Coin Robbery
Feb 27, 2018
My cryptocurrency is always safe from hackers. I keep them in the best wallet available and have no fear of being hacked. I just don't expose myself to that possibility, and that's a great peace of mind considering how much value these coins might have some day.
Things have been going well for me lately, and it had been a while since I hung out with my friends at the local bar. This time was different however, for now I was LOADED with my crypto winnings. The night is filled with loud conversations about riches and cars and yachts, etc.
Leaving the bar, walking home, I sense someone behind me, but before I get a look, there's an arm around my neck that smells like the bar I just left, and a gun to my head. A low voice says, "get your phone out of your pocket, and send me your crypto now, or you're dead."
Visions of a perfectly placed leg left kick with a simultaneous spin to knock the gun away from my head, fade off into both terror and remorse; acknowledgment that I really fucked up, and was about to lose everything. Tears in my eyes, I follow the perpetrator's instructions to the T, and he cracks me over the head as he leaves, ouch! goddamit...
Rewind.
Let's have some drinks at my friend's place, I suggest. Ok. Now we're in a safe environment, nobody can overhear us, and the talk about crypto and wealth continue late into the night. Life is good.
A week later, I wake up to the sound of someone cocking a gun in my face. My pistol remains out of reach in the top drawer. He handcuffs me to the radiator, grabs my phone, and demands the password to my wallet, which I don't even hesitate to relinquish. All my coins gone. Crack over the head...oh that fucking hurt. blackness.
Wake up in the hospital to see my friends. I ask them if they told anybody; but of course they said no.
Rewind.
I decide to stop talking about my crypto altogether, and don't have any more issues. Crypto is still obscure enough that there aren't many cypto criminals on the prowl..
A year goes by.. Pop! As in WOW, did my coins POP in a year! Bloody hellish rich! Even more importantly, my coins are now accepted everywhere! I never need fiat again!
I decide to try out my first retail purchase from a grocery store I always shop at. They're still new at this, but they take my coins with zero issues. My heart is aleap with joy!
Later that night I'm watching a movie, and before I knew what was happening, two guys have me pinned to the floor, yelling at me for the password to my wallet. I momentarily resist, and I was instantly smashed in the face, for sure blinded in one eye by the kick of a boot. Struggling for consciousness, and sobbing like a complete wreck, I give them the password, and all my incredibly valuable coins are gone into the night with them.
I could swear I saw one of them wearing a shirt with the collar labeled with the grocery store I visited. Hmm.. They must've checked the blockchain to see the balance of the account that I paid with.. I could probably eventually get them arrested, but who knows where that money will be by then.
Rewind.
Ok, let me try to makes things a little harder for crooks. I'll put some on an exchange, a very large chunk into escrow for a month where even I can't get to it, and another big chunk in a hardware wallet in a safe deposit box, and just a token amount in my phone wallet. That way I can just show any potential perpetrators the token amount and give it to them, and hope they don't hit me.
I again use my coins in a public venue, but at a fine restaurant. A week goes by, I hear the front door creak open; thought for sure I locked that? Hello? I didn't even notice the guy behind me, until he cocked the gun. The guy in front of me calmly says, hi, have a seat. He asks if I wanted anything to drink, I said no. He tells me to relax, nobody is going to get hurt if everything goes according to plan. I'm really scared now, mostly because of his lack of disguise; he's all in on this, and if he doesn't get enough to clearly leave the country with, well, I'm a goner.
He asks me to show him my phone balance. About $320 worth. He says, keep that. You're going to give me the pile where this $320 came from. Where did you get them?
I think to myself that they came from the hardware wallet, but he doesn't have to know that, they could just as easily have come from my exchange. He sits behind me while I clickety-clack my laptop into the exchange where I have about $26,000 worth of coins. He takes over the laptop and trades the coins into bitcoins, and sends them off. I'm actually relieved. He got his money, my bulk is safe, he should be leaving now right?
He says, I sincerely thank you for this money that I didn't know about, but I'm going to ask you again, and this is the last time I repeat myself, where did those "first" coins come from? I'm speaking about the $380,000 balance...
Me, uh.. uh......and a fist lands squarely in my face!! I'm on the floor, blood gushing out of my nose and mouth. I yell, ok ok ok, wait wait, I'll tell you, I have a hardware wallet locked in a safe deposit box at a bank.
The crooks both start laughing.. He says, fair enough, what kind was it?
And he opens a box of about 10 different types. He says, if you waste one second of my time lying to me, I will kill you.
I don't hesitate to point out the super-duper model I have, a little confused at what exactly he hopes to accomplish. He says, ok, where did you put the 12-word key?
I tell him almost defiantly, 4 words are in the bedroom, 4 more at my sisters, and 4 more at my friend's.
