review audit logs for compromise indicators: For existing customers reporting hacks, pull user audit logs (bgatool) and inspect for:
  - userPasswordReset, userSettingsChange, userLogin, userFailedLogin, userSignup, and userSourceVerified events
  - IP addresses that do not match the customer's known location
  - Failed 2FA attempts ("failure":"incorrect 2-factor-auth") followed by successful logins
  - Any API Access Token creation (spoof the user account to check)
- Check wallet balances and transaction history: Determine if the wallet has funds, if any transactions were initiated, and whether funds have already moved.
- Identify enterprise association and freeze status: Check whether the user belongs to an enterprise, whether the enterprise is already frozen, and how many wallets exist.
- Determine if this is a known bulk unauthorized signup event: If multiple tickets arrive in a short window from users who never created accounts, this likely relates to a known incident where emails from a compromised list were used to create unwanted BitGo accounts. Coordinate with the internal team via Slack.
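The audit-log review above (and the same review in the account-compromise scenario below) can be scripted so that the indicators are applied consistently to every export. The following is an added example, not BitGo's bgatool or any BitGo code: the JSON field names (time, type, ip, country, failure), the sample events, and the 15-minute correlation window are constructed assumptions; only the event type names and the "incorrect 2-factor-auth" failure string come from the runbook. Whether an API Access Token exists is passed in as a flag, since the runbook says that is checked by spoofing the account rather than from the log.

```python
"""Triage helper for a user audit-log export (added example; field layout is assumed)."""
import json
from datetime import datetime, timedelta

# Event types the runbook says to inspect.
SENSITIVE_EVENTS = {"userPasswordReset", "userSettingsChange", "userLogin",
                    "userFailedLogin", "userSignup", "userSourceVerified"}
TWO_FA_FAILURE = "incorrect 2-factor-auth"  # failure string quoted in the runbook

# Constructed sample export (one JSON object per line): a benign login from the
# customer's usual country, then a sequence matching the compromise pattern.
SAMPLE_AUDIT_LOG = """
{"time": "2024-05-01T09:00:00Z", "type": "userLogin", "ip": "203.0.113.10", "country": "US"}
{"time": "2024-05-03T02:11:00Z", "type": "userFailedLogin", "ip": "198.51.100.7", "country": "NL", "failure": "incorrect 2-factor-auth"}
{"time": "2024-05-03T02:12:30Z", "type": "userFailedLogin", "ip": "198.51.100.7", "country": "NL", "failure": "incorrect 2-factor-auth"}
{"time": "2024-05-03T02:14:05Z", "type": "userLogin", "ip": "198.51.100.7", "country": "NL"}
{"time": "2024-05-03T02:15:40Z", "type": "userPasswordReset", "ip": "198.51.100.7", "country": "NL"}
{"time": "2024-05-03T02:16:10Z", "type": "userSettingsChange", "ip": "198.51.100.7", "country": "NL"}
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def unknown_location_ips(events, known_countries):
    """IPs whose country is not one the customer is known to log in from."""
    return sorted({e["ip"] for e in events if e.get("country") not in known_countries})


def failed_2fa_then_login(events, window=timedelta(minutes=15)):
    """IPs with 2FA failures followed by a successful login from the same IP within `window`."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] != "userLogin":
            continue
        failures = [e for e in events[:i]
                    if e["type"] == "userFailedLogin"
                    and e.get("failure") == TWO_FA_FAILURE
                    and e["ip"] == ev["ip"]
                    and ev["time"] - e["time"] <= window]
        if failures:
            hits.append({"ip": ev["ip"], "failed_2fa": len(failures), "login_time": ev["time"]})
    return hits


def post_login_changes(events, login_time, ip):
    """Password resets or settings changes from the same IP after the suspicious login."""
    return [e["type"] for e in events
            if e["ip"] == ip and e["time"] > login_time
            and e["type"] in ("userPasswordReset", "userSettingsChange")]


def evidence_lines(events, suspicious_ips):
    """Timestamp / IP / event lines suitable for the customer's law-enforcement report."""
    return [f'{e["time"].strftime("%Y-%m-%d %H:%M:%S")}Z  {e["ip"]:<15}  {e["type"]}'
            for e in events if e["ip"] in suspicious_ips and e["type"] in SENSITIVE_EVENTS]


def triage(log_text, known_countries, api_token_created):
    """Apply the runbook's indicators and return a summary for the ticket."""
    events = parse_audit_log(log_text)
    unknown_ips = unknown_location_ips(events, known_countries)
    hits = failed_2fa_then_login(events)
    for h in hits:
        h["followed_by"] = post_login_changes(events, h["login_time"], h["ip"])
    suspicious_ips = set(unknown_ips) | {h["ip"] for h in hits}
    indicators = []
    if unknown_ips:
        indicators.append("login activity from unexpected location")
    if hits:
        indicators.append("2FA failures followed by successful login")
    if any(h["followed_by"] for h in hits):
        indicators.append("password reset or settings change after suspicious login")
    if api_token_created:  # determined by spoofing the account, per the runbook
        indicators.append("API Access Token created on account")
    return {
        "suspicious_ips": sorted(suspicious_ips),
        "hits": hits,
        "indicators": indicators,
        "recommend_freeze": bool(indicators),
        "evidence": evidence_lines(events, suspicious_ips),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT_LOG, known_countries={"US"}, api_token_created=True)
    print("Indicators:", result["indicators"])
    print("\n".join(result["evidence"]))
```

The evidence list is the part to paste into the ticket when handing the customer IP addresses and timestamps; the "recommend_freeze" flag only summarises the indicators and does not replace the immediate precautionary freeze the scenarios call for.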
Resolution
Scenario: fraud-someone-fraudulent-hacked#unauthorized-account-creation-bulk
Trigger: A person who never created a BitGo account contacts support after receiving an email verification or login notification from BitGo, indicating someone used their email to create an account without permission.
Signals: unauthorized account, someone used my email, did not create account, fraudulent account, verification email, scam signup, phishing, delete account, never heard of BitGo
Steps:
- Look up the email address in the BitGo admin tool to confirm an account exists.
- Freeze the account immediately as a precaution.
- Confirm the account was never activated — check that no wallets were created, no onboarding checks were completed, and no transactions occurred.
- Respond to the customer acknowledging that an account was created using their email without their permission. Inform them the account has been frozen and is under investigation. State that no action is required from them at this time.
- Ask the customer to reply to consent if they wish to have the account removed from the BitGo database.
- Upon receiving consent (or if the account was clearly unauthorized), delete the user account from the platform.
- Send the follow-up resolution email explaining the investigation findings.
- Recommend precautionary steps to the customer.
Notes: This scenario often occurs in bulk waves. BitGo's onboarding checks (identity, email, and IP verification) prevent these unauthorized accounts from being fully activated. The incident is not related to a hack or privacy breach of BitGo's servers. If the customer does not reply to the consent request, proceed with closing the account as part of the internal cleanup process.
"From our team's investigation, your email may have ended up on a list that was then used to open an unwanted BitGo account. This incident is not related to a hack or privacy breach of BitGo's servers. Your BitGo account was never activated, and we want to assure you that a wallet was not created at BitGo on your behalf. In order to activate a BitGo account, several onboarding checks are required, which include additional identity, email, and IP verification." (ticket #273227)
"We recommend that you take the following actions as a precaution: Do not click on anything in the email you received. Verify if your email may have been compromised: The website, https://haveibeenpwned.com/, is a good source to check if your email was involved in any data breach." (ticket #273260)
"The account has been successfully closed as requested. We recently discovered an issue with unauthorized email accounts being created in our database, and we apologize for any inconvenience this may have caused." (ticket #273334)
Scenario: fraud-someone-fraudulent-hacked#account-compromise-hack-sim-swap
Trigger: An existing BitGo customer reports that their account has been hacked, their email or phone was compromised (e.g., SIM swap), or they see unauthorized login activity.
Signals: hacked, account compromised, SIM swap, unauthorized login, password reset not by me, suspicious IP, unauthorized transaction, freeze account
Steps:
- Immediately freeze the user account and all associated enterprise accounts using the admin tool (bga ent freeze <duration_in_seconds>).
- Pull user audit logs and identify:
  - IP addresses used for login, password resets, and settings changes.
  - Timeline of userPasswordReset, userSettingsChange, userLogin, userFailedLogin, and userSourceVerified events.
  - Whether any API Access Token was created under the account.
- Check wallet balances and recent transactions. Document any outbound transactions that may be unauthorized.
- Provide the customer with the IP address(es) and timestamps of suspicious activity from the audit logs so they can include this in law enforcement reports.
- Advise the customer to reset their BitGo login password via the Forgot Password prompt on the BitGo login page.
- Advise the customer to report the incident to local law enforcement and, if in the United States, file a complaint with the FBI Internet Crime Complaint Center at https://www.ic3.gov/.
- If the customer requests to unfreeze the account after securing it, schedule a video verification call using the Calendly link: https://calendly.com/bitgo-client-delivery/videoid. The customer must present a government-issued photo ID during the call.
- Escalate to the Compliance team and, if unauthorized transactions occurred, to the Fraud Analyst team. Do not respond further to the customer until the investigation team provides guidance.
- Inform the customer that while the enterprise freeze prevents transactions via the BitGo platform, if the attacker has access to the keycard (private keys), they could potentially recover funds outside of BitGo, and the freeze cannot prevent this.
Notes: BitGo does not support email address changes on accounts. If the customer's registered email was compromised, they must regain access to that email independently. BitGo can block the account but cannot process requests from an unregistered email address. For accounts with funds, coordinate with the Compliance/Fraud team before unfreezing. The customer can also self-freeze their enterprise via Enterprise Settings > Freeze Enterprise.
"We have frozen your enterprise account as a precaution. We would recommend you reset the login password of your BitGo account as well." (ticket #225404)
"Your Enterprise and Wallets were frozen immediately upon news of the hack. For things like this, we look to act before management needs to become involved. Security of our customer's funds is the utmost priority." (ticket #228790)
"Sorry to hear about the account compromise. For now, I have frozen your user account and BitGo Trust / enterprise account." (ticket #254080)
Scenario: fraud-someone-fraudulent-hacked#victim-of-external-scam
Trigger: A person contacts BitGo claiming they were victimized by an investment scam or fraud conducted by a third party, and their funds may have been sent to or through BitGo. The person may or may not have an actual BitGo account.
Signals: scam, victim of fraud, stolen funds, someone told me to invest, can't withdraw, romance scam, pig butchering, trading tutor, need help urgently
Steps:
- Look up the reporter's email address in the admin tool to determine whether they have a BitGo account.
- If no account is found, inform the customer: "We are unable to locate your user account on our platform." Ask them to confirm the URL where they are logging in. BitGo's only login URL is https://app.bitgo.com/web/auth/login. If they are logging in elsewhere, they are not accessing the BitGo platform and are likely using a fraudulent site impersonating BitGo.
- If the person is a scam victim, advise them to file a criminal complaint with federal or local law enforcement agencies. Direct them to the FBI Internet Crime Complaint Center at https://www.ic3.gov/.
- State that BitGo will gladly comply with law enforcement agencies to provide information that can help further investigations into criminal activity.
- Remind the customer: "A member of BitGo will not contact you outside of the BitGo domain."
- Refer the inquiry to the Compliance team for review and inform the customer that they have been notified.
- BitGo cannot reverse blockchain transactions or release funds held on a third-party platform impersonating BitGo. Set this expectation clearly.
Notes: Common scam patterns include romance/pig-butchering scams where the victim is instructed to deposit funds into a fake platform using BitGo's branding. The reporter often provides a "nickname" or "ID" that does not correspond to any BitGo system. If the customer mentions being unable to withdraw due to a "trade requirement," this is a hallmark of a scam platform — BitGo does not impose minimum trade counts before withdrawal. Phone calls or voicemails from individuals claiming to be "from BitGo" and providing a callback number are not legitimate BitGo communications.
"What is the URL where you are logging in to BitGo? We only have one URL to login - https://app.bitgo.com/web/auth/login. If you are logging in elsewhere, you are not accessing our platform." (ticket #267722)
"If you feel that you have become a victim of theft or fraud, we encourage you to file a criminal complaint with federal or local law enforcement agencies. The FBI Internet Crime Complaint Center can be found at https://www.ic3.gov/ -- this site links to a form where you can file a complaint. BitGo will gladly comply with law enforcement agencies to provide any information that we can to help further investigations into criminal activity. A member of BitGo will not contact you outside of the BitGo domain." (ticket #214827)
"Please note that no member of BitGo will contact you outside of the BitGo domain." (ticket #233795)
Scenario: fraud-someone-fraudulent-hacked#proactive-security-freeze-request
Trigger: An existing BitGo customer proactively requests their account be frozen or secured due to an external data breach (e.g., their bank or another service was compromised), even though no unauthorized BitGo activity has occurred.
Signals: security update, data breach, personal data compromised, suspend withdrawals, freeze enterprise, precautionary freeze, not planning withdrawals
Steps:
- Acknowledge the customer's request and confirm that no actions will be initiated from BitGo's end until identity is verified via a video call.
- Inform the customer they can self-freeze their enterprise account via the BitGo UI: navigate to Enterprise Settings > Click on Freeze Enterprise. This prevents all members from taking any actions in the enterprise for the specified duration or until the customer contacts BitGo and completes video ID verification to unfreeze.
- Recommend the customer reset their password via https://app.bitgo.com/web/auth/forgot-password/recover-password and then log in via https://app.bitgo.com/web/auth/login.
- Notify the internal security team via Slack for awareness.
- To unfreeze, schedule a video verification call using https://calendly.com/bitgo-client-delivery/videoid. The customer must present a government-issued photo ID.
Notes: The self-service enterprise freeze is the fastest way for a customer to protect their account. The freeze duration is configurable by the customer. BitGo does not support email changes, so if the customer's email was compromised elsewhere, they should secure it independently.
"Additionally, please be informed that you also have the option to freeze your enterprise and that will prevent all members from taking any actions in the enterprise for a specified duration or until you contact BitGo and complete video ID verification to unfreeze. In order to freeze your account you may go to Enterprise Setting>Click on Freeze Enterprise" (ticket #283752)
Scenario: fraud-someone-fraudulent-hacked#brand-impersonation-external-report
Trigger: An external party (not a BitGo customer) contacts BitGo to report that someone is using the BitGo name or brand fraudulently, such as attempting to acquire infrastructure or impersonating BitGo in business dealings.
Signals: potential fraud, BitGo name used, impersonation, brand fraud, acquire infrastructure, authenticate inquiry
Steps:
- Acknowledge the report and thank the reporter for bringing it to BitGo's attention.
- Forward the inquiry to the BitGo Security team (security@bitgo.com) for investigation.
- If the reporter requests confirmation of a specific BitGo activity (e.g., office setup, business dealing), coordinate with the appropriate internal team (e.g., the relevant BitGo office or executive) to verify legitimacy.
- Follow up with the reporter once the internal team has provided guidance.
Notes: These reports may come from vendors, landlords, ISPs, or other businesses. They should be treated seriously and routed to the Security team promptly.
Scenario: fraud-someone-fraudulent-hacked#ftx-retail-legacy-fraud-reports
Trigger: The ticket relates to an FTX retail creditor reporting fraud, scam concerns, or 2FA issues, and the underlying issue has already been resolved as part of the FTX settlement process.
Signals: FTX, 2FA blocked, FTX retail, GoAccount, pwc, scam, disclaimer
Steps:
- Confirm with the FTX settlement coordination lead (internal) that the issue is already resolved.
- Close the ticket with a note indicating the FTX retail issue has been addressed.
- If the customer has further questions about FTX claims, direct them to the BitGo FTX FAQ page.
Notes: These tickets were part of a batch closure of FTX Retail tickets. If the customer reopens with a new, unrelated issue, treat it as a fresh ticket.
Related
- security-call-outs — Guidance on phishing scams, malware prevention, and safe practices for accessing BitGo
- keycards-and-private-keys — Relevant when a compromised account has keycards that could allow off-platform fund recovery
- managing-wallet-users — Helpful for reviewing wallet membership and removing unauthorized users after an account compromise