Andrew Schober was almost all-in on cryptocurrency. In 2018, 95 percent of his net wealth was invested in the digital tokens, which he hoped he could sell later to buy a home and support his family.
But then disaster struck. Schober had downloaded an app called “Electrum Atom” after clicking a link on Reddit, mistakenly thinking it was a bitcoin wallet (the name mimics Electrum, a widely used legitimate wallet). Instead, it was malware that allowed hackers to steal 16.4552 bitcoin when he tried moving some of his tokens. At the time, they were worth nearly $200,000. Today, they would be worth over $750,000.
Distressed, Schober didn’t eat or sleep for days. He vowed to track down the culprits. After years of private investigations costing more than $10,000, Schober thinks he has found the thieves, and he’s suing their parents to get his bitcoin back. Krebs on Security first reported on the lawsuit.
The lawsuit alleges that two men in the UK, both minors at the time and now attending university for computer science, used the supposed wallet app to deliver malware that inserted itself into the computer’s Java libraries. The malware then monitored Schober’s activity, waiting for him to copy a bitcoin address. When he went to paste it, the malware replaced the copied address with one stored in its code. Schober intended to transfer bitcoin from one of his own addresses to another, but the malware sent the coins to an address the hackers controlled instead. This kind of clipboard hijacker, often called a “clipper,” is a man-in-the-middle attack on the copy-and-paste step rather than on the network.
The twist is that the substitute address was not random. The malware carried roughly 195,000 attacker addresses in its code and picked one that looked similar to the address Schober had copied, which is exactly what a quick visual check of the first and last few characters relies on.
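As an added illustration (not code from the lawsuit, the malware, or Krebs’ reporting), the following Python simulates the two pieces described above: the attacker-side selection of a lookalike from a pool of addresses, and the victim-side check that defeats it. Every address is constructed inside the script; the HASH160 step of real P2PKH derivation is replaced with truncated SHA-256 so the strings are valid Base58Check but correspond to no real wallet. The pool size, seeds, and the prefix/suffix scoring rule are assumptions for the example, not details taken from the case.

```python
"""Clipboard-clipper simulation: lookalike address selection and the check that defeats it.

Hypothetical example code. All addresses are constructed here; none is a real wallet.
"""
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 encode; each leading 0x00 byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA256(SHA256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def constructed_address(seed: bytes) -> str:
    """Build a P2PKH-shaped address: version 0x00 + 20-byte hash + checksum.
    Assumption: truncated SHA-256 stands in for HASH160, so this is NOT real derivation."""
    fake_h160 = hashlib.sha256(seed).digest()[:20]
    payload = b"\x00" + fake_h160
    return b58encode(payload + checksum(payload))


def is_valid_address(addr: str) -> bool:
    """Structural check: Base58 alphabet, plausible length, 25-byte payload, checksum matches."""
    if not (26 <= len(addr) <= 35) or addr[0] not in "13" or any(c not in B58 for c in addr):
        return False
    raw = b58decode(addr)
    return len(raw) == 25 and checksum(raw[:-4]) == raw[-4:]


def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def pick_lookalike(victim: str, pool: list) -> str:
    """Attacker side: choose the pooled address sharing the longest prefix with the
    victim's (ties broken by longest common suffix). Assumed scoring rule."""
    def score(cand: str):
        return (common_prefix_len(victim, cand),
                common_prefix_len(victim[::-1], cand[::-1]))
    return max(pool, key=score)


def clipper(clipboard: str, pool: list) -> str:
    """What the malware does on each clipboard write: swap a bitcoin address for a lookalike."""
    text = clipboard.strip()
    if is_valid_address(text) and text not in pool:
        return pick_lookalike(text, pool)
    return clipboard


def paste_is_trusted(copied: str, pasted: str) -> bool:
    """Victim side: the pasted address must be byte-identical to the address obtained
    out-of-band (e.g. read from the receiving wallet's own display) and pass Base58Check.
    Comparing only the first and last few characters is what the lookalike pool defeats."""
    return pasted == copied and is_valid_address(pasted)


# Constructed pool: 2,000 attacker addresses as a stand-in for the 195,000 in the case.
POOL = [constructed_address(b"attacker-" + str(i).encode()) for i in range(2000)]
VICTIM = constructed_address(b"victim-savings")


def demo():
    """Run the swap once and return (copied, pasted, shared_prefix_len, trusted?)."""
    swapped = clipper(VICTIM, POOL)
    return VICTIM, swapped, common_prefix_len(VICTIM, swapped), paste_is_trusted(VICTIM, swapped)


if __name__ == "__main__":
    copied, pasted, shared, trusted = demo()
    print("copied :", copied)
    print("pasted :", pasted)
    print(f"shared prefix of {shared} chars; full comparison trusts paste: {trusted}")
```

The point of the simulation is the last function: a full-string comparison against an address obtained outside the compromised clipboard path catches the swap every time, whereas eyeballing the ends is precisely the habit a large lookalike pool is built to beat.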
Tracing transactions
In the wake of the hack, Schober hired experts to trace the flow of cryptocurrency from his addresses to accounts controlled by the hackers.
The blockchain analysis presented in the lawsuit suggests that the hackers tried to launder the bitcoin into Monero, a privacy-focused cryptocurrency. But to spend the coins, they needed the private key corresponding to the receiving address the malware had used. Around the time of the theft, one of the young men, using an account apparently under his own name, posted a question on GitHub asking how to obtain that private key. The same account hosted repositories for the malware and for a program that performed algorithmic trading on the Bitfinex exchange, to which two deposits involving Schober’s bitcoin were traced. Together, these clues led Schober to the alleged thieves.
At the time of the theft, the alleged perpetrators were both minors, so as Schober learned their identities, he sent their parents notes informing them of what he knew. “It seems your son has been using malware to steal money from people online,” he wrote. Schober appealed to the parents, asking them to “make this right, without involving law enforcement.” He said he would drop the matter if the stolen bitcoin was returned in full, and he listed an address and gave them a deadline. He sent one note in 2018 and another in 2019. He never heard back from either of the young men’s parents.
That silence led him earlier this year to file a lawsuit against the young men and their parents, claiming that the adults “knew or should have known” that their children were engaged in “illegal computer abuse(s) and/or cryptocurrency theft(s).”
One of the defendants, Hazel D. Wells, mother of one of the young men, filed a motion to dismiss the case, arguing that the statute of limitations had expired on three of the four claims (conversion, trespass to chattels, and a violation of the Computer Fraud and Abuse Act). The defendants did not address the fourth claim, civil conspiracy. Schober’s attorney replied that the clock did not start when the bitcoin was stolen, but when Schober learned the identities of the alleged hackers.
At issue in this case is the fact that cryptocurrency transactions are pseudonymous and irreversible, unlike those within the traditional banking system: every transfer is public on the blockchain, but linking an address to a person takes the kind of paid investigation Schober undertook, and no bank can claw the funds back once they have moved. Tracking down thieves requires investing significant sums of money, and even then, recovering the stolen tokens is a long shot.
Lucrative operations
Cryptocurrency theft is big business. Last year alone, nearly $2 billion in cryptocurrencies was involved in theft, hacks, or fraud. That total appears to be lower so far this year, even as thefts from decentralized finance (DeFi) projects are on the rise.
Many of the thefts involve SIM swaps, in which criminals convince employees at mobile carriers to transfer a victim’s phone number to a SIM card they control. Because so many services send password resets and one-time login codes by text message, owning the number is often enough to take over the victim’s accounts. In one case, a prominent crypto investor had $24 million stolen after a SIM swap gave hackers access to his Skype account, which they used to trick a client into sending payments to them rather than to the investor. The investor sued AT&T for the full amount plus damages. In another case, a California man lost $1.8 million after “prolific SIM swappers” who worked for AT&T profited from his misfortune. That man also sued AT&T.
Though significant, those cases are small potatoes compared with the Poly Network breach earlier this month. The attacker exploited a flaw in the project’s cross-chain smart contracts to steal roughly $600 million “for fun” before returning the coins and netting a $500,000 bug bounty.