Nation-States hunting for SEEDs?

[Forsyth Jones]

If you have a separate machine only for your financial needs and operations and you use it properly, it won't get infected with malware and crypto address hijackers. You wouldn't be interacting with anything that can cause that. Worst case scenario, such malware infects your day-to-day computer and unless the malware can spread all over your network and connected devices (unlikely), the most important machine stays safe.   

What I see being little disclosed, but the risk is imminent, is when thousands download Windows activators/crackers. These are downloaded from random, unverifiable websites, such as KMSpico (activator software). There have been mentions that they may be full of malware designed to steal cryptocurrencies and banking data...

Imagine how many people have activated their Windows/office using cracked software and are using wallets on these activated Windows systems, and are at risk right now?

I don't remember any claim or news LUKS is broken, unless when the password is weak or encryption/decryption key generated in not secure manner. But it's worth to mention that,
1. LUKS2 is more modern and secure than LUKS1.
2. The encryption/decryption key usually stored on either RAM or CPU, which makes it vulnerable to advanced attack/hack.

When I installed Kubuntu, I enabled encryption at the Linux boot process during startup, I believe it's LUKS1 or 2.

[Pmalek]

What I see being little disclosed, but the risk is imminent, is when thousands download Windows activators/crackers. These are downloaded from random, unverifiable websites, such as KMSpico (activator software).

That's another example of unwanted and suspicious software that should have no place on a computer you use in connection with anything related to money. Linux is free and open-source. Everyone can get it. Those who insist on sticking with Windows can get a digital license for cheap. Many are provided with the laptops you purchase. There are free and open-source alternatives to most popular licensed and paid software. Cracks, keygens, and torrents are a no-go on machines meant to protect your livelihood. 

[Synchronice]

Heads up, crypto users.

Things are getting serious.

Ledger’s CTO has raised alarms about “zero-click” spyware attacks ^{reportedly backed by nation-states} with the aim of stealing SEED phrases stored on mobile devices. In such cases hackers can compromise your device without you clicking anything and very often through apps like WhatsApp or Signal.

It goes without saying: if your seed phrase is exposed, your wallet will be emptied.

Stay alert and vigilant.

It's ironic, isn't it? When Ledger's CTO warns us about the danger related to stealing our crypto wallet's seed phrases when it's the Ledger that has been lying to its customers for so many years about how securely their seeds were placed on secure chip and how impossible it was to extract them from this chip. Anyways, it's still nice to get any valuable information, even if it sounds ironic from the teller.

When will people learn that hardware wallet is still the best way to keep your crypto safe?

Depends on the wallet. Ledger's hardware wallet is not the best option but Passport and Coldcard are definitely a superior options. Airgapped computers/laptops are also an amazing option.

Step number 1 for staying vigilant - Don't use WhatsApp. I mean come on. Its problems are well-documented.  Telegram isn't that much better unless you only use E2EE chats, but I would be surprised that Signal can make the user infected like this.

Through what I understand, people can collect data on your location and other info from the cell tower you're connected to, but it eludes me how people can craft a malware that defeats the hardware security module (HSM). Is that not impossible?

Signal included into the list really socked me. Okay, Whatsapp is Meta's product and I don't trust it, I only use it for the work and I don't find Telegram attractive too but Signal in the list? I don't know.

[NotATether]

Imagine how many people have activated their Windows/office using cracked software and are using wallets on these activated Windows systems, and are at risk right now?

Very little, because the actual cracked software usually comes from Russia, where there are a lot of hackers who specialize in this trade, but the phony .EXE malware versions of the cracks are usually created by various different hacker groups to put a drainer or place you in a botnet or something.

Signal included into the list really socked me. Okay, Whatsapp is Meta's product and I don't trust it, I only use it for the work and I don't find Telegram attractive too but Signal in the list? I don't know.

I'm not sure. I never really used Signal that much.

[Forsyth Jones]

Very little, because the actual cracked software usually comes from Russia, where there are a lot of hackers who specialize in this trade, but the phony .EXE malware versions of the cracks are usually created by various different hacker groups to put a drainer or place you in a botnet or something.

I agree, these cracked software programs are often provided in youtube video descriptions, resulting in many people getting infected. "Nothing" suspicious might happen on the victims' PC, but there's certainly a botnet or spyware running to act at an opportune moment.

