This is a major felony involving anonymous holders of a cryptocurrency, many of whom probably aren’t reporting their holdings to the IRS, on a wallet that itself probably isn’t reporting holdings nor earnings to the IRS nor complying with the simplest of money-transmission KYC laws. I struggle to imagine why this would be a priority for the public to pursue. Live by the sword, die by the sword.
There's an awful lot of "probably"s in your comment.
A wallet doesn't need to report anything because it's a wallet. Requiring a wallet to report "holdings and earnings" would be like requiring a safe to report the same information. And many users do report holdings to the IRS or any other agency as needed.
But even if they didn't, this should still be pursued. A lot of criminals use cars, does that mean the police shouldn't look into car thefts?
>Why should my tax dollars go to find your money that you aren't paying taxes on?
Because you have no proof that taxes aren't being paid. You (and others) have just decided that some of these people are doing something wrong without any kind of trial or even investigation and are saying that the government should ignore everyone impacted because of those you assume are doing bad things?
At the same time, I don't believe the government should just tell you "tough shit" if you've also done something illegal at some point.
Are the biggest exchanges reporting earnings to the IRS? No, coinbase only reported the top earners and are actively refusing to give all data.
There’s a reason why regulations were created and Bitcoin skirts around them. Don’t expect those same regulations to protect you if you don’t follow them. It’s the Wild West for crypto right now and some people are going to make it big but the majority are going to lose.
But I and many others are following them, to the fullest extent.
"Bitcoin" doesn't skirt these regulations, people do. I agree that it's a problem that some exchanges don't follow KYC laws, but it's not a law that they must report every person's earnings to the IRS. Coinbase is following all the required laws, and asking them to go above and beyond what is needed "or else" you won't get help is mafia level tactics. And I'd love for you to give me a list of exchanges that take USD and don't follow KYC laws (I'll save you some time, there aren't any with any significant amount of users, because they all get shut down).
And none of this has anything to do with Bitcoin, it has to do with Stellar. A cryptocurrency that is ironically very KYC friendly as you don't use multiple addresses, and all transactions are public. It's magnitudes easier to track Stellar than it ever would be cash. (Or do you feel the same way that someone that had cash robbed from their house shouldn't bother contacting police because they were skirting the law?)
Not to mention that tons of criminals use the internet, and there are a nearly unlimited number of illegal websites and "companies" which are doing bad things online.
Does that mean we shouldn't expect any kind of law to protect us on the internet?
Many car drivers routinely break traffic laws whole driving, does that mean that we shouldn't expect any kind of police help for car drivers?
You are assuming that some of the people here are breaking the law because unrelated companies aren't going above and beyond the required laws, then saying that none of the affected people should receive help because of it.
Rough rule of thumb: if you handle and hold others’ money for them, you have to know your customers [1]. Wallet services have KYC obligations.
> A lot of criminals use cars, does that mean the police shouldn't look into car thefts?
This is closer to Al Capone’s money laundering operation being burgled. Note that my response isn’t general to cryptos. Coinbase being hacked would better merit official investigation.
>Rough rule of thumb: if you handle and hold others’ money for them, you have to know your customers [1]. Wallet services have KYC obligations.
Cryptocurrency wallets don't hold others' money unless they are custodial wallets, which blackwallet wasn't. Blackwallet was just like a personal safe, which has no KYC obligations.
>This is closer to Al Capone’s money laundering operation being burgled.
And yet the basic idea behind your sentiment is that you think the government shouldn't investigate these incidents because you believe a portion of the users are doing something else illegal without any concrete proof or trial?
> Blackwallet was just like a personal safe, which has no KYC obligations
If I open a service which advertises personal safes held on my property that hold other peoples’ cash, I have a KYC obligation. If Blackwallet simply made available open-source wallet code, you might be correct. As I understand it, people logged into Blackwallet through Blackwallet’s website on Blackwallet’s domain to view and mainipulate their wallets’ contents.
> you think the government shouldn't investigate
If some files a report with the police and sends that to their Attorney General, and then the government doesn’t follow up, I would say that is wrong. (It would be comically stupid to file a report about stolen property you evaded taxes on.)
