Bitcoin developer @lukedashjr's wallet was hacked - page 10.

harlequininja

jr. member

Activity: 46

Merit: 13

Quote from: franky1 on January 02, 2023, 02:30:40 AM

speculated scenarios based on limited stuff said:

"email notifications from kraken/coinbase"
maybe the hacker got to the coins he had on an exchange

or

he uploads binaries for his bitcoin knots node to his server from github. hacker replaced binary with compromised one. luke downloaded binary from server without checking (who actually checks their own work if you believe you were the one that uploaded it(why check the binaries twice))
and then put his keys into the compromised binary of bitcoinknots and "byebye bitcoinio"

According to an article by ZyCrypto scenario B seems to be most likely.

Quote

Dashrj had reportedly used PGP to verify whether Bitcoin Knots or Bitcoin Core downloads were infected with malware before losing control of his keys in the process. Whereas Bitcoin Core is the most popular software used to connect to the Bitcoin network and run a node, Bitcoin Knots is a software with more advanced features than Bitcoin Core, but they are not as well-tested, making it more vulnerable to attacks.

https://zycrypto.com/crypto-community-on-high-alert-as-bitcoin-core-developer-loses-over-200-btc-in-hack/

So the blind spot probably was him working alone on this wallet/node software "BITCOIN KNOTS" . At least he was the responsible maintainer. By breaking his PGP they were able to mess with the source code probably and in the end even his 2FA which he introduced was comprised. Really tragic tale.

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

Quote from: headingnorth on January 04, 2023, 05:24:48 AM

Quote from: NeuroticFish on January 04, 2023, 04:53:21 AM

Quote from: Ucy on January 04, 2023, 04:49:20 AM

Part of the issue is irreversible transaction.
It would be safer to build a decentralized platform on top of Bitcoin where Bitcoin transactions can be reversed if unauthorized people gain access to users coins

You don't know what you're talking about. This would mean that anybody could reverse his transactions for no good reason. The merchants would have no reason at all to use Bitcoin, actually, it would be the opposite: they would avoid it.

Well any credit card transactions can be easily reversed by the credit card company or bank, but most merchants still accept credit cards.

That's done by centralized institutions you and the merchant (have no option but to) trust. Ucy was talking about decentralized platform where transactions can be reversed.

headingnorth

member

Activity: 248

Merit: 36

NO SHITCOIN INSIDE

Quote from: NeuroticFish on January 04, 2023, 04:53:21 AM

Quote from: Ucy on January 04, 2023, 04:49:20 AM

Part of the issue is irreversible transaction.
It would be safer to build a decentralized platform on top of Bitcoin where Bitcoin transactions can be reversed if unauthorized people gain access to users coins

You don't know what you're talking about. This would mean that anybody could reverse his transactions for no good reason. The merchants would have no reason at all to use Bitcoin, actually, it would be the opposite: they would avoid it.

Well any credit card transactions can be easily reversed by the credit card company or bank, but most merchants still accept credit cards.

I have reversed a few credit card transactions myself by simply calling my bank and asking them to do it when I felt the merchant charged me inappropriately or failed to render services. Most of the time the bank will do it. The merchant is usually given the chance to dispute the reversal.

Though I generally agree with bitcoin, transactions should probably not be possible to reverse. Or else you would need some person or persons to be the arbiter of any disputes and give them the power to reverse transactions. This would open a whole new can of worms.

If a dispute arises with a merchant that accepts bitcoin you simply can ask the merchant for a refund of your bitcoin. Failing that you can file a complaint with an authority or file a lawsuit.

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

Quote from: Ucy on January 04, 2023, 04:49:20 AM

Part of the issue is irreversible transaction.
It would be safer to build a decentralized platform on top of Bitcoin where Bitcoin transactions can be reversed if unauthorized people gain access to users coins

You don't know what you're talking about. This would mean that anybody could reverse his transactions for no good reason. The merchants would have no reason at all to use Bitcoin, actually, it would be the opposite: they would avoid it.

Ucy

sr. member

Activity: 2576

Merit: 401

Quote from: pawel7777 on January 03, 2023, 12:02:11 PM

....
If one of the most experienced devs can't keep his stash secure, how do we expect a random, way less tech-savvy users to do it?

So now, the average Joe will get the massage that self-custody is not safe and neither is holding on CEXs (i.e. because of FTX).