Unfortunately, people in poor countries still download a lot of pirated software. I don't trust anything cracked after I started doing self-custody. I recall having a small amount of BTC stolen by the clipboard malware, which I was using on Windows 7 or 8 in 2016.

Signal included into the list really socked me. Okay, Whatsapp is Meta's product and I don't trust it, I only use it for the work and I don't find Telegram attractive too but Signal in the list? I don't know.

I don't know, I used Signal a few years ago and liked its concept, it was a cleaner messenger. Unfortunately, private messengers aren't very popular due to the massive advertising by big techs.

[Cricktor]

... losing their bitcoins to malware like Clipboard Hijacker because they use hardware wallets on malware-infested computers and don't check the sending addresses.

Commonly you don't need to check your sending addresses, because they're usually your own ones (only you should have the private keys to sign transactions spending coins from those sending addresses; I omit cases of multi-sig and importing partially signed transactions).

You should always carefully check every output addresses before you sign a transaction with your hardware signing device. For this very reason it's mandatory that your signing device has an own independant display that can't be manipulated by the software wallet that hands over the transaction to be signed.

Signal included into the list really socked me. Okay, Whatsapp is Meta's product and I don't trust it, I only use it for the work and I don't find Telegram attractive too but Signal in the list? I don't know.

I'm not sure. I never really used Signal that much.

Signal is open-source. Threema is open-source. Those who can read code, can inspect what those open-source apps do behind the curtain (reproducible builds would give you then confidence to know that the executable does exactly what the source code shows).

Just because billions of (possibly brain-washed and -diluted) WhatsApp addicts use the Meta app doesn't mean everybody has to, too. There are decent alternatives, like Signal and Threema. I use both.


I don't know why people use hot wallets on mobile phones that contain more than "pocket money" value. Yeah, I guess it's sooo convenient...

I have Wallet of Satoshi and Phoenix Lightning hot wallets on my mobile, no more than roughly a total of 200k Sats in both of them. If I'd need more it would be only very temporarily.

Other open-source Bitcoin Mainnet wallets I would setup only as watch-only wallets on my mobile phone, no private keys or seed inside and use a hardware signing device to sign off transactions. But frankly I rarely need this mobile use case. I have a dedicated used business laptop, Linux with full filesystem encryption, which I use for my crypto wallet stuff. My SPV wallets talk to my own Bitcoin node and Electrum server to maintain as much privacy as possible for my wallet's addresses.

It's a bit funny how people put trust in Android and iOS devices to handle their money stuff when Android and iOS fight regularly and repeatedly with security issues. OS and mobile frameworks simply became too complex and big mobile tech fights against windmills.


If I'd put my conspiracy enchanted tinfoil hat on, get my brain cooked enough... ding! ...now it's ready: the massive penetration of society with heavily desired mobile phones makes those devices almost perfect spy-on-you tools. Do governments want to exploit this? Possibly in their wet dreams. Some more ruthless governments: why wouldn't they not?
Does mobile tech comply with governments wet dreams? Can't say, hope not. Can you verify? I don't think so!

There are complex components (baseband chip, SoCs and whatnot else) which are not open at all. We all have to trust and pray that our mobile phone spy bugs don't do much nasty stuff.

Phew, can't keep that tinfoil hat on for more than a few minutes, brain wave resonance makes me dizzy...

[Pmalek]

Unfortunately, people in poor countries still download a lot of pirated software. I don't trust anything cracked after I started doing self-custody. I recall having a small amount of BTC stolen by the clipboard malware, which I was using on Windows 7 or 8 in 2016.

On an unrelated note, address poisoning is becoming more and more common. Scammers monitor addresses and have surely automated software in place to strike as soon as a potential victim transfers crypto to one of the addresses that scammers find attractive.

I moved some altcoin over Ethereum yesterday from address A to address B. Only a few minutes after, I received two incoming transactions from addresses similar to my own. The first few and last few characters were identical. If I didn't know what I was doing or how to use wallets properly, I could copy one of the 'poisonous' addresses that looks similar to mine the next time I make a similar transaction and the money is gone.   

[Cricktor]

On an unrelated note, address poisoning is becoming more and more common. ...

Well, address poisoning scams only work because a lot of people are negligent and possibly don't know how to efficiently check public addresses. I strongly believe that proper address verification should be basic crypto currency 101.

It might be convenient when a wallet offers target address suggestions, but this just aids address poisoning scams. If there were an option to turn this off, I'd do it.

