What would you do if a hacker stole all your bitcoin?
An early Bitcoin adopter lost his entire stash to a dodgy wallet more than five years ago — and he says he knows exactly who did it
Velishchuk Yevhen/Shutterstock modified by Blockworks
It’s the heat of a bitcoin bull market and you’ve just been phished for all your crypto.
If you’re anything like Colorado resident Andrew Schober, you’d turn to Reddit.
Back in 2018, Schober unknowingly downloaded a compromised iteration of the Electrum bitcoin wallet he’d found on the /r/BitcoinAirdrops subreddit.
Buried inside the phony wallet was malware: a clipboard hijacker designed specifically to phish bitcoin.
The malware would take any outbound Bitcoin address on Schober’s machine and mimic it, replacing the intended recipient address with one controlled by the hacker.
Schober, who’d been slowly acquiring bitcoin since 2014, ended up losing 16.5 BTC ($487,000) sent via the dodgy software — 95% of his net worth.
The bitcoin was valued at $180,000 when he was phished, but $1.1 million at bitcoin’s all-time high in 2021. Schober considered it “life-changing money.”
“I came across a link to the malware on Reddit and installed it on my PC and realized pretty quickly that it wasn’t doing what it was advertised to do,” Schober told Blockworks. “So I just deleted it off my PC and didn’t think about it anymore.”
“But unfortunately, once that Trojan is installed on your hard drive, deleting the original source program doesn’t get rid of the Trojan. So from that point forward, it was monitoring my hard drive for any time I copied a Bitcoin address.”
The malware was pre-coded with 195,112 different BTC addresses. “It doesn’t just change the Bitcoin address to some random new address,” Schober explained. “It matches the first few characters of the address you copied. So it looks pretty visually similar and if you’re not really paying attention, you won’t catch the difference and that’s what happened to me.”
Four of those addresses ended up receiving BTC from unknowing victims around the time of Schober’s attack, which considerably narrowed his scope.
Tracing stolen bitcoin through Monero
The beauty of the blockchain is in its open ledger. Almost all crypto transactions leave breadcrumbs that form a digital paper trail.
Most often, following that trail involves stepping through transfers to track where coins end up. But for anonymity-focused Monero, secondary data such as IP addresses, social media activity and even protected crypto exchange data helps link transactions beyond a reasonable doubt.
In Schober’s case, he’d traced bitcoin that had been stolen by the same malware to ShapeShift, the long-serving platform for atomically swapping between cryptocurrencies.
ShapeShift, for a time, maintained an API that shared addresses involved in its swaps. The API data showed Schober’s attacker had swapped BTC for XMR, as well as the addresses used.
So, Schober posted on Reddit, asking if it were possible to trace Monero transactions. Nick Bax, an on-chain investigator and asset recovery specialist, answered the call.
“He got like five replies that were like: ‘No, that’s impossible.’ I sent him a direct message that said: ‘This is really hard to do. But I’ve done it before. And I know one lawyer who managed to get funds recovered once,’” Bax told Blockworks.
Bax ended up submitting on-chain evidence identifying the hacker as part of Schober’s lawsuit filed in May 2021 — more than two years ago. Part of that process involved analyzing Monero transactions to determine, with high confidence, the provenance of XMR featured in attempts to launder Schober’s stolen BTC.
He coded the Monero-tracing software himself. “You flag an output [strings that instruct the Monero blockchain where to direct transactions] and look for every transaction that could possibly have spent that flagged output. When you do that, patterns start to emerge.”
This method of cracking Monero ring signatures — now known as an Eve-Alice-Eve (EAE) attack — popped up in the fallout of the prolific North Korea-fueled ransomware campaign WannaCry that started in 2017.
“Monero’s RingCT…hides the exact UTXO being spent, but does provide blockchain analysts with a list of plausible ‘ring members,’ one of which is being spent and the remainder of which are ‘decoys,’” Bax wrote in a blog unpacking his investigation.
