The theft of an undisclosed amount of bitcoin (BTC) from a cold wallet made by the manufacturer Ledger has dismayed the ecosystem, since it has not yet been discovered how the attack was carried out.
Carlos Santiso, investment manager at the Spanish firm Icaria Capital, posted a tweet on January 26, 2021, in which he reported the theft and cast doubt on Bitcoin's role as a substitute for gold.
The investor explained that he had been buying BTC instead of playing the lottery, and that one day, when he went to check his wallet balance, he saw two unauthorized transactions and a balance of almost zero. What is surprising is that there is no indication of the modus operandi by which the attacker managed to steal the BTC.
This same week, Santiso shared his story on the Lunaticoin podcast, a well-known Spanish-language Bitcoin outreach space.
The podcast host, who has considerable experience using Bitcoin, spoke up for Ledger, noting that the company has behaved well in handling this case and that, in his opinion, it makes one of the most secure hardware wallets on the market.
As no errors were detected on the part of the user in taking care of his coins, everything at first pointed to the device having been tampered with before it was shipped. This occasionally happens with equipment bought outside official stores, that is, from marketplaces such as Amazon and eBay.
Ledger assured Lunaticoin that these devices are sometimes returned to the factory; once received by Ledger, the equipment is destroyed, not resold, the host reported. Santiso commented, however, that he had received the Ledger Nano S, the wallet from which the coins were stolen, directly from its manufacturer.
Regarding security measures, Santiso explained that he kept his 24 seed words, which he considered very secure, written on a piece of paper, together with the device's 4-digit PIN, in a secret compartment in his desk. Lunaticoin thus confirmed that the seed phrase never left Santiso's house.
Something remarkable about the theft is that Santiso had never signed a transaction from that wallet; that is, he had never sent bitcoin from the device. The theft transactions are the only ones sent from the wallet that appear in the Ledger Live software. The victim had also verified the authenticity signatures of that software.
The characteristics of the attack and the security measures that were taken seem to leave no clue as to what happened. The only weak point Santiso can think of is that, when he wrote the words down on paper, some monitors with webcams were pointed at him.
"The hacker had my keys from the first moment and waited a reasonable time to see whether I deposited more bitcoins, so as to be able to steal more. That is why nothing about the moment of the robbery adds up for me, because I had not had access for a while and I was not working on the computer that weekend. It was the only explanation I found for all this (the webcam theory)."
Carlos Santiso, investment manager.
Does KYC work to track the destination of bitcoins?
The investigation found that the attacker may have exchanged the BTC for ether (ETH) on the HitBTC exchange, based in Hong Kong.
Arkad, a Bitcoin security specialist and guest on the podcast, commented that HitBTC's Know Your Customer (KYC) policies may be lax or permissive.
He also indicated that the hacker could have swapped the coins through other non-KYC services, which may themselves use HitBTC as an intermediary. One such service that does not request personal information to exchange cryptocurrencies is Changelly.
Likewise, Arkad pointed out that some security consultants have contacts at exchanges who could intercept these stolen funds. It is even possible to take legal measures of international scope, if lawyers and prosecutors in Spain know how to raise them properly.
The security specialist referred to the obfuscation technique known as a peeling chain, "like someone removing slices from a piece of fruit": at each hop a small amount is peeled off to a different destination while the remainder moves on, leaving parts of the funds in places far apart from each other, with the aim of consolidating them in a future transaction. In total, 11 payments have been made, each increasingly difficult to track, Lunaticoin added.
The analysis was carried out with OXT, the Bitcoin block explorer provided by the Samourai Wallet team, which makes it possible to see the trail the hacker left while carrying out the various transactions.
One aspect Lunaticoin highlighted from this analysis was that the hacker deposited BTC on the Russian darknet market Hydra. According to Chainalysis, a blockchain surveillance company, the largest bitcoin markets in Eastern Europe are linked to criminal activity on the dark web, as CriptoNoticias reported in the middle of last year.


Simple obfuscation pattern of the attacker's transactions. Bitcoins were sold on HitBTC and on the darknet market Hydra. Source: seedbtc / twitter.com
Furthermore, the attacker also has mining equipment that receives frequent rewards from well-known Bitcoin mining pools, Lunaticoin commented, as detected by the SemillaBTC researchers.
Thus it is clear that, although the attacker does not follow best privacy practices, he moves funds across the Bitcoin blockchain without being detected by the authorities. He "doesn't bother to make CoinJoins" or use other coin-mixing techniques.
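To make the peeling-chain pattern described above concrete, here is a small tracer written for this article as an added example; it is not code from the podcast, from OXT or from the SemillaBTC researchers. It works over a constructed, fictitious set of transactions (the txids, addresses and amounts are made up; the real theft involved 11 payments and this sample uses fewer). Starting from the theft transaction, it follows the output that carries the remainder forward at each hop and records every other output as a "peel" to a side destination, which is how an analyst reconstructs where slices of the funds went.

```python
from dataclasses import dataclass


@dataclass
class Tx:
    """Minimal transaction view: which outpoints it spends and what it creates."""
    txid: str
    inputs: list   # list of (prev_txid, vout) outpoints consumed
    outputs: list  # list of (address, satoshis) in vout order


# Constructed sample data (fictitious txids, addresses and amounts).
# The thief receives 1.0 BTC, then at every hop peels a small slice to a
# side destination (exchange deposit, darknet market) and carries the rest on.
SAMPLE_TXS = [
    Tx("theft", [("victim_utxo", 0)], [("thief_a", 100_000_000)]),
    Tx("hop1", [("theft", 0)], [("hitbtc_1", 12_000_000), ("thief_b", 87_900_000)]),
    Tx("hop2", [("hop1", 1)], [("thief_c", 79_800_000), ("hydra_1", 8_000_000)]),
    Tx("hop3", [("hop2", 0)], [("hitbtc_2", 15_000_000), ("thief_d", 64_700_000)]),
    Tx("hop4", [("hop3", 1)], [("thief_e", 54_600_000), ("hydra_2", 10_000_000)]),
    # Unrelated transaction, included to show the tracer ignores it.
    Tx("noise", [("someone_else", 3)], [("x", 5_000), ("y", 6_000)]),
]


def build_spend_index(txs):
    """Map txid -> Tx and outpoint -> txid of the transaction that spends it."""
    by_id = {t.txid: t for t in txs}
    spent_by = {}
    for t in txs:
        for outpoint in t.inputs:
            spent_by[outpoint] = t.txid
    return by_id, spent_by


def continuing_vout(tx, spent_by):
    """Pick the output that carries the remainder forward.

    Preferred signal: exactly one output is spent again on-chain, so that is
    the chain continuation. Fallback (chain tip, or several outputs spent):
    the largest output, the classic peeling-chain heuristic. The fallback is
    wrong when the thief peels off more than half of the balance in one hop,
    which is why the spend-based signal is tried first.
    """
    spent = [i for i in range(len(tx.outputs)) if (tx.txid, i) in spent_by]
    if len(spent) == 1:
        return spent[0]
    return max(range(len(tx.outputs)), key=lambda i: tx.outputs[i][1])


def trace_peeling_chain(txs, start_txid, max_hops=100):
    """Follow the chain from start_txid; return path, peels and the unspent remainder."""
    by_id, spent_by = build_spend_index(txs)
    tx = by_id[start_txid]
    path = [tx.txid]
    peels = []          # (txid, address, satoshis) for every side output
    remainder = None    # (address, satoshis) still unspent at the chain tip
    for _ in range(max_hops):
        cont = continuing_vout(tx, spent_by)
        for i, (addr, sats) in enumerate(tx.outputs):
            if i != cont:
                peels.append((tx.txid, addr, sats))
        next_txid = spent_by.get((tx.txid, cont))
        if next_txid is None:
            remainder = tx.outputs[cont]  # chain tip: nothing spends this yet
            break
        tx = by_id[next_txid]
        path.append(tx.txid)
    return {"path": path, "peels": peels, "remainder": remainder}


def total_peeled(result):
    """Sum of all satoshis peeled off to side destinations."""
    return sum(sats for _, _, sats in result["peels"])


if __name__ == "__main__":
    r = trace_peeling_chain(SAMPLE_TXS, "theft")
    print("chain:", " -> ".join(r["path"]))
    for txid, addr, sats in r["peels"]:
        print(f"  {txid}: peeled {sats / 1e8:.3f} BTC to {addr}")
    print("unspent remainder:", r["remainder"])
```

On the sample data the tracer walks theft -> hop1 -> hop2 -> hop3 -> hop4, lists the four peels (two to the hitbtc_* labels, two to hydra_*) and reports the remainder still sitting on thief_e. On real data the address labels would come from a clustering tool such as OXT; the continuation rule is a heuristic, so a peel that was later spent by the same party, or a hop where more than half was peeled off, needs manual review.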
The theft was not a case of phishing
CriptoNoticias recently reported how the data of almost 300,000 Ledger customers was leaked onto the dark web. The company is offering up to 10 BTC for valuable and relevant information leading to the arrest of the hackers responsible for this massive data theft.
Although a seed phrase cannot be in this database (Ledger never holds it), the user's telephone number, postal address, identity and email address are. The data leak led to SIM-card cloning (SIM swapping) for some users, which allows other services the user relies on to be compromised. The security recommendation is to use two-factor authentication (2FA), preferably a form that does not rely on SMS, since SMS codes are exactly what a SIM swap captures.
Carlos Santiso, the victim of this unusual theft of bitcoin from a cold wallet, said that because of his profession he receives phishing emails all the time, so he does not believe he fell for this type of attack.
In any case, he said it will take him time to re-engage with Bitcoin and its technology, given the bad taste left by this unpleasant experience, a crime that seems to have been perpetrated by experts.