
Cryptocurrency YouTuber Ian Balina hacked out of $2M during a livestream - FuturisticLover
https://thenextweb.com/hardfork/2018/04/16/crypto-youtuber-hacked-out-of-2-million-during-a-livestream
======
sspiff
At the risk of sounding pedantic, can we not use the term crypto for
cryptocurrency or blockchain related stuff?

Crypto already has a well defined meaning that is in common use, which is
related to cryptography, not cryptocurrency.

Edit: Post title was changed to use the full word "cryptocurrency", great :)

~~~
marak830
As much as I agree (and I upvoted you), I do think that ship has sailed.

Same as hacker has different meanings when used here on HN and on most news
articles.

~~~
camgunz
I'm fine with it being a shibboleth for people deeply embedded in the
cryptocurrency world, whereas for people in the wider world of software
engineering (and hopefully the world at large) we stick with the original
meaning.

It's also worth saying the prefix doesn't really make sense. "crypto"-"graphy"
means hidden writing. "crypto"-"currency" means hidden currency, and nothing
about Bitcoin, Ethereum, etc. is hidden.

------
berberous
The livestream had nothing to do with it. Here's how he says he thinks he was
hacked (from the bottom of the article):

"This is how I think I got hacked. My college email was listed as a recovery
email to my Gmail. I remember getting an email about it being compromised, and
tried to follow up with my college security to get it resolved, but wasn’t
able to get it handled in fast manner and gave up on it thinking it was just
an old email.

I kept text versions of my private keys stored in my Evernote, as encrypted
text files with passwords. I think they hacked my email using my college
email, and then hacked my Evernote."

~~~
danso
The time stamps of the purported transfer took place during his livestream so
the headline ("during a livestream") is correct

~~~
berberous
Yes, understood, but it seemed to me like an irrelevant and misleading detail,
as if he accidentally revealed his passwords or some other security detail on
camera.

~~~
tjoff
It seems like a very interesting detail considering that we don't know how it
was done.

Maybe the last (seemingly innocent) clue (or just confidence of previous
clues) the hacker needed was present. Or maybe it was just the hacker wanting
a distraction (though I could think of better ones...) or doing it for fun.

------
jasonwen
I think it's an exit scam. He will not be able to sell coins without upsetting
his following, because he sells and then announced it on his channels. This
will be followed by a major dump and his followers will lose significant value
during this dump.

Perfect cover up to liquidate his assets while covering his ass. No person
seriously into crypto (especially with his amounts) does not keep it in a
hardware wallet.

~~~
roflchoppa
Back in my day when we made wallets on air-blocked computers, that had the
single purpose of just generating wallets.

Not sure if I would trust hardware wallets/online wallets in the same way.

The other benefit to this is if you misplace a wallet, and find it years later
it’s like finding cash in your dress pants you don’t really wear all the time.

~~~
tonyztan
> The other benefit to this is if you misplace a wallet, and find it years
> later it’s like finding cash in your dress pants you don’t really wear all
> the time.

There were also some who accidentally threw their old computers / hard drives
away.

[https://www.independent.co.uk/life-style/gadgets-and-tech/news/bitcoin-value-james-howells-newport-landfill-hard-drive-campbell-simpson-laszlo-hanyecz-a8091371.html](https://www.independent.co.uk/life-style/gadgets-and-tech/news/bitcoin-value-james-howells-newport-landfill-hard-drive-campbell-simpson-laszlo-hanyecz-a8091371.html)

------
capoditutticapi
I thought Gmail required a phone number as well when 2FA is configured and
someone is trying to recover their account. Otherwise it would be too easy to
bypass. But maybe the dude just likes to live dangerous by keeping his
millions in a cleartext Evernote file.

~~~
Crosseye_Jack
While they do make you add a phone number to the account first when enabling
2FA, you can remove it afterwards, though (iirc) you have to remember to not
just remove the number as an auth method but also remove it as a recovery
method.

Failing to do so opens you up to getting your phone account transferred to a
different phone/sim and using that to do the recovery process to gain access
to the account.

------
rajacombinator
Sounds like a great marketing hack / donation scam quite honestly.

~~~
curiousgal
A comment on the article also raises a valid point:

> _Could it be that he made it up to avoid taxes? Perhaps we'll never know_

~~~
rajacombinator
Yea I ignored that one thinking the IRS would just laugh but I suppose a naive
crypto youtuber might try such a thing.

------
tomglynch
Lots of talk about this being a setup and a way to get out of taxes (which are
apparently due tomorrow in the US). Any chance this could be the case?

~~~
csomar
Aren't you taxed on money you lost?

~~~
cpplinuxdude
Nope. Offsetting losses is therefore a very commonly used loophole. Hence the
speculation.

~~~
toss1
True. He'd just better be very careful to have an explanation when he starts
cashing in the 'lost' funds... or titrate them very slowly into his lifestyle.
Tax Evasion is often caught not only by transactions, but by inexplicably high
lifestyle.

------
n3dm
> I kept text versions of my private keys stored in my Evernote, as encrypted
> text files with passwords. I think they hacked my email using my college
> email, and then hacked my Evernote.

>Storing private keys for wallets worth $2,000,000 online...

A fool and his money are soon parted.

------
bredren
Keys kept in plaintext on Evernote.

~~~
mcjiggerlog
From the article: "I kept text versions of my private keys stored in my
Evernote, as encrypted text files with passwords."

~~~
sambull
Don't worry he encrypted them with a winzip password

~~~
trumped
I used GnuPG, is that good enough (assuming a 16 char random password)?

~~~
simias
If you have a lot of money in your cryptocurrency wallet you should at least
consider using a hardware GnuPG "smartcard" like nitrokey or yubikey. This way
even if they get your passphrase they still need access to your hardware token
(and vice-versa). There are also hardware wallets specifically meant for
cryptocurrencies which I suppose have the advantage of not requiring you to
decrypt your wallet on your drive before you make a transaction.

~~~
noir_lord
I'd embed them into QR codes, print them out on high quality acid-free paper
and put them in a fire safe.

I don't trust anything electronic to store data in the _long_ term, I do trust
that a QR code will be readable in 50 years _even if you have to decode it by
hand_ (or at least write a program to do it) (in a temperature controlled safe
with no UV I'd expect laser toner to last 50 years).

Other methods I can think of would be etching the QR code into a stable
material (glass for example).

That said I stay miles away from cryptocurrencies, I find the technology
interesting but the actual 'market' hilarious.

------
jiveturkey
not to lack compassion, but lolol

