On a daily basis, Cryptoforensic Investigators gets inquiries from people who had their Bitcoin or cryptocurrency stolen from them in a hack and who seek our assistance tracking and recovering the cryptocurrency. A considerable amount of the time, these individuals think or believe they had an “extremely secure setup” and seek to place blame on other parties (besides the thief/thieves) for the theft, under the impression that such parties ought to bear responsibility. The parties they blame generally fall into one of four categories:
- Cryptocurrency Exchanges (in the event of theft from an exchange account)
- Mobile Service Providers (in the event of a SIM-Swap)
- Cloud Hosting Providers (e.g. Google, Dropbox, in the event of a seed phrase breach)
- Hardware Wallet Manufacturers
In this post, we detail why we believe the responsibility (insofar as the root cause) for the hack lies with those that fail to heed security warnings and the thief/thieves in question and discuss the most successful ways to recover stolen cryptocurrency accordingly.
Personal Responsibility & Custodianship
One of the core aspects of Bitcoin and other cryptocurrencies, which people sometimes forget, is that it requires people to take full custody (and the responsibility associated with that custody) of their own money. “Be your own bank” is a phrase commonly heard in cryptocurrency circles and a phrase that bears repeating here. Taking custody of your own money requires a certain sense of responsibility.
If you lose your private keys or seed phrases the funds are gone forever. No one’s there to help you remember your password. Likewise, if someone else gets a hold of your private keys or seed phrases, they can easily steal your funds. Frankly, this level of security and personal responsibility for securing one’s assets is something that the vast majority of cryptocurrency users aren’t prepared for, much less equipped for.
For hundreds of years, we’ve lived in an age whereby institutions like banks are the ones taking responsibility for the custody of most financial assets, especially valuable ones. The money you have in your bank account isn’t yours. It belongs to the bank. The money in your bank account is merely an IOU issued by the bank. This way, if the password to your online bank account gets stolen and someone steals your funds, your bank can often adjust that IOU accordingly. Likewise, if you lose your password it’s not a problem either.
When a bank is the victim of a robbery, it’s the bank’s assets being stolen, not customer assets. The bank is responsible for its own security, thus it is directly responsible for the theft of its own assets, and can write off such losses accordingly. Granted, banks almost always pay to insure their assets against theft so they don’t become insolvent in the event of a major theft.
The only financial assets other than cryptocurrency that people have the ability to take full custody of are commodities like gold (which are generally impractical to self-store securely at least in larger quantities) and cash. If you had the cash in your wallet stolen, who would you hold liable? The ATM of the bank that gave you the cash because they “failed to ensure you stored your cash securely”? The wallet manufacturer? Of course not! The thief is responsible, not the service providers.
When a person’s account on a cryptocurrency exchange is hacked resulting in loss of cryptocurrency, people sometimes like to pin the blame on the exchange. To be more specific, I’m talking about when a user account is breached here; not the exchange or their reserves as a whole. “They should have done a better job securing my account” or “They failed to identify suspicious activity and allowed the withdrawal” or “They didn’t do their due diligence by verifying exactly who requested the withdrawals”. A breach of an email account is most often involved here as well.
But here’s a newsflash: a cryptocurrency exchange is NOT a bank. And just because you send cryptocurrency to them just as you would fiat to a bank, doesn’t make the two analogous. You aren’t paying the exchange to compensate you against theft in the event your own account is breached. While some cryptocurrency exchanges are insured, that insurance is for a breach of the exchange itself — not insurance against users failing to properly secure their exchange accounts (or the means to access the exchange accounts.)
Exchanges offer a variety of tools to secure your account, and most people who are hacked don’t use them all or fail to use them correctly. They often fail to use app-based 2FA, in favor of no 2FA or SMS 2FA, which is highly insecure. Often the email account they use for the exchange is compromised, which enables the theft.
But even if the exchange lacks security features or even if you used all available security features, the hacker didn’t defeat the exchange here. They defeated your account with your credentials which you set up and took responsibility for.