For the record and how I usually check (I don't claim my method is the best or the only one; it simply worked for me all the time):

• check a handful of symbols at the start, around the middle and at the end of a public address
  (for Bitcoin: don't account public address prefixes like 1..., 3..., bc1q..., bc1p... for your symbol match count)

If your checking for start, ~middle and end areas match, the rest will match, too, because it's practically near impossible to have a different address that matches all three areas, especially when you have a bit of wiggle room in the middle.

My sample space is likely miniscule, but this method never failed me.

For hex string addresses like in Ethereum space, I find it harder to check.

Anyway, for your own safety, do not skip to check all output addresses thoroughly, regardless what crypto currency you use. Make it a habit to really never skip this. It's an easy middle finger to address poisoning scammers.

[Forsyth Jones]

That's another example of unwanted and suspicious software that should have no place on a computer you use in connection with anything related to money. Linux is free and open-source. Everyone can get it. Those who insist on sticking with Windows can get a digital license for cheap. Many are provided with the laptops you purchase. There are free and open-source alternatives to most popular licensed and paid software. Cracks, keygens, and torrents are a no-go on machines meant to protect your livelihood. 

It was recently discovered that a version of KMSPico contains a Clipboard Hijacker monitoring victims' clipboards to replace crypto addresses divert funds.
There are several videos on Youtube warning not to use these Windows activators, especially KMSPico, as it's suspected of being infested with malware and we already have news about people being robbed.
https://www.bleepingcomputer.com/news/security/hacker-arrested-for-kmsauto-malware-campaign-with-28-million-downloads/

-snip-
I moved some altcoin over Ethereum yesterday from address A to address B. Only a few minutes after, I received two incoming transactions from addresses similar to my own. The first few and last few characters were identical. If I didn't know what I was doing or how to use wallets properly, I could copy one of the 'poisonous' addresses that looks similar to mine the next time I make a similar transaction and the money is gone.   

Have you received dust attacks with addresses similar to yours, similar to this example here?



This attack is becoming very common, as there are people who access the public address of a block explorer, copying the address from the last transaction, which is a mistake, as it could be a poisoned address.


I've seen a report with a video on reddit from a victim showing the clipboard hijacker in action, where the victim withdraws an altcoin from binance, he provides Trezor's public address, checks it on the withdrawal confirmation screen and on the Trezor display, but after confirming the withdrawal, the funds were diverted to a completely different address (it didn't appear at any time on the confirmation screens). Is it malware that injects a fake confirmation screen, where it hides the real address (of the attacker)?
https://www.reddit.com/r/TREZOR/comments/1onokoc/urgent_my_binance_withdrawal_to_trezor_wallet_was/

[Pmalek]

Have you received dust attacks with addresses similar to yours, similar to this example here?

Yes, but on the Ethereum network. The image you are showing is for bitcoin. I have never experienced the same on the Bitcoin network.

I've seen a report with a video on reddit from a victim showing the clipboard hijacker in action, where the victim withdraws an altcoin from binance, he provides Trezor's public address, checks it on the withdrawal confirmation screen and on the Trezor display, but after confirming the withdrawal, the funds were diverted to a completely different address (it didn't appear at any time on the confirmation screens). Is it malware that injects a fake confirmation screen, where it hides the real address (of the attacker)?
https://www.reddit.com/r/TREZOR/comments/1onokoc/urgent_my_binance_withdrawal_to_trezor_wallet_was/

I don't think that's your standard clipboard hijacker. His clipboard wasn't hijacked in the normal fashion. He copied the correct address from his Trezor and pasted it into his Binance account. The correct address was also confirmed on the hardware wallet. Only after the transaction was sent from Binance do we see that it got sent to a different address.

This is something else and maybe a combination of a few things. Fake Trezor software or firmware, fake Binance exchange, a malicious browser, script, or extension that replaces crypto addresses in the background, or something like that. He did something very wrong to catch that nasty thing.

[UmerIdrees]

So I do not expect anyone to still be using any online devices to hold their coins, it is highly dangerous. But I can have little amount of coins on a mobile wallet which I can afford to lose.

For Bitcoin, yes, one can keep it offline or an airgapped device, etc, but what about people storing altcoins and especially the stable coins in Unstoppable or Trust Wallet (I don't recommend this wallet), etc ? Does this mean that we are at risk if we keep our coins in the Unstoppable wallet ?
Also they do not have any desktop version, so what are our options for altcoins storage

[Forsyth Jones]

I don't think that's your standard clipboard hijacker. His clipboard wasn't hijacked in the normal fashion. He copied the correct address from his Trezor and pasted it into his Binance account. The correct address was also confirmed on the hardware wallet. Only after the transaction was sent from Binance do we see that it got sent to a different address.

