Bitcoin developer @lukedashjr's wallet was hacked

[headingnorth]

it actually does not matter if its seed or legacy or multisig or segwit

if you expose any seed, wallet file, private key to a system that is hackable(online) where you probably downloaded a compromised file that contains a trojan. those coins no matter the format of the private key, becomes their

Very stupid of him to store his private keys on a computer.

The purpose of cold storage is that your keys are stored OFFLINE where it is impossible for anyone else to access but you.
When your keys are online then it is not cold storage -- it is the same thing as storing in a hot wallet. Can't believe a bitcoin dev is that dumb.

[1714309895]

1714309895

[1714309895]

1714309895

[1714309895]

1714309895

[franky1]

it actually does not matter if its seed or legacy or multisig or segwit

if you expose any seed, wallet file, private key to a system that is hackable(online) where you probably downloaded a compromised file that contains a trojan. those coins no matter the format of the private key, becomes their

Very stupid of him to store his private keys on a computer.

The purpose of cold storage is that your keys are stored OFFLINE where it is impossible for anyone else to access but you.
When your keys are online then it is not cold storage -- it is the same thing as storing in a hot wallet. Can't believe a bitcoin dev is that dumb.

first of all cold store is a term that pre exists hardware wallets and exporting keys
for airgapped stores like hardware wallets, paper wallets and offline devises. they were just called those 3 things

cold meant home node, hot meant node on a webserver with public access
..

anyways moving on
he used a wallet to spend funds like a couple months before some hacks on his server. so obviously when they trojaned into home computer the wallets were still on PC

i know some will say "need to wipe windows/linux per spend and delete everything and start again"... but who actually does that

its like telling someone to get a new debit card each time they use their debit card for the risk of someone cloning the card.. who actually does that

.
one thing i dislike about core is how you cant choose your "change" address easily.. it just uses the current seed or the random generator to create a change address to add to current wallet in core.. .
to avoid this.. you have to instead treat it as if you are spending funds fully to 2 destinations as a complete spend of all value of current wallet/seed.. where you choose the second destination as an address of separate wallet you have not put into core/your device.
(meaning a new wallet created airgapped)

that way the 2nd destination is a wallet on a completely separate airgapped device. and no funds are being returned to a wallet that is in core when spending.

but again. who bothers to do that

some say you should take an umbrella with you all the time in case it rains.. but who bothers to do that
some say you should take an an extra shirt with you in case you get lunch sauce on one while on work break. but who does that

[larry_vw_1955]

anyways moving on
he used a wallet to spend funds like a couple months before some hacks on his server. so obviously when they trojaned into home computer the wallets were still on PC

sounds like an amateurish mistake.

i know some will say "need to wipe windows/linux per spend and delete everything and start again"... but who actually does that

well if i had bitcoin private keys that added up to $2 or $3 million then i wouldn't keep them stored on a computer that was connected to the internet, franky.

its like telling someone to get a new debit card each time they use their debit card for the risk of someone cloning the card.. who actually does that

i'm not sure that's an apples to apples comparison. banks put spending limits and atm cash limits on debit cards for exactly this reason: to avoid having to reimburse a customer for amounts that would exceed what they are comfortable reimbursing.

one thing i dislike about core is how you cant choose your "change" address easily..

why should you need to choose your change address? an hd seed is meant to manage your change addresses so that all your funds remain under its control. if you prefer to use your hd seed as a paper wallet one time use type of thing then yeah, i mean, you have to do that manually.

but again. who bothers to do that

they shouldn't NEED to do that. you can use an hd wallet to do as many transactions as you want to and have good security in place too.

some say you should take an umbrella with you all the time in case it rains.. but who bothers to do that
some say you should take an an extra shirt with you in case you get lunch sauce on one while on work break. but who does that

if it can cost you $2 million then yeah, you might want to bother to do those things or anything else for that matter if it falls into a similar category.

