How one guy lost millions of dollars of bitcoin to a hacker

What’s hilarious is that those tumblers and mixers are only so good and only pseudo-anonymous. Two years ago, I was helping one of my clients review papers on the topic for his cryptography class, and it was really quite interesting to see the extent and efforts to which Bitcoiners will go in order to launder their funds without the need for a trusted third party.

Personally, I find Bitcoin to be good for one thing and one thing only: teaching goldbug libertarians why financial regulations exist via the method of the burned hand teaching best.


They would make it more exciting by cutting to the people doing the rubber hose cryptanalysis.


Hey! How did you crack into my account?


The more I read this story, the less sense it makes.

For starters, how did the theft of his phone number (and compromise of various accounts that relied on it for two-factor authentication) lead to him being locked out of his PC? Does Windows have an SMS-based password-reset option?

Then there’s this:

Though he did have some bitcoins in online services, particularly since his businesses accept bitcoin as payment, he kept almost all his bitcoins on an encrypted hard drive. “It was essentially my never-sell-this-until-it-goes-to-a-billion-dollars nest egg,” he says. He had kept it offline for most of the past several years, but had connected that device in recent weeks to move them somewhere more secure and sell some.

Never mind the fact that it should have been connected for exactly the length of time needed for those tasks and no longer, he left an object that was literally* worth more than its weight in gold** lying round his house or office for several weeks? What if he’d been burgled? Or had a fire?

* Literally “literally”, for those who followed a recent thread.

** Many, many times its weight. If the bitcoins on it were worth $2 million (which I think we can take as a minimum, as he talks of “millions of dollars’ worth”), then the equivalent mass of gold at its price on 11 August ($1,338.37 per troy ounce) would be 1,493.8 troy ounces, or a bit less than 46.5 kg.


I love this. We have a new online currency that is fundamentally so much less secure than the existing currency that the only way to protect it is with a 19th century bank vault.


Don’t worry. Your password doesn’t show up to anyone else. It’s a new feature of discourse.
If you type in a password, discourse masks it as stars to everyone else.




For many sites, it’s not really two-factor authentication, it’s a “Reset My Password” feature with a single factor: ownership of the backup email or ownership of the phone number. It’s a huge risk.
Enabling account recovery with SMS alone is terrible, and even companies like Google allow this.

Let’s say a hacker gains access to a phone number. They don’t even know whose phone number it is. They go to the site and click “Find My Account,” they can enter a phone number directly, and then proceed with SMS-based recovery, if it’s enabled.

This means that any time an attacker gains access to a phone number, they can plug it into gmail and fish to see if they can break into an account. And of course, once you’ve broken into email you’ve broken into everything, because you hit “Reset my account” on everything else.

And telcos have proven to be terrible at guarding the security of phone accounts. Most people can call and sweet-talk their way into resetting phone accounts with no pins, no passwords, no nothing.

That’s why I haven’t set up sms-based account recovery for gmail or anything else.

SMS can be good if it’s really used as the second factor: Vanguard will text me a code if I access my account from a new computer, but only if I’ve already put in my password.
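The recovery chain described in the post above (phone number gives Gmail, Gmail gives everything that resets via email, while a service that only uses SMS after a correct password stays closed) can be modelled as a small dependency graph. The following is an added example for this thread, not code from any poster; the account names, the recovery rules and the "stolen phone" scenario are constructed for illustration.

```python
"""Model account-recovery rules as a graph and compute which accounts an
attacker who controls a single asset (here: the victim's phone number) can
take over. Added example for this thread, not code from any poster; the
account names and rules below are constructed for illustration."""

from typing import Dict, FrozenSet, List, Set

# Each account maps to a list of alternative ways in. An alternative is a
# set of assets that must ALL be held. A password the attacker does not know
# is modelled by simply not being in the attacker's asset set.
RuleSet = Dict[str, List[FrozenSet[str]]]

RECOVERY_RULES: RuleSet = {
    # SMS-only "Find my account" style recovery: the phone number alone is
    # a sufficient alternative, so SMS is really a single factor here.
    "gmail": [frozenset({"gmail_password"}), frozenset({"phone"})],
    # Typical web service: "Reset my password" via the registered mailbox.
    "exchange": [frozenset({"exchange_password"}), frozenset({"gmail"})],
    # SMS as a genuine second factor: password AND phone are both required,
    # and there is no SMS-only recovery path.
    "brokerage": [frozenset({"brokerage_password", "phone"})],
}


def takeover_closure(rules: RuleSet, attacker_assets: Set[str]) -> FrozenSet[str]:
    """Return every account the attacker can reach by repeatedly applying
    any login/recovery alternative whose requirements are already held."""
    held: Set[str] = set(attacker_assets)
    changed = True
    while changed:  # fixed point: stop when no new account becomes reachable
        changed = False
        for account, alternatives in rules.items():
            if account not in held and any(alt <= held for alt in alternatives):
                held.add(account)  # owning the account is itself a new asset
                changed = True
    return frozenset(a for a in held if a in rules)


def without_sms_only_recovery(rules: RuleSet) -> RuleSet:
    """Hardened policy: drop every alternative that consists of the phone
    number alone, keeping phone+password (true 2FA) alternatives intact."""
    return {
        account: [alt for alt in alternatives if alt != frozenset({"phone"})]
        for account, alternatives in rules.items()
    }


if __name__ == "__main__":
    stolen = {"phone"}  # SIM-swap / port-out: attacker now receives the SMS
    print("weak policy  ->", sorted(takeover_closure(RECOVERY_RULES, stolen)))
    hardened = without_sms_only_recovery(RECOVERY_RULES)
    print("hardened     ->", sorted(takeover_closure(hardened, stolen)))
```

With the weak policy the phone number alone yields both gmail and, through the email reset, the exchange account; with the SMS-only alternative removed the same attacker reaches nothing, while the brokerage rule (password plus SMS) is unaffected because it never treated the phone as sufficient on its own.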


Or, you know, convert it to an actual hard currency.

although in case of fire, you can send the remains to the US Bureau of Engraving and Printing and they will do their best to sort it out and see if they can identify any of the bills.

If you have millions you can get millions again.

If you have nothing but a mass of debt and lose 10k, yeah.

You will be much much more likely to think you might never get 10k again.

We’ll show those BANKERS.

By storing our codes in a series of bank vaults!


Because Microsoft tries really, really hard to get you to link your local account to your online accounts with them. It’s a massive security design flaw and MS seems utterly clueless, (or care-less). I’m a little surprised this guy had it linked, most IT-savvy folks don’t for this very reason.


The currency itself is quite well protected – it has to be, considering that the entirety of the blockchain is public. The cryptography used to secure bitcoins within the blockchain can’t be brute-forced by current technology, and will probably remain that way for the rest of our lives.

The cryptographic keys that unlock that security, however, are just as vulnerable as any other kind of information. Only in this case, there is ample incentive to steal those keys, making anyone known to be holding bitcoin a target.

There IS one fundamental difference between money held in a 19th-century bank vault and bitcoin keys held in a bank vault. Because of the unique properties of public key encryption, once the paper wallet is ensconced in a bank vault, one can still deposit additional bitcoins – using the public key of the key pair – into that paper wallet, without ever opening the bank vault. And there’s no limit to how much additional bitcoin can be deposited into that bank vault, without ever leaving the comfort of one’s chair.


Q: What is “bitcoin,” anyway?
A: It’s an alternative form of currency, but instead of being minted from precious metals or backed by a government which pledges to honor its value it is a wholly digital free-market construct made out of math.
Q: And you can spend it just like real money?
A: Oh heavens no.


Q: And when you lose a million dollars’ worth of bitcoin, is it really like you lost a million dollars of hard-earned cash?
A: You’re not really getting this whole “alternative currency” thing, are you?


We get to repeat all the history we went through to get to the point of institutional regulations that made things nicer.


Yeah, my first reaction to using a live account to log into windows was a big nope.


It’s more like when you put in $5000 to enter a poker tournament, get up a million dollars, and then get beat out.

Only you would still have some money from the tournament if you placed high enough.


I am gobsmacked.


Or… you know… an episode of Mr. Robot.


Dude! Like taxes and stuff??? Then the man knows about your stuff!!!