Part of the issue is irreversible transaction.
It would be safer to build a decentralized platform on top of Bitcoin where Bitcoin transactions can be reversed if unauthorized people gain access to users coins

headingnorth

member

Activity: 248

Merit: 36

NO SHITCOIN INSIDE

Quote from: pawel7777 on January 03, 2023, 12:02:11 PM

This is really bad PR for Bitcoin.

If one of the most experienced devs can't keep his stash secure, how do we expect a random, way less tech-savvy users to do it?

So now, the average Joe will get the massage that self-custody is not safe and neither is holding on CEXs (i.e. because of FTX).

The first round of news coverage is out:
https://www.cryptotimes.io/bitcoin-developer-luke-dashjr-reportedly-lost-200-bitcoins/
https://beincrypto.com/early-bitcoin-developer-luke-dashjr-loses-3-6m-btc-due-supposed-key-hack/
https://www.indiatoday.in/amp/cryptocurrency/story/bitcoin-core-developer-claims-hacker-stole-more-than-200-btc-2316348-2023-01-02

Will see if any of the major news outlets pick up on that story. Peter Shiff will surely have a field day with this one.

We've been through worse though.

I feel really sorry for Luke, can't even imagine what it's like to lose that kind of amount in such way.

This question is disingenuous. Dashjr broke one of the basic rules of self custody. Which is to never store your private keys online.

The average non-tech savvy person can secure their bitcoin by simply following basic security rules.

Whenever you buy any modern cold storage device such as a Trezor or Ledger it always warns you during initial setup of the device to never store your private keys on any computer, never take a picture of it, never store it on a hard drive, cloud, flash drive, etc. I know this because I own both a Ledger S Nano and a Trezor One.

I can't believe such a supposedly smart person actually stored his private keys on his computer. Does not matter if it was encrypted. Any encrypted file can be broken with software you can download from the internet. You don't ever store your private keys on any electronic storage device, period.

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

Quote from: bbc.reporter on January 03, 2023, 09:36:37 PM

This is another skeptical me argument hehehe.

"Don't trust, verify", remember? And then why trust somebody's claims, no matter who it is, if the things just don't add up?!

Quote from: bbc.reporter on January 03, 2023, 09:36:37 PM

This might also be a way to prepare for an exit from holding bitcoin without being persecuted by the community? Claim he was hacked, mix the coins, keep the coins then sell on the next bull market when he has 10x of the present value. This is $20 million and very much enough for his retirement.

I love the mix of drama, conspiracy and price speculation Cheesy

One thing that still looks odd is that all this shit show goes on only on Twitter. Nothing on Mastodon and nothing in here.
Another thing that must be cleared up is what was his actual "cold storage" setup.
And claiming that there's a CoinJoin in a tx that's actually clean...
...yeah, the things just don't add up. And I've got some logical explanations for this and that, still, far from enough.

I consider the hacking of 2 Twitter accounts easier than hacking into a cold storage.
The boating accident theory is also a not-too-bad idea.

larry_vw_1955

sr. member

Activity: 1036

Merit: 350

Quote from: pawel7777 on January 03, 2023, 12:02:11 PM

This is really bad PR for Bitcoin.

it certainly is. it makes people mistakenly think that maybe bitcoin is not secure.

Quote

If one of the most experienced devs can't keep his stash secure, how do we expect a random, way less tech-savvy users to do it?

very simple.someone can be good at one thing but terrible at another. it doesn't take an expert or a genius to keep their bitcoin secure. just someone that cares. cares to follow best practices.

Quote

I feel really sorry for Luke, can't even imagine what it's like to lose that kind of amount in such way.

well if it really did happen then it is likely his fault that it happened. onlyperson to blame is himself. that's bitcoin for you. that's how it was designed to work. you are your own bank. so you have to step up to the plate and keep your money safe. Shocked

maybe next time he'll set up an HD wallet and keep the seed offline on a titanium plate.

Wind_FURY

legendary

Activity: 2898

Merit: 1823

Quote from: franky1 on January 03, 2023, 07:36:36 AM

-Snip-

There was literally nothing in what you said that proves Luke Dashjr was compromised. LITERALLY NOTHING.

