[davidscoville]

The code I read to them was a Google account recovery code. That’s how they accessed my Google account. I, mistakenly, believed they needed to confirm I was still alive and the rightful owner of the account.

Then the attacker used Google SSO to perform the initial log in to my coinbase account. Then they opened Google Authenticator, signed in as me, to get the coinbase auth code so they could complete coinbase’s 2fac.

[ajross]

But... that's an email that would be sent to a non-gmail address, the one on file that you originally registered your account with. And while I don't have copies of the transactions in front of me, these things are not unclear as to their purpose or intent. They tell you straight up that they're resetting the authentication for the account and to be sure you are doing it intentionally. They're also accompanied by warnings that would be simultaneously sent to your active gmail address and to the Authenticator app.

I really think you're reaching here trying to ascribe blame. You... just got phished.