He says, ok, that probably sounded like a good idea when you thought of it, but let me ask you this, do you want your sister and friend to be alive tomorrow?
I now realize how beaten I am. I say, listen, I'll call them, get the words, I guarantee they won't know anything's amiss, just please don't hurt them, please!
He says, I'm not a psychotic person, I am a desperate person. Do what needs to be done, and nobody will get hurt.
I take a few deep breaths, wipe the blood from my face, and call my friend. He answers, he was sleeping.
Hey man, sorry to wake you. I got my wallet out of the safe deposit box but I had to reset it and I need those words again. He says, uhuh, ok..but I thought you said never over the phone. I reply, I know I know, next time for sure. I don't have time to drive over right now.
A minute passes, the words come over the phone, I hang up.
I call my sister, at this point I'm starting to lose it. The guy with the gun walks up and puts it right to my forehead and whispers, she's next if you fuck this up... Sister answers. I'm amazingingly clear and convincing, her life depends on it. She also gives me a pile of shit about asking over the phone when we made it abundantly clear that that wasn't allowed. I said, I know, next time for sure. I just need to get shit done tonight.
A minute passes, the words come over the phone.
He plugs the words into the twin device, my $380,000 balance in coins shows up, poof, sent away.
That has to be it. They can't possibly think I have more.
He looks at me, and with a little hint of pity, he says, friend, we are not done yet. Obviously, you understand that I need to move far far away if I'm going to have any chance of you not identifying me to the police. That takes a lot of money, a lot more money than I've already taken from you. Now I've put a great deal of thought into choosing you, because you obviously don't understand how the blockchain shows all history, and your history shows you connected to all kinds of big money from a single source, plus you've made every mistake possible trying to protect your money from people like me. You've clearly got sooo much more; I can see it in your eyes. Now tell me, where is the rest of it?
My fear turned to defiance. It's in escrow for a month! Even I can't get to it. Sorry.
He looks at me with sadness for a brief moment, not sadness at not being able to get the coins, but more sadness he felt for me, then gathers himself. He says, where is the private key for the escrow target address?
I look at him in surprise because at first I couldn't figure out what the point of that would be. Then I realize what's about to happen, and I really start panicking. No, no, no, no. He hushes me, says, you have only one choice to make right now, it's whether your sister lives or dies, but I'm sorry friend, you will not see another sunrise.
He's going to kill me. He's got to kill me so he can wait for that escrow clock to run out without me possibly being the first to move it when the escrow ends. Think... think...
Rewind.
I'm back at the fine restaurant, and there he is, one of the waiters. Luckily it is before I ordered, and I leave in a huge rush, knocking people out of the way as I exit. I'm sure I ran half a mile before my legs just wouldn't go any more. But nobody was behind me, the sun was setting, and the overload of stress I just endured finally overwhelmed me with knee-buckling sense of hopelessness and profound paranoia.
A couple days later, I'm sitting at a cafe, paying with cash, trying to understand what the fuck good are these coins if they are always so vulnerable to theft. I can't even spend them without revealing how much I have, and there just doesn't seem to be any clear way to protect myself.
Or is there..
I start to scribble some notes:
My dear friends in crypto, please recognize that walking around with a ton of crypto in your phone makes as much sense as walking around with the equivalent in fiat. Wake the hell up. You have to treat crypto and fiat exactly the same. Your passwords will crumble with a gun to your head, no less than you'd give up that billroll in your sock.
Even more important is that you understand blockchain transaction history is forever visible. Every time you use crypto (whether it be Bitcoin, Ether, Litecoin, XRP, whatever..), you expose your entire transaction history to fresh sets of eyes, clearly showing how much money you control, same as showing them your bank statement.
While there may be some external or built-in tools out there for coin transaction history obfuscation (called Tumbling) to address this problem, it is a very dark area in terms of law enforcement because tumbling seriously compromises money laundering investigations, and generally these tools will be illegal until they evolve to no longer inhibit law enforcement. Even more exotic coins with built-in tumbling are bound to run into severe regulatory issues when attempting to go into widespread commercial use (scaling issues notwithstanding).
There does appear to be a large security gap here, which leads to the following somewhat complicated proposed stopgap to obscure our source of funds until such time that better options exist. What is needed is a more elegant, regulation-compliant means by which to simply hide our historical transactions from the general public. For now, using exchanges as a form of legal Coin Tumbler makes the most sense to me.
