Bitcoin hacker returns stolen coins

Wednesday 16 July 2014

We recently explored the story of how an early bitcoin adopter and major NXT stakeholder lost over $1 million of cryptocurrency to a hacker. Androklis Polymenis (better known by his forum handle kLee) announced an unprecedented 500 bitcoin bounty for information leading to the return of his money. Since then, things have moved fast and a resolution has been reached. Here’s how the story ended – and what lessons were learned along the way.

1) Some of the money was returned
The huge bitcoin bounty – over 40 percent of the stolen 1,170 bitcoins – generated a frenzy of interest. The prospect of a $300,000 reward on his head understandably proved to be a source of considerable anxiety to the hacker. 


As many noted at the time, people will go a long way for $300,000, and in a year or two that sum could have grown to $3 million if bitcoin appreciated along its historical path. One likely outcome was that the episode would end very badly for both victim and perpetrator, with the hacker violently hunted down and the bitcoins changing hands to another criminal rather than being returned to kLee.

The hacker contacted kLee and offered to send back 462 bitcoins, on the condition that kLee called off the hunt. Although it seemed like he was in a strong negotiating position at this point, kLee chose to think of his dependents and accepted the offer, preferring to get back some of his money rather than run the risk of losing it all. The 462 coins have just been returned, in two instalments, and kLee has publicly cancelled the bounty. Of course, the hacker still holds some 700+ stolen coins, and there is no honour among thieves. Whether kLee’s statement will be enough to convince the bounty hunters to back off, or whether they will go freelance, remains to be seen. (Suffice to say that I still wouldn’t want to be in the hacker’s shoes. The fact that he even made the offer suggests enough information had been gathered that he considered his capture a distinct possibility.)

Alongside the bitcoin, several million NXT were also stolen. These were sent to the BTER exchange, where a large number were sold for bitcoin, crashing the price of NXT in the process. The good news is that swift action by BTER froze the hacker’s account, and around 3 million NXT were ultimately returned. Since the stolen funds included 2.8 million NXT earmarked for NXT infrastructure spending, this was a welcome development for the NXT community. For legal reasons the transfer was made only after identities had been confirmed and the hacker, contacted at his sign-up email address, had agreed to the deal.

2) The community response was exceptional
Cryptocurrency operates in an unusual environment. Whereas in the real world, banks and government would be tasked with recovering or compensating stolen funds, the almost regulation-free ‘Wild West’ crypto landscape emphasises personal responsibility.

There is no centralised body you can appeal to, or that has accountability for allowing the theft to happen.

In many similar instances, stolen funds have been lost forever.

In this instance, the NXT and bitcoin communities showed remarkable unity. Although there were inevitable recriminations (especially since some of the money belonged to the NXT infrastructure fund), the overall mood was one of outrage against the hacker. A $300,000 reward always helps improve sympathy, but even before this was offered there was a sense that this wasn’t going to be taken lying down. This is encouraging, because crypto can be harshly individualistic: a capitalism-on-steroids environment in which only the fittest survive. If real progress is to be made towards common goals outside of a traditional legal and regulatory framework, something needs to take the place of those safeguards – namely trust and solidarity, as proved to be the case in this instance.

3) Beefed-up security
The $1 million heist was a reminder that no one should take security for granted. It is still unclear how the hacker gained access to kLee’s machine or accounts, but poor key handling played a key role: the private keys were stored in unencrypted text files on his computer and in a Dropbox account, so once an attacker reached either copy, nothing stood between them and the funds.

Although this was asking for trouble, the lesson was learned by anyone who kept up with the story. Hackers will find more ways to steal your crypto than you can imagine. Some of the things you can do to protect yourself:

  • Use strong passphrases (35+ random characters) for NXT, where the passphrase itself is what the account’s private key is derived from, and cold storage for your bitcoin private keys
  • Encrypt any file that holds passphrases or private keys, even on your own computer, and above all in folders synced to a cloud service, which copies plaintext to every linked device and to the provider
  • Run virus and malware checkers regularly
  • Do not trust third parties (whether cloud storage or hot wallets) to look after your private keys
  • Don’t click on suspicious links

The episode has also resulted in renewed urgency in implementing and using multi-sig accounts (spending requires more than one key, so a single compromised machine or key file cannot drain the funds) and other security measures that would have avoided the theft of community funds. More than simply being a convenience for large crypto holders, such improved measures will actually be fundamental to reassuring new entrants to the market and giving confidence to the next wave of ‘Average Joe’ investors. Expect further developments in this space, as well as increased regulation and insured storage services.

See how the story of the bitcoin bounty unfolded here.

Brandon Hurst