[franky1]

its funny to say "but HD seed do XYZ"
his funds were not on HD seeds. so mute point

if funds are on hd seeds then yea skip the advice about change addresses.
but if funds are on legacy, then you have to manually spend all value to 2 addresses(1x destination for amount to want to spend and 1x yourself in a new wallet for the change) ensuring change doesnt go to same wallet thats on the online computer

meaning when its time for a legacy hoard to upgrade wallet to HD he will need to do as i just said

you cant just re invent the past and pretend he had a HD seed.. he didnt.

i dont even like luke JR for numerous reasons. but still i wont re invent the past to give more reasons to say he done things wrong because he had access to XYZ before events

at most all i can say is when he done the spend in september. he should have used that opportunity to move it(like i suggested) to a new wallet that was airgapped.

[larry_vw_1955]

his funds were not on HD seeds.

i know. they were on individual paper wallets. how many of them i am not sure exactly.

if funds are on hd seeds then yea skip the advice about change addresses.
but if funds are on legacy, then you have to manually spend all value to 2 addresses(1x destination for amount to want to spend and 1x yourself in a new wallet for the change) ensuring change doesnt go to same wallet thats on the online computer

paper wallets are not meant to receive back change. that's why.

at most all i can say is when he done the spend in september. he should have used that opportunity to move it(like i suggested) to a new wallet that was airgapped.

i mean i'm sure he's got enough grief as it is he doesn't need armchair quarterbacks but the mistake was made long before september. the mistake was made when he started storing those private keys on that computer to begin with. how many years did that go on for until someone finally hacked him? how many years did he have time to read up on how to best protect your stash? and what did he do? it doesn't seem like he did anything. 

[franky1]

no what you are not reading is ..
he had over 200btc on DIFFERENT keys before september. but moved coin in september to new address thus exposing that wallet in september..
(its not a stash since 2011 that has been lingering on a computer for a decade or exposed a decade or less ago)


they were exposed september 2022+
because he spent some coin in september and got change in september but didnt send the change to a different wallet(such as a HD seed associated key made on an airgapped wallet)

instead the funds in september went back to a change address in a node of standard change address creation within the node

[BlackHatCoiner]

i know some will say "need to wipe windows/linux per spend and delete everything and start again"... but who actually does that

Lol. Every reasonable person with a shitload amount of money, maybe?

its like telling someone to get a new debit card each time they use their debit card for the risk of someone cloning the card.. who actually does that

What the actual fuck? What kind of analogy is this? First things first, you don't store a million dollars worth of bitcoin in a hot wallet. That should be a principle, period. Secondly, using a hot wallet more than once doesn't introduce any additional risk. If you have a computer that's connected to the internet, with a Bitcoin wallet installed, and you use it only to make transactions, using it once or a million times doesn't make a difference security-wise. Thirdly, debit card transactions are reversible.

[LoyceV]

i know some will say "need to wipe windows/linux per spend and delete everything and start again"... but who actually does that

Using a Linux Live DVD is quite easy nowadays. Copy an unsigned transaction from a watch-only hot wallet, sign it from a Live Linux OS without any storage or internet, copy it back, broadcast it, and all you have to wipe is the RAM.

[franky1]

i know some will say "need to wipe windows/linux per spend and delete everything and start again"... but who actually does that

Lol. Every reasonable person with a shitload amount of money, maybe?

its like telling someone to get a new debit card each time they use their debit card for the risk of someone cloning the card.. who actually does that

What the actual fuck? What kind of analogy is this? First things first, you don't store a million dollars worth of bitcoin in a hot wallet. That should be a principle, period. Secondly, using a hot wallet more than once doesn't introduce any additional risk. If you have a computer that's connected to the internet, with a Bitcoin wallet installed, and you use it only to make transactions, using it once or a million times doesn't make a difference security-wise. Thirdly, debit card transactions are reversible.

im laughing

firstly exchanges use hotwallets containing more then 200btc all the time..(they have 'at-risk' 0.0x-1000btc) hotwallets on server
just the CEO's have their non-server(not the exchange) nodes with the cold wallets(1000-700,000btc) keys not on a server

but ..
lets get to the whole actual detail of what lukes tweets have actually revealed so far

he didnt have keys on his server(thus not a hot wallet by OG standards(ignoring the newbie redefiner, re-jargonisers))
though he did spend coin in september on his home pc(not the server), which would mean his keys of the utxo 'change' were in same wallet(standard key addition to wallet.dat of core) so it was exposed to that system because he didnt set the change address (manually needed) to go to an airgapped separate wallet

analogy when spending some debit card balance he didnt send the rest of the entire balance to a new debit card.. but then who does normally.. no one
(legacy core doesnt do this either, it puts rest of balance into a key OF THE SAME WALLET.DAT)

to avoid this. like i have said a few times now. people have to manually set a second destination for remaining balance to go to a destination you own(airgapped) of an address thats not been exposed to the spending PC

try to read before letting your brain bot shout "must find reason to be opposite to franky"

[BlackHatCoiner]

Using a Linux Live DVD is quite easy nowadays. Copy an unsigned transaction from a watch-only hot wallet, sign it from a Live Linux OS without any storage or internet, copy it back, broadcast it, and all you have to wipe is the RAM.

