Crypto aside, quite surprising to see home invasions, kidnapping, and torture in middle class american neighborhoods.
What I'd like to know, which wasn't in the release is how did the criminals identify or decide to target these specific victims.
Yes, none of the victims, at least from the sentencing report, sound like they were vocal crypto bros. They sounded more like regular families. If they weren't public figures, I also would really like to know why they were targeted. That's scary.
From the “Dirty Comms” episode of Darknet Diaries, a SIM swapper being interviewed describes how attackers will use breach information from other crypto-related sites to credential-stuff Coinbase. That doesn’t necessarily get you very far because of MFA, but there was seemingly a brief window when Coinbase had a vulnerability for checking account balances without triggering MFA, so attackers were able to identify tons of email addresses associated with large crypto holdings. I imagine this information is available if one were to seek it out.
> DREW: I don’t even know if you’re gonna believe me whenever I tell you this, but there was an exploit in Coinbase for about one month where you could check the balance of any valid password and username. You could – no matter what. You didn’t need to have any sort of access except username and password. So, you didn’t need to SIM them to see their balance. So, people just ran millions upon millions of combos, combo list through Coinbase, and just found the millionaires of Coinbase. There’s obviously millions of those.
If those transactions associated with the account leaks, the funds can be followed. This will often means transactions flowing to off-chain wallets of KYC'd owners.
>how did the criminals identify or decide to target these specific victims.
They used SIM swapping, which is done by fooling customer service agents using stolen, partial personal information. The victims were also cryptobros, so I am guessing the answer is actually as mundane as it gets: Victims put up their names and addresses on social media and bragged/discussed about their cryptowealth.
I have no reason to presume someone holding crypto isn't a cryptobro.
Either way it's irrelevant, the criminals got a hold of their personal information somehow and the most likely cause in this day and age is the victims divulging it themselves.
One of the reasons why this happens is because repeat violent offenders get away with a surprising amount. For instance, the lead criminal in this case had been charged with attempted murder in a separate case just a couple years before starting the crypto thefts, but the charges were eventually dropped. The crypto thefts seem extremely violent as well[2]:
> An elderly North Carolina couple was held hostage in their home by armed men who threatened to "cut off (the) husband’s toes and genitalia, to shoot him, and to rape his wife," before they were robbed of more than $156,000 in cryptocurrency, federal prosecutors said.
Violent crime seems to get far too much of a pass. Not every shoplifter needs to be punished to the ground, but violent crime should be punished harshly.
Home invasion isn't exactly surprising, it's about 1 million home invasions per year in the US. And violent assault of some sort during home invasion isn't super surprising, that's like O(250k) per year.
But the kidnapping and torture, yea that's pretty rare as far as I know.
That data seems wrong, though I have seen it reported on blogs and such. FBI data on total burglaries is under 1,000,000 since 2019 (857k in 2022, the last reported year) Home invasion should be a somewhat smaller subset of that.
FBI / UCR covers only reported crimes at police agencies that forward data, and is a subset. BJS tend to be better at getting realistic numbers. (E.g. a majority of burglaries aren't reported to the police, and thus don't show up in UCR*)
Also robbery is not a superset of home invasion, due to the difference in definition from burglary. Burglary isn't actually about stealing stuff, it's just breaking in with the intent to commit some crime (which is often theft, but not always). Robbery implies theft, but doesn't require it to be in someone's abode. So there's some overlap, but there's robberies that aren't burglaries (because no breaking in is involved), and there's burglaries (even some of the <10% subset of burglaries that are violent) that aren't robberies, because a theft isn't occurring.
* For things like homicide, UCR tends to be a lot better, because the reporting rate is quite high.
Note that the majority of burglaries are unreported to the police and don't show up in the UCR. You should use the Bureau of Justice Statistics for numbers on crimes with very low reporting rates.
As someone with the same name as a somewhat well-known former Bitcoin developer, this is sort of a latent fear I have. I would expect that someone dumb enough to think a home invasion is a good idea is also dumb enough to not double-check whether they've got the right guy.
Many years ago, I went to school with someone who shared their name with someone who got in a very public spat with George Steinbrenner who was the owner of the New York Yankees at the time. They got literal death threats on their phone.
ADDED: Since then I've often thought the worst case scenario is to share a somewhat unusual name with someone who is hated/notorious in some manner given it invites crazies to do crazy things.
