
I just lost 1,400 BTC - agirgelen
https://github.com/spesmilo/electrum/issues/5072#issuecomment-683356052
======
nemothekid
As far as I can understand

1\. The user had 1,400 BTC in an old wallet using this software

2\. An old version of the software was vulnerable to phishing

3\. The user attempted to use the software, and was phished

4\. Massive payday for the scammers

Really unfortunate - and goes to show with software you manage yourself you
need to be diligent about making sure it's updated. For all the shit coinbase
gets, it's difficult to lose your coins in this manner.

~~~
brianwawok
Also, I think it's just the reason that crypto-currency will fail.

If you trick me into an ACH transfer of 16 million, there will

a) Trigger some random human based audits at my bank before the money can
leave (likely involve some phone calls)

b) Have actual recourse, like court orders to hold the funds at the other bank

c) Take some amount of time to happen, to allow for A & B

It's not perfect, and it has bugs.. but I would never store actual money of
value in crypto anything.

~~~
swyx
unless a bank wouldn't serve you, like for sizable parts of the economy.

~~~
eanzenberg
Sizable, like 2%?

~~~
eanzenberg
I looked it up. 6% of Americans don’t have a bank account. Doesn’t say whether
they could go ahead and get one, or they choose not to.

Sizable?

~~~
soco
Correct me please if I'm wrong, but I'd say most of those folks not served by
a bank wouldn't have the skills to manage bitcoins either.

------
ztratar
Many folks shit on the modern financial system, with its centralization and
Government-coupling, but things like this are actually trackable and
reversible in that ecosystem. The safeguards have evolved over centuries.

I am curious when crypto will get there. Maybe 10 years or so?

~~~
rabidrat
It is impossible by design. Adding that 'feature' takes away the core
principle of decentralized currency. Allowing government to reverse
transactions will also allow them to seize assets. Then it is just a regular
currency (for better and worse).

~~~
Scoundreller
Didn’t ethereum fork to rollback a hack they didn’t like?

~~~
nyghtly
Do you mean this?

[https://www.bitdegree.org/tutorials/ethereum-vs-ethereum-cla...](https://www.bitdegree.org/tutorials/ethereum-vs-ethereum-classic/)

~~~
Scoundreller
This one:

[https://www.coindesk.com/ethereum-executes-blockchain-hard-f...](https://www.coindesk.com/ethereum-executes-blockchain-hard-fork-return-dao-investor-funds)

------
Canada
I can't believe someone would even allow a system with that balance to even
connect to the internet. It's like filling a car with gold bars, driving it
around town, and hoping nothing bad happens. He could have created another
wallet, preferably a multisig, created the transaction with the software
wallet offline, copied the signed transaction off and broadcast it from
another system.

What he did was reckless. Some people are going to cry that Bitcoin is unsafe
because of this. It's not. You must handle large amounts of cash or gold or
other valuables with care.

~~~
herpderperator
Bitcoin is all online. The analogy doesn't work: your gold bars are being
driven around town all day and night in public view, already.

In this case, it's just the fact that the access was granted at the
application level when the user logged into their wallet, which is like giving
someone keys to your car by mistake.

~~~
jkepler
No. One can store keys offline. That's what hardware wallets do.

~~~
herpderperator
In order to do anything with Bitcoin, which appears to be what the author
wanted, you would have to be connected to the Internet. Keys being stored in
hardware wallet sure, but the gold bars are still in public view.

Hardware wallets aren't without their flaws. With an application-level
vulnerability in a hardware wallet, you are still screwed. Here is just one
example: [https://www.ledger.com/improving-the-ecosystem-disclosure-of...](https://www.ledger.com/improving-the-ecosystem-disclosure-of-the-trezor-recovery-phrase-extraction-vulnerability)

~~~
vmception
You can sign transactions offline and hand deliver the file if you felt so
inclined.

Signed transactions can't be modified.

Someone needs to make sure nodes see that transaction and add it to the
database, eventually.

This user experience has not been refined, but is very possible. A system with
fewer nodes, like if the internet was attacked and not available, would still
work for this currency.

~~~
natcombs
> You can sign transactions offline and hand deliver the file if you felt so
> inclined.

How big is that signature/file? Can it be encoded in a QR code or something
simpler to bridge the airgap?

~~~
Canada
The specific transaction this post refers to was 1813 bytes. It had 12 inputs
that had to be signed for, making it larger than average. For $10M I'd be
willing to manually type out the 3626 hex digits, or if feeling lazy splurge
on a $10 USB stick. Only 3 inputs account for almost all of the balance, so
really it could have been moved for under 1000 bytes, which I happily write
longhand on paper with a quill in triplicate before I'd even consider exposing
the secret key to the internet.

------
addcninblue
This looks like the relevant transaction:
[https://www.blockchain.com/btc/tx/ef600c380a239d9b929c6c964d...](https://www.blockchain.com/btc/tx/ef600c380a239d9b929c6c964deaf7060e309750950a516cee65576232b0c53c)

------
Xcelerate
If I had that much in an old wallet, no way would I touch that myself or allow
it anywhere near the internet. I would hire a team of experts and get the
transaction over to my bank insured.

~~~
herpderperator
Do any big banks offer a BTC account?

------
vmception
It's kind of crazy that the phishing attack people are still operating those
servers for all these years! But since they pay for themselves no reason to
turn them off.

The knowledge gulf is so wide in cryptocurrency that schemes are resurrectable
every bull market

Like, some people will use this to reinforce their juvenile binary argument
about why “crypto bad”, and then they enter next bull market after someone
they respect shows them something they didn't consider. But then they are
still a decade late in knowledge while chasing every new shiny thing. If
people want to learn it's there, permissionless, lucrative.

------
willemlabu
Here [1] is the explanation:

    I had 1,400 BTC in a wallet that I had not accessed since 2017. I foolishly installed the old version of the electrum wallet. My coins propagated. I attempted to transfer about 1 BTC however was unable to proceed. A pop-up displayed stating I was required to update my security prior to being able to transfer funds.

    I installed the update which immediately triggered the transfer of my entire balance to a scammers address.


[1]
[https://github.com/spesmilo/electrum/issues/5072#issuecommen...](https://github.com/spesmilo/electrum/issues/5072#issuecomment-683374289)

------
pkrefta
With big money comes big responsibility. Storing $16M should be taken very
seriously and probably most people have no clue about that.

~~~
bpodgursky
I think the point is that you can store $16M in a bank and need to take
no precautions against casual theft (and often can recover the money via
person-to-person interactions, if theft does occur).

~~~
thebean11
I completely disagree, only the first $250k is insured. I would never store
$16M cash in a bank. You aren't protected against the bank becoming insolvent.

~~~
smabie
Okay... where would you store 16m?

~~~
tootie
In an investment account with a reputable brokerage.

~~~
herpderperator
What's the difference between that and a bank?

~~~
tialaramex
Well the fun part is that the way it's different is that there would be a bank
account with your money in it, that the brokerage isn't allowed to touch. So,
you're protected from the brokerage going bankrupt - your money is still yours
if that happens.

But it's still in a bank account, so if the bank goes under you're screwed.
See my other comment in this thread though...

~~~
herpderperator
SIPC isn't unlimited, though:

The Securities Investor Protection Corporation (SIPC) was created to protect
against the loss of customer assets at brokerage firms. SIPC offers protection
of up to $500,000, including a $250,000 limit for cash, if a brokerage firm
fails, and covers most types of securities, such as stocks, bonds, and mutual
funds. [0]

[0]
[https://www.schwab.com/public/file/P-3042070/Asset_Protectio...](https://www.schwab.com/public/file/P-3042070/Asset_Protection_Brochure_MKT45080-09.pdf)

------
notRobot
Stuff like this is why you shouldn't use a lightweight wallet and should use
the official wallet, or at least host a full node.

Read more here:

Full nodes:
[https://en.bitcoin.it/wiki/Full_node](https://en.bitcoin.it/wiki/Full_node)

Lightweight nodes:
[https://en.bitcoin.it/wiki/Lightweight_node](https://en.bitcoin.it/wiki/Lightweight_node)

~~~
qwertox
What about a hardware wallet like Ledger?

~~~
notRobot
I would simply recommend hosting a full node and using the latest release of
the official Bitcoin Core wallet.

Hardware wallets are relatively new and uncommon, so not much is known about
their security risks. That said, there are no glaring, obvious issues and you
_could_ use one if you want.

Read:
[https://en.bitcoin.it/wiki/Hardware_wallet#Security_risks](https://en.bitcoin.it/wiki/Hardware_wallet#Security_risks)

As always, do not take advice from strangers on the internet about storing
your crypto without doing extensive research on your own. The Bitcoin wiki is
a great starting point: [https://en.bitcoin.it/](https://en.bitcoin.it/)

~~~
mianos
The popular Trezor wallet has a hardware vulnerability, where, if you
physically have the hardware it can be exploited. Hardware wallets are a vast
improvement but not without issues. Large scale fraud, where the money goes
missing is much more common so far.

------
kutorio
I'm not an expert in BTC storage, but as far as I understand such an attack
could have been prevented if the owner invested in a hardware wallet for
$100-200. As the final step in a transaction would be to sign it on your
ledger/trezor device, and would be much harder to phish.

~~~
AgentME
This was my first thought too. Hardware wallets show transactions on their own
screen so the amount and destination address can be confirmed on-device before
the device signs the transaction, which seems like a great tool to avoid this
kind of issue. Anyone that owns more cryptocurrency than a hardware wallet
costs really needs to have a hardware wallet.
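
The check described above (confirm amount and destination before a signature is released), and the same check applied to the offline-signing workflow mentioned earlier in the thread, as an added example that is not part of any comment here and not Electrum or hardware-wallet code. It decodes the outputs of a serialized transaction and compares them with what the operator meant to pay; `decode_outputs`, `review`, `build_sample` and the sample scripts are hypothetical names and constructed data.

```python
import struct

def read_varint(buf, pos):
    """Decode Bitcoin's CompactSize integer; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def decode_outputs(raw):
    """Return [(satoshis, scriptPubKey_hex), ...] from a serialized transaction."""
    pos = 4                                    # skip the 4-byte version
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:
        pos += 2                               # segwit marker and flag
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                              # previous txid (32) + output index (4)
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4                  # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        (value,) = struct.unpack_from("<Q", raw, pos)
        script_len, pos = read_varint(raw, pos + 8)
        outputs.append((value, raw[pos:pos + script_len].hex()))
        pos += script_len
    if pos + 4 > len(raw):                     # the locktime must still follow
        raise ValueError("truncated transaction")
    return outputs

def review(raw, expected):
    """List every way the outputs differ from expected {script_hex: satoshis}."""
    seen = {}
    for value, script in decode_outputs(raw):
        seen[script] = seen.get(script, 0) + value
    problems = [f"unexpected destination {s}: {v} sat"
                for s, v in seen.items() if s not in expected]
    problems += [f"amount mismatch for {s}: {seen[s]} sat"
                 for s in expected if s in seen and seen[s] != expected[s]]
    problems += [f"missing output {s}" for s in expected if s not in seen]
    return problems

def build_sample(outputs):
    """Constructed test transaction: one dummy input and no real signature."""
    tx = struct.pack("<I", 2) + b"\x01" + bytes(32) + struct.pack("<I", 0)
    tx += b"\x00" + struct.pack("<I", 0xFFFFFFFF) + bytes([len(outputs)])
    for value, script_hex in outputs:
        script = bytes.fromhex(script_hex)
        tx += struct.pack("<Q", value) + bytes([len(script)]) + script
    return tx + struct.pack("<I", 0)           # locktime

# Constructed P2WPKH-shaped scripts; not real addresses.
PAY, CHANGE, OTHER = ("0014" + b * 20 for b in ("11", "22", "99"))
EXPECTED = {PAY: 100_000_000, CHANGE: 50_000}
```

An empty list from `review` means every output matches the intended payees and amounts; anything else is a reason not to sign or broadcast.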

------
btilly
Reading these threads I always have to wonder.

Is the report of being scammed a scammer trying to make extra money on a sale?
How would anyone know?

~~~
GaryNumanVevo
Bitcoin being a public ledger, it's fairly easy to see if 1,400 BTC was moved
recently:
[https://www.blockchain.com/btc/tx/ef600c380a239d9b929c6c964d...](https://www.blockchain.com/btc/tx/ef600c380a239d9b929c6c964deaf7060e309750950a516cee65576232b0c53c)

I mean they definitely could have seen that transaction and just acted like it
was their stolen money.

------
iJohnDoe
Serious question. Not trolling.

Would it have been possible to exchange that much BTC for US dollars? Ignoring
taxes for a few seconds. Would it have actually been possible to get real fiat
money for the 1,400 BTC?

I’ve always heard of complete incompetence trying to get an account set up on
any exchange. Getting verified, etc.

~~~
noxer
If he acquired them legally of course he can sell them and get fiat withdrawn to
his bank, assuming he's not in a place where bitcoin is illegal. Doing this all
at once without informing your bank will probably instantly freeze the funds
and trigger some kind of investigation. That doesn't mean you eventually get
access to it. Also there are exchanges withdraw limits so it's not on your bank
account in 1-2 working days. If you want to sell all at once and withdraw you
would have to register on different exchanges to circumvent daily limits and
do the KYC which can take days to get verified.

------
phedboi
Why would someone holding 1400 BTC use a software wallet instead of an offline
hardware wallet? SMH

~~~
spurgu
Yeah this is what blows my mind. I would be paranoid if I had 14 BTC, let
alone 1400. When I had (as much as) 19 BTC some while ago I stored them on a
Trezor, with the seed on a paper (three copies in different places) in a form
that no one would realize it actually was a seed.

~~~
herpderperator
Be careful... sometimes we end up making things so complicated that we forget
how it works. Think why comments are so crucial after looking at your own code
from a year ago and having no clue what you meant. :-)

------
gota
I've said this time and time again: 'be your own bank' is a terrible design
error, not a feature, for 99.99% of users.

This guy is most likely somewhat technically literate, and this happened to
him.

~~~
rjkennedy98
There is no mandate in Bitcoin to 'be your own bank' \- it's just an option. It
is a feature and a very good one for people who are afraid of government
intrusion into how they use their money. If you don't care about this
"feature" you can turn it off by putting your crypto in Coinbase or other
exchanges where it will be insured.

~~~
nyghtly
> Satoshi Nakamoto stated in his white paper that: "The root problem with
> conventional currencies is all the trust that's required to make it work.
> The central bank must be trusted not to debase the currency, but the history
> of fiat currencies is full of breaches of that trust."

[https://en.wikipedia.org/wiki/Bitcoin](https://en.wikipedia.org/wiki/Bitcoin)

It's clear that the purpose of Bitcoin is to replace existing banking
institutions by providing a trust-less alternative. This means that using an
exchange to store Bitcoin is essentially useless. If your purpose is to
protect your money by handing it over to a trusted institution, then you're
better off putting it into a bank that's FDIC insured.

Of course, the real reason that people store their Bitcoin on Coinbase is so
that they can easily profit from speculation by exchanging their coin for USD.

~~~
fluffything
Bitcoin does not provide a trust-less alternative, at best, it requires you to
trust yourself.

The internet is full of people that have lost their wallets due to hardware
failures and no backups, scams, phishing, ...

------
simonblack
If you can't hold it in your hot little hand, it does not exist. This also
applies to your money and other valuables held by third parties such as Banks
or Trusts, or wealth stored as numbers in a computer.

_Unless you hold and control it personally, it's not yours at all._

While it's definitely convenient in good times for your wealth storage to be
in the hands of others, you're completely dependent on the goodwill of those
others. In bad or difficult times, you're not going to keep that wealth for
very long.

~~~
EForEndeavour
Pointing out that you don't technically own the money in your conventional
bank's chequing account is a mere distraction from the fact that in the real
world, it's easier to permanently lose access to your cryptocurrency than it
is to permanently lose access to your bank account.

------
echopom
This is fascinating.

Honestly, while I found BlockChain & Immutable Ledger disruptive technology,
I have zero trust in cryptos.

The amount of scam in this industry is just obscene, unlike banking, there is
no such thing as insurance for your wallet or legal recourse to get back your
assets, you're pretty much on your own and I'm fairly convinced he won't get
back his 1.5M$ Bitcoin.

I feel bad for him, but there is very little surprise playing with
unregulated stuff.

~~~
vmception
There is a lot more scamming in those legal recourse systems, they have the
benefit of not being masqueraded as international news every time!

The user experience where you personally still have your money might be
something you like.

Also it was $16m bitcoin

------
ur-whale
Reading this, I feel compelled to repost this old but still largely relevant
blogpost:

[http://trilema.com/2013/the-story-of-pointless-and-witless/](http://trilema.com/2013/the-story-of-pointless-and-witless/)

------
kobasa
It's not crypto-currencies and it's not crypto currencies. It's simply
cryptocurrencies. At least learn to spell the word correctly before giving
your absolutely ignorant opinion on it.

------
CameronBanga
Given that the first post in tracker mentions "0,09", I think the comment here
may actually be using a Euro standard decimal notation.

So the author may have lost 1.4 BTC, or ~16k. Still a loss, but not 16m.

~~~
spurgu
Nope:
[https://www.blockchain.com/btc/address/bc1qcygs9dl4pqw6atc4y...](https://www.blockchain.com/btc/address/bc1qcygs9dl4pqw6atc4yqudrzd76p3r9cp6xp2kny)

Address mentioned here:
[https://github.com/spesmilo/electrum/issues/5072#issuecommen...](https://github.com/spesmilo/electrum/issues/5072#issuecomment-683356120)

------
asdz
That's why getting a hardware wallet is important!!! The guy has 17 million
USD and doesn't even bother to heighten up the security.

------
xwdv
Fools and their bitcoin are easily parted. Perhaps this man has lost his only
chance at possessing millions. What an expensive lesson.

------
rtx
This is why we need, order > Community > Society > Government > Banks

We are at the community stage with crypto.

~~~
gchamonlive
This structure is just one form of security implementation and not flawless at
that, and I would dare say biased towards the richer parties.

Scams, in and outside of banks happen really frequently, so turning to
traditional structures of control just because new ones failed at some point
is defeatist. We can have nice things, but they need time to evolve properly.

~~~
rtx
Don't disagree, always happy to see the alternative. Another one that we had
earlier in India was Rta (natural order) > Rna (debt on non conformist) >
Karma > Gods.

But as we understood the world better, this one went out of fashion

------
reportgunner
This story is kinda like:

"I got pickpocketed once and lost all my cash. This means that cash is
inherently unsafe and should not be used by anyone ever."

~~~
knorker
No, more like "I got pickpocketed of all my life savings, therefore maybe I
shouldn't walk around with my life savings in my back pocket".

------
illgenr
The negative comments on HN about crypto give me confidence RE: its eventual
success in dethroning fiat currency.

------
ncmncm
And somebody gained 1400 BTC.

------
krapp
Caveat fucking emptor.