Or just buy yourself a signing device, if you're about to do this regularly. If not, Linux Live OS does fine for long-term cold storage.

firstly exchanges use hotwallets containing more then 200btc all the time..(they have 'at-risk' 0.0x-1000btc) hotwallets on server

And exchanges get hacked all the time. Your point?

he didnt have keys on his server(thus not a hot wallet by OG standards(ignoring the newbie redefiner, re-jargonisers))

There is no newbie redefinering. A hot wallet is a piece of wallet software installed in a machine that is or was reachable by a network of computers.

analogy when spending some debit card balance he didnt send the rest of the entire balance to a new debit card.. but then who does normally.. no one

You don't leave a million dollars on a debit card, unless you already have a billion in cash. That's my response.

[franky1]

oh blackhat your responses dont help anyone..  you are a social drama queen poking just to be oppositional

you have been caught out before trying to re-define OG terminology (such as the pruned=full node crap you and buddies infer.. yet, pruned was not even a thing when "full node" term was used.. having an option to switch off options and peer services = not full node when options are set to not offer fullpeer services)

YOU said no one puts 200btc+ value on hotwallets.. so i responded that exchanges do.. (instant debunk)
i guess you forgot your point in the previous post, to then not realise i was correcting your point
amnesia is not an excuse to pretend your point didnt get debunked.. now just move on. dont reply just to be oppositional.. actually read the context of stuff and stop using amnesia as a reason to not know stuff

even your response to loyce was that someone should use a signing device, negating his point about people (actual events) that dont have a signing device yet and (actual events) exposed keys(actually happened) should wipe their computer or use a live CD operating system to remove said exposure(that actually happened)

stick to actual events and not try to re-write history to pretend he must have had xyz in the past and should have used xyz

sticking to what luke had. (and what he could do with what he had), then sets the conversation of this topic about what happened and how he in this topics specific situation could have mitigated it with what he actually had/admits/reveals to have had.
not shouldisms of what he should have bought created via needing different equipment devices and a time machine .. to then have your particular list of devices HE DIDNT HAVE at the event

oh
and you think there are no people out their with a platinum/black debit card.. pfft
and you think there are no people out their with a platinum/black debit card who arnt also billionaires.. pfft

anyone could shout out any shouldism they like. but a rational person. sticks to the realms/scope of realism of what was actually available in the victims hands at the time of the event

[BlackHatCoiner]

YOU said no one puts 200btc+ value on hotwallets.. so i responded that exchanges do.. (instant debunk)

I said no reasonable person does that. And, as history is concerned, my assertion is arguably confirmed.

even your response to loyce was that someone should use a signing device, negating his point about people (actual events) that dont have a signing device yet

It was merely a suggestion. People that have millions of dollars worth of bitcoin and haven't made the necessary precautions are just irresponsible, that's all I'm saying.

stick to actual events and not try to re-write history to pretend he must have had xyz in the past and should have used xyz

I don't know what's going on in your head, but please visit an expert.

[franky1]

stick to actual events and not try to re-write history to pretend he must have had xyz in the past and should have used xyz

I don't know what's going on in your head, but please visit an expert.

again to end your silyness.. and i hope you move on from the sillyism of shouldisms outside the practicals of this specific topic

you were spouting random shouldisms about things that luke didnt have. thus . saying he should have used a hardware wallet .. would only be true if time travel occured for him to have bought said device prior to september, prior to septembers exposure, prior to risking his wallet. ..
he had no such device at time of events(sept-dec). his funds were not on such device. thus your shouldism is not a reality of what he had but didnt use. but what he didnt have so couldnt use.