For example, sure, don't store your funds on an exchange and they can't get in with a SIM swap, but when they're in your house, that doesn't help you.
You could store your funds with a multisig wallet and make sure you don't have access to enough keys at home to move the funds, but how do you make them believe you?
You can have one or more decoy wallets you can "cave" and give them access to if you think it might buy your freedom, but once you start, again, why would they believe you?
Do you just acknowledge that they won't believe you,that they are going torture you regardless? And at least make sure you or your heirs have the money if any of you survive?
Multisig wallet where you and your spouse both have to sign. In case one dies, the multisig can expire after a certain amount of time and let you access with just one key
It's becoming increasingly difficult. Data leaks, address and name leaks and chain analysis have made it easier to track who owns what. If crime agencies are able to track wallets down then criminals are too.
Only the your onramp/offramp would need to know who you are (because of KYC/AML), otherwise you can be as anonymous as you want and it really isn't hard, assuming you don't want to hide from your onramp/offramp.
Why unless? Say you have 1 ETH in Wallet A, if you transfer it to your on/offramp (the exchange) and then do Wallet B, the only link between Wallet A and B is only known by the exchange, so you'll remain private (publicly, again assuming you don't want to hide from the exchange).
You can't trust the exchange to not inadvertently leak the information. A substantial leak could include personally identifying information along with account balances and or deposit and withdrawal totals.
Somewhere along to lines, if you want USD, you need to trust someone, it's inescapable. So once you know this, you can act accordingly.
But still, the original argument was that you have to worry about chain analysis because everything is public, but obviously that isn't true, no matter if an exchange may or maybe not inadvertently leak something.
First one maybe but definitely not the second one.
Have you actually thought of it?
How would the platform know who sent what. They can't. So it's definitely not shared on the deposit side. And I doubt they'd move the money around because of fees so I doubt it's shared on the withdrawal side too.
From my experience, of course it depends on the blockchain used, but they all have static addresses per user
A friend of mine became insanely wealthy just off of Bitcoin. Immediately went off the grid a few years (back in 2017). Now owns a precious metals mining company in South America. Still holds Bitcoin, lives comfortably to a point, changed passports to evade sanctions (he was Russian), and even has a kind of his own private army, that's mostly involved in the mining business.
You wouldn't figure all of that out by simply looking at him, but strike him now and you'd have to contend against a few major governments at this point.
The decoy method doesn't even work because a smart criminal could just check your exchange withdrawals for amounts. You'd have to hope that they were ignorant enough.
That's not remotely true. I get a receipt from a specific service provider every week that I could easily recreate from memory, but the ink fades within a month.
Not to be flippant, but your head is not terribly secure either.
Coercion is a thing, and despite what you see in the movies, you'd be surprised at how fast you offer the password.
But perhaps more certainly, you will at some point die, and it's probable you will do so lacking the capacity to pass the code on to your heirs. So if you want your wife and family to jnherit, well, you may want to rethink.
And that's before we discuss thd uselessness of crypto as currency where you have to go to your safe deposit box to spend any of it.
You misunderstood. Since your keys are stored encrypted in a safety deposit box, it doesn't matter if you're forced to tell your password to some random thug - they don't have access to your keys.
You can also put your password in your will, if you're afraid of not passing it to your family.
Hmm. Maybe like the group holding your assets has a centralized check and control system? Like they could operate physical locations and have staff? A novel concept.
Perhaps these groups could be regulated and insured by an even larger entity, perhaps even one with the authority to punish individuals and organizations for wrongdoing?
With Bitcoin, you could create that third party in a trust minimized way, something impossible to do with the banking system.
For instance, if the third party refuses to authorize a legitimate transaction, you have a third key you keep offline somewhere that can be used to force a transaction through.
Great idea! Those things cost money though and users won't like paying up-front--they'll have to be sure to make up costs with obscene fees, the more obfuscated the better. To minimize pushback on the fees they should consider focusing them on the most disadvantaged users, since they're least likely to be able to do anything about it. Isn't it a great system?
I get the joke, but you could do that without the trusted third party. It is pretty easy to imagine a system where transfers have to be signalled X blocks before the actual transaction takes place if the transaction is statistically weird. The sort of problem smart contracts are there to solve.
You could custom program a canary wallet. When the wallet makes a transfer it automatically calls 911 and sends the cops to your house or your phones location.
