Bitcoin developer @lukedashjr's wallet was hacked

[Ucy]

Part of the issue is irreversible transaction.
It would be safer to build a decentralized platform on top of Bitcoin where Bitcoin transactions can be reversed if unauthorized people gain access to users coins

You don't know what you're talking about. This would mean that anybody could reverse his transactions for no good reason. The merchants would have no reason at all to use Bitcoin, actually, it would be the opposite: they would avoid it.

One of the ways to do this:
A decentralized platform could offer a reversible transaction service for funds that can only be sent to a multisig address before reaching its final destination. This should enable people with huge amount of Bitcoin to only send their coins to such addresses controlled by them and co-signers. Once a multi-sig address receives such fund the owner is immediately alerted and he can then authorize the transaction and the fund automatically sent to the final recipient. If the owner reject the transaction the coins is sent back to his address

some people thought you were trying to promote a CSW protocol breaking money steal/refund option.. breaking bitcoins immutability

however the multisig option you now describe is how some have done things in the past.. its called escrow

however escrow refunds only work when you want to spend but unsure if the other party will release goods.. they only work when/because you enter a cooperative multisig. to cooperate and agree with the other party on payment/refund terms..

it doesnt work when someone is hoarding and not expecting a hacker to steal funds from hoarded funded addresses

I'm talking about developing a Bitcoin address with corresponding private keys specifically meant for this purpose —sending fund to multisig address before it's automatically transferred to the recipient.

Escrow would be a contract address between the sender and receiver but this has nothing to do with escrow or contract. It's simply a reversible solution for people who could have their keys stolen.

[pixie85]

I wonder if it will be possible to cash those BTC in. There is a digital footprint now and every crypto exchange will be watching for this closely.

I wouldn't be so sure.

You assume that every exchange is in the same league, playing the good game.

Some exchanges in the past were known to be money launderers like the once popular BTCe. There are exchanges that tried some shady things in the past and don't care much about their reputation like Yobit. Many exchanges situated in poor countries will agree to exchange stolen for you for a fee.

[Woodie]

Before anything, is his Twitter account still in his possession as this might turnout to be a hacker seeking public sympathy to get donations using his reputation and the alike.

He should track and contact the exchanges asking them to freeze the funds incase the hacker tries to deposit in any of the top ones to convert the coins into stables.

That is good. CZ from Binance has already replied to his tweet:

Trying to exchange 3mil won't be so easy, any sight of these coins on a Cex and these coins will certainly get frozen.... Btw can a mixer freeze such coins knowing that they are tagged stolen in the event they try to clean them

[franky1]

I'm talking about developing a Bitcoin address with corresponding private keys specifically meant for this purpose —sending fund to multisig address before it's automatically transferred to the recipient.

Escrow would be a contract address between the sender and receiver but this has nothing to do with escrow or contract. It's simply a reversible solution for people who could have their keys stolen.

if you are sending funds to a multisig where you own the keys.. then you are just (in practice) sending funds to yourself.. thus no point needing to call it a refund.. its just you sending funds to yourself.. as a wasted transaction before sending it to someone else
becasue you own the keys you dont need to send it "back" thus no point using it forward before giving it to a recipient..

a multisig is meant for having 2 people combine to control decisions. .. which is escrow

so which are you trying to explain.. wastefully sending funds to yourself in a new address.. pointlessly to want to send it back you YOURSELF if you change your mind/accidentally moved/funds moved via theft.  .. its wasteful because you dont need to "send back" because you own the keys for the multisig.. which means a hacker would too!! so you or they can just do with as they please from the address. so its the same as just hoarding from a base utxo address

or .. send coins to a multisig where there is the recipient or a middleman having the other key to co-sign funds forward or back when conditions are met

either way.. those proposals wont help fund thefts of a hoard where there was no situation of wanting funds to move as a spend. but where an invader found the keys..

..
i know you are trying to suggest a CPFP
where a parent address pays a child address.. and the child then pays it forward or back where it moves the coins faster back or forward rather then just paying direct to a recipient.
but again. there ends up no point.. because a hacker will have whatever keys you have so wherever the child funds are the hacker also has.. just like you.

(EG imagine you exposed keys to the internet/hacker via a spend in september 2021, in whatever scheme you make. where you end up needing to use the child keys in your scheme in september. then the hacker has them too because the child keys got exposed too)

............
if you are talking about needing two devices to finalise a payment to a recipient (one device for parent tx to child and second device for child to recipient) well you can do that anyway without needing any special sub layer network or change in protocol. however a hacker wont care because they will just take the parents key. and just send funds direct to hacker address without doing the send to child thing

[Wimex]

It is a worrying situation, it seems to me very necessary to look for new forms of security to be able to deal with this type of inconvenience that constantly attacks users. This type of case is not something new, so you have to take drastic measures and be increasingly careful, hackers will constantly try to breach security and get something in return, it is good to be aware of this and take the necessary measures to reduce the risks of losing everything.