i personally have funds on legacy for my personal reasons. (none you would understand)
you cant just slide in a private key into a hardware wallet or a seed. it requires SPENDING to move funds to a new wallet that is seed based.

having funds on legacy doesnt help users of legacy to have shouldisms shouted at them about having keys in hardware wallets. because it requires them to SPEND the keys. meaning exposing they keys. thus..
advice is actually "WHEN spending it would have been best to not just use cores standard add change address to wallet.dat change address mechanism. as that wallet when SPENDING is exposed
he COULD have set a second destination to a fresh wallet to remove exposure by the new wallet destination being airgapped

do you now see the difference in advice and why my advice is more practical to the reality of occurrences and information availbe to us from luke and the locations of funds admitted by luke(this topic)

..
oh and as for your shouldisms about everyone having a hardware wallet its stupid not to
the hardware market is only $850m~
at an average of $85~
means only 10m devices..

there are 43,629,759 funded addresses (some single addresses represent multiple millions of people some multiple addresses represent a single person.. so not a good metric of crypto userbase
yet coinbase has 60m customers. binance has 25m customers
meaning adding all up all other exchanges aswell.. there are more then 100m users of crypto.
so at best bet only 10% are using hardware wallet AT BEST

oh and final debunk

you pretend your whitty, smart, and you absolutely have top security by promoting hardware wallets or HD seeds

seriously??
your 1BLACKWQ3LHpbh8GFYnarr5mpuJ7xz1v5h you advertise and want people to fund is not:
hd seed originated.
hardware wallet originated

heck you used a vanity gen which could have been compromised. where by the only reason no one stole from you is no one wants to tip you
balance received: 0

can i just ask why you dont want to advertise a HWwallet seeded segwit address/ LN channel as your tipping address?
(with all your promotions it seems hypocritical to not be using the things you advertise)

[fullhdpixel]

Having the hacker followed will not be going to bring the money back, they could literally sell it OTC and nobody would know, and they could have used a great mixer, or something like that to make this work, they could turn this into smaller chops and by far harder to follow up as well.

Long story short, there are a billion ways they could cash this into fiat in their bank account and nobody would be able to stop them. All in all, I would say that once an account is hacked, the money is gone, there is no way to return it to the original owner, any decent hacker who would be good enough to hack into it, would also know how to cash that out as well, that's easier to do.

[hatshepsut93]

I'm a bit late to the party, but want to share some thoughts.

First, it shows that not only "stupid" people or "noobs" get hacked. Anyone can make a mistake without realizing it. And anyone can become a target or catch some stray bitcoin-stealing malware. This should be a wake-up call to everyone to triple-check their storage setup and don't get arrogant thinking that you're a master of bitcoin security and can't be hacked. Instead look at yourself from a point of view of a hacker and think how can you get hacked.

Second, I see a bit of a privacy dillema here with Luke trying to find the thieves. If he succeeds, despite mixers and coinjoin, it would mean that Bitcoin privacy is not good enough to protect you from adversaries. What should Bitcoin (I'm talking about the whole ecosystem, not just the protocol) future look like - weak privacy that can be broken with certain effort, or complete privacy that protects everyone, even criminals?

[bbc.reporter]

This is another skeptical me argument hehehe.

"Don't trust, verify", remember? And then why trust somebody's claims, no matter who it is, if the things just don't add up?!

This might also be a way to prepare for an exit from holding bitcoin without being persecuted by the community? Claim he was hacked, mix the coins, keep the coins then sell on the next bull market when he has 10x of the present value. This is $20 million and very much enough for his retirement.

I love the mix of drama, conspiracy and price speculation
One thing that still looks odd is that all this shit show goes on only on Twitter. Nothing on Mastodon and nothing in here.
Another thing that must be cleared up is what was his actual "cold storage" setup.
And claiming that there's a CoinJoin in a tx that's actually clean...
...yeah, the things just don't add up. And I've got some logical explanations for this and that, still, far from enough.

I consider the hacking of 2 Twitter accounts easier than hacking into a cold storage.
The boating accident theory is also a not-too-bad idea.

Hehehehe I am happy than someone does not feel offended or antagonized with my replies.

In any case, similar to some of you the more time I spend thinking and speculating about this, the more I cannot believe or understand how a bitcoin developer and an expert in the cryptospace had his coins in cold storage stolen from him.

