
How that GCash Hack Attempt Could Have Been Made


Dax Lucas of the Inquirer shared insider information about the attempted hack on GCash users that amounted to about Php37 million.

Based on the actions, media advisories, and TV interviews made by GCash, the story seemed plausible. Here’s our theory on how the attempt could have transpired.

1) The culprit (could be a group) has planned this for some time. They already have two bank accounts (East West Bank and Asia United Bank) on standby to receive the funds from multiple GCash transfers. Reports from TV Patrol totaled more than 300 complaints by 11am this morning.

2) Perpetrators routinely collect login information from random and unsuspecting GCash users using several phishing vectors — could be via email, SMS or social media. This usually happens when someone is fooled into clicking a link to manage their bank account, or in this case GCash.

The original SIM Registration deadline of April 26, 2023 could have added to the urgency and confusion, making people click on links that pertain to their SIM or to their GCash account. There were multiple rounds of Facebook posts urging people to cash out their GCash funds, claiming they would otherwise lose access to them after the SIM Registration deadline.

3) Instead of accessing and transferring compromised GCash accounts individually as they go, the culprits had the patience to simply collect all the accounts and wait for the right time to do everything all at once.

This coincides with the Php37 million figure that Inquirer pointed out.

If they had done the transfers as they gained access to each GCash account, their continuous operations would eventually have been detected, and the amount taken would have been smaller. Sweeping hundreds or thousands of accounts in a single night is a much more effective approach from the attacker's point of view. They know they will be detected and shut down (just like the many previous GCash hacks done by others), but the goal was to move as much money as possible in the shortest time possible and hopefully get away with it.

4) Bypassing GCash security is the next obstacle: either via the MPIN + OTP route or via biometrics. Based on GCash’s response of disabling the biometrics login, biometrics is the most likely route that was taken.

There are also claims circulating about an exploit on the GCash system that traces back as early as 2 months ago:

We don’t know the veracity of this claim, but it is being linked to the possibility of bypassing the security.

5) The destination accounts at East West Bank (ending 5239) and AUB (ending 3008) are probably dummy accounts or compromised accounts as well. The culprits could simply be pooling the funds there before transferring them elsewhere, where the money can no longer be traced or recovered.

This is the reason why GCash has, as of the time of writing this story, suspended the Bank Transfer feature of the app.

6) GCash has publicly stated that all the funds are intact and will be returned to the owners. This is consistent with the Inquirer’s story, meaning GCash was able to immediately coordinate with East West Bank and AUB and freeze the two suspected accounts.
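The pattern described in items 3 and 5, many unrelated wallets sending bank transfers to a small number of destination accounts inside one night, is something a payment operator's monitoring can look for from the destination side. The script below is an added example and is not code from the article, from GCash or from any bank; the log format, wallet ids, destination account labels, amounts, timestamps and thresholds are all constructed for illustration. It also shows, with a longer window, why the slower one-account-at-a-time variant the author says "would have been detected eventually" trips the same rule once enough history is reviewed.

```python
"""Destination-side detection of a bulk transfer "sweep" (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple


class Transfer(NamedTuple):
    when: datetime
    source: str      # sending wallet (constructed id, not a real GCash number)
    dest: str        # receiving bank account (constructed label)
    amount: float    # PHP


# Constructed sample log in a hypothetical CSV layout (not GCash's real format):
# timestamp,source_wallet,destination_account,amount_php
# Lines 1-2 and the last line are ordinary traffic; the 02:03-02:30 block is a
# sweep into two pooling accounts; the April block is a slow, one-per-day trickle.
SAMPLE_LOG = """\
2023-05-06T09:15:00,W001,BPI-1111,1500
2023-05-07T18:40:00,W002,BDO-2222,800
2023-05-08T02:03:00,W003,EWB-5555,9000
2023-05-08T02:05:00,W004,EWB-5555,12000
2023-05-08T02:06:00,W005,EWB-5555,7500
2023-05-08T02:09:00,W006,EWB-5555,20000
2023-05-08T02:11:00,W007,EWB-5555,5000
2023-05-08T02:14:00,W008,AUB-6666,11000
2023-05-08T02:16:00,W009,AUB-6666,13000
2023-05-08T02:20:00,W010,AUB-6666,2500
2023-05-08T02:22:00,W011,AUB-6666,9999
2023-05-08T02:25:00,W012,AUB-6666,4000
2023-05-08T02:30:00,W003,EWB-5555,1000
2023-05-08T10:00:00,W013,BPI-1111,3000
2023-04-20T12:00:00,W020,UB-7777,2000
2023-04-21T12:00:00,W021,UB-7777,2000
2023-04-22T12:00:00,W022,UB-7777,2000
2023-04-23T12:00:00,W023,UB-7777,2000
2023-04-24T12:00:00,W024,UB-7777,2000
2023-04-25T12:00:00,W025,UB-7777,2000
2023-04-26T12:00:00,W026,UB-7777,2000
2023-04-27T12:00:00,W027,UB-7777,2000
2023-04-28T12:00:00,W028,UB-7777,2000
2023-04-29T12:00:00,W029,UB-7777,2000
"""


def parse_log(text: str) -> List[Transfer]:
    """Parse the constructed CSV layout into Transfer records."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, amt = line.split(",")
        records.append(Transfer(datetime.fromisoformat(ts), src, dst, float(amt)))
    return records


def find_sweeps(records: List[Transfer], window_minutes: int = 60,
                min_sources: int = 5) -> Dict[str, dict]:
    """Flag destination accounts that receive transfers from at least
    `min_sources` distinct wallets within any `window_minutes` span.

    The rule is keyed on the receiving account, so it fires even when every
    individual sending wallet looks legitimate (the compromised-victim case).
    Returns {destination: {distinct_sources, total_php, start, end}} for the
    densest window found per destination.
    """
    window_seconds = window_minutes * 60
    by_dest: Dict[str, List[Transfer]] = defaultdict(list)
    for r in records:
        by_dest[r.dest].append(r)

    alerts: Dict[str, dict] = {}
    for dest, events in by_dest.items():
        events.sort(key=lambda r: r.when)
        best = None
        for i, start in enumerate(events):
            # Every event from `start` onward that falls inside the window.
            in_window = [e for e in events[i:]
                         if (e.when - start.when).total_seconds() <= window_seconds]
            distinct = len({e.source for e in in_window})
            if distinct >= min_sources and (best is None or distinct > best["distinct_sources"]):
                best = {
                    "distinct_sources": distinct,
                    "total_php": sum(e.amount for e in in_window),
                    "start": start.when,
                    "end": in_window[-1].when,
                }
        if best is not None:
            alerts[dest] = best
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Real-time rule (5 wallets within 60 minutes):")
    for dest, a in find_sweeps(recs, window_minutes=60, min_sources=5).items():
        print(f"  {dest}: {a['distinct_sources']} wallets, PHP {a['total_php']:,.0f}, "
              f"{a['start']:%H:%M}-{a['end']:%H:%M}")
    print("Review rule (8 wallets within 30 days):")
    for dest, a in find_sweeps(recs, window_minutes=60 * 24 * 30, min_sources=8).items():
        print(f"  {dest}: {a['distinct_sources']} wallets over {a['start']:%b %d}-{a['end']:%b %d}")
```

With the tight window the rule flags only the two pooling accounts hit during the night; the slow trickle into the third account is invisible to it and only surfaces under the 30-day review rule, which is the trade-off the article describes between a small, eventually-detected take and a large, quickly-detected one. A real deployment would add the obvious response hooks (hold the destination, pause the Bank Transfer channel, notify the receiving bank), which is what item 6 says happened here.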

This is just a theory of how things could have transpired in the GCash incident. GCash has not made any definitive statement to address this, except to reassure its customers that GCash is safe.

Author’s Note: While the term “hack” may not be the most accurate word to use, it is by far the simplest word that a common GCash victim understands.

Abe Olandres

Abe is the founder and Editor-in-Chief of YugaTech with over 20 years of experience in the technology industry. He is one of the pioneers of blogging in the country and considered by many as the Father of Tech Blogging in the Philippines. He is also a technology consultant, a tech columnist with several national publications, resource speaker and mentor/advisor to several start-up companies.

10 Responses

  1. Hilusi says:

    092776*****

  2. Robert sinugbujan says:

    My GCash got hacked.

  3. Ridzwan says:

    Gcash hack mpin

  4. James bontog says:

    I need Gcash

  5. Renz says:

    Gcash hack

  6. Faith mia lorica says:

    How

  7. Janet Trumata says:

    Have you not thought also of the possibility that the g cash

  8. idunno says:

    Just another theory:
    Every account that got stolen was in on it.

    1. Transfer money to the same bank accounts.
    2. Withdraw or transfer the money already in the bank.
    3. “Victims” make a huge fuss about it in social media.
    4. Gcash gets pressured to return the money somehow.

    Ending, they get x2 the money.

  9. Vicky says:

    Additional theory:

    EW and AUB accounts are just used as decoys, to divert the public’s attention. Other stolen funds are just sent to other GCash accounts that weren’t owned by the hackers.

    They might have used Binance P2P and bought BUSD/USDT using Gcash as payment method as there are unusually high “buy ads” using Gcash only last Monday night on Binance P2P.

  10. John L says:

    Have you not thought also of the possibility that the GCash users who have been hacked are those who subscribed to these trendy new online casino sites and apps that are self cash-ins, where members have to link their GCash or bank accounts to their system and provide the OTP code to their fly-by-night, non-Filipino, unknown merchant system so they can successfully do cash-ins and play their favorite casino games? If this is the situation, then what they did yesterday to those poor GCash users might have just been a test run. And in the future they will do more deductions to unsuspecting members in a more unique and unperceivable way.