A now-patched bug in Monero may have made separating real UTXOs from the decoys — and thus tracing the transactions — easier at the time.
A brilliant idea: Subpoena the FBI
Bax determined that Schober’s alleged hacker had converted some BTC stolen from another victim to XMR through ShapeShift, before sending it back through the protocol to transform it into BTC once more.
The washed BTC was directed to what’s known as a “vanity address” that started with “1BeNEdict.”
As for Schober’s bitcoin, that ended up on Bitfinex. Crypto exchange hot wallets are effectively black boxes, as their balances represent pooled customer funds.
Once crypto goes into a hot wallet, it’s almost impossible to determine where they’re withdrawn to unless the amounts are identical and uncommon — and even that proof is not definitive.
That’s where Schober and Bax’s investigation sat for more than a year. Stuck. Schober had subpoenaed Bitfinex to disclose the owner of the accounts which received the pilfered BTC, but he was stonewalled.
“Bitfinex will only respond to law enforcement requests for customer information, not civil requests, because Bitfinex does not get involved in civil matters, in particular in the United States since US courts do not have jurisdiction over us,” Sarah Compani, Bitfinex legal adviser, told Schober’s lawyer Ethan Mora via email in response.
“The reason that some of these crypto exchanges like FTX and Bitfinex incorporate in the British Virgin Islands or the Caymans is for those legal reasons, where they don’t necessarily have to abide by US law, or any other law,” Schober said.
“They can just be down there and be kind of extrajudicial. They didn’t even really give us an answer.”
Blockworks has reached out to Bitfinex for comment.
With no way into Bitfinex directly, Mora initiated what’s known as a Touhy request to the Cyber Division of the FBI — demanding documents and other information related to the agency’s own investigations into the malware. Schober had reported the hack to the FBI just after he lost the bitcoin.
“The FBI started to issue subpoenas to companies that were involved in the malware, like Reddit [where it was posted] and GitHub, which was hosting it,” Schober said. The subpoenas happened in late 2018, early 2019. The FBI had even seized his computer for a few months as part of their investigation.
It took around 10 months, but the Touhy request worked. Suddenly, Schober’s team had internal Bitfinex data pointing to the exact IP and email addresses tied to the accounts which had received his stolen bitcoin.
“We really had no idea what the FBI investigation had uncovered until we got the response from the DOJ regarding the Touhy questions,” Mora said.
Vanity address comes back to bite
Thanks to the FBI subpoena, Schober’s team could identify the hacker’s accounts across a suite of online services: Gmail, Keybase, Reddit, Twitter and Github. Code necessary for the malware was found on the alleged hacker’s public GitHub repository, including the BTC address generator on which it hinged.
The 1BeNedict address used to launder stolen BTC through ShapeShift was also verified by some of those accounts — which Bax cited as proof of the hacker’s identity (the vanity address matched his first name).
A return address lodged with ShapeShift by the attacker during the apparent laundering process, where the protocol would send crypto in the case of transaction issues, was identical to the Bitfinex hot wallets which had received BTC stolen from Schober.
There was even a post on the bitcoin-dev mailing list, sent from an email address matching the alleged hacker’s real name, which described how easy it was to generate Bitcoin addresses with a striking resemblance to ones provided. The post matched the Electrum malware’s modus operandi to a tee.
After running enough diagnostics, Bax found that “every bitcoin transaction sent by the Electrum Atom malware operator went to a destination address that was linked” to the alleged hacker that had been investigated by the FBI. Addresses tied to the malware had received 17 BTC ($501,000) in total — 97% of it Schober’s. He was able to get in touch with another victim via long-running Bitcoin forum BitcoinTalk.
All this meant Schober could lodge a civil lawsuit against the suspected perpetrator — along with another individual who’d allegedly peddled the same malware on Reddit. Both were underage at the time of the heist, so the suit also named their parents. All parties deny any wrongdoing.