[franky1]

Second, I see a bit of a privacy dillema here with Luke trying to find the thieves. If he succeeds, despite mixers and coinjoin, it would mean that Bitcoin privacy is not good enough to protect you from adversaries.

bitcoin is private

no one knows the name of the entity moving the coins thus far.
no one knows the country of the entity moving the coin thus far.

bitcoin is not revealing that..
the point at which privacy breaks. is the KYC of using an exchange

[larry_vw_1955]

YOU said no one puts 200btc+ value on hotwallets.. so i responded that exchanges do..

that's because 200btc represents small percentage of their total owned. so it's like a normal person storing 0.005 btc on a hotwallet while they have 1btc on a paper wallet. not unreasonable right?

Second, I see a bit of a privacy dillema here with Luke trying to find the thieves.

assuming there are thieves. but a bigger issue is that's how satoshi designed bitcoin is so that whoever has the private keys can spend the money. if the thief sent all the money to a burn address what then? are we going to roll back the bitcoin blockchain? if so then bitcoin has no meaning...

[JayJuanGee]

Having the hacker followed will not be going to bring the money back, they could literally sell it OTC and nobody would know, and they could have used a great mixer, or something like that to make this work, they could turn this into smaller chops and by far harder to follow up as well.

Long story short, there are a billion ways they could cash this into fiat in their bank account and nobody would be able to stop them. All in all, I would say that once an account is hacked, the money is gone, there is no way to return it to the original owner, any decent hacker who would be good enough to hack into it, would also know how to cash that out as well, that's easier to do.

I have a hard time speculating that at some point the hacker is not going to make some kind of a mistake that causes his/her identity to become apparent, yet some of these cases take a long time to figure out - especially if the hacker ends up sitting on the coins and just hoping that with the passage of time, there is less attention on the matter.  I am sure that various kinds of USA govt officials are less excited about Luke's coins as compared with the 94k Bitfinex coins that they ended up getting after around 5 years or the 40k Loaded coins that they ended up getting after around 9 or 10 years.  Of course, there are likely several other examples, but those are the two that come to mind for me recently.... 200 coins?  are we paying attention? 

Are people with forensics paying attention?  Anyone besides CZ's public comment to keep his eyes peeled for the coins hitting his exchange, if that's going to work?  I am not sure.  Remember a few years ago when CZ had something like 7k coins hacked and asserted that he was going to get the chain rolled back.. hahahahaha.. that did not happen, and he got beat up publicly for making such assertions.

[franky1]

Remember a few years ago when CZ had something like 7k coins hacked and asserted that he was going to get the chain rolled back.. hahahahaha.. that did not happen, and he got beat up publicly for making such assertions.

oh your one of them types of people, still.. i thought you were getting better then that.. seems i came too early to treat you differently than them
anyways years ago
other people suggested to CZ about a possible roll back. he told wider community that he had talks with others who came up with suggestions and in same video he said his priority that week was to sort his server security and custody security, finding the bug/entry,loophole the hacker used.. and plug it..
.. and within 8 hours of video he made it clear he wont be doing a rollback.. thus it was a non starter-drama of meaningless effect that should have died within the same 8 hours of speculative chatter

timeline
8thmay 2019
8th: he done a AMA to explain why the maintenance event happened
where someone proposed TO HIM to do a roll back
https://www.pscp.tv/w/1mrGmvjpbqBJy
"this morning alot of people have offered us support, and there is a few topics i will discuss in this regard"
"the idea came from the community and i did not know that we could do that"
"To be honest, we can actually do this probably within the next few days. But there are concerns that if we do a rollback on the bitcoin network at that scale, it may have some negative consequences, in terms of destroying the credibility for bitcoin."

same day 8th
Quote

  After speaking with various parties, including @JeremyRubin, @_prestwich, @bcmakes, @hasufl, @JihanWu and others, we decided NOT to pursue the re-org approach. Considerations being:— CZ 🔶 Binance (@cz_binance) May 8, 2019

purple words are not CZ talking about something HE came up with

plus it was all a non event, no drama that extended for .. a few hours.
i dont like central exchange or luke.. yet even i can stay rational and keep to the facts..
.. wish some others would keep their biases aside

my biases atleast can be found in real data and activities that actually happened