1. The user had 1,400 BTC in an old wallet using this software
2. An old version of the software was vulnerable to phishing
3. The user attempted to use the software, and was phished
4. Massive payday for the scammers
Really unfortunate - and goes to show with software you manage yourself you need to be diligent about making sure it's updated. For all the shit coinbase gets, it's difficult to lose your coins in this manner.
It was my understanding that the user had installed a version of the Electrum wallet that was not from the official source at electrum.org. (But agree - it was really difficult to identify the core issue from this string of GitHub comments.)
> For all the shit coinbase gets, it's difficult to lose your coins in this manner.
Aside from U2F, Coinbase offers TOTP and SMS-based 2FA, both of which are vulnerable to phishing. So no, Coinbase is not immune to losing coins in this manner. If Coinbase wanted to prevent being vulnerable to phishing they would i) only allow U2F 2FA, and ii) make U2F mandatory for all accounts.
How do we confirm this actually happened? Perhaps I am being cynical, but people have been known to embellish and lie on the internet before? Shouldn't we be able to follow these funds on the ledger?
Ah I remember when my bank app had a bug and someone stole $15 million dollars from me then when I asked for help they said not your keys not your dollars. Such is life!
Many folks shit on the modern financial system, with its centralization and Government-coupling, but things like this are actually trackable and reversible in that ecosystem. The safeguards have evolved over centuries.
I am curious when crypto will get there. Maybe 10 years or so?
98% of HN except for a vocal, small minority ever says anything positive about crypto or blockchain. The vast majority appreciate the benefits of the state apparatus being the conduit for financial services. So you posting this is not a surprising nor unique idea, you are representing 98% of HN commenters.
> but things like this are actually trackable and reversible in that ecosystem
I do not know about the US, but in the EU bank transfers are generally not reversible (except when forced by courts). If you send money to the wrong bank number, you cannot cancel the transaction in the bank, you need to ask the owner of that account to send it back.
Compared to BTC, there are two differences - it is possible to identify an account holder and the justice system can effectively force bank transfers.
It is impossible by design. Adding that 'feature' takes away the core principle of decentralized currency. Allowing government to reverse transactions will also allow them to seize assets. Then it is just a regular currency (for better and worse).
I can't believe someone would even allow a system with that balance to even connect to the internet. It's like filling a car with gold bars, driving it around town, and hoping nothing bad happens. He could have created another wallet, preferably a multisig, created the transaction with the software wallet offline, copied the signed transaction off and broadcast it from another system.
What he did was reckless. Some people are going to cry that Bitcoin is unsafe because of this. It's not. You must handle large amounts of cash or gold or other valuables with care.
Bitcoin is all online. The analogy doesn't work: your gold bars are being driven around town all day and night in public view, already.
In this case, it's just the fact that the access was granted at the application level when the user logged into their wallet, which is like giving someone keys to your car by mistake.
If I had that much in an old wallet, no way would I touch that myself or allow it anywhere near the internet. I would hire a team of experts and get the transaction over to my bank insured.
It's kind of crazy that the phishing attack people are still operating those servers for all these years! But since they pay for themselves no reason to turn them off.
The knowledge gulf is so wide in cryptocurrency that schemes are resurrectable every bull market.
Like, some people will use this to reinforce their juvenile binary argument about why “crypto bad”, and then they enter the next bull market after someone they respect shows them something they didn't consider. But then they are still a decade late in knowledge while chasing every new shiny thing. If people want to learn it's there, permissionless, lucrative.
I had 1,400 BTC in a wallet that I had not accessed since 2017. I foolishly installed the old version of the electrum wallet. My coins propagated. I attempted to transfer about 1 BTC however was unable to proceed. A pop-up displayed stating I was required to update my security prior to being able to transfer funds.
I installed the update which immediately triggered the transfer of my entire balance to a scammers address.
I think the point is that you can store $16M in a bank and need to take no precautions against casual theft (and often can recover the money via person-to-person interactions, if theft does occur).
I'm not an expert in BTC storage, but as far as I understand such an attack could have been prevented if the owner invested in a hardware wallet for $100-200. As the final step in a transaction would be to sign it on your ledger/trezor device, and would be much harder to phish.
This was my first thought too. Hardware wallets show transactions on their own screen so the amount and destination address can be confirmed on-device before the device signs the transaction, which seems like a great tool to avoid this kind of issue. Anyone that owns more cryptocurrency than a hardware wallet costs really needs to have a hardware wallet.
Would it have been possible to exchange that much BTC for US dollars? Ignoring taxes for a few seconds. Would it have actually been possible to get real fiat money for the 1,400 BTC?
I’ve always heard of complete incompetence trying to get an account set up on any exchange. Getting verified, etc.
If he acquired them legally, of course he can sell them and get fiat withdrawn to his bank, assuming he's not in a place where bitcoin is illegal. Doing this all at once without informing your bank will probably instantly freeze the funds and trigger some kind of investigation. That doesn't mean you eventually get access to it. Also there are exchange withdrawal limits, so it's not in your bank account in 1-2 working days. If you want to sell all at once and withdraw you would have to register on different exchanges to circumvent daily limits and do the KYC, which can take days to get verified.