It’s incredibly difficult for an exchange to justify covering incidents of theft associated with breaches of user accounts anyways, for a variety of reasons. For one, if they were to cover it, it would encourage irresponsibility of account holders since they know losses would be reimbursed in the event their account is hacked (also, this could give the account holder an incentive to pretend they were the victim of a ‘hack’ themselves). In short, utilization of a cryptocurrency exchange is not a step to lazily avoid the (neither difficult nor time-consuming) security measures needed for self-custody; in fact, securing credentials, whether for an exchange or for self-custody, is equally important.
That being said, I do personally expect more custodians to pop up in the near future that offer to cover incidents of theft due to unauthorized account access. A few already exist, but they’re only practical for institutions, not habitual day-traders or HODLers. In all likelihood, since these custodians can’t truly trust individuals with their own credentials, besides enforcing mandatory app-based 2FA and mandatory secure password changes, there will also be a premium charged as a percentage of the assets stored, perhaps in the 0.5%-2% range, making it cost-prohibitive to most people.
A percentage-based premium is the only way a business can justify offering this type of service since the custodian’s potential liability is proportional to the value of assets stored by each respective individual. Furthermore, such custodians may insist on in-person or video verification for withdrawals. Chances are if you’re reading this article you probably won’t be interested in this type of service as an individual.
Mobile Service Providers (Phone Carriers)
Cryptoforensic Investigators deals with SIM-Swapping incidents resulting in cryptocurrency theft quite frequently; so frequently, in fact, that we wrote the SIM-Swapping Bible with MyCrypto. Some people use SMS as a form of 2FA to secure their online accounts, thinking it makes them more secure. In a SIM-Swapping attack, a hacker ports someone’s phone number onto a SIM they control. This enables them to log into accounts for which they already have the password (since many passwords have already been exposed in database breaches). But even if they don’t have someone’s password, having control of their phone number allows them to reset many accounts, since they’re able to receive the necessary verification codes via SMS.
First, a phone number gets ported onto a new SIM card the hacker provides to a mobile service provider. In many cases, they are able to do so by finding publicly accessible information about their target online, allowing them to successfully impersonate them. Sometimes, the social engineering of employees is involved to some degree. In some cases, the hacker has someone ‘on the inside’ at the mobile carrier able to port phone numbers for him or her, or in very rare cases works at the mobile service provider themselves.
The logic some people have is that if their mobile service provider ported their phone number without their permission, or didn’t implement safeguards to prevent it from being done fraudulently, that they ought to be liable for their mistake, including all damages or losses that arise as a result. And that’s precisely where we at Cryptoforensic Investigators strongly disagree.
Why Your Mobile Service Provider Isn’t Responsible for Losses Caused by a SIM Swap
First, the vast majority of instances of phone numbers being ported are legitimate. Mobile service providers can’t stop porting numbers from SIM cards given that virtually everyone wants their phone number carried over from one SIM card to the next. But even more importantly, the way cellular numbers are issued was never designed to be remotely secure to begin with given how easy it is to port phone numbers.
The concept of two-factor authentication via SMS came well after the existing mobile infrastructure was designed and set up. SMS 2FA was a feature built much later on by IT professionals who didn’t properly realize the security flaws inherent in it. And it certainly wasn’t built with the intention of securing access to millions of dollars worth of assets which hackers have a very high incentive to breach. If companies including financial institutions and even governments choose to utilize an individual’s phone number as a security layer (which it was never designed to function as), there’s no reason to hold the mobile service provider liable for such a breach.
The security issues inherent with SMS are well known by now, as already widely published in the news. But most people think it can’t or won’t happen to them. The reality is a SIM Swap can happen to literally anyone and everyone, including us at Cryptoforensic Investigators, and there’s literally nothing we can do to prevent it from occurring. The key is to make sure that a SIM Swap, if it does occur, cannot harm you in any way; it shouldn’t be any more than an inconvenience for you. Never use your phone number as a form of 2FA and never use your phone number as a backup recovery option.