You can have timed transactions with Bitcoin. That is the transaction will only be valid after xxxx date. You do, however, need to keep creating transactions to keep pushing the date further.
This was a large consideration in me offloading the vast majority of my cryptocurrency during the peak run up. The financial and digital hacking risk I was okay with, the physical risk to my family was too much. Even if I kept it off-site and in a safe deposit box somewhere no criminal would actually know that. Decoy systems and complicated multisig setups are all vulnerable to the ball peen hammer attack.
Had I known Bitcoin would turn into what it had I would have done far more to create a pseudonymous persona when participating in the early scene vs. my well known and easily linked handle to my real identity.
It was a fun ride, but the risk just got to be too much.
I mean, the premise is more or less the same as that of keeping your money in gold bars under your bed, except without the physical labor. So yeah, seems like a bad idea.
When I was in high school, the computing teacher remarked that some people still don't believe that computers have benefited society. His answer to this was that they have nearly eliminated armed robbery, because when people were paid in cash, the payroll was an enormous target. Such heists used to be a commonplace risk, but a couple of generations have grown up without them.
Hmm, it's years since I properly thought about this anecdote
Yes, in theory you could have done everything with checks. It didn't completely happen though, until after computerisation. In the UK, it turns out that employees had the right to receive pay in cash as late as 1986! And taking it away was controversial.So it may be that you are right that computerisation wasn't essential, but most likely the reduction in cost of banking spread it to enough people that armed robbery became less of a risk.
Bitcoin is not anonymous. Should one be able to link a wallet to a real name (like, for example, phil21), they can then follow each transaction that wallet makes, and where every coin ends up.
Once you know phil21's wallet is empty, those looking to heist anything would look through which wallets the coins ended up in, and start linking identities to those wallets.
If a criminal knows to look, they see the risk no longer matches the reward. If they don't know to look, odds are they weren't involved enough to have followed phil21's coins and wallet back to a street address in the first place.
Sure, the risk isn't zero, like you're implying, but it's dramatically lower.
I find it doubtful that the majority of these heists follow anything like the pattern you've described. I think much more likely is just something simple along the lines of "xyz was active in Bitcoin in 2011, they're still using exchanges as of 2020 because we have a leaked email database, they probably have either nothing or a metric ton of coins, let's give it a go".
If anything I think that someone shouting loudly "I have definitely sold it all, I promise" is a sign that they probably haven't.
Fiat money is harder to steal because you can't just transfer hundreds of thousands or millions about from mainstream banks without questions being asked.
For the most part I don't think that the GP has the story straight.
You can't really have it both ways - either Bitcoin is desirable to criminals because it's untraceable enough to get away with it etc, or it's not. I think that they're overstating the ease of finding a person's complete holdings.
Having said that, amusingly, if I had to think of the best way to force someone with a million dollars in a bank account to give me it... the first thing that comes to mind would be to hold them hostage and say to them, get KYC'd on a crypto exchange and send me the crypto. I think that the biggest barrier would be that with no prior history their bank and the exchange would throw a big fat WTF and probably lock everything down for weeks.
I'd say it's really a mix here: It's traceable enough to make Phil uncomfortable, but not every criminal will know it's traceable (especially by government agencies).
Your point is the big one though - one cannot suddenly, unexpectedly, and without a history of doing so, transfer six-figure sums without traditional financial institutions looking at said transaction fairly closely. Bitcoin doesn't have this drawback
There’s more friction involved in withdrawing money from a bank. You can do stuff like cancel transfers within a time window, something that’s not usually possible with cryptocurrency
Isn't this a risk that everyone with a nice, expensive house lives with? I fail to see how it's specific to bitcoin or cryptocurrency. Neighborhoods full of mansions are bound to have lots of expensive jewelry inside. Maybe you could say the novelty and hype around bitcoin attract pests, but generally speaking the more you have to lose the more you need to spend securing what's yours.
A great many people who live in nice houses are extremely illiquid, they may even have a negative net worth, and their visible property all saddled with debt.
Also how much are you really going to get from jewelry in a typical ritzy house after fencing overheads? Maybe a few grand?
Of course, people do break into ritzy houses too... though they generally do it when no one is home. Jewellery doesn't tend to have passwords.
