What do you do when a hacker steals crypto to the value of $1 million? In the 1996 film Ransom, instead of paying $2 million to the kidnappers who take his son, Mel Gibson offers the money to bounty hunters, knowing he stands a better chance of getting his son back alive. Such sums of money are a powerful incentive, which is why one bitcoin and NXT holder offered up a 500 bitcoin bounty for the return of stolen funds.
by Brandon Hurst
Earlier this week, Androklis Polymenis was shocked to find that a hacker had managed to gain access to all of his cryptocurrency accounts. The scale of the theft was immense. As well as owning over 1,000 bitcoins, Polymenis – who goes by the handle kLee on the forums – was one of the original NXT stakeholders who had scored a 31 million share of the new currency. He also held account details for the NXT infrastructure fund of some 2.8 million NXT (around $130,000 at current prices).
The hacker cleaned out kLee’s crypto stash, netting himself over $1 million in cryptocurrency. Some of this went straight to BTER and was cashed out, causing a temporary crash in the price of NXT – though it seems that some of that may have been bought back, essentially using the exchange as a mixer to ‘launder’ the stolen coins. The bitcoins, which represent around $725,000, have apparently not yet been sold. Polymenis has offered a bounty of almost half the amount – 500 bitcoins or $310,000 – for information leading to the apprehension of the hacker and return of the money.
You can find more details about the episode, blockchain records, relevant information and the reward here.
How did it happen?
As is so often the case, a security lapse was to blame. It’s not entirely clear what happened, but it seems that the hacker was able to gain access to a file that contained the private keys and passphrases in plain text. There are a number of ways he could have done so:
- Physical access to the computer, with a keylogger installed
- Access gained remotely through malware delivered via a link posted on the victim’s Facebook page
- Access to a backup kept on Dropbox
Of these, it appears that the last is most likely. A copy of the unencrypted password file had been left on Dropbox and forgotten about. The Heartbleed bug of some weeks ago may have opened an opportunity for a hacker to break into the account. (It’s also just possible that an unscrupulous employee read it – allegedly, this is something that can happen in theory.)
In any case, whatever happened could have been prevented by using cold storage and/or encrypting the password file. It’s an expensive lesson for the whole community, since infrastructure funds were stolen too. As an aside, it’s also worth reviewing your own security: hackers will go to great lengths to take your cryptocurrency.
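As an added example of the "review your own security" advice (not code from the original article): a Python check that finds checksum-valid Bitcoin WIF private keys sitting in plaintext in a sync or backup folder, run here over constructed sample file contents. A hit means that file needs encrypting or moving to cold storage before it is synced anywhere; the key encoder is included only so the sample can be built offline.

```python
import hashlib
import re
# Base58 alphabet used by Bitcoin's Wallet Import Format (WIF).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidates: 51 chars starting with '5' (uncompressed) or 52 starting with 'K'/'L' (compressed).
WIF_RE = re.compile(r"\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b")

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def checksum(body: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]

def make_wif(privkey: bytes, compressed: bool = False) -> str:
    """Encode a 32-byte key as WIF: 0x80 || key [|| 0x01] || 4-byte double-SHA256 checksum."""
    body = b"\x80" + privkey + (b"\x01" if compressed else b"")
    return b58encode(body + checksum(body))

def is_valid_wif(s: str) -> bool:
    """True only if the payload carries the WIF version byte and its checksum verifies."""
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    return len(raw) in (37, 38) and raw[0] == 0x80 and checksum(raw[:-4]) == raw[-4:]

def find_plaintext_keys(text: str) -> list:
    """Checksum-valid WIF keys in a blob of text (the regex alone would over-match)."""
    return [m for m in WIF_RE.findall(text) if is_valid_wif(m)]

def scan_files(files: dict) -> dict:
    """Map file name -> number of plaintext keys, for files that contain any."""
    return {name: len(k) for name, text in files.items() if (k := find_plaintext_keys(text))}

# Constructed sample "sync folder": the forgotten backup holds a constructed test key.
TEST_KEY = bytes.fromhex("0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d")
SAMPLE_FILES = {
    "wallet-backup.txt": f"btc: {make_wif(TEST_KEY)}\nbtc-c: {make_wif(TEST_KEY, True)}\n",
    "notes.txt": "exchange login reset on Monday; nxt passphrase moved to cold storage\n",
}
```

Running `scan_files` over a real directory only needs the file contents read in; the checksum step keeps random base58-looking strings (addresses, transaction ids) from being reported as keys.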
Fast action by BTER
There is a silver lining in the form of BTER, who were above reproach in their response when informed that stolen funds had been sent to their exchange. BTER swiftly froze the relevant accounts once made aware of the problem – not soon enough to prevent a significant quantity of NXT being sold, but fast enough to stop over 3 million NXT being lost. That represents not only the infrastructure fund but a few hundred thousand of kLee’s own NXT, too. Once BTER had established the identities of the real owners and the nature of the theft, with the help of known members of the community and signed tokens, negotiations began to return the funds (subject to legal issues being resolved satisfactorily, since these were stolen coins).
The bottom line is that BTER’s fast action provided very welcome damage limitation and they deserve full credit for their diligence in the matter.
500 bitcoin bounty
Sadly, the same cannot be said for the stolen bitcoins. At the time of writing, they are on the move in the blockchain. If they are sent to an exchange there may be some recourse – maybe. If they go to a tumbler, things become more complicated – legally and practically, since the result will be a mixture of stolen and legitimate coins in the same account. The good news is that the BTER account registration may have yielded some information (IP address, email and so on), though any smart hacker would have used Tor and a throwaway email to register.
To incentivise the bitcoin community to track down the thief, kLee has offered a reward of 500 bitcoins to recover his stolen funds – almost half the full amount and an unprecedented bounty to bring a crypto criminal to justice. It’s already gone viral across Twitter, Reddit and elsewhere on the web, and you can bet that a lot of people have just taken a keen interest in the story.
Someone, somewhere, has almost $1 million in stolen crypto in a series of accounts that are suddenly being monitored by dozens or even hundreds of very interested parties. You can get a long way on $1 million – but people will go a long way for $300,000, too. This one’s going to be worth watching.