Not only was SMS never designed for security, but it’s also not something you’re paying your mobile service provider for. If a mobile service provider could potentially be liable to you to the tune of millions of dollars, they would be charging you MUCH higher rates than people who aren’t using SMS to secure their assets in any way. The responsibility for the root cause of the theft lies with the individual with inadequate security.
Cloud Storage Providers (Google, Apple, Dropbox, Microsoft, etc…)
When a person has a personal wallet of theirs breached (as opposed to an exchange account), whether it be a desktop wallet, hardware wallet, or mobile wallet, in the vast majority of cases it’s a seed phrase compromise. The vast majority of seed phrase breaches occur due to breaches of their cloud storage accounts such as Gmail, iCloud, Google Drive, Evernote, Outlook, and Dropbox, which people store their seed phrase on (sometimes inadvertently) despite very clear instructions not to do so. People often email themselves the seed phrases, or take pictures or screenshots of them, which they may or may not realize gets uploaded to the Google Drive or iCloud account as a backup.
It is these backups that are the most common breach vector. The security of these accounts is often inadequate, often due to insecure passwords, compromised passwords, and lack of usage of app-based 2FA. If someone is able to access your account by using your credentials, it’s your fault for not having your account set up securely; in all likelihood, the hacker provided the correct credentials (yours) — that being said, you definitely should not be using any form of cloud storage to store your cryptocurrency (i.e. seed phrases) anyways. There are almost always instructions or even warnings about taking very specific actions, such as “write this down” and “do not store this online”.
Even if a large scale breach were to happen whereby many accounts are breached through no fault of your own (as has happened with Yahoo), and your data on the cloud is accessed as a result causing cryptocurrency loss, it’s still your fault for using them to financially secure your cryptocurrency assets. Speaking of which, how much are you paying Google for access to your Gmail account and what insurance premium are you paying them relative to the percentage of cryptocurrency assets of yours a hacker could obtain if they got access to your account?
That’s what we thought.
Hardware Wallet Companies
The final party we want to discuss that victims sometimes like to blame are hardware wallet companies like Ledger and Trezor. These companies offer very clear instructions on how to secure your hardware wallet, which individuals sometimes don’t follow. That being said, security is never something you can perfect. You have to store your seed phrase somehow, and that can be breached. But if you are breached after following their instructions, the blame still lies with you and the thief in question, in our opinion.
Besides the standard seed phrase breach (often associated with compromised cloud storage), there’s one other type of attack we want to address that people sometimes try to hold such companies liable for: the Supply-Chain Attack.
The Supply Chain Attack
A supply chain attack involves an intermediary or middleman intercepting the hardware wallet before it’s delivered to the customer and viewing the seed phrase before the customer receives it. This allows the middleman to steal funds from the end-user once they put funds on the device, under the impression that no one else ever had access to the seed phrase. Is it fair to hold the hardware wallet manufacturer liable for such a breach?
First, it should be noted that hardware wallet manufacturers take ample measures to prevent such a supply chain attack from occurring: using a ‘tamper-proof seal’, advising never to buy second hand or from unauthorized resellers, advising customers to closely inspect the box to make sure it’s unopened, as well as a variety of other security measures. Furthermore, they are very careful about who they do business with and certify companies as ‘authorized vendors’ accordingly.
It should be noted that in all incidents we’re aware of thus far, supply chain attacks have occurred in secondary markets (eBay, Craigslist, or “a friend”) or by unauthorized vendors. The hardware wallet manufacturers obviously have no way to prevent such sales and resales from occurring despite warning people otherwise, thus clearly have no liability in such instances since devices should already be presumed to be compromised.
Unlike phone carriers and cloud storage, when you buy a hardware wallet, you’re paying for a device designed for the purpose of securing cryptocurrency. Thus, one could reasonably expect the device should be able to do its job within reason (allowing for the occasional vulnerability) and that the device should not be compromised when acquired directly from the manufacturer. Hypothetically, if there was an internal breach and an employee of the manufacturer viewed the seed phrase (no such breach has ever happened, just to be clear), it would likely be reasonable to hold the manufacturer responsible (along with the employee) since the device is being purchased for the express purpose of securing cryptocurrency and it would probably be reasonable to assume the source (manufacturer) itself should not be compromised.