That was in May 2021, more than three years after Schober was phished for his BTC. The price of bitcoin had more than doubled in that time.
Complicating matters is that the alleged hacker lives in the UK. The FBI referred the case to UK law enforcement, leading to a joint investigation. Both suspects were arrested, interrogated and had their devices seized and forensically searched, Schober said.
But before their arrest, desperation (and perhaps a touch of naivety) meant Schober contacted them and their parents to let them know they’d been identified. “I hoped they would come clean and just return it to me because all I was doing was asking them to return what was stolen, and they didn’t do it,” Schober said.
“The UK Crown Prosecution Service ended up telling me that after I contacted them, they likely destroyed their devices because they had entirely new devices and there wasn’t enough forensic evidence for them to warrant pressing charges.”
(Bax said he would have done the exact same thing as Schober did — they figured the parents were probably decent people on account they worked at a bank and at the UK National Health Service. “They should just give the money back and I’d think it all goes away.”)
Schober’s civil suit is now potentially his one-and-only shot at justice. But the case is moving slowly, with lawyers arguing over in which jurisdiction a trial should take place.
Lawyers for the alleged hacker say the suit should be dismissed because Schober, based in the US, doesn’t have jurisdiction over someone in the UK. They also argue that the statute of limitations has expired for him to file a complaint.
“But that’s not true from our perspective because it took so much time and effort and investigation to even identify that it was a human being that was on the other end of this,” Schober said.
He feels he shouldn’t be punished by the statute of limitations argument, considering he was forced to wait 10 months for an FBI subpoena after being stonewalled by Bitfinex over critical information to his case.
An unprecedented case
Schober’s situation could really be the first of its kind, as it stretches across the pond.
“There aren’t many cases like this one, in fact, I’m not aware of any cases where an individual has ever tracked down, properly served (under international law), and sued hackers like this… let alone hackers who stole cryptocurrency,” Mora said.
“I was involved in some cases here in California where some individual plaintiffs sued some domestic scammers/hackers from other US states, but those defendants had been arrested in the US.”
Mora highlighted cases in which the government brought criminal charges against blackhats foreign and domestic, as well as instances where tech giants like Amazon and Google sued their hackers, some of which demand ransoms in crypto.
Schober is anything but a multinational conglomerate — a typical guy, unlike some high-profile wealthy victims of crypto theft that have brought cases against their attackers.
“I believe this case is unprecedented in a number of ways…there’s no telling how long this case could be going on,” Mora said.
Exactly how it might be resolved is really anyone’s guess. If a US court rules that the hacker owes Schober, then an English court would still need to recognize that ruling before it can enforce the judgment in the UK. Eventually, it could even come down to debt collection, liens or even wage garnishment.
Schober said they’d been able to trace a sizable amount of bitcoin sitting in addresses gleaned from the FBI subpoena, so it appears the alleged hackers do have funds to pay Schober back.
The situation is especially frustrating considering it seems Schober knows exactly who stole his crypto.
Still, Schober is pro-Bitcoin, despite everything that’s happened, legal fees and the half-million dollars in bitcoin lost. “I still love the promise of Bitcoin. That was what got me into it in the first place. But certainly, my early mover advantage has been erased, which is painful.”
“So it hurts but I’m still positive about it at this point. And I’m proud of the fact that I’ve been able to take this case to the point where it’s at now, because the odds against it were very, very slim.”
He’s optimistic that US courts will see that he’s a victim of theft. Had the alleged attackers been based in Russia or North Korea, for example, he’d hardly have any recourse.
“It’s been five years and I’m ready to move on from this as soon as possible,” Schober said. “But on the other hand, I’ve really put in so much effort and time and have people like Bax, and others, that are in my corner because they’ve heard the story and they think it’s kind of remarkable.”
“So I’m resolved to see it through to the end.”
Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.
Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.
Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.
The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.