This is something else and maybe a combination of a few things. Fake Trezor software or firmware, fake Binance exchange, a malicious browser, script, or extension that replaces crypto addresses in the background, or something like that. He did something very wrong to catch that nasty thing.

Yeah, it could be a combination of several factors. It's more likely that he downloaded cracked software or a game, and that same installer may have downloaded several other malware programs through malicious ddls to increase its success. This means that if you identify a clipboard hijacker on your machine, it should be considered a red flag, as it's very likely that its malicious code may be downloading several members of the same family of highly undetectable malware.

For Bitcoin, yes, one can keep it offline or an airgapped device, etc, but what about people storing altcoins and especially the stable coins in Unstoppable or Trust Wallet (I don't recommend this wallet), etc ? Does this mean that we are at risk if we keep our coins in the Unstoppable wallet ?
Also they do not have any desktop version, so what are our options for altcoins storage

There's always the risk of your online machine being compromised by an infostealer that can scan your machine in seconds. Malwares is increasingly using encryption techniques to remain undetectable by antivirus software. So you never know if your device is infected.

A hardware wallet like Trezor is considered a "secure" device because the private keys are stored on the device's chip and transactions are signed in the device's isolated environment, invalidating any malware from acting there (to date, I haven't heard of any malware obtaining private keys from such a device). Besides supporting various altcoins, you can use it on your Android/iOS device (depending on the model, like Safe 7).

I prefer airgapped wallets like Passport, Coldcard or Krux (for Bitcoin), but for those who want to store altcoins, the best alternative is Trezor.

For more information about multicoin wallets, visit this thread: list Multicoin Open Source Wallets

[Pmalek]

Does this mean that we are at risk if we keep our coins in the Unstoppable wallet ?

You are at risk keeping your coins anywhere if you don't know what you are doing. You can mess up in different ways on an airgapped setup as well. They are not bulletproof against accidents and mistakes. But they are inherently safer than hot wallets. Let's not forget that hardware wallets weren't around in the early days of Bitcoin. Bitcoin Core was and can still act as a hot wallet, but you wouldn't call it unsafe, right? It's what you do on the device where you have installed your Bitcoin software that can make your wallet and your coins more or less safe.

[Satofan44]

If you have a separate machine only for your financial needs and operations and you use it properly, it won't get infected with malware and crypto address hijackers. You wouldn't be interacting with anything that can cause that. Worst case scenario, such malware infects your day-to-day computer and unless the malware can spread all over your network and connected devices (unlikely), the most important machine stays safe.    

How people spend their money in this day and age is possibly the worst that it has every been. They will buy overpriced subscriptions, clothes and whatever other junk that they have but meanwhile they won't buy a second laptop or phone. The machines that are required to solely run wallets or other financial software are very cheap. As the OP mentions zero-click vulnerabilities for phones, you can't be hacked this way if you use crypto on a separate phone that is solely for that and that remains offline all of the time that you don't use it. This security measure is simpler and better than most technological solutions that one could think of, simply because the phone has a very limited surface of attack and limited activity. I have some old phones like that with different things, they are offline 99.99% of the time and never has a single one been compromised.

What I see being little disclosed, but the risk is imminent, is when thousands download Windows activators/crackers. These are downloaded from random, unverifiable websites, such as KMSpico (activator software). There have been mentions that they may be full of malware designed to steal cryptocurrencies and banking data...

Imagine how many people have activated their Windows/office using cracked software and are using wallets on these activated Windows systems, and are at risk right now?

The biggest distributor of spyware, Microsoft, told you that activator software tools some of which have been working for more than a decade are full of malware? Propaganda does not even need to be complicated these days, people buy it all up just sprinkle some fear into it. There are going to be malicious actors in everything, that does not mean that all or even most of the activators are risky.

Signal included into the list really socked me. Okay, Whatsapp is Meta's product and I don't trust it, I only use it for the work and I don't find Telegram attractive too but Signal in the list? I don't know.

I'm not sure. I never really used Signal that much.

Whether software has vulnerabilities has nothing to do with the privacy goals behind the software, there is no reason to be surprised that Signal is on the list. The reason why it is there is because it has gained popularity and is important enough to devote significant resources to attack it.

