Bitcoin developer @lukedashjr's wallet was hacked

[franky1]

speculated scenarios based on limited stuff said:

"email notifications from kraken/coinbase"
maybe the hacker got to the coins he had on an exchange

or

he uploads binaries for his bitcoin knots node to his server from github. hacker replaced binary with compromised one. luke downloaded binary from server without checking (who actually checks their own work if you believe you were the one that uploaded it(why check the binaries twice))
and then put his keys into the compromised binary of bitcoinknots and "byebye bitcoinio"

both seem more plauible than a burglar entering his house.. again she would notice and not be questioning the how if his house was compromised

[1714958746]

1714958746

[1714958746]

1714958746

[1714958746]

1714958746

[Wind_FURY]

It appears more than $3 million in bitcoin was stolen. This is very sad to see and I reckon some people should not make fun of this similar to those imbeciles who are replying in this thread in Twitter.



PSA: My PGP key is compromised, and at least many of my bitcoins stolen. I have no idea how. Help please.

Source https://mobile.twitter.com/lukedashjr/status/1609613748364509184

Looks like some of it is coinjoined to 1YAR6opJCfDjBNdn5bV8b5Mcu84tv92fa

Source https://mobile.twitter.com/LukeDashjr/status/1609621375349555204

432ded946431a9612f09d73bd15ded045d11d1095ffdfe8d68306ea9b2e78930

c38a3210fbb758cfc41d9a64b7534b83aecca96f051231f15545e8e5c7365190

4b3cde50e2bce3d02e15b61957d2452e29f53d9a99e1ab14e83b6ec0f87fd851

50df1eab0bf2bd01999cea4fc531a65c17e1a285823c9ae4eab0feb7e21a11b6

Source https://mobile.twitter.com/LukeDashjr/status/1609657854113218560

That's a coordinated/targeted-attack, and probably his way of securing the keys were not very good enough. I believe we should learn from this, and start using different paths/strategies to secure our keys. If you have your whole savings in Bitcoin it's probably better to use different wallets and secure them differently to confuse the attacker. Use - Hardware Wallets, Encrypted Wallets, and other wallets written down and secured through lock/key vaults.

[ABCbits]

--snip--

How can a cold wallet be compromised? I thought the only way would be for the perpetrator to physically steal the cold wallet. Am I wrong?

It depends on his cold wallet setup/usage. For example, using USB storage to transfer unsigned and signed transaction could  be exploited by specifically designed malware.

Maybe some quantum computer hacked his private key but why only go for 200btc when you could go for multiplies higher.

This is my biggest fear and the worst hypothesis for this case. Hackers having technology at their disposal to break the security of blockchain. The consequences of this would be much more impactful and harmful than a single person losing 200 BTC. It could be the end of bitcoin in this case, as no one would be safe anymore. It is said by 2030 quantum computers would be able to break encryption protocols, including of bitcoin.

1. It won't be end of Bitcoin if Bitcoin switch to quantum-resistant cryptography.
2. Bitcoin don't use encryption protocol, but digital signature and hash cryptography.

[NeuroticFish]

For example, using USB storage to transfer unsigned and signed transaction could  be exploited by specifically designed malware.

Everything looks more than sloppy for a Bitcoin Developer. Surreal. Hot wallet is possible, but a dev's cold wallet... hmm...

While Peter Todd has confirmed the story, also on Twitter, I find it incredible and I still tend to think that's higher chance both Twitter accounts (Luke-Jr and Peter Todd) are compromised than all this story (including Luke calling on Twitter for FBI, come on...). Even more, no sign of this story on his Mastodon/BitcoinHackers account.

[digaran]

Well, that's just great, new year starting with this story for bitcoin, mixers are always involved in theft related to btc, they are going to mix and get away with it. Feeling sad for the guy.

[MiliMil]

--snip--

How can a cold wallet be compromised? I thought the only way would be for the perpetrator to physically steal the cold wallet. Am I wrong?

It depends on his cold wallet setup/usage. For example, using USB storage to transfer unsigned and signed transaction could  be exploited by specifically designed malware.

What would be the safest and most secure setup for a cold wallet? I am now unsure how to transfer from cold wallet to an online address without compromising security.
Would it be possible to transfer BTC from cold wallet to another cold wallet and then send from that secondary cold wallet to an online address? That way my original cold wallet isn't connecting to the internet or being directly exposed?

[NeuroticFish]

What would be the safest and most secure setup for a cold wallet? I am now unsure how to transfer from cold wallet to an online address without compromising security.
Would it be possible to transfer BTC from cold wallet to another cold wallet and then send from that secondary cold wallet to an online address? That way my original cold wallet isn't connecting to the internet or being directly exposed?

Get a hardware wallet. Or a SeedSigner device.
...Or set up both your cold storage and companion watch only hot wallet with Electrum on laptops with cameras, hence allowing you transfer those transactions (unsigned and signed) as QR code images.