The following instructions are painfully complex, but address a wide suite of risks. Some of you may not even be able to understand all the steps. At the very least, please only populate your phone wallet from your online exchange account, and don't keep a large balance on either the phone or the exchange. This is the biggest step you can take to protect yourself. However, if you have considerable wealth and are feeling frisky, the full strategy is below:
How to protect large crypto holdings from a physical heist
Shut the hell up about having made any money with your coin investments. Not in public, not in private, not with family, not with friends. Tell them the same thing. Mind your own business, and tell others to mind theirs. You're not just protecting yourself, you're protecting them. Bragging about money gets you, your friends, your family, robbed, kidnapped, blackmailed, if not killed.
I mean it. Shut. Up.
Don't you DARE potentially bring your loved ones or other acquaintances into harm's way with your misguided self-serving attempt to distribute your recovery/private key segments into their possession for your safekeeping. I sincerely hope this action becomes illegal some day.
Create a fresh wallet on your phone with a single address, which we'll call your "petty coins" address. In this address you never have more than a couple days worth of coins, equal to what you'd typically spend in a couple days with fiat/debit/credit cards combined. Never use this petty coin address for sums larger than this, and never let the balance drop below an amount required to satisfy a random street thug should you be robbed. The next step explains how to put coins in it. Do NOT keep any other wallets or source of funds in your phone. Remember, this is exactly like your fiat wallet, you can't walk around with a fortune in your pocket, ever; and you can't have phone access to a fortune either.
Open an account at an exchange that pools all their users' coins together on the blockchain; this we'll call the "Active Funds" account. Use a VERY COMPLEX INTENTIONALLY UNMEMORABLE PASSWORD that has your usual password as the beginning and a bunch of gibberish following, such as: MyUsual!PaswerdFH(&^GFIU*HS. Keep ONLY the gibberish part of it written down on a piece of paper in your home, preferably a safe. This exchange account is used SPECIFICALLY and ONLY for two purposes: A) making medium to semi-large purchases directly (don't ever make large purchases from your phone), and B) transferring coins to your petty coins address on your phone. Keep an expected 6 month's worth of petty cash on this exchange, and NEVER EVER log into this exchange from your phone; this account must never be accessible outside your home. This is your decoy amount that you will "willingly" relinquish to any criminal that has demanded you show the source of your petty funds. Keep the balance high enough that it should reasonably satisfy a thief.
Open another account at a different exchange that also employs coin pooling; this we'll call the "Throwaway account". Use this Throwaway account to first receive the 6 month's worth of petty cash coins from your cold stash (explained in next step), then immediately send those coins to the other "Active Funds" account from step 5, then permanently close this Throwaway account. Repeat as needed to replenish the Active Funds account. The point is to be able to truthfully tell a criminal that you migrated from one exchange to the other, but you will be unable to log in to the original account because it's closed, meaning the criminal will not be able to see where those original coins came from. The blockchain trail is cold. (You should also use Throwaway accounts for abnormally large purchases).
Keep the remainder of your coins on an air-gapped hardware wallet in a safe deposit box. This is your "Cold" stash. For the more sophisticated users, this step can be replaced with the repeated "escrowing" of your funds for months at a time. Escrowing is ONLY safe when the recovery keys are also out of your reach (as below).
Keep half the of the wallet's recovery key words on a piece of paper in a second safe deposit box at another location. Do not commit any of these words to memory. Mix these words with the same number of fake words that you will easily know are the fake ones (like every second word is a fake). This is some protection against brute force attacks should this safe deposit box become compromised for any number of reasons, including a court order. This fake word protection becomes near perfect if you use words from the same word list that the hardware wallet uses.
Keep the other half of the key words on a piece of paper in a safe at home. If a criminal demands to know if you have more coins, tell them that the rest is locked away in the safe deposit box, as well as some of the recovery key words. Keep all safe deposit box receipts to be able to demonstrate to a criminal that you're not lying, should it come to that.
I am the first to recognize that this method is exposed to law enforcement being able to commandeer your safe deposit boxes, perhaps dissuading the underground clique from following this exact process, but I haven't yet figured out how to safely store the hardware wallet and keys out of immediate reach, but tumbling remains an option for underground, so it may not even be an issue. For the rest of us, the law has many options at its disposal to seize your funds, or coercing you to fork over your funds, so having your wallet in a safe deposit box is really not increasing your vulnerability by much.
I would LOVE to hear any feedback/suggestions whatsoever to improve my above described strategy. That being said, I don't believe hiding/lying to a perpetrator should be part of any strategy. Pre-positioning is the smart approach. Should you encounter any scenario where someone has a gun pointed at you, do not lie, do not hesitate, do exactly as they say. Let your strategic setup be your protection.
I hope crowd-sourcing for further/improved ideas may very well surface a clear winning strategy that we can all use to keep our money, and ourselves, safe. Check back every so often for updates to this strategy.
Comments welcome at Twitter