It was recently discovered that a version of KMSPico contains a Clipboard Hijacker monitoring victims' clipboards to replace crypto addresses divert funds.
There are several videos on Youtube warning not to use these Windows activators, especially KMSPico, as it's suspected of being infested with malware and we already have news about people being robbed.
https://www.bleepingcomputer.com/news/security/hacker-arrested-for-kmsauto-malware-campaign-with-28-million-downloads/

Bad, but this is nothing compared to the number of systems activated by these or similar tools. It is in the hundreds of millions of devices. Of course some malicious actors will jump on the opportunity, still the data shows that it represents a small amount of devices that actually have a malicious activator. The amount stolen would be much higher otherwise. Anyway there is no reason to use Windows at all, and if someone does need it they can install it in a virtual machine without a network adapter. That way it is not going to be a problem even if you put a malware-infested copy of Windows on it. The exception would be malware that targets the VM but average users commonly don't stumble upon that.

You are at risk keeping your coins anywhere if you don't know what you are doing. You can mess up in different ways on an airgapped setup as well. They are not bulletproof against accidents and mistakes. But they are inherently safer than hot wallets. Let's not forget that hardware wallets weren't around in the early days of Bitcoin. Bitcoin Core was and can still act as a hot wallet, but you wouldn't call it unsafe, right? It's what you do on the device where you have installed your Bitcoin software that can make your wallet and your coins more or less safe.

Most of the hacks are due to complete incompetence of the user or some really dumb mistakes. It is probably 99.9% of the hacks. Even in the case that is given here, it is because the users are using crypto wrong. They have a significant amount of crypto on a mobile device, and it is the one that they actively use and have many other installed applications. That's 3 large mistakes chained into 1 scenario. I would be very concerned only if we see some very sophisticated hacks, but fortunately everything points out that the tools that are available and the cryptography that is used is very sound.

[Pmalek]

How people spend their money in this day and age is possibly the worst that it has every been. They will buy overpriced subscriptions, clothes and whatever other junk that they have but meanwhile they won't buy a second laptop or phone. The machines that are required to solely run wallets or other financial software are very cheap. As the OP mentions zero-click vulnerabilities for phones, you can't be hacked this way if you use crypto on a separate phone that is solely for that and that remains offline all of the time that you don't use it.

The last time I tried to orange-pill a good friend of mine, I gifted him and his wife some bitcoin, taught them how to check their address, how to spend the coins when the times comes for them to do it, and a bunch of beginner tips. I thought he understood my lessons. They said they had actually been thinking about purchasing bitcoin for a few months, so my gift was a good starting point. Several months later when we talked about BTC again, he said he gave up the idea of adding to his stash. I wasn't trying to push him or anything but asked what made him change his mind. He said, he is never going to have enough savings to buy one whole bitcoin. Btw, he knows, he doesn't have to buy a whole bitcoin and he knows about sats.

You mentioned subscriptions and what people spend money on. He initially found the idea of hardware wallets or a separate device for bitcoin appealing. Again, he changed his mind with time and decided it was an unnecessary investment. He has a mobile phone after all and he can do everything he wants with it. His words, not mine. The same phone his son uses to download and play dozens of games, whose ads he says all over the place. It's a miracle that something hasn't gone to sh** already because he uses the same device for banking and his family's finances.

So, hardware wallets are stupid and buying anything less than one bitcoin is also stupid. He asked me about VPNs and which ones are good. When he found out that a good one would require a €5 or €10 monthly subscription fee, he decided that they were a dumb idea as well. At the same time, he is subscribed to Netflix, Amazon Prime, DAZN, Disney, Apple TV, HBO, and God knows what else. 

You just can't help some people.   

[LoyceV]

You should always carefully check every output addresses before you sign a transaction with your hardware signing device. For this very reason it's mandatory that your signing device has an own independant display that can't be manipulated by the software wallet that hands over the transaction to be signed.

I only recently found out there's a thing called "blind signing" for shitcoins like Ethereum. Instead of confirming each address on your screen, you have to tell your hardware wallet to just trust the software again. So that's how people got all their coins stolen from their hardware wallet.

[DubemIfedigbo001]

If you have a separate machine only for your financial needs and operations and you use it properly, it won't get infected with malware and crypto address hijackers. You wouldn't be interacting with anything that can cause that. Worst case scenario, such malware infects your day-to-day computer and unless the malware can spread all over your network and connected devices (unlikely), the most important machine stays safe.   

