How I snatched 153k Ether after a bad Tinder date (medium.com)
183 points by nerform 5 months ago | 71 comments

The "bad Tinder date" is completely irrelevant to the story, and is dispensed with after the first paragraph -- but it's oddly effective clickbait; I think this technique should be used more often:

* Apple releases iPhone X, after a bad Tinder date
* Jamie Dimon Slams Bitcoin as a ‘Fraud’ after a bad Tinder date
* Turkey Signs Russian Missile Deal, Pivoting From NATO after a bad Tinder date
* Structure and Interpretation of Computer Programs, after a bad Tinder date

See? It works every time.

Considering the fact that this was published under a pseudonym (as mentioned by another comment), I wonder if the Tinder details were a bit of misdirection.

This person purportedly stole ~41 million dollars from a number of parties. Who knows who those people were? They could be some bad people, they could owe money to some bad people, or they might be angered enough to become bad people. That's not to mention the fact that law enforcement would likely be interested in this. Or maybe some thugs might like to just beat them up until they squeal?

Assuming the author is truly the thief, I wonder how many of the details intermingled with their story are false.

Imagine you're the thief. You just stole $41MM. Now what?

You know someone is gonna wonder where their money went - likely multiple people. The blockchain is a public ledger. The victims are going to hire people with expertise just like the author claimed to have in order to try following the ETH as it is mixed and laundered. That's a lot of money to launder successfully without making a single mistake. And I'd imagine a lot of people will be watching.

However, the author surely knows all of this. So why write a blog post with so much helpful information? Assuming all of it is true, we could easily deduce:


> tinder user, went on a date w/ a creepy guy: author is likely either a straight female, or bi/gay male, single

> bastille day celebrations outside: lives in france

> has two living parents who own a house, has an older brother who does not have a car, has a sister who is going/went to college

> has loans, does not own a house

That's a lot of information, and isn't even all of it. Why just hand it out, knowing you're likely a big target on a few people's radar?

I'm fairly confident that it's a fictional retelling of what plausibly might have happened with the actual attacker.

Otherwise, I'm not really sure why you'd want to brag about nabbing that much currency.

> ~41 million dollars

Please don't use this term; use the actual stolen property, 153k Ether, whose value will fluctuate daily (it gained and lost €100 in value in the past month, which would make your estimate inaccurate by about €15 million).

There's a whole subreddit (r/savedyouaclick) for these.

That subreddit is great. My favorite:

Dave Grohl Says There's "One Thing Missing" From Possible Nirvana Reunion | It's Kurt Cobain.

I love the ones that tell you how many clicks you've saved - some go up to almost a hundred.

I don't think it's completely irrelevant. It's meant to get the idea across that it is easy enough to do at night when you're bored.

Just for the record, "Mitch Brenner" is the name of a character in Alfred Hitchcock's "The Birds", and the photo in the profile is of the Australian actor who played him, Rod Taylor.

Do you think there is any significance to this choice of pseudonym (unless the author's name is Mitch Brenner or Rod Taylor)? I cannot think of one, but I don't know the film well.

Under 'Reception and Interpretation', the film's Wikipedia entry says

"Humanities scholar Camille Paglia wrote a monograph about the film for the BFI Film Classics series. She interprets it as an ode to the many facets of female sexuality and, by extension, nature itself. She notes that women play pivotal roles in it. Mitch is defined by his relationships with his mother, sister, and ex-lover – a careful balance which is disrupted by his attraction to the beautiful Melanie."

which isn't leading me anywhere (other than to think this analysis tells more about Ms. Paglia's interests than the movie.)


> Do you think there is any significance to this choice of pseudonym

No idea.

Though I can say that often enough critics see in a work of art (be it a book, a painting, a piece of music or a movie) even more than what the author actually meant.

The only thing that strikes me is that - though a classic - it is not among the most renowned Hitchcock films for the "new generations"; most probably, if you ask anyone younger than - say - forty, the only Hitchcock film he/she will remember will probably be Psycho.

So, assuming that the author of the medium post is not that age or over it (and according to the "if I can get enough money for a nice early 20s retirement out of this" it should mean that the post author is twenty something), it is a "strange" choice, contradicting - possibly on purpose - other anecdata scattered here and there (without any apparent reason), such as the use of Tinder, the reference to Bastille Day fireworks, the notion that 253 ETH are roughly "half a year's salary", and possibly a few more that I overlooked and that seem "not needed" in the context.

The image conveyed is that of a single twentysomething (if male, possibly gay, since the reference on Tinder is to a "he" who turned out to be a creep, and later there is an "I am not a rich guy") LEO (or at any rate belonging to a security-related organization) IT specialist (specifically working on monitoring coin exchanges of dubious nature), living in France (or at any rate a place where the 14th of July is celebrated with fireworks) and with a yearly wage around 120-140K US$, with a family composed of father and mother, an older brother and a younger sister, who had a work trip on Monday 17 July 2017.

IMHO (and as other people already noticed) "too good to be true" or "too many data points" for someone that wishes to remain anonymous.

This is a retelling of the Parity Multi-Sig Wallet hack, from the hacker's perspective:


We're talking about 40mn USD here so I doubt that this account was written by the original hacker.

I think the key to understanding this article is this:

> But Mitch, isn’t this wrong? No.

Let's suppose the hacker really did feel no remorse for stealing 153k Ether. Then it seems they might not feel it necessary to keep their identity hidden. They might also feel proud enough that they feel it is worth the risk to publicly disclose their actions. Given that, it seems that perhaps some of what the author wrote might actually be true.

Despite that, it seems that there is more than enough information here to identify them. There is only one country that celebrates Bastille Day, they are apparently interested in men so either a gay/bi male or a straight female, they work for a security research company, they have excellent command of English, they are in their early 20s, they apparently have a fast and loose attitude. It seems those criteria would narrow down to only a handful of people.

Presumably whoever did it is a clever person. If I were in that position, I think it would be a fairly obvious step to season the article with subtle misdirections that send people on a wild goose chase. In fact it would be quite fun to do. So I wouldn't take the "information" in the article at face value at all.

I don't think being clever with code necessarily equates to having common sense. If he had common sense, he would have gone on his merry way without bragging on the internet...

You possibly vastly underestimate how important it is for people committing "perfect" crimes to tell the world it was them. There are a lot of stories about forgers including subtle clues in their forgeries to be able to claim their "art" and prove they duped people.

This. This is also essentially the premise for (the original) Death Note (except a God complex rather than proving they pulled a fast one).

Chances are that misdirection is exactly why it started with the Tinder date and mentions the Bastille Day.

I thought the whole point was you don't need ethics or any of that old boring stuff; the contracts pay out once they are filled. Or I guess, when computers have been sufficiently convinced the contracts were filled.

I think people need to decide: do you really want that? Do you really want the decentralized, machine-consensus-based decision making or do you want courts and banks? If the former, you had better make sure those computers will do what you expect them to. Because the computers just do what they're told. They can't read minds.

It really depends; cryptocurrency is so much in flux right now that governments don't know what to do with it yet, and those are the ones that determine whether something is a crime or not.

If they declare that stealing cryptocurrency is a crime, then they also need to start controlling it. Enforce auditing on smart contracts, crypto codebases, and exchanges. Which goes directly against what the whole crypto-anarchists are aiming for.

But, that's what they wanted. You win freedom, you lose security (and a lot of money).

In the article he mentions he "is not a rich guy."

so maybe a rich woman?

Based on the first paragraph I assumed the author is a woman.

but could be a homosexual person too, right?

Or a straight man or gay woman. The unnecessary identifying information is very likely meant to throw people off.

Or maybe like others have suggested here, it is fiction.

This isn't a real story, it's sensationalized fiction loosely based on reality. I wish they would put it in huge letters at the top of the story so you know that going in.

Then I would like a spoiler alert before that statement.

how do you know?

Are you really untraceable if you switch from ETH to BTC and then to dollars or euros? I don't really know how Ethereum works, but if every transaction is recorded, whichever exchange he used would have the origin ETH and destination BTC wallets and whichever bank account it's going to, wouldn't it? I would appreciate some insight on that.

You're totally traceable. Always assume third party records are public.

We're working on a guide for people to invest anonymously with us. It's not so simple. Monero is great, but their current defaults are too low to guarantee the privacy they say they have, and changing the defaults makes your transactions stick out.

What you have to do is:

1. Exchange into Monero.

2. Churn with Monero. This means you'll send your XMR from your wallet to your wallet, over and over again. Probably once every 3-6 hours, randomly. The destination address is private in Monero, so sending to your own wallet is fine.

3. After some time (1-3 days) send to another exchange to get Bitcoin/Ether/etc. Need to look at trade volumes to make sure you don't stick out. And probably not send out the same amount you put in. Keep half or some chunk and slowly leak it back to Bitcoin.

4. Optionally one could stack on a couple of Bitcoin mixers, on the idea that you won't have the bad luck to hit two compromised mixers. But each one will take ~2% so it adds up.

At that point you have coins reasonably unrelated to your earlier identity. Getting them into cash is a whole other guide.

If you switch between networks you suddenly no longer have a transparent transaction. Mind you, the details of the transaction (i.e. which BTC account the ETH was converted into) can be retrieved, but not without some effort and paperwork from authorities.

If you, say, split up the ETH and tumble it into a number of smaller wallets, transfer it to BTC with a bunch of separate accounts and/or exchanges, and then tumble it again on the BTC side, then it no longer is as simple as requesting one transaction from one account.

Now you have to trace the currency through the tumbler, request information on n number of accounts while providing details indicating that all n accounts are tied to some crime, and then trace all of said currency through another tumbler.

At this point, if it all ends up in one BTC wallet, you could find them. However, if it ends up in a number of smaller BTC wallets, you also have to now prove that those wallets are all owned by the same person and not just a bunch of wallets owned by separate people who happened to have a total of x amount of BTC adding up to roughly the equivalent value in ETH minus transaction fees.

It goes from one step with some paperwork into months worth of work by a team of skilled people, a tonne of paperwork, and a high probability of ending up with a dead end after all of this.
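As an added illustration of the tracing work this comment describes (example code written for this thread, not code from the Medium post, the commenters, or any tool they name): a proportional "haircut" taint trace over a small constructed ledger slice in which stolen funds are split, commingled with clean funds, and delivered to two exchange deposit addresses. All address labels, amounts and fees are hypothetical. It shows the two points the comment makes: splitting and mixing with other money does not break the arithmetic link on a public ledger (the stolen value is conserved up to fees), and the trail only goes dark at custodial hops, which is exactly where the per-account paperwork starts.

```python
from collections import defaultdict

# Constructed ledger slice: (tx_id, sender, receiver, amount, fee).
# Address names are hypothetical labels, not real accounts; units are arbitrary.
TRANSFERS = [
    ("t1", "thief",     "split_a",   60.0, 1.0),
    ("t2", "thief",     "split_b",   40.0, 1.0),
    ("t3", "bystander", "split_a",   20.0, 0.0),  # clean funds commingled into split_a
    ("t4", "split_a",   "deposit_1", 79.0, 1.0),  # deposit address at exchange 1 (hypothetical)
    ("t5", "split_b",   "deposit_2", 39.0, 1.0),  # deposit address at exchange 2 (hypothetical)
    ("t6", "payroll",   "deposit_2", 10.0, 0.0),  # unrelated clean deposit to the same address
]
CUSTODIAL = {"deposit_1", "deposit_2"}  # hops where the on-chain graph stops identifying a person


def haircut_taint(transfers, origin, stolen):
    """Proportional ('haircut') taint propagation over an ordered list of transfers.

    Each outgoing transfer carries the same tainted fraction as the sender's current
    holdings. Returns (tainted, balance, tainted_fees): tainted[addr] is the stolen
    value attributed to addr after the last transfer, tainted_fees the stolen value
    burned as fees along the way.
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    balance[origin] = stolen
    tainted[origin] = stolen
    tainted_fees = 0.0
    for _tx_id, src, dst, amount, fee in transfers:
        outflow = amount + fee
        if balance[src] < outflow:
            # Funds that arrived outside this ledger slice are treated as clean.
            balance[src] = outflow
        share = tainted[src] / balance[src] if balance[src] else 0.0
        tainted_fees += fee * share
        tainted[src] -= outflow * share
        balance[src] -= outflow
        tainted[dst] += amount * share
        balance[dst] += amount
    return dict(tainted), dict(balance), tainted_fees


def tainted_endpoints(transfers, origin, stolen, custodial, min_fraction=0.0):
    """Where the stolen value sits after the last observed transfer.

    Returns (address, tainted_value, tainted_fraction, is_custodial) rows, largest
    tainted value first. A custodial endpoint is where the public ledger stops and
    the custodian's own records (one request per account) become the next step.
    """
    tainted, balance, _ = haircut_taint(transfers, origin, stolen)
    rows = []
    for addr, value in tainted.items():
        if value <= 1e-9 or balance[addr] <= 0:
            continue
        fraction = value / balance[addr]
        if fraction >= min_fraction:
            rows.append((addr, round(value, 6), round(fraction, 4), addr in custodial))
    return sorted(rows, key=lambda row: -row[1])


def conservation_check(transfers, origin, stolen):
    """Stolen value held at all addresses plus stolen value burned as fees."""
    tainted, _, tainted_fees = haircut_taint(transfers, origin, stolen)
    return sum(tainted.values()) + tainted_fees


if __name__ == "__main__":
    for row in tainted_endpoints(TRANSFERS, "thief", 102.0, CUSTODIAL):
        print(row)
    print("conserved:", conservation_check(TRANSFERS, "thief", 102.0))
```

The haircut rule is one of several attribution conventions (FIFO and "poison" are others); it is the one that makes the arithmetic easiest to audit, and on this sample it attributes 59.25 of the 79 units at deposit_1 and 39 of the 49 units at deposit_2 to the theft, with 3.75 units lost to fees. The second exchange account illustrates the comment's last point: a clean payroll deposit landing on the same address does not erase the stolen share, but proving who controls it needs the exchange's records, not the ledger.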

> if it ends up in a number of smaller BTC wallets, you also have to now prove that those wallets are all owned by the same person and not just a bunch of wallets owned by separate people who happened to have a total of x amount of BTC adding up to roughly the equivalent value in ETH minus transaction fees.

This could be considered handling stolen goods, and could be prosecutable. Anyone who has access to the private keys that have been involved could potentially be considered an accessory (provided they have spent them and not reported the transaction).

It could, but the point I was making is that you have to make the case that they are intentionally holding the stolen currency and not just having been paid said currency for a service of some kind.

I'm not sure that holds, it's like getting paid for a service with marked currency. At best you would have the currency taken off you, and investigated/forced to disclose details of all your transactions, at worst you would be considered for handling stolen goods.

If you look at purely their respective transaction logs, then probably not. However, you need an exchange to do the transfer. You could do this offline, sit with a guy who is willing to transfer the funds outside of one of the known exchanges - I don't know if there's anyone offering this yet, I can imagine in certain circles this does happen, but it requires a lot of trust.

A lot of the online exchanges are government-regulated nowadays though, and require photo ID for you to be able to do things. Mind you, it should be fairly trivial to forge or use stolen IDs. I think Coinbase asks for a second ID at one point, probably for larger transactions. But either way, those will have a transaction log, so they can see the path from wallet > fiat > bank account, and from there the banks, also regulated, can point to you (and they do / should check your ID with a bit more scrutiny).

TL;DR it's only untraceable if you can do the exchanges between cryptocurrencies and to fiat in real life with shady characters.

> You could do this offline, sit with a guy who is willing to transfer the funds outside of one of the known exchanges - I don't know if there's anyone offering this yet,

Has been a thing for a few years now - https://localbitcoins.com/

And also, what happens when your dollar or euro bank account receives 30+ million in a few days? Do banks have alerts when someone's account activity is unusual compared to historic usage?

Your account will almost certainly be frozen until you show up and convince the bank you're not a money launderer. Given the complexity of AML laws, you probably actually are at that point. And therefore the conversation with the bank might not go in your favor.

Instead, you just pull a few thousand a week for a few years, pay taxes, and leave the rest in BTC, using that to pay for as much stuff as you can/want.

The "right" way to launder cryptocurrencies is normally to use it to buy a whole bunch of Monero (or some other cryptocurrency with stronger claims of anonymity), then bounce that around a bit before using it to buy Bitcoin (which is then sold for fiat or used directly).

The real kicker here is the tip jar at the end of the article.

So, is this an admission? Or a theoretical? Or only part of the story?

Is the writer using a pseudonym?

he is claiming to be the multi-sig exploit hacker:


he is probably role playing because i doubt whoever did this would put themselves at risk by claiming they did it publicly

I agree this reads like fiction, and it would be idiotic to admit it.

If real, the people he stole from may be even less ethical than he is (and they must have noticed the ETH were gone, and at what time). This could paint him as a murder target, a position I wouldn't want to be in...

They must be very angry and powerful to do that, because the common criminal rule is that you pay all debts of the person you killed. Otherwise it would be too easy to take money from the debtor/thief at the right moment and then send someone to bury him in the basement without any consequence.

Except it is possibly a grey area: the contracts are written such that extracting the money is only possible if you fulfill the contract. If you find a loophole, fulfill the contract and take the money, did you really steal it?

With the usual caveats (IANAL, this may vary per country/jurisdiction), laws and contracts are usually about intent, not pure semantics. And you'd probably have a hard time arguing that this way of 'fulfilling' the contract was the intended way.

I understand that contracts are usually written this way but an ethereum smart contract is a different kettle of fish. It is written to be a program so if you can get the program to respond to your inputs then you have fulfilled the requirements of the smart contract as it was written. Of course it may be that it was poorly worded but that is an issue for the contract writer.

Just because whoever invented them called them "smart contracts" doesn't mean they're considered as such in the jurisdiction where the people using the said "smart contract" are living. Matt Levine has written extensively about the subject.

It's unlikely that someone motivated enough to hire an assassin on the darknet cares about the technical legality of the exploit.

It's very easy to piss people off within the confines of a system's rules. The general advice is not to do so.

I have a hunch that this is a parody of the DAO token theft.

Don't have the technical knowledge, nor do I care to put in the hours to figure it all out.

It certainly seems to have elements of parody, though if it were about the DAO specifically, I would think he might have said something about hard forks.

I'm curious why the attacker converted his ETH into BTC. Why not Monero first? Once the money is converted into Monero, it should be untraceable, right?

Liquidity. There's enough demand for ETH-BTC that you can convert $30m worth pretty fast; for ETH straight to Monero, you would be in for a much longer wait.

Monero is also not quite untraceable with the defaults. It requires understanding Monero a bit, and spending days churning your coins. The idea that Monero is so unlinkable is horrible marketing and is going to get someone busted.

lol at this guy putting a tip jar at the bottom of the post

it's a Ropsten (testnet) address

William Gibson was doing this in the 80's.

Out of curiosity...is this a man or a woman?

EDIT: What's with the oversensitivity here? Is there anything wrong in asking a person's sex? What if it's for studying inclination towards certain decision making criteria? Geez folks, not every question is sinister. If you don't want to answer it, just move on. No one is being attacked here.

> EDIT: What's with the oversensitivity here?

It's not oversensitivity, there's literally no reason to care about the sex of the person who wrote this. It's completely off-topic and irrelevant.

What does "studying inclination towards certain decision making criteria" mean anyway? Reading between the lines it sounds like you think women behave one way and men the other way (which is fine if you think that btw), but wanting to "study" that using this article is just dumb.

"Literally no reason" in this case meaning...?

If you went through 7 books of "Harry Potter" carefully written to never reveal the gender of the main character, would you care?

It's human nature to be curious. And particularly about a dark shady character pulling off crazy crypto heists.

Ambiguity over the identity of the narrator is part of the hook. Of course it's reflex to start drawing a picture of this character in your mind as you read. When the gender is unknown or not clear, and particularly when you throw in mixed messages that this might not be the stereotypical male basement dweller, it's interesting.

Note that the question was phrased as "Out of curiosity...". This is essentially a disclaimer that it is an off-topic and irrelevant question. From the way I see it, your comment is even less reasonable in this context.

You mean like if I used the same disclaimer and asked you this:

"Out of curiousity, are you male?"

Can you not see what that implies?

> What if it's for studying inclination towards certain decision making criteria?

A study based on one person doesn't sound very interesting.

Did you click the link at all? The author has a name and a picture.

From jaclaz's comment higher up:

> Just for the record, "Mitch Brenner" is the name of a character in Alfred Hitchcock's "The Birds", and the photo in the profile is of the Australian actor who played him, Rod Taylor.

I happened to be doing some bug/feature chasing in Firefox a couple days ago (Firefox doesn't support Shadow DOM yet!! >.<), and found myself reading https://bugzilla.mozilla.org/show_bug.cgi?id=1205323.

The reporter (who I am not calling out - it's the reply I want to focus on) happened to say "hey guys" as a salutatory address of the whole group. The very much unexpected comment reply that came next briefly digressed from the bug report to point out that small sentence and reference this URL: https://notapattern.net/2014/10/14/ways-men-in-tech-are-unin...

Tossing gender aside for a short moment, when I saw that link (and the multi-paragraph followup comment following the author's mild rebuff of the callout and URL as irrelevant), I'd say I was mildly irritated and maybe even fractionally offended (in the sense of "a tiny bit fed up", but not unreasonably/irrationally so) by it. This was mostly because calling this out seemed so out of place, and really, for what end?

Heheh. Then I read the article. It's well-written, grounded, and the links in the page point to similarly high-quality content (I may have link-chained for a couple hours...). I consider this page pretty much required reading; Mozilla found a good URL to reference for this.

I can understand your standpoint; I had it myself. Had. I'm grateful to say I'm comfortable how I was born. I also happen to like the opposite gender :P. So I'm pretty much a stereotype. But, as a stereotype, there was a ton I learned from that article, and I see everybody differently now.

To answer your question in good faith (no offense intended) - the site displays a small avatar photo of the author at the bottom.

It is an interesting question since they are obviously either making it totally up or creating a fake persona to throw people off the scent (knowing full well it's obvious).

Let's go with "throwing people off the scent".

So pop-psych to act gay but not be gay would rule out many cultures, genders and age groups.

So I'd go with: they are a heterosexual man, late 20's to early 30's. Western upbringing in an English-speaking country.

They chose Tinder over Grindr, because that's part of the story, the surprise. But they could have just said date, hence I think they are reasonably mature. It's a little clever.

Given they chose an Australian actor, I'd guess they are a New Zealander.

> Now, I’m not a rich guy, so 253 ETH is a nice amount of money, which is about half a year salary

This seems to imply the author is male.

why do you even care

I was in a bad mood before I read this. Great read! Thanks.