The question that remains is whether or not the manufacturer ought to hold any liability in the event that a breach occurs with a partner of theirs, namely an authorized reseller or shipping company. It could be said that hardware wallet manufacturers take ample security measures to prevent a supply chain attack, but due to the inherent nature of shipping, it’s not reasonable to be able to guarantee that a package could not be secretly opened during transit. It would likely be argued that the manufacturer conducted sufficient due diligence here thus would not be liable.
If the seed phrase is compromised due to a corrupt authorized reseller, the manufacturer obviously cannot ever definitively conclude that an authorized reseller is not and will never be knowingly engaged in a supply chain attack, but they do their due diligence to minimize that risk. Presumably, they will have identifying information about any corrupt authorized reseller that they would be able to provide to law enforcement, so we believe it makes more sense to go after the authorized reseller if such an incident were to happen, rather than holding the manufacturer liable. Plus, the individual chose to purchase from the reseller rather than from the manufacturer directly anyways. Fortunately, there’s an easy solution to avoid this type of risk: just purchase from the manufacturer directly.
Recovering Stolen Cryptocurrency
“So if blaming these parties for my security breach isn’t the solution, what’s the best way to recover Bitcoin stolen from me?” The answer is by seeking justice against the thief or criminal that illegally breached your cryptocurrency wallets or accounts. At first, this might seem like a large or even impossible undertaking. This is because most people typically only have a very vague idea of how cryptocurrency is tracked, and given that the attacker is anonymous in most cases, sometimes believe an investigation won’t readily be able to identify the hacker. And if you’re of this opinion, from a wealth of experience we can tell you that in almost all instances you’re simply and downright wrong.
Going after the thief in question isn’t just practical; it’s also the most likely to lead to the successful recovery of stolen Bitcoin or cryptocurrency. But we can also say that simply reporting the incident to law enforcement without conducting a proper investigation is not ideal either. This is because law enforcement generally lacks the experience, knowledge, skills, and time-bandwidth (resources) to investigate such cases; the quantity of well-trained personnel has simply not caught up with the caseload law enforcement has faced. They like to go after “low-hanging fruit”, especially where the work has been done for them. And for that, you are going to need an expert capable of properly investigating your case.
That is precisely what Cryptoforensic Investigators does; through a combination of Bitcoin tracking (blockchain forensics), Open Source Intelligence (OSINT), and Off-chain intelligence, we fully investigate incidents and produce highly actionable reports for law enforcement, effectively serving them the case on a “silver platter” so that even if we are unable to identify the name of a suspect initially, it gives law enforcement actionable intelligence on where to look so the criminal can be identified and brought to justice so that ultimately, stolen cryptocurrency can be recovered.
The criminal, once identified, doesn’t get to keep the proceeds of the hack. In many cases, the criminal will hand over the funds as part of a plea deal (if not outright seized), but even if the criminal were to claim that no or few funds remain, they would typically be held responsible for proving that — presuming the right questions are asked. Plus, other assets can be seized in lieu, such as Lambos (we’re still working on moons), particularly if the hacker used the proceeds of crime to acquire them.
The alternatives here are either to simply write off the hack as a loss and move on, or to attempt to sue one of the four aforementioned parties. Those who attempt to sue do so, in our opinion, without understanding the likelihood of recovery via law enforcement channels, and think pursuing an anonymous hacker has a much lower likelihood of recovery. They see these companies, which at least are known and have physical addresses, as much easier targets (which have money), and they sometimes have lawyers who help them reinforce these beliefs, whom they, of course, hire for their lawsuits. In our opinion, they are wrong.
The road to cryptocurrency recovery via law enforcement isn’t always a short one, but it does work a considerable portion of the time with the help of a professionally conducted investigation and it’s by far the best course of action to take if you’re the victim of a hack where you’re seeking to recover stolen Bitcoin or cryptocurrency.
Note: Nothing in this article shall be construed as legal advice