>As I understand it, people logged into Blackwallet through Blackwallet’s website on Blackwallet’s domain to view and mainipulate their funds.
Blackwallet was a web wallet. They hosted javascript code that the users "unlocked" a key held in localstorage on their own PC, signed transactions on their own PC, and sent the signed transactions on the stellar network from their own PC.
This hack was a malicious actor including javascript which would then steal the private keys and send them to a hacker controlled server so they could steal the funds using them.
Pre-hack, the private key never was in control of "blackwallet" off the user's PC at any time, therefore they did not have a KYC obligation. Blackwallet's servers were simply serving up the static software which was used entirely locally.
Things get a little strange when cryptocurrencies are involved, but the closest analogy I can come up with is a personal piggy bank.
The manufacturing company of the piggy bank has no KYC obligation because at no point does the manufacturing company ever have "control" or deal with other people's money.
Now i'm not a lawyer, but this is how I understand the laws here. And I just can't fathom a way in which a piggy bank in my own home doesn't need to follow KYC laws, but a software wallet running on my own personal PC needs to.
>It would be comically stupid to file a report about stolen property you evaded taxes on.
I completely agree, but I pay my taxes, and if I were impacted in this, I would be filing reports, and I would be very upset if my reports were ignored because other don't file taxes...
> I just can't fathom a way in which a piggy bank in my own home doesn't need to follow KYC laws, but a software wallet running on my own personal PC needs to
Your relationship with the piggy bank manufacturer ends at the point of sale. That Blackwallet users routed through a Blackwallet domain to transmit money through the Stellar network (a) made this hack possible and (b) creates a KYC liability.
> if I were impacted in this, I would be filing reports
And I would fully support you. I just don’t think authorities have an obligation to proactively investigate cryptocurrency crimes.
>That Blackwallet users routed through a Blackwallet domain to transmit money through the Stellar network (a) made this hack possible and (b) creates a KYC liability.
No, it didn't. For starters, again nothing went "through" blackwallet servers. It's a one way communication of javascript from blackwallet to the user, then the user holds the data and signs transactions and sends it directly to the stellar network. I don't know the internals on how that last step happened, but even if it went back to blackwallet servers, they would be acting as nothing more than a proxy to enable broadcasting this transaction to the network from JavaScript. And if that makes you require KYC laws then verizon is about to have a really bad time because my encrypted credit card transaction went through their servers.
Just like how your relationship with the piggy bank manufacturer ends at point of sale, your relationship with blackwallet ends once you downloaded the JS. They do not hold any currency, they do not have access to any currency, they do not route any currency, they do not have any KYC obligations.
The article is a bit sparse on details of the actual attack; Was the original site not over https? Or was the attacked site storing session cookies in insecure cookies?
It looks like the hacker was able to log into the website's hosting provider account. The hacker then changed the DNS to point to a different server that had an exact copy of the blackwallet.co website but with a small injection of some javascript to siphon off the master keys that people were entering.
The hijacked server isn’t even displaying a security certificate. Why would anyone conduct a financial transaction without this present (I’m assuming cryptocurrency holders are relatively sophiscated).
Also can browsers do anything to warn users "the last time you visited this URL there was a valid certificate, but there is no longer any, shall we proceed?"
>Also can browsers do anything to warn users "the last time you visited this URL there was a valid certificate, but there is no longer any, shall we proceed?"
so... HSTS? afaik (at least with firefox), it doesn't even let you override the warning.
So, I have accounts on several DNS providers and notice that the security is barebones, mostly username and password. Now, I've got a few domains but exactly $0 in revenue or other people's stuff to worry about.
With all the obsession over painful security everywhere: stupidly complicated passwords that require password managers, 2FA with SMS or Google Authenticator, and that new terrible system where I have to click on pictures of cars or roadsigns for 5 minutes like I'm being tested for cognitive decline -- all that stuff, and some of the biggest DNS providers have miserably simple security.