You merely said his religious beliefs, which many people already know, is very conservative to put it mildly. But that doesn't prove he is compromised. You continue with Segwit and start to try and gaslight everyone again with one long, senseless post. The franky1 we know. Haha.

bbc.reporter

legendary

Activity: 2926

Merit: 1440

Quote from: NeuroticFish on January 03, 2023, 05:41:08 AM

I tend to believe more and more it's a prank.

* The story is still only on Twitter and not on Mastodon, although it tells everywhere "Mastodon preferred"
* Stealing from the cold storage would be possible only if the user would be more than incredibly sloppy/uncautious.
* I don't think that somebody for so long in Bitcoin would ask for FBI help, and also would not do it on Twitter.
* Luke Dash Jr is (proudly!) asking for donations for his work; was he indeed owning 200 BTC ?!

I *know* that Peter Todd has confirmed the story, but the things still don't add up.

Quote from: franky1 on January 03, 2023, 05:29:29 AM

as for the supposed 'coinjoin mixer' scenario luke hints.. strange thing is his raided coins went into the 1YAR address.. but have not moved out.

Yes, that too; I've followed some of those transactions and it looks more a consolidation of funds than anything else.

This is another skeptical me argument hehehe. This might also be a way to prepare for an exit from holding bitcoin without being persecuted by the community? Claim he was hacked, mix the coins, keep the coins then sell on the next bull market when he has 10x of the present value. This is $20 million and very much enough for his retirement.

harlequininja

jr. member

Activity: 46

Merit: 13

I hope the community will be able to come up with a proper report of the events once @lukedahjr's is capable of explaining what actually has happened since this is probably a lesson that should be taken very seriously, IMHO. I've been following the developments of Bitcoin for some time and I was never convinced by this bold claims like "Bitcoin fixes this", "In code we trust" or "not your keys, not your Bitcoin". As long humans are involved there will be no way to create a trust-less system. BitcoinMaxis would be well advised to accept this and act accordingly.
Today I've read an article by Jameson Lopp about the Death of SMTP

https://blog.lopp.net/death-of-decentralized-email/

Quote

My fellow Bitcoiners: we must remain vigilant and we must push back against the creeping advance of tyranny. If we become complacent, if we settle for convenience over security, we can expect this elegant protocol to morph into a monster.

Although I couldn't agree more, I'm really surprised that Lopp himself didn't take notice of the current events in his twitter timeline although this is a crucial example how decentralization in Bitcoin could evaporate in no time.

More tutorials and best practice examples are needed apart from other opensource wallets like Electrum or ArmoryWallet that provide the basis for a full node.

pawel7777

legendary

Activity: 2436

Merit: 1561

Quote from: OgNasty on January 03, 2023, 01:23:49 PM

It seems a little hard to believe that so much BTC could have been left available for hackers to access. My first thought was that this was a lost my private keys in a boating accident type of incident. The timing of it along with him publicly messaging the FBI… Just seemed almost like theater. I hope for lukedashjr that this is some sort of cautionary tale, but everyone seems to be taking it as a legitimate loss, which is absolutely terrible.

Heh, I knew that someone will make a "boating accident" reference here. I agree his tweets looked a bit off - the one you mentioned + that "Help please" part, that just didn't sound like him. But I take into account that those funds might have very likely been a majority of his life savings, so losing that would put anyone into despair and make them act irrational/unusual.

Speculating on him pulling the "boating accident" - there would have to be some sort of trigger, say he's in debt and creditors are on his back, or wife announced she want's a divorce etc. I don't think we have anything like that here, so would rule that out (for now).

OgNasty

donator

Activity: 4732

Merit: 4240

Leading Crypto Sports Betting & Casino Platform

It seems a little hard to believe that so much BTC could have been left available for hackers to access. My first thought was that this was a lost my private keys in a boating accident type of incident. The timing of it along with him publicly messaging the FBI… Just seemed almost like theater. I hope for lukedashjr that this is some sort of cautionary tale, but everyone seems to be taking it as a legitimate loss, which is absolutely terrible.

pawel7777

legendary

Activity: 2436

Merit: 1561

Quote from: fillippone on January 03, 2023, 12:48:27 PM

Quote from: nullama on January 03, 2023, 12:32:22 PM

An average Joe that wants self-custody today will generate a seed phrase on an air-gapped device, so they will be in a more secure setup than what Luke had.