[redsun114]

I don't know what seems the be the method or reason how he was hacked but the reality is that we shouldn't really trust our own wallets neither if he got hacked. I mean think about it, dude is a bitcoin developer, he probably knows more about how safety works let alone just being safe, so he had all the knowledge and tools and items he needs to be safe and he still got hacked and all his money was stolen.

This shows that we can't be safe if we do not know what we are doing. The best thing we could do right now would be making sure that its on a place that is secure which is cold wallets and offline, that would be a lot better for sure.

[larry_vw_1955]

I mean think about it, dude is a bitcoin developer, he probably knows more about how safety works let alone just being safe, so he had all the knowledge and tools and items he needs to be safe and he still got hacked and all his money was stolen.

knowing the information and implementing it are two different things. you can know all the information about best practices but if you don't actually follow them then it doesn't help!

This shows that we can't be safe if we do not know what we are doing. The best thing we could do right now would be making sure that its on a place that is secure which is cold wallets and offline, that would be a lot better for sure.

yeah if he would have done that then he would still have his 209 bitcoin or whatever it is he supposedly lost.

[stomachgrowls]

I don't know what seems the be the method or reason how he was hacked but the reality is that we shouldn't really trust our own wallets neither if he got hacked. I mean think about it, dude is a bitcoin developer, he probably knows more about how safety works let alone just being safe, so he had all the knowledge and tools and items he needs to be safe and he still got hacked and all his money was stolen.

This shows that we can't be safe if we do not know what we are doing. The best thing we could do right now would be making sure that its on a place that is secure which is cold wallets and offline, that would be a lot better for sure.

This is what boggles most people on here which it would really be that understandable that a certain Bitcoin dev does know much more than us when it comes to safety protocols on how to store up your coins.

It wasnt cleared out on where he did make out those lapses which it did result into such breach if this would be blamed out technically stolen which does means that Bitcoin does have its flaws? Possibly but close
to impossible.
This is a human error obviously and not on the system itself,it cant just be clarified on where he did go wrong.

[pooya87]

Btw can a mixer freeze such coins knowing that they are tagged stolen in the event they try to clean them

They won't and should not because to do so requires working with blockchain analysis companies which exist to invade people's privacy and to deanonymize bitcoin transactions, this goes against the very reason the mixer exists.

[daweller1]

Hi Guys...
just a quick question...
if this guy had a 25th seed phrase enabled, would that have prevented the hack?

Thanks

[franky1]

Hi Guys...
just a quick question...
if this guy had a 25th seed phrase enabled, would that have prevented the hack?

Thanks

doesnt matter if its a long string of characters or a bunch of words. if its has been typed into a compromised PC that a hacker can see files of.. the hacker can get it

even a latest hardware wallet. a hacker can simply set up a phished/emulating GUI display to show "error with device. to reset device please re enter your seed" or whatever their error pages look like to get people to type it in.

[daweller1]

Hi Guys...
just a quick question...
if this guy had a 25th seed phrase enabled, would that have prevented the hack?

Thanks

doesnt matter if its a long string of characters or a bunch of words. if its has been typed into a compromised PC that a hacker can see files of.. the hacker can get it

even a latest hardware wallet. a hacker can simply set up a phished/emulating GUI display to show "error with device. to reset device please re enter your seed" or whatever their error pages look like to get people to type it in.

Thanks 

[Rikafip]

even a latest hardware wallet. a hacker can simply set up a phished/emulating GUI display to show "error with device. to reset device please re enter your seed" or whatever their error pages look like to get people to type it in.

Are there any hardware wallets that actually ask you to do something like that in any circumstances? If yes, then that's a very dangerous thing to have. So far I've been using only Ledger and the only way to enter seed phrase was directly using the device and not via Ledger Live app so if any message like that pop up, Ledger users should know that it is a fake. Not that it would stop some people entering seed anyway.

This shows that we can't be safe if we do not know what we are doing.

This shows that you aren't 100% safe even if you know what you are doing (its safe to assume that person in question knew considering his experience). Since this guy wasn't anonymous, I don't think that this was just some random attack and instead he was targeted which is a different thing than just clicking on some malware link and losing your bitcoin that way. Then again, smart people can do stupid things so maybe this was a brainfart.

[franky1]

even a latest hardware wallet. a hacker can simply set up a phished/emulating GUI display to show "error with device. to reset device please re enter your seed" or whatever their error pages look like to get people to type it in.