If you're adding a secondary cold storage:
* you're doing it wrong
* you've misunderstood something and need to read more

However, this is off topic, if you have more questions please make a new topic with them.

[Lucius]

Everything looks more than sloppy for a Bitcoin Developer. Surreal. Hot wallet is possible, but a dev's cold wallet... hmm...

To me, this story is incredible, that a man who should understand all the risks and secure his funds better than most is hacked in this way? If by any chance it was an online/hot wallet, everything would still make sense, but a cold wallet should be immune to all online attacks, even though @ETFbitcoin mentions a possible way to compromise such storage.

It would be nice if everything was actually a consequence of Twitter's still poor security and that someone was playing a little with hacked profiles...

[dkbit98]

What would be the safest and most secure setup for a cold wallet? I am now unsure how to transfer from cold wallet to an online address without compromising security.
Would it be possible to transfer BTC from cold wallet to another cold wallet and then send from that secondary cold wallet to an online address? That way my original cold wallet isn't connecting to the internet or being directly exposed?

You should be just fine if you keep Bitcoin in hardware wallet (Trezor, Passport, Bitbox, Keystone...) and keep seed phrase in secure way offline, but best protection is certainly using multisig setup.
I am surprised that Luke didn't use Multisig, that is must have for anyone that is dealing with larger amount of Bitcoin, like in his case with over 200.
Using dedicated computer for anything related with Bitcoin is also good, but I think Luke was targeted for some time and they just waited for the right moment to attack.

That is good. CZ from Binance has already replied to his tweet:

This is not good at all.
We don't want Binance freezing coins all the time, and we already know that CZ would love to control Bitcoin blockchain and reverse transactions whenever he wants.

[MiliMil]

Get a hardware wallet. Or a SeedSigner device.
...Or set up both your cold storage and companion watch only hot wallet with Electrum on laptops with cameras, hence allowing you transfer those transactions (unsigned and signed) as QR code images.

If you're adding a secondary cold storage:
* you're doing it wrong
* you've misunderstood something and need to read more

However, this is off topic, if you have more questions please make a new topic with them.

The QR code idea is genius. No need to be connected to the internet and therefore much more secure.
I'll be binge reading a lot of articles and information in the next few days.
Thanks.

[BitcoinPanther]

He should track and contact the exchanges asking them to freeze the funds incase the hacker tries to deposit in any of the top ones to convert the coins into stables.

That is good. CZ from Binance has already replied to his tweet:




Anyway, if it were a prank, why would anyone hack his Twitter account, and post a BTC address containing 200+ BTC received recently with no transactions ever sent?

Speaking of CZ now this incident support his claim about self-custody being more risky.  The follow up article after the initial report on the hack talks about the reaction of the community with regards to the incident of hacking.  And now the reaction is negative because the issue of self-custody is being highlighted and many worry that even the core developer who should be knowledgeable on security has been hacked, what more their grandma's wallet.

Other community members echoed the sentiment and highlighted that if it could happen to Dashjr, there would be “no nope” for their grandma. A Twitter user also brought mass adoption to the conversation. They believe that if a top Bitcoin developer cannot keep his wallet secure, mass adoption is a “pipe dream.”

Other assumption thinks that the incident of is just a boating incident to avoid paying taxes[1].

Meanwhile, a few others appear to suggest it may not have been a hack at all, suggesting that someone had stumbled across the seed phrase somehow, or it was part of an unfortunate “boating accident” ahead of tax season.

A boating accident in this context is in reference to a running joke and meme originally used by gun enthusiasts, but since repurposed by the crypto community about people trying to avoid paying taxes by claiming they lost all their BTC in a “tragic boating accident.

[1] https://cointelegraph.com/news/bitcoin-core-developer-claims-to-have-lost-200-btc-in-hack

[MiliMil]

You should be just fine if you keep Bitcoin in hardware wallet (Trezor, Passport, Bitbox, Keystone...) and keep seed phrase in secure way offline, but best protection is certainly using multisig setup.
I am surprised that Luke didn't use Multisig, that is must have for anyone that is dealing with larger amount of Bitcoin, like in his case with over 200.
Using dedicated computer for anything related with Bitcoin is also good, but I think Luke was targeted for some time and they just waited for the right moment to attack.

Thanks for the tip. Will definitely look into it.
Let's assume Luke is being truthful and did get hacked. How hard is it going to be for the hacker to turn those BTC into cash? I saw a tweet where CZ said if they are moved to Binance they will be frozen. I'm assuming other major crypto reserves will do the same since an online footprint has been left behind?

[NotATether]

You should be just fine if you keep Bitcoin in hardware wallet (Trezor, Passport, Bitbox, Keystone...) and keep seed phrase in secure way offline, but best protection is certainly using multisig setup.
I am surprised that Luke didn't use Multisig, that is must have for anyone that is dealing with larger amount of Bitcoin, like in his case with over 200.
Using dedicated computer for anything related with Bitcoin is also good, but I think Luke was targeted for some time and they just waited for the right moment to attack.

