Bitcoin pioneer sues phone company because someone hacked his mobile phone?

Brendan Burgess

I don't understand this.

Investor Sues AT&T For $224 Million For Cryptocurrency Loss

A fraudster convinced AT&T to switch this guy's phone number to them and as a result, he lost $28m worth of crypto.

Terpin alleged that on January 7, 2018, the tokens were stolen from him through what he alleged was a "digital identity theft" of his cellphone account while AT&T was his service provider.

This guy is not some novice. He is described as a pioneer in the crypto space, co-founded the first angel group for bitcoin investors, BitAngels, in early 2013, and the first digital currency fund, the BitAngels/Dapps Fund, in March 2014. He is a senior advisor to Alphabit Fund, one of the world’s largest digital currency hedge funds.

Could this happen to my shares? If someone convinced my phone provider to switch my phone number to them, could they transfer my shares to them? Or could they clean out my bank account?

Brendan
 
If you have an email account, your phone is likely set as one of your password recovery options. They were intercepting and responding to texts intended for the victim.
So now you could have access to both email account and phone.
Now you go to the third party site, and follow the forgot password options. This will send an email to the account that you now control and you can reset the password.

That will work for a lot of sites, but I would have expected a financial site to have both a PIN and password and be unable to reset both at the same time.
I think with most Irish banking sites, if the account is locked out you have to phone and provide personally identifiable information, although it may not be that difficult to get someone's address and date of birth from accessible information, e.g. a Facebook announcement of a 30th birthday party...
 
But where did he store $28m of crypto that someone could access by resetting the password?

I know very little about it, but everyone seems to suggest that bitcoins should be held in a wallet with a gigantic long password. And if you lose that, you lose your crypto.

Brendan
 
He must have had them in an online wallet, a trading exchange or perhaps stored in his email account. It seems bizarre that somebody as savvy in the technology as this would not be storing these tokens offline, where none of these kinds of attacks could be used. My only guess is he was actively trading them, so needed them in an exchange, or he has so many that these were just a few he had knocking around (distinctly possible as he has been in from the early days when 4-5000 coins cost very little).

SMS-based 2FA is generally seen as highly flawed by the IT security community and only suitable for very low risk use-cases. I have never seen a bitcoin exchange that uses it; however, most are soft-tokens, so I suspect the purpose of compromising his SIM was to allow a reset of his email password, but who knows...
 
however, most are soft-tokens, so I suspect the purpose of compromising his SIM was to allow a reset of his email password, but who knows...

Yeah, they go after the phone number first, then once they have control of that they initiate recovery of the soft token to the phone they have transferred that number to.

The telcos are supposed to have procedures in place to verify the identity of the person requesting this, but hackers are known to be actively targeting public crypto supporters for identity theft, and their operations are very slick. This is far from the first case of crypto theft using this method.
 
Thanks for those explanations.

But are cryptocurrencies more vulnerable than other assets in this regard?

Or is it just that they know that this guy had $20m worth of Bitcoin, so it was worth targeting him.

If they thought that he had $20m in his bank account, could they have done it as easily?

Brendan
 
But are cryptocurrencies more vulnerable than other assets in this regard?

Definitely, crypto transactions are irreversible and there is no alerting or fraud monitoring built in to the system. Even if you spot the theft within seconds, it's gone, there's nothing you can do to get them back.

The banking system has robust systems in place to detect and block such transactions. Unless a bank can prove you have been negligent, they must reimburse you for losses from identity theft, so they're motivated to ensure transactions are genuine.

Or is it just that they know that this guy had $20m worth of Bitcoin, so it was worth targeting him.

There's still a time investment in gathering the level of details required to carry off an identity theft such as this one, so known early adopters who are likely holding large quantities are the priority.

If they thought that he had $20m in his bank account, could they have done it as easily?

They might, but it would be a nigh on impossible process to siphon the money in any great quantity out of the banking system anonymously. Even if you do manage to trace a crypto thief, many jurisdictions don't recognise the act as theft, and in a few cases, such theft is state sponsored.
 
But are cryptocurrencies more vulnerable than other assets in this regard?
Definitely. If you consider that having cash on your person or in your home could be a vulnerability, decentralised digital cash is equally so. Once someone else possesses it, it's difficult to track them down and prevent them utilising it.
It's one reason why the institutions won't get involved in crypto without there being custody services available to deal with this risk.


Or is it just that they know that this guy had $20m worth of Bitcoin, so it was worth targeting him.
That has been happening too - both in the real and virtual world. One owner of a prominent exchange in Eastern Europe was kidnapped - and a prominent crypto trader in England had a gang call to his door.

If they thought that he had $20m in his bank account, could they have done it as easily?
Crypto exchanges have faced a series of hacking attempts - both successful and unsuccessful. The nature of crypto means that if they get access to it, they can spirit it away.
Exchanges are getting pretty sophisticated in how they handle/store/secure crypto assets - they have to or they're toast. The same with people who hold crypto.

You can expect plenty of work to continue on dealing with the challenge as it's a difficulty for stakeholders at all levels - whether it be institutions, exchanges, speculative investors or ordinary users.

In the case of this particular example, I can only assume that he was holding funds in an online exchange.....which he may have chosen to do if he was actively trading.
The other option is to have funds in cold storage - offline. Hardware wallets can be used such as Trezor or Ledger Nano.
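
The recovery chain discussed in this thread (phone number, then email and soft token, then the exchange) can be audited as a dependency graph. The following is an added example, not part of any poster's message; the account names and recovery paths are constructed sample data, and `exposed_by` and `harden` are hypothetical helper names.

```python
# Constructed sample data: for each account, the alternative recovery paths.
# A path is a set of channels that must ALL be controlled to reset the account.
RECOVERY = {
    "email":           [{"phone_number"}],          # reset code sent by text
    "soft_token":      [{"phone_number"}],          # token re-enrolled to the number
    "exchange":        [{"email", "soft_token"}],   # reset link plus 2FA code
    "bank":            [{"email", "pin_by_post"}],  # PIN cannot be reset online
    "hardware_wallet": [],                          # offline, no remote recovery
}

def exposed_by(recovery, lost_channel):
    """Return {account: recovery path used} for every account that becomes
    resettable once lost_channel is controlled by someone else."""
    controlled = {lost_channel}
    fallen = {}
    changed = True
    while changed:                       # repeat until no new account falls
        changed = False
        for account, paths in recovery.items():
            if account in controlled:
                continue
            for path in paths:
                if path <= controlled:   # every channel on this path is held
                    fallen[account] = sorted(path)
                    controlled.add(account)
                    changed = True
                    break
    return fallen

def harden(recovery, account, new_paths):
    """Return a copy of the graph with one account's recovery paths replaced."""
    updated = dict(recovery)
    updated[account] = new_paths
    return updated

if __name__ == "__main__":
    print("Number ported away:", exposed_by(RECOVERY, "phone_number"))
    # Move email and soft-token recovery off the phone number
    # (printed recovery codes are an assumed replacement channel).
    fixed = harden(RECOVERY, "email", [{"recovery_codes"}])
    fixed = harden(fixed, "soft_token", [{"recovery_codes"}])
    print("After hardening:", exposed_by(fixed, "phone_number"))
```

Any account that still appears in the first result depends, directly or transitively, on the phone number alone.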
 