Are there any hardware wallets that actually ask you to do something like that in any circumstances? If yes, then that's a very dangerous thing to have. So far I've been using only Ledger and the only way to enter seed phrase was directly using the device and not via Ledger Live app so if any message like that pop up, Ledger users should know that it is a fake. Not that it would stop some people entering seed anyway.

ledger USB device has its own keyboard?? .. show me

[Rikafip]

ledger USB device has its own keyboard?? .. show me

You don't need a keyboard to enter seed phrase in Ledger, few buttons on the device are enough for that. Its clunky and not most convenient, but I'll take that over entering seed in some app which is way more dangerous (fake apps, keyloggers etc). Here is the video how its done https://www.youtube.com/watch?v=XRzGix11T18

By the way, how are you doing it on your hardware wallet, if you have one?

[NeuroticFish]

I see that franky1 has given you good answers, so I won't get there too.
All I can add is a recommendation to make a new (spin-off) topic about this if you want to continue this debate, since here it's off-topic.

ledger USB device has its own keyboard?? .. show me

It has 2 buttons. A bit unnatural to call it keyboard, but it can be seen so without being awfully wrong, since the Nano S (plus) doesn't need more than that.

[TalkativeCoin]

Hi Guys...
just a quick question...
if this guy had a 25th seed phrase enabled, would that have prevented the hack?

Thanks

doesnt matter if its a long string of characters or a bunch of words. if its has been typed into a compromised PC that a hacker can see files of.. the hacker can get it

even a latest hardware wallet. a hacker can simply set up a phished/emulating GUI display to show "error with device. to reset device please re enter your seed" or whatever their error pages look like to get people to type it in.

Thanks 

And this is basically how 90% of it gets done, purely social engineering hacking and not brute forcing.

[buwaytress]

even a latest hardware wallet. a hacker can simply set up a phished/emulating GUI display to show "error with device. to reset device please re enter your seed" or whatever their error pages look like to get people to type it in.

Are there any hardware wallets that actually ask you to do something like that in any circumstances? If yes, then that's a very dangerous thing to have. So far I've been using only Ledger and the only way to enter seed phrase was directly using the device and not via Ledger Live app so if any message like that pop up, Ledger users should know that it is a fake. Not that it would stop some people entering seed anyway.

Yeah if I saw a message like that pop up on any damned device, I'd know I was hacked and immediately wash off.

Problem is, and I'm sure I'm not exaggerating, most people, not some, would enter their seed phrase if they saw a message requesting it.

Now that actually reminds me that I've rarely seen warning messages about never ever responding to seed phrase requests...

[franky1]

Now that actually reminds me that I've rarely seen warning messages about never ever responding to seed phrase requests...

years back first generation hardware wallets were just USB devices that when plugged in, opened a webbrowser with the interface being a webpage(facepalm) . so soo soo many flaws back then

but yes these days and those days dont trust anything requesting your seed phrase on a pc's screen unless you have a way to prove its a genuine thing asking for it. and good to see new ledgers allow key inputs via devices(i havnt bothered looking into hardware wallets for years.)

[Inwestour]

It's definitely a sign that none of the cryptos at just a singular place is safe, no matter if it is in your ledger or on your pc or anything else. Singular place is always terrible.

Many people claim that "not your keys not your coins" because of exchange hackings, but at the same time if you end up putting it on binance, do you really think that binance will be hacked so big that they will fail to pay the customers? They have so much money that you could empty all of their hot wallets today, and their cold wallets would still cover everyone's funds. That is why I highly believe that they are going to be the best case if you want to safely secure your coins.

This is a very big misconception, there are much more risks here, the first and simplest - Binance can simply freeze your coins, simply block your account. There are such cases, so they cannot be ruled out. If you give an example of hacking an exchange, then in this case the withdrawal will also be closed to all users until the circumstances are clarified, and believe me, no one will compensate for this from their coins.

You should never trust your money to exchanges, FTX is an example that should have made everyone think about it seriously, but I see that this is not clear to everyone.

This is truly an unprecedented event!  From such an experienced developer in the field of blockchain, hackers managed to steal a large sum of money in Bitcoins....

At the same time, Bitcoin Core developers themselves give recommendations on the safe storage of the first cryptocurrency on their website.  Most Bitcoin users are guided by these recommendations when choosing one or another wallet to store their coins. 

In my opinion, this means acknowledging the fact that there is no completely secure way to store Bitcoins.  It is necessary to use all available methods to minimize the existing risks of losing cryptocurrency.

This is a warning sign, not many people can understand better than these people in the safe storage of bitcoin, but as we can see, no one can be sure that their coins are safe.

How then to proceed in this case, is it worth separating our coins into different cold wallets, part per ledger, etc., or what? In fact, this is a very serious issue that should not be put off.