That's a good point, to get someone's jewelry you just need to get in their house, to get someone's bitcoin you need to get your hands on them. I suppose that makes it more dangerous, but instead of jewelry, you know someone in a really nice house is probably very valuable to someone else, ransoming them is basically the same thing.
Many leaks have happened over the years. While a leaked email address isn't always an identifiable target, correlating various leaks along with the various other identity resources out there isn't very challenging.
102 comments
[ 2.9 ms ] story [ 181 ms ] thread> DREW: I don’t even know if you’re gonna believe me whenever I tell you this, but there was an exploit in Coinbase for about one month where you could check the balance of any valid password and username. You could – no matter what. You didn’t need to have any sort of access except username and password. So, you didn’t need to SIM them to see their balance. So, people just ran millions upon millions of combos, combo list through Coinbase, and just found the millionaires of Coinbase. There’s obviously millions of those.
https://darknetdiaries.com/transcript/112/
They used SIM swapping, which is done by fooling customer service agents using stolen, partial personal information. The victims were also cryptobros, so I am guessing the answer is actually as mundane as it gets: Victims put up their names and addresses on social media and bragged/discussed about their cryptowealth.
Either way it's irrelevant, the criminals got a hold of their personal information somehow and the most likely cause in this day and age is the victims divulging it themselves.
> An elderly North Carolina couple was held hostage in their home by armed men who threatened to "cut off (the) husband’s toes and genitalia, to shoot him, and to rape his wife," before they were robbed of more than $156,000 in cryptocurrency, federal prosecutors said.
[1] https://www.palmbeachpost.com/story/news/crime/2018/08/22/up... [2] https://www.nbcnews.com/news/crime-courts/elderly-nc-couple-...
But the kidnapping and torture, yea that's pretty rare as far as I know.
https://cde.ucr.cjis.gov/LATEST/webapp/#/pages/explorer/crim...
https://cde.ucr.cjis.gov/LATEST/webapp/#/pages/explorer/crim...
That includes all robberies, and home invasion would similarly be a subset of that, so the OP is off at least of by a factor of 10.
I'm using Bureau of Justice Statistics data, not FBI. E.g. https://bjs.ojp.gov/library/publications/victimization-durin...
FBI / UCR covers only reported crimes at police agencies that forward data, and is a subset. BJS tend to be better at getting realistic numbers. (E.g. a majority of burglaries aren't reported to the police, and thus don't show up in UCR*)
Also robbery is not a superset of home invasion, due to the difference in definition from burglary. Burglary isn't actually about stealing stuff, it's just breaking in with the intent to commit some crime (which is often theft, but not always). Robbery implies theft, but doesn't require it to be in someone's abode. So there's some overlap, but there's robberies that aren't burglaries (because no breaking in is involved), and there's burglaries (even some of the <10% subset of burglaries that are violent) that aren't robberies, because a theft isn't occurring.
* For things like homicide, UCR tends to be a lot better, because the reporting rate is quite high.
1. You break into someone's house and steal their crypto with no violence: burglary, not robbery.
1a. If they're present in the house, it's technically a home invasion even if there's no violence.
2. You break into someone's house and steal their crypto by physical violence: burglary and robbery
3. You break into someone's house and take a dump on their pillow: burglary (even though no theft), not robbery
4. You steal someone's crypto via violence on the street: robbery, not burglary
5. You steal someone's crypto by pickpocketing them on the street: not burglary, also not robbery
https://www.nytimes.com/2011/09/30/us/bay-area-thieves-seeki...
ADDED: Since then I've often thought the worst case scenario is to share a somewhat unusual name with someone who is hated/notorious in some manner given it invites crazies to do crazy things.
For example, sure, don't store your funds on an exchange and they can't get in with a SIM swap, but when they're in your house, that doesn't help you.
You could store your funds with a multisig wallet and make sure you don't have access to enough keys at home to move the funds, but how do you make them believe you?
You can have one or more decoy wallets you can "cave" and give them access to if you think it might buy your freedom, but once you start, again, why would they believe you?
Do you just acknowledge that they won't believe you,that they are going torture you regardless? And at least make sure you or your heirs have the money if any of you survive?
There really isn't a good way out of this.
Of course this assumes you have a spouse
Now the intruder has a gun pointed at both of you.
The answer is to live anonymously. Don’t flash the cash.