I didn't see details of HOW DNS was hijacked in that article above but that's just one of my guesses.
Watch, soon you'll need to click on pictures of storefronts when logging in.
I can only encourage people to vote with their wallets on this. I moved my domain registry to AWS over a similar situation, after evaluating several alternative registrars and not finding MFA. I would certainly do so with DNS.
Much like Microsoft's security push around Windows XP SP1 - security will become important to these companies when it impacts revenue.
27 comments
[ 3.0 ms ] story [ 70.8 ms ] threadWhy are they talking to their ISP to get details instead of involving the authorities for an actual investigation?
Where is the police report? Who is investigating this?
This is a major felony involving anonymous holders of a cryptocurrency, many of whom probably aren’t reporting their holdings to the IRS, on a wallet that itself probably isn’t reporting holdings nor earnings to the IRS nor complying with the simplest of money-transmission KYC laws. I struggle to imagine why this would be a priority for the public to pursue. Live by the sword, die by the sword.
A wallet doesn't need to report anything because it's a wallet. Requiring a wallet to report "holdings and earnings" would be like requiring a safe to report the same information. And many users do report holdings to the IRS or any other agency as needed.
But even if they didn't, this should still be pursued. A lot of criminals use cars, does that mean the police shouldn't look into car thefts?
Why should my tax dollars go to find your money that you aren't paying taxes on?
Because you have no proof that taxes aren't being paid. You (and others) have just decided that some of these people are doing something wrong without any kind of trial or even investigation and are saying that the government should ignore everyone impacted because of those you assume are doing bad things?
At the same time, I don't believe the government should just tell you "tough shit" if you've also done something illegal at some point.
There’s a reason why regulations were created and Bitcoin skirts around them. Don’t expect those same regulations to protect you if you don’t follow them. It’s the Wild West for crypto right now and some people are going to make it big but the majority are going to lose.
"Bitcoin" doesn't skirt these regulations, people do. I agree that it's a problem that some exchanges don't follow KYC laws, but it's not a law that they must report every person's earnings to the IRS. Coinbase is following all the required laws, and asking them to go above and beyond what is needed "or else" you won't get help is mafia level tactics. And I'd love for you to give me a list of exchanges that take USD and don't follow KYC laws (I'll save you some time, there aren't any with any significant amount of users, because they all get shut down).
And none of this has anything to do with Bitcoin, it has to do with Stellar. A cryptocurrency that is ironically very KYC friendly as you don't use multiple addresses, and all transactions are public. It's magnitudes easier to track Stellar than it ever would be cash. (Or do you feel the same way that someone that had cash robbed from their house shouldn't bother contacting police because they were skirting the law?)
Not to mention that tons of criminals use the internet, and there are a nearly unlimited number of illegal websites and "companies" which are doing bad things online.
Does that mean we shouldn't expect any kind of law to protect us on the internet?
Many car drivers routinely break traffic laws whole driving, does that mean that we shouldn't expect any kind of police help for car drivers?
You are assuming that some of the people here are breaking the law because unrelated companies aren't going above and beyond the required laws, then saying that none of the affected people should receive help because of it.
Rough rule of thumb: if you handle and hold others’ money for them, you have to know your customers [1]. Wallet services have KYC obligations.
> A lot of criminals use cars, does that mean the police shouldn't look into car thefts?
This is closer to Al Capone’s money laundering operation being burgled. Note that my response isn’t general to cryptos. Coinbase being hacked would better merit official investigation.
[1] https://www.ecfr.gov/cgi-bin/text-idx?SID=e97d41c6dd62f6e86d...
Disclaimer: I am not a lawyer. This is not legal advice.
Cryptocurrency wallets don't hold others' money unless they are custodial wallets, which blackwallet wasn't. Blackwallet was just like a personal safe, which has no KYC obligations.
>This is closer to Al Capone’s money laundering operation being burgled.
And yet the basic idea behind your sentiment is that you think the government shouldn't investigate these incidents because you believe a portion of the users are doing something else illegal without any concrete proof or trial?
