Best Practices after a hack

[mphidalgo]

What are considered best practices after a hack of a multi-sig Electrum wallet and stolen funds?  Let's assume the funds are unrecoverable.

One path would be reporting the crime.  There is regular law enforcement but also crypto companies like chainalysis who seem worthwhile to help isolate wallets if possible.

Another path is some kind of internal audit of multi-sigs, their process, and systems.

Any suggestions for what else there is to do and who to engage as part of the retro is appreciated.

[o_e_l_e_o]

Chalk up the funds as lost and examine how you were hacked to make sure it doesn't happen again.

Sure, file a police report, but unfortunately 99% of crypto thefts go unsolved. You could try tracing the funds to an exchange or service yourself if the thief has been stupid enough to not obfuscate their blockchain trail, or use a blockchain analysis company (although this will be expensive).

I'm not sure what you mean by auditing the multi-sig. It's simply a piece of code. What was the multi-sig scheme? 2-of-3? How did you create these keys? How did you store them? How did you back them up? A thief doesn't accidentally stumble across multiple keys. At some point you had to both make yourself a target by advertising the fact you had funds worth stealing, and give away enough details about your multi-sig set up for it to be exploited. This is your biggest issue right now - how have you been so lax with your security? Do you have a key logger or other malware? Are your communications being intercepted? Did you store all the keys in the same place? Address this before it happens again.

[mphidalgo]

Thanks o_e_l_e_o. 

It certainly is a head scratcher.  It seems inconceivable that someone would get 2 of 4 keys, but like you said, there must have been a breakdown in the process somewhere.

[o_e_l_e_o]

Did you generate all the keys on the same device/computer/phone? If so, that is the most probable weak link. What software did you use to generate the keys? Are you sure it wasn't malicious or compromised? How did you back up and store the keys? Where did you store them? Who else, if anybody, knew about them?

There are a lot of places the process could have broken down.

[HCP]

Who had access to one/some/all of the keys? Just you or were other parties involved in this multi-sig setup? What devices were these keys stored on? Are they all clean? Have they been audited? What other activities are these device(s) used for? What OS(es) are being used? What security protocols are in place to secure the devices?

[Pmalek]

It seems inconceivable that someone would get 2 of 4 keys, but like you said, there must have been a breakdown in the process somewhere.

Not just two of the four private keys or seeds, they would also need the master public keys of the other cosigners unless are private keys/seeds were in the same place.

Were you the sole owner off all these keys or were they shared among multiple people as part of a company setup or among friends/relatives, etc.?
In a 2/4 setup, two of the cosigners could go rogue and steal the coins assuming they also have the required xpubs. Do you absolutely trust that the other people who were part of the setup wouldn't steal the coins themselves?   

[hugeblack]

It certainly is a head scratcher.  It seems inconceivable that someone would get 2 of 4 keys, but like you said, there must have been a breakdown in the process somewhere.

The process of tracking coins is one thing and recovering them is another thing, you need to be lucky to succeed in tracking those coins and then recover them because the only way to recover them is to deposit those coins in central platforms or a third party that can be controlled.

2 out of 4 will make a bug in your security model because if the scammer's access to any two of the four keys means that you will lose your money.
3 out of 5 would be a good choice, or more.

Now you have to move all the coins to another place, check all the things that led to the hack and then think about how to recover those coins

[o_e_l_e_o]

OP has been inactive for a year, guys.