Bitcoin Forum
Topic: GreenAddress blacklisted my wallet, and now holds custodial control of it
RHavar (OP)
December 12, 2020, 02:52:00 PM
Last edit: December 12, 2020, 03:42:22 PM by RHavar
Merited by LoyceV (8), gmaxwell (5), malevolent (5), suchmoon (4), nutildah (2), ABCbits (2), o_e_l_e_o (2), Steamtyme (1)
 #1

Sorry for the overly sensationalist title, but it's basically true.

The sequence of events is:

a) I created a green address wallet (Oct 2014), and backed up the pin and mnemonic

b) GreenAddress mandated the use of 2FA, where one of the options was 2fa with google authenticator. I used this.  Please note that in Oct 2014 the green-address 2fa system was quite different to how it is now, and effectively a design flaw they have since identified and fixed.

c) I sent 0.1 BTC to my wallet (txid 953152310ec8ca69b4582d5e3fc859bcf8823514fb66e8aad68ddba85512185a )

d) Google authenticator offers no option of exporting data

e) I lost access to my phone and thus my 2fa and by 15 Oct 2016 had been in contact with greenaddress about it

f)  Later communication with green told me they have never reset a 2fa

g) With no other options, I took matters into my own hands and wrote a bot that very gently tried to brute force the 2fa code (e.g. something like every 5 minutes) as each 2fa guess has something like 1 in a million of being correct by accident

h) greenaddress decided to blacklist my wallet because of my constant guessing. This meant even with the correct 2fa code, my funds would be inaccessible

i) Sept 15 2017, greenaddress still refused to help me and my wallet had been blacklisted. Out of frustration I released my private mnemonic: "girl wheat quantum ski myself enter buyer dress police they unfair tape timber summer either jump fuel woman stage pet acoustic tool flame magnet" (although I never released my pin, just in case I needed to prove I was the original owner).

j) Because I publicly released the mnemonic, I put greenaddress in the position where they have custodial control of my blacklisted funds (they are the sole party who knows 2-of-2 keys) and out of spite, hopefully have to waste a lot of time with social-engineering


k) In private, I talked with Adam Back that I would be happy to agree to donate my funds to a list of charities and relinquish my claim to the fund. He agreed in principle that it seemed like a reasonable resolution, but then I never heard back.


l) It is now late 2020, and greenaddress is still sitting on my funds. I fully admit my rash decisions (brute forcing, releasing private key) were silly and spiteful and had I not done it, I probably would have been given access to my funds by now. But I do not see why they shouldn't simply send it back to me at this point, I can't imagine it'd take more than 5 minutes and I've offered them a 1 BTC surety deposit that no one can make a competing claim (e.g. has the totp secret and pin).

Check out gamblingsitefinder.com for a decent list/rankings of crypto casinos. Note: I have no affiliation or interest in it, and don't even agree with all the rankings ... but it's the only uncorrupted review site I'm aware of.
StackGambler
December 12, 2020, 04:00:39 PM
 #2

Ha, I spent a solid two hours trying to guess the 2FA a year or two ago after seeing the mnemonic on Reddit. Good times.

Fuck GreenAddress, hopefully people see this and stop using them. Hopefully Adam Back aka Satoshi follows through...

I like gambling. Probably currently trying to figure out how to pay next month's rent.
RHavar (OP)
December 12, 2020, 04:13:35 PM
 #3

Quote
Ha, I spent a solid two hours trying to guess the 2FA a year or two ago after seeing the mnemonic on Reddit. Good times.

lol yeah, that was fun and just me being a dick. I figured since they had blacklisted my wallet, giving out the mnemonic on reddit would be a PITA for them. It'd be hard for them to justify blacklisting my wallet to people trying to social-engineer them, and I figured it'd force them to waste time developing a more advanced solution than a blacklist (e.g. like what Amazon does, and requires you to enter two 2fa codes in a row) so it's no longer brute-forceable

gmaxwell
December 12, 2020, 11:18:00 PM
 #4

Did they never make good on these plans?
RHavar (OP)
December 13, 2020, 03:19:58 AM
 #5

Quote
Did they never make good on these plans?

I guess so. This was announced after I created a bit of drama by releasing my mnemonic publicly and encouraging people to annoy them. I assume they added this clause for me:

Quote
If your mnemonic has been made public, or someone else has access to it and disputes the recovery process, then the reset procedure cannot be carried out and you will need to contact support.

however they have never actually returned my money, even when I'm willing to offer x10 the amount of money in question as a surety bond. I'd even settle for a timelocked transaction from that output that pays me in a couple years or something. And my offer I made to Adam Back to donate the money to charity still stands.

Steamtyme
December 13, 2020, 09:01:56 AM
 #6

Sorry to hear, that's pretty F'd up they still aren't willing to sort this out.

Even though your "tactics" were troublesome we'll say, it shouldn't change the fact that they can and should make you whole. I use them as my "spend" wallet for most things or to load up when I travelled in case the opportunity presented itself to spend some BTC.

I guess I'm not too worried about winding up in the same situation, as I've avoided Google 2fa like the plague, and shouldn't really run into a situation where I can't recover access to my 2fa option. It is still shitty to see that they are not providing consistent support to sort this with you.

Edit:
Quote
If neither of the above options are viable for you, and you still possess your mnemonic, you can reset your lost Two-Factor Authentication.

Resetting your lost Two-Factor Authentication requires a minimum of 12 months. You can read more about Two-Factor Authentication reset here


Just looking over their FAQs as it's been a while, shouldn't this allow them to reset your 2fa... or anyone who had copied it down off reddit in reality.


LoyceV
December 14, 2020, 07:54:21 PM
 #7

Quote
I never released my pin, just in case I needed to prove I was the original owner

I've never used GreenAddress (because it doesn't give me full access), but would they know your pin? Isn't that something solely inside your own wallet, so it doesn't prove a thing?

Quote
h) greenaddress decided to blacklist my wallet because of my constant guessing. This meant even with the correct 2fa code, my funds would be inaccessible

This sounds like such a non-Bitcoin thing to do. It would be really nice if someone from them would join this topic.



Do you still have access to the funding address? A signed message from 1JCshu52NeJow77g6kwyxqc4JoRrKLiWCL might help prove ownership.

The Sceptical Chymist
December 14, 2020, 08:10:24 PM
 #8

Quote
Fuck GreenAddress, hopefully people see this and stop using them. Hopefully Adam Back aka Satoshi follows through...

Hmm.  They were one of the first segwit-compatible (or however you phrase that) wallets out there if I remember correctly, and I had one of their wallets too.  I'd no idea that they were basically web-based, which is what OP is describing though not exactly.  But if a wallet-maker can blacklist you from trying to hack into your wallet, there's something wrong with that.

Thanks for the heads up on that, OP.

Quote
I've never used GreenAddress (because it doesn't give me full access), but would they know your pin?

Man, I thought not when I used them (but that was a long time ago).  Guess I was completely wrong.

Stedsm
December 14, 2020, 08:42:50 PM
 #9

I had been using Greenaddress wallet since they released a new version in 2020 itself where they've also allowed mobile phone verification (via call) for 2fa in order to send a transaction. I never knew that their support is this bad and it may take years for a solution to happen - it's looking like a case that we file in India, then wait years for the resolution to come.

RHavar (OP)
December 14, 2020, 09:09:25 PM
 #10

Quote
Do you still have access to the funding address? A signed message from 1JCshu52NeJow77g6kwyxqc4JoRrKLiWCL might help prove ownership.

I don't remember how I funded the wallet, but it's pretty unlikely. I try to aggressively purge any data I don't need, as in my position it's far more of a liability than an asset.


Anyway, I think it's pretty clear that greenaddress knows that it's my money. If I wasn't the real owner, then the real owner (even if he had 2FA access) would be totally screwed. The wallet is (or at least: was) blacklisted, and customer support ignores all the people trying to claim the wallet (I know, thanks to all the people I've encouraged to try to claim it).

If greenaddress had the slightest doubt, they would remove the blacklist and replace it with "Please enter 3 consecutive codes" to unlock the money (that way it couldn't be brute-forced, yet the real owner could still claim it).

  
So no matter how you view it, greenaddress is screwing the real owner of the wallet  Grin
  

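Added example, not part of any post in this thread and not GreenAddress's code: a sketch of the mitigation raised in posts #3 and #10, where a server accepts only a run of consecutive TOTP codes so that blind guessing stops being practical while the holder of the secret can still get in. It assumes RFC 6238 defaults (HMAC-SHA1, 30-second steps, 6 digits); the function names, the drift window and the sample secret (the RFC 4226 test key) are assumptions.

```python
import hashlib
import hmac
import struct
from fractions import Fraction

STEP = 30    # seconds per time step (RFC 6238 default; assumed here)
DIGITS = 6   # code length: one blind guess matches a given code with p = 10**-6


def totp(secret: bytes, counter: int) -> str:
    """Code for one time-step counter: RFC 4226 truncation over HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_consecutive(secret: bytes, codes: list, now: int, drift: int = 1) -> bool:
    """Accept only if `codes` are the codes of len(codes) consecutive steps
    ending at the current step, give or take `drift` steps of clock skew."""
    n = len(codes)
    if n < 1:
        return False   # an empty submission must never be accepted
    last = now // STEP
    ok = False
    for end in range(last - drift, last + drift + 1):
        expected = [totp(secret, end - n + 1 + i) for i in range(n)]
        match = all(hmac.compare_digest(e.encode(), str(c).encode())
                    for e, c in zip(expected, codes))
        ok = ok or match   # keep looping so every alignment is always checked
    return ok


def blind_guess_probability(n_codes: int, drift: int = 1) -> Fraction:
    """Upper bound on one blind submission being accepted
    (union over the 2*drift + 1 accepted alignments)."""
    return Fraction(2 * drift + 1, 10 ** (DIGITS * n_codes))


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 test key, not a real wallet secret
    now = 4 * STEP + 5                 # constructed clock: inside time step 4
    run = [totp(secret, c) for c in (2, 3, 4)]
    print("owner's three consecutive codes:", verify_consecutive(secret, run, now))
    print("one valid code repeated three times:",
          verify_consecutive(secret, [run[-1]] * 3, now))
    for n in (1, 3):
        print(n, "code(s): blind guess accepted with p <=",
              float(blind_guess_probability(n)))
```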
LoyceV
December 14, 2020, 09:51:13 PM
 #11

Quote
The wallet is (or at least: was) blacklisted, and customer support ignores all the people trying to claim the wallet (I know, thanks to all the people I've encouraged to try claim it).

Challenge accepted! Do I have your permission to try to claim the wallet?

RHavar (OP)
December 14, 2020, 10:03:28 PM
 #12

Quote
Challenge accepted! Do I have your permission to try to claim the wallet?

Please do!  Grin

LoyceMobile
December 14, 2020, 10:10:38 PM
 #13

I'd like to see them explain the logic behind locking the wallet. It makes sense to stop a brute force attacker, but it doesn't make sense to take away access from the real owner entirely.
So they either know you're the owner, and should give it, or they don't know you're the owner and shouldn't lock you out.

LoyceV
December 15, 2020, 12:27:16 PM
 #14

At the risk of making 2 posts in a row: I've installed the wallet, entered the mnemonic, and it's asking for a PIN. I'd expect to set a new pin, but it keeps asking for one. Does that mean the PIN you were talking about isn't only for the local wallet, but verified by GreenAddress?



I've sent them an email:
Quote from: me
Subject: The curious case of 0.1 BTC in a blacklisted wallet - requesting your side of the story

Howdy GreenAddress,

I'd like to ask your input on this topic: https://bitcointalk.org/index.php?topic=5299347.0
Very short summary: Bitcointalk user RHavar has 0.1 BTC stuck in a multisig wallet, he lost 2FA years ago, tried to "guess" it, and you blacklisted his wallet.
I haven't seen any reason ever not to trust RHavar, so this Scam Accusation topic makes your wallet look bad. Would you care to reply in that topic? Or if you don't have or want a Bitcointalk account: if you reply to me by email I can post your response on your behalf.

I'm mainly curious about two things: I don't understand the logic behind locking the wallet. It makes sense to stop a brute force attacker, but it doesn't make sense to take away access from the real owner entirely.
So you either know RHavar is the owner, and should give it, or you don't know he's the owner and shouldn't lock the wallet beyond recovery.

Thank you very much for your time,
Loyce Valenzuela, Bitcointalk user.

PS
I'm also posting this email in the topic. To prevent fake replies, please quote this random text in your response:
***************

aioc
December 15, 2020, 04:05:29 PM
 #15

Interesting read. I'm a long-time user of Greenwallet address. I do my transaction verification using my email, not a 2fa. It's surprising to know that you cannot access your coins even if you have the mnemonic. I remember transferring my wallet to another computer and I can set up a new pin. Something is not right here; it should be whoever owns the mnemonic or private key, he should have control of the coin. I'd like to see them explain this.

RHavar (OP)
December 15, 2020, 04:15:47 PM
 #16

Quote
At the risk of making 2 posts in a row: I've installed the wallet, entered the mnemonic, and it's asking for a PIN. I'd expect to set a new pin, but it keeps asking for one. Does that mean the PIN you were talking about isn't only for the local wallet, but verified by GreenAddress?

To be honest, I'm not sure. It is my understanding that the pin is a shared secret, however it previously was not required to initiate a transfer, so I very well could be wrong. Before when they blacklisted the wallet, they allowed the option to enter a pin -- so something has obviously changed. I have backed up the pin and never shared it, so assuming it's a shared secret it could be pretty useful in establishing that I am in fact the real owner.  But then again, if they are now prompting for a pin it's quite likely that people could have brute forced it, the key space is extremely small.


I just tried, and I was able to log in using the correct pin. However it's impossible to even attempt to use the 2fa:



So like I said, no matter how they spin it -- they are screwing the real owner of the wallet.



Edit: I was able to login using the incorrect pin. So I assume the pin is not in fact a shared secret, and just used for local encryption. They probably can't use the pin to verify me

StackGambler
January 03, 2021, 12:36:39 AM
Merited by RHavar (4)
 #17

So, GreenAddress has blocked Ryan's 0.1 BTC. Ryan has stated that he is happy for it to be donated to charity and has sufficiently proven ownership. At this point, GreenAddress is indirectly killing children in Africa. Good going! (That's 1.13 kids dead, BTW, assuming it could have been donated to a malaria foundation.)

LoyceV
January 03, 2021, 09:49:27 AM
 #18

Quote
I've sent them an email:

I got no response Sad