Thanks for the tip. Will definitely look into it.
Let's assume Luke is being truthful and did get hacked. How hard is it going to be for the hacker to turn those BTC into cash? I saw a tweet where CZ said if they are moved to Binance they will be frozen. I'm assuming other major crypto reserves will do the same since an online footprint has been left behind?

Considering this is a Bitcoin developer we are dealing with, they are going to take this matter very seriously. It's not like he's going to get stonewalled by endless layers of customer support bots & human reps like us ordinary plebs do...


I admit that I haven't fully grokked all the details about this so I'll be investigating more about this event.

[MiliMil]

Considering this is a Bitcoin developer we are dealing with, they are going to take this matter very seriously. It's not like he's going to get stonewalled by endless layers of customer support bots & human reps like us ordinary plebs do...


I admit that I haven't fully grokked all the details about this so I'll be investigating more about this event.

lol you are right though, the only reason Luke is getting so much assistance and help (which I am happy about) is because he is a high profile individual. I've seen countless threads online where similar things have happened albeit with much less BTC and it is not taken seriously.

[fillippone]

Well this is a bad story.

200 BTC are huge money for most of us, but Luke Himself said it' a "large" part, not "all" of his Bitcoins.

Two consequences:
1.A  lot of bad FUD will come out of this story. "if even an OG bitcoin- core developer" cannot take his Bitcoin safe, who on Earth will be able to do so?"
2.Many of us will review practices to become more responsible managing satoshi. A long overdue review of all the processes involving UTXO manipulation will be carried out by most of us, following this new. And this is a good thing.

[2double0]

A question arose on the point of security and how secure can we keep our keys and Bitcoins safe, if it's not even safe at our home. If a core dev like Luke can lose his btc stored since a long time, then anybody here will panic and will try to find the best possible way to store their coins so not to become a victim of such a consequence.

I'm feeling extremely sad on Luke's part but as we have never held 200 btc (most of us) till date, I don't think we are capable of knowing how he must be thinking atm.

[franky1]

I am surprised that Luke didn't use Multisig, that is must have for anyone that is dealing with larger amount of Bitcoin, like in his case with over 200.

like myself. i have hoards from earlier years. that have not been moved. so due to lack of multisig in early years it wouldnt have been put on multisig when first received. and (even i havnt) bothered to move coins from old stash

if using multisig when its just you using all the keys. multisig ais a little pointles because you have to bring the keys together into one computer to compute address and also to make spends. thus pointless using becasue the keys would be just as compromised

multisog is only useful for multiple parties to sign separately in separate locations and then only need to append signature to a raw tx
...

coins were not on a hardware wallet. as that also requires moving coins from old addresses

he said he had alot of old legacy keypairs, some on a hot wallet and some backed up in physical form(paper wallet, usb stick) stored in a physical house-safe

he said he doesnt have a hardware wallet or airgapped pc.

[fillippone]

like myself. i have hoards from earlier years. that have not been moved. so due to lack of multisig in early years it wouldnt have been put on multisig when first received. and (even i havnt) bothered to move coins from old stash

As I said, this story will have te positive fallout of making us reconsider why we "didn't bother" to do something.

Not stating that multisig is the right choice, but the "didn't bother to..." is the wrong one.
Every action, or every non action, means there is a need of an assessment of risks.

[Lucius]

A question arose on the point of security and how secure can we keep our keys and Bitcoins safe, if it's not even safe at our home. If a core dev like Luke can lose his btc stored since a long time, then anybody here will panic and will try to find the best possible way to store their coins so not to become a victim of such a consequence.

I don't understand why anyone would panic and feel insecure at this moment, because no one hacked Bitcoin, but one man obviously made a wrong step somewhere and now he paid the price for it. The fact is that such a thing shouldn't have happened to a person like him, but it shouldn't have happened to the computer scientist whose HDD ended up in the trash, or to the engineer who forgot the device password and now only has a few attempts before the device resets.

People have always been and will remain the weakest link in any setup, no matter how secure it may seem at some point.

[fillippone]

Looks like some of it is coinjoined to 1YAR6opJCfDjBNdn5bV8b5Mcu84tv92fa

Source https://mobile.twitter.com/LukeDashjr/status/1609621375349555204

432ded946431a9612f09d73bd15ded045d11d1095ffdfe8d68306ea9b2e78930

c38a3210fbb758cfc41d9a64b7534b83aecca96f051231f15545e8e5c7365190

4b3cde50e2bce3d02e15b61957d2452e29f53d9a99e1ab14e83b6ec0f87fd851

50df1eab0bf2bd01999cea4fc531a65c17e1a285823c9ae4eab0feb7e21a11b6

Source https://mobile.twitter.com/LukeDashjr/status/1609657854113218560

The transaction weren't conjoined. If there were a conjoin he wouldn't possibly be traced to a final address.
He might mean that PART of the input in those transactions are his original UTXO?

1YAR.. is not an address under his control, so the heuristic claiming all the funds are from this hack has to be proven.
For sure, he is not adding clarity to this story.