But still, the original argument was that you have to worry about chain analysis because everything is public, but obviously that isn't true, no matter if an exchange may or maybe not inadvertently leak something.
Or, they have wallets that acts as combined input/output for all/groups of users.
I don't know a single big exchange that generates exactly one wallet per user and uses that one always for the same user.
When you think about it, it makes a lot of sense they do it like that.
A friend of mine became insanely wealthy just off of Bitcoin. Immediately went off the grid a few years (back in 2017). Now owns a precious metals mining company in South America. Still holds Bitcoin, lives comfortably to a point, changed passports to evade sanctions (he was Russian), and even has a kind of his own private army, that's mostly involved in the mining business.
You wouldn't figure all of that out by simply looking at him, but strike him now and you'd have to contend against a few major governments at this point.
But yeah, he basically lives like a dead man.
Reputable private security?
It doesn't seem to be uncommon for wealthy people to need private security. It seems like some of the crypto-types are learning why the hard way.
Is that going to cramp their style? Well sure, that's part of the consequences of their choices.
Use 2 or 3 safety deposit boxes, they are very cheap.
Coercion is a thing, and despite what you see in the movies, you'd be surprised at how fast you offer the password.
But perhaps more certainly, you will at some point die, and it's probable you will do so lacking the capacity to pass the code on to your heirs. So if you want your wife and family to jnherit, well, you may want to rethink.
And that's before we discuss thd uselessness of crypto as currency where you have to go to your safe deposit box to spend any of it.
You can also put your password in your will, if you're afraid of not passing it to your family.
For instance, if the third party refuses to authorize a legitimate transaction, you have a third key you keep offline somewhere that can be used to force a transaction through.
Had I known Bitcoin would turn into what it had I would have done far more to create a pseudonymous persona when participating in the early scene vs. my well known and easily linked handle to my real identity.
It was a fun ride, but the risk just got to be too much.
Yes, in theory you could have done everything with checks. It didn't completely happen though, until after computerisation. In the UK, it turns out that employees had the right to receive pay in cash as late as 1986! And taking it away was controversial.So it may be that you are right that computerisation wasn't essential, but most likely the reduction in cost of banking spread it to enough people that armed robbery became less of a risk.
Once you know phil21's wallet is empty, those looking to heist anything would look through which wallets the coins ended up in, and start linking identities to those wallets.
If a criminal knows to look, they see the risk no longer matches the reward. If they don't know to look, odds are they weren't involved enough to have followed phil21's coins and wallet back to a street address in the first place.
Sure, the risk isn't zero, like you're implying, but it's dramatically lower.
I find it doubtful that the majority of these heists follow anything like the pattern you've described. I think much more likely is just something simple along the lines of "xyz was active in Bitcoin in 2011, they're still using exchanges as of 2020 because we have a leaked email database, they probably have either nothing or a metric ton of coins, let's give it a go".
If anything I think that someone shouting loudly "I have definitely sold it all, I promise" is a sign that they probably haven't.
For the most part I don't think that the GP has the story straight.
You can't really have it both ways - either Bitcoin is desirable to criminals because it's untraceable enough to get away with it etc, or it's not. I think that they're overstating the ease of finding a person's complete holdings.
Having said that, amusingly, if I had to think of the best way to force someone with a million dollars in a bank account to give me it... the first thing that comes to mind would be to hold them hostage and say to them, get KYC'd on a crypto exchange and send me the crypto. I think that the biggest barrier would be that with no prior history their bank and the exchange would throw a big fat WTF and probably lock everything down for weeks.
Your point is the big one though - one cannot suddenly, unexpectedly, and without a history of doing so, transfer six-figure sums without traditional financial institutions looking at said transaction fairly closely. Bitcoin doesn't have this drawback
Also how much are you really going to get from jewelry in a typical ritzy house after fencing overheads? Maybe a few grand?
Of course, people do break into ritzy houses too... though they generally do it when no one is home. Jewellery doesn't tend to have passwords.
Very few people will be their own bank.
I guess the lesson here is to never brag and keep the lowest possible profile.
Were names of Mt. Gox claimants published?
“A list of known attacks against Bitcoin / crypto asset owning entities that occurred in meatspace.”
https://github.com/jlopp/physical-bitcoin-attacks
The man who got 40 years was arrested in 2018 for shooting at a high school student.
https://www.palmbeachpost.com/story/news/crime/2018/08/22/up...