What I see being little disclosed, but the risk is imminent, is when thousands download Windows activators/crackers. These are downloaded from random, unverifiable websites, such as KMSpico (activator software). There have been mentions that they may be full of malware designed to steal cryptocurrencies and banking data...

Imagine how many people have activated their Windows/office using cracked software and are using wallets on these activated Windows systems, and are at risk right now?

There is even a bigger risk which is that people download that software to be installed before crack from third-party cracked software providers like getintopc and it is obvious compromised software gets into their Pcs. They now crack with the KMSpico and the damage continues.

Furthermore, less tech-savvy people do not actually download their software themselves but rely on the services of the computer engineer to install his own software for them which may be compromised. Most of the engineers copy software from their peers and install for their clients, including operating systems, so if a compromised software enters a location of PC engineers, it has the ability to spread quicker and attack a wide range of clients who patronize them.

[goldphysicalbitcoin]

I had a friend buy some Bitcoin and kept stressing the importance of security to him. Hardware wallets weren’t really popular yet at the time, so I suggested he install the Bitpie app on a dedicated phone and set a very strong wallet password. Unfortunately, he later forgot the password, and those two Bitcoins have been stuck there ever since, unable to be moved.
For people new to cryptocurrency, securely storing assets is indeed a major hurdle. Sometimes I even feel that leaving funds on a large, reputable exchange might actually be safer than self-custody. Security really is one of the biggest barriers to wider adoption of cryptocurrency. Perhaps in the future, major crypto platforms will introduce insurance mechanisms similar to those in traditional banks.

[Pmalek]

I had a friend buy some Bitcoin and kept stressing the importance of security to him. Hardware wallets weren’t really popular yet at the time, so I suggested he install the Bitpie app on a dedicated phone and set a very strong wallet password. Unfortunately, he later forgot the password, and those two Bitcoins have been stuck there ever since, unable to be moved.

I have never heard of Bitpie or know anyone that has used it. By the sound of it, it looks like a custodial service. Is it? Did your friend not generate a seed phrase or received private keys to the addresses where he sent his bitcoin? Wallet passwords are meant to encrypt files locally, so that if an unauthorized third-party got hold of them, they couldn't abuse them. But you should always be able to recover your wallet elsewhere using a recovery phrase or individual private keys.

[Forsyth Jones]

Bad, but this is nothing compared to the number of systems activated by these or similar tools. It is in the hundreds of millions of devices. Of course some malicious actors will jump on the opportunity, still the data shows that it represents a small amount of devices that actually have a malicious activator. The amount stolen would be much higher otherwise. Anyway there is no reason to use Windows at all, and if someone does need it they can install it in a virtual machine without a network adapter. That way it is not going to be a problem even if you put a malware-infested copy of Windows on it. The exception would be malware that targets the VM but average users commonly don't stumble upon that.

But the simple fact that it's an activator, which can be hosted by any site, without any provenance, closed source code, and so on, is all unfavorable signs that you shouldn't install it on a PC with an unactivated Windows, because what are the chances of not having something very unpleasant there?

The simple fact that it's not open source and that there's no official team behind it already makes me want to stay away from this kind of thing. It's true that just not using Windows eliminates these problems, but if there's no other way, for example, having a pc for work to run things that only work on Windows-compatible software, the best thing is not to tempt fate and acquire a license. Besides, nowadays computers already come with pre-activated OEM Windows licenses...

I had a friend buy some Bitcoin and kept stressing the importance of security to him. Hardware wallets weren’t really popular yet at the time, so I suggested he install the Bitpie app on a dedicated phone and set a very strong wallet password. Unfortunately, he later forgot the password, and those two Bitcoins have been stuck there ever since, unable to be moved.
For people new to cryptocurrency, securely storing assets is indeed a major hurdle. Sometimes I even feel that leaving funds on a large, reputable exchange might actually be safer than self-custody. Security really is one of the biggest barriers to wider adoption of cryptocurrency. Perhaps in the future, major crypto platforms will introduce insurance mechanisms similar to those in traditional banks.

A person who isn't prepared to manage their own Bitcoin custody without relying on third-party services like exchanges isn't ready for Bitcoin. They can buy BTC through other means like ETFs, but either way, it's contradictory because Bitcoin isn't theirs. Bitcoin is an anti-censorship tool. And the most I can imagine of what you described is a bank providing indexed bitcoins in Excel...