If I open a service which advertises personal safes held on my property that hold other peoples’ cash, I have a KYC obligation. If Blackwallet simply made available open-source wallet code, you might be correct. As I understand it, people logged into Blackwallet through Blackwallet’s website on Blackwallet’s domain to view and mainipulate their wallets’ contents.
> you think the government shouldn't investigate
If some files a report with the police and sends that to their Attorney General, and then the government doesn’t follow up, I would say that is wrong. (It would be comically stupid to file a report about stolen property you evaded taxes on.)
Blackwallet was a web wallet. They hosted javascript code that the users "unlocked" a key held in localstorage on their own PC, signed transactions on their own PC, and sent the signed transactions on the stellar network from their own PC.
This hack was a malicious actor including javascript which would then steal the private keys and send them to a hacker controlled server so they could steal the funds using them.
Pre-hack, the private key never was in control of "blackwallet" off the user's PC at any time, therefore they did not have a KYC obligation. Blackwallet's servers were simply serving up the static software which was used entirely locally.
Things get a little strange when cryptocurrencies are involved, but the closest analogy I can come up with is a personal piggy bank.
The manufacturing company of the piggy bank has no KYC obligation because at no point does the manufacturing company ever have "control" or deal with other people's money.
Now i'm not a lawyer, but this is how I understand the laws here. And I just can't fathom a way in which a piggy bank in my own home doesn't need to follow KYC laws, but a software wallet running on my own personal PC needs to.
>It would be comically stupid to file a report about stolen property you evaded taxes on.
I completely agree, but I pay my taxes, and if I were impacted in this, I would be filing reports, and I would be very upset if my reports were ignored because other don't file taxes...
Your relationship with the piggy bank manufacturer ends at the point of sale. That Blackwallet users routed through a Blackwallet domain to transmit money through the Stellar network (a) made this hack possible and (b) creates a KYC liability.
> if I were impacted in this, I would be filing reports
And I would fully support you. I just don’t think authorities have an obligation to proactively investigate cryptocurrency crimes.
No, it didn't. For starters, again nothing went "through" blackwallet servers. It's a one way communication of javascript from blackwallet to the user, then the user holds the data and signs transactions and sends it directly to the stellar network. I don't know the internals on how that last step happened, but even if it went back to blackwallet servers, they would be acting as nothing more than a proxy to enable broadcasting this transaction to the network from JavaScript. And if that makes you require KYC laws then verizon is about to have a really bad time because my encrypted credit card transaction went through their servers.
Just like how your relationship with the piggy bank manufacturer ends at point of sale, your relationship with blackwallet ends once you downloaded the JS. They do not hold any currency, they do not have access to any currency, they do not route any currency, they do not have any KYC obligations.
Is it? Another interpretation would be that this is just someone winning a video game.
I'm being slightly flippant, but these sorts of things do routinely demonstrate how patently unserious this whole concept is so far.
Probably a combination of the DNS hijack + no HSTS
Alternatively, let's encrypt (and probably others) has DNS based verification.
It looks like the hacker was able to log into the website's hosting provider account. The hacker then changed the DNS to point to a different server that had an exact copy of the blackwallet.co website but with a small injection of some javascript to siphon off the master keys that people were entering.
Also can browsers do anything to warn users "the last time you visited this URL there was a valid certificate, but there is no longer any, shall we proceed?"
Based on my Facebook feed of people celebrating their first crypto currency purchase, this is no longer true
so... HSTS? afaik (at least with firefox), it doesn't even let you override the warning.
With all the obsession over painful security everywhere: stupidly complicated passwords that require password managers, 2FA with SMS or Google Authenticator, and that new terrible system where I have to click on pictures of cars or roadsigns for 5 minutes like I'm being tested for cognitive decline -- all that stuff, and some of the biggest DNS providers have miserably simple security.
I didn't see details of HOW DNS was hijacked in that article above but that's just one of my guesses.
Watch, soon you'll need to click on pictures of storefronts when logging in.
Much like Microsoft's security push around Windows XP SP1 - security will become important to these companies when it impacts revenue.