from Hacker News

Hamilton teen embroiled in FBI probe, fingered in $46M cryptocurrency theft

by x1ph0z on 11/24/21, 3:29 PM with 178 comments

  • by ashconnor on 11/24/21, 3:44 PM

  • by walrus01 on 11/24/21, 9:31 PM

    This is a fine example why nobody should rely on SMS "2FA" for anything.

    SMS "2FA" is not actual 2FA

    SS7/PSTN are horribly broken. People need to stop using them entirely, whenever possible, and stick to that as a firm principle. For the same reason why scam calls and fake caller ID are epidemic. Just disregard the existence of the PSTN, even if your phone has a DID, never give it to anyone or use it for anything. I say this as someone who's worked in telecom for 20 years.

    Social engineering mobile phone operator customer service departments to execute a SIM swap attack is trivially easy if you already possess some basic personal info about the target.

    You should never rely on having something important that's only protected behind an SMS-based password reset/login authentication module.

  • by ziddoap on 11/24/21, 3:48 PM

    For those without subscriptions. https://outline.com/3CRjpe

    >That post has since been taken down, but many comments included criticism for leaving such a large amount of Bitcoin accessible on a phone.

    Not to victim blame, but it really is odd to me that someone would leave any amount of BTC on their phone, let alone millions of dollars worth.

    >The Hamilton teen faces charges of theft over $5,000 and possession of property or proceeds of property obtained by crime

    I've always wondered why the line is drawn at $5,000. It's mildly interesting that stealing $46M and stealing $5,000 result in equivalent charges.

  • by glofish on 11/24/21, 3:57 PM

    When a random teen can easily steal $46M from a "Bitcoin pioneer", what hope is there that regular folks could make safe use of said value store?
  • by jaywalk on 11/24/21, 3:55 PM

    If you're going to steal a large amount of Bitcoin, you should probably have a plan on what you're going to do with it that doesn't include buying a gaming username that can be trivially traced back to you once you use it.
  • by ChrisArchitect on 11/24/21, 8:20 PM

    Is this Hamilton, Ontario, Canada?! Unclear

    Also, Josh Jones, the founder of DreamHost? wow. heh

    Edit: Sorry, because I read it on outline/archive I didn't see the glaring Hamilton Spectator logo at top and related Canada nav. Thanks

  • by amatecha on 11/24/21, 8:05 PM

    "leaving such a large amount of Bitcoin accessible on a phone"

    "A SIM swap attack [...] gives the hacker access to the victim’s phone"

    Is it just me or is this article massively misrepresenting what a SIM swap attack actually does? Unless there's more to the story, no one got access to Jones' phone. They intercepted 2FA SMSes so they could get access to a wallet service or whatever.

  • by 323 on 11/24/21, 3:55 PM

    It's easy to steal bitcoin (for some definition of easy).

    The hard part is cashing it out. As Breaking Bad used to say, what criminals want is to pay taxes on their criminal proceeds.

  • by bhouston on 11/24/21, 10:11 PM

    He should have just run a failed ICO and pocketed the funds as fees to related parties. I understand this is how Metakovan, the NFT king, got his start? https://www.reuters.com/investigates/special-report/finance-...

    Better to claim incompetence than it is to actually steal.

  • by Jerrrry on 11/24/21, 3:53 PM

    another bitcoin bandit bites the dust.

    I bet he bought an xbox gamertag from the most recent exploit.

    These kids really do think the 3 letter agencies aren't watching, no matter how many of their close friends get v&.

    The blockchain is forever, and the statute of limitations no longer applies.

    That Verizon/AT&T employee from 2018 will get caught, he will give up an alias, and the feds are interested, now that the coins have value.

    and assuming the feds aren't dirty (they are), you have 5 years to run. If the fed assigned to your case decides he wants the coin personally, you have 5 months.

  • by jrootabega on 11/24/21, 4:16 PM

    If you own a lot of crypto and it's still protected by SMS auth, you need to disable that (edit: in favor of OTP). If you can't, you need to buy a dozen prepaid SIM cards and use them randomly. Or pay someone to do it for you. Very cheap in comparison to a theft.
  • by misiti3780 on 11/24/21, 5:03 PM

    Honest question:

    Where are all the bitcoin multi-millionaires storing their coins? It seems like in an ideal world, you would use https://trezor.io and put that in a safety deposit box, or maybe use Coinbase Vault, but I am generally curious what is the current consensus on the safest ways to store these piles of digital money.

  • by vmoore on 11/24/21, 4:13 PM

    So some exchanges use TOTP 2FA (which is more secure than SMS). And some people like to copy their 2FA 'seed' which is usually a QR code that they store somewhere securely. Amazing how a simple QR code (or even a recovery code) can be worth so much.
  • by DeathArrow on 11/25/21, 7:04 AM

    >U.S. investigators discovered that some of the stolen cryptocurrency was used to buy a unique online gaming name.

    Can bitcoins be tracked?

  • by hsnewman on 11/24/21, 4:22 PM

    This, along with the energy requirements of crypto is why I don't/won't put any money in it.
  • by WFHRenaissance on 11/24/21, 10:53 PM

    Does his name happen to be Freddy?
  • by thefounder on 11/25/21, 11:31 AM

    Just use WebAuthn...why is it so hard to get that SMS and OTP are flawed?
  • by hazza_n_dazza on 11/27/21, 8:58 AM

    It's funny to think that if bitcoin crashed tomorrow all this could be for $2.84c
  • by DeathArrow on 11/25/21, 7:20 AM

    I hope Elon Musk keeps his bitcoins safe. :D
  • by NicoJuicy on 11/24/21, 6:41 PM

    > "Just the fact that everyone on earth thinks that Bitcoin is crazy, and no one is telling me why, doesn’t matter,”

    Says the biggest known victim of a crypto heist in a private person.

    Ain't this ironic.

    I guess I should spell out that centralization is a feature?