I am afraid you are overstimating the capabilities of the average Joe. Not because generating a seed on an air gapped device is difficult "per se", but because the average Joe is lazy as fuck.

^ I was going to post this but you beat me to it.

But there's also an ugly truth, that unless you possess relevant skills yourself, there's always some trust involved. For hardware wallets - you have to trust that manufacturers are competent and that they have not put anything malicious there. For offline generated wallets, you have to trust that address generating software is legit and that address is truly random and nor generated according to some easy-to-replicate pattern etc.

"Freedom ain't free" I guess.

fillippone

legendary

Activity: 2114

Merit: 15144

Fully fledged Merit Cycler - Golden Feather 22-23

Quote from: nullama on January 03, 2023, 12:32:22 PM

An average Joe that wants self-custody today will generate a seed phrase on an air-gapped device, so they will be in a more secure setup than what Luke had.

I am afraid you are overstimating the capabilities of the average Joe. Not because generating a seed on an air gapped device is difficult "per se", but because the average Joe is lazy as fuck.

nullama

hero member

Activity: 980

Merit: 957

Quote from: pawel7777 on January 03, 2023, 12:02:11 PM

~snip~
If one of the most experienced devs can't keep his stash secure, how do we expect a random, way less tech-savvy users to do it?

So now, the average Joe will get the massage that self-custody is not safe and neither is holding on CEXs (i.e. because of FTX).
~snip~

Luke wasn't using a modern wallet, he was using old private keys, and it seems he generated those keys, or at least seems to have some kind of information about those keys in a device connected to the internet.

An average Joe that wants self-custody today will generate a seed phrase on an air-gapped device, so they will be in a more secure setup than what Luke had.

darkangel11

legendary

Activity: 2296

Merit: 1335

Defend Bitcoin and its PoW: bitcoincleanup.com

^^^
This guy is conveniently playing into CZ's hands. I wouldn't be surprised if this was a much bigger plot aimed to scare people away from self custody and making Binance a monopoly. They need those bitcoins to fill the gaps made by people who took money out after FTX drama.

Quote from: bbc.reporter on January 02, 2023, 08:38:43 PM

I know Luke is a religious and a God fearing person who will never do something shameful only to avoid paying taxes. If this was Justin Sun it would be different hehehehe.

There's just too many religious murderers and thieves out there. Many of them used religion to justify what they were doing. This is by no means an argument in his favor.
By the way, isn't Richard Heart a Christian?

pawel7777

legendary

Activity: 2436

Merit: 1561

This is really bad PR for Bitcoin.

If one of the most experienced devs can't keep his stash secure, how do we expect a random, way less tech-savvy users to do it?

So now, the average Joe will get the massage that self-custody is not safe and neither is holding on CEXs (i.e. because of FTX).

The first round of news coverage is out:
https://www.cryptotimes.io/bitcoin-developer-luke-dashjr-reportedly-lost-200-bitcoins/
https://beincrypto.com/early-bitcoin-developer-luke-dashjr-loses-3-6m-btc-due-supposed-key-hack/
https://www.indiatoday.in/amp/cryptocurrency/story/bitcoin-core-developer-claims-hacker-stole-more-than-200-btc-2316348-2023-01-02

Will see if any of the major news outlets pick up on that story. Peter Shiff will surely have a field day with this one.

We've been through worse though.

I feel really sorry for Luke, can't even imagine what it's like to lose that kind of amount in such way.

franky1

legendary

Activity: 4214

Merit: 4458

the bit about gentoo(linux) and "they got it all" is about that he said he found malware that was script kiddie made but made to target his system(s) specifically

this means its the same people that were hacking him since november exploring his systems and then editing their malware to follow a path they seen so that they can get deeper into his system with each attack and get more access to things
..
manually hacking and exploring takes time which means more time for victim to spot an attack. but if you make a bot do most the work and you add on new paths per attack to automate the process so that you can get deeper each time before getting spotted then you have better chance of getting valuable data sooner with less attacks needed to explore the system

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Quote from: fillippone on January 03, 2023, 08:10:50 AM

New development:

How would CVE-2019-15847 be leveraged to make completely deterministic private keys in the first place? Libsecp256k1 that is used inside Bitcoin Core doesn't even use any RNGs from any APIs - it directly seeds from /dev/urandom.

Topic: Bitcoin developer @lukedashjr's wallet was hacked - page 10. (Read 12796 times)