Yeah this is what blows my mind. I would be paranoid if I had 14 BTC, let alone 1400. When I had (as much as) 19 BTC some while ago I stored them on a Trezor, with the seed on a paper (three copies in different places) in a form that no one would realize it actually was a seed.
Even a single hardware wallet would have been risky - loss or damage, or theft. For high values, set up multi signature hardware wallets, at least a 2 of 3 scheme, each stored in different geographic locations.
There is no mandate in Bitcoin to 'be your own bank' - it's just an option. It is a feature and a very good one for people who are afraid of government intrusion into how they use their money. If you don't care about this "feature" you can turn it off by putting your crypto in Coinbase or other exchanges where it will be insured.
There's a reason why any site dealing with crypto has a dozen labels begging people to double-check addresses, divulge no information to strangers, don't trust anyone, etc. However, warning labels come on any product and people still manage to misuse them. No matter how many labels you plaster about being more careful with bitcoin, people will keep losing it to things like this.
Yeah agreed. If everyone was a developer and a security expert, Bitcoin is great, but instead it's a massive hobby that has serious risk like what happened to this poor guy.
The virtues people often use for crypto (trustless, irreversible, untraceable) are almost always user-hostile.
Banks aren’t great, but at least it’s harder to phish $16million.
If you can't hold it in your hot little hand, it does not exist. This also applies to your money and other valuables held by third parties such as Banks or Trusts, or wealth stored as numbers in a computer.
Unless you hold and control it personally, it's not yours at all.
While it's definitely convenient in good times for your wealth storage to be in the hands of others, you're completely dependent on the goodwill of those others. In bad or difficult times, you're not going to keep that wealth for very long.
Pointing out that you don't technically own the money in your conventional bank's chequing account is a mere distraction from the fact that in the real world, it's easier to permanently lose access to your cryptocurrency than it is to permanently lose access to your bank account.
Honestly, while I found BlockChain & Immutable Ledger disruptive technology, I have zero trust in cryptos.
The amount of scam in this industry is just obscene, unlike banking, there is no such thing as insurance for your wallet or legal recourse to get back your assets, you're pretty much on your own and I'm fairly convinced he won't get back his 1.5M$ Bitcoin.
I feel bad for him, but there is very little surprise playing with unregulated stuff.
It's not crypto-currencies and it's not crypto currencies. It's simply cryptocurrencies. At least learn to spell the word correctly before giving your absolutely ignorant opinion on it.
nemothekid|5 years ago
brianwawok|5 years ago
If you trick me into an ACH transfer of 16 million, there will
a) Trigger some random human based audits at my bank before the money can leave (likely involve some phone calls)
b) Have actual recourse, like court orders to hold the funds at the other bank
c) Take some amount of time to happen, to allow for A & B
It's not perfect, and it has bugs.. but I would never store actual money of value in crypto anything.
eastbayjake|5 years ago
Ansil849|5 years ago
nodesocket|5 years ago
arcticbull|5 years ago
ztratar|5 years ago
seibelj|5 years ago
zajio1am|5 years ago
rabidrat|5 years ago
Canada|5 years ago
herpderperator|5 years ago
coronadisaster|5 years ago
captn3m0|5 years ago
addcninblue|5 years ago
Xcelerate|5 years ago
herpderperator|5 years ago
vmception|5 years ago
willemlabu|5 years ago
pkrefta|5 years ago
bpodgursky|5 years ago
notRobot|5 years ago
Read more here:
Full nodes: https://en.bitcoin.it/wiki/Full_node
Lightweight nodes: https://en.bitcoin.it/wiki/Lightweight_node
qwertox|5 years ago
kutorio|5 years ago
AgentME|5 years ago
btilly|5 years ago
Is the report of being scammed a scammer trying to make extra money on a sale? How would anyone know?
GaryNumanVevo|5 years ago
I mean they definitely could have seen that transaction and just acted like it was their stolen money.
iJohnDoe|5 years ago
noxer|5 years ago
phedboi|5 years ago
spurgu|5 years ago
jkepler|5 years ago
gota|5 years ago
This guy is most likely somewhat technically literate, and this happened to him.
rjkennedy98|5 years ago
seotut2|5 years ago
But doesn't know what IRC or freenode is, as illustrated by a comment in that thread.
ConsiderCrying|5 years ago
ykevinator|5 years ago
ed25519FUUU|5 years ago
simonblack|5 years ago
EForEndeavour|5 years ago
echopom|5 years ago
vmception|5 years ago
The user experience where you personally still have your money might be something you like.
Also it was $16m bitcoin
ur-whale|5 years ago
http://trilema.com/2013/the-story-of-pointless-and-witless/
kobasa|5 years ago
CameronBanga|5 years ago
So the author may have lost 1.4 BTC, or ~16k. Still a loss, but not 16m.
spurgu|5 years ago
Address mentioned here: https://github.com/spesmilo/electrum/issues/5072#issuecommen...