Evil Roommate Bitcoin Theft: Difference between revisions

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Graphic

An early bitcoin adopter reported in 2013 that their roommate had managed to steal funds from their computer. They identified the theft through blockchain analysis, since the roommate had used it to pay one of their friends, who had paid them back. While their roommate had moved out and was ignoring communications, the latest messages from them suggest that they were planning to pursue legal action.

About trust_nobity

"I first got into bitcoin about a year ago. Like many folks on this sub, I told my friends about it, and used it to buy pizza, play cards, and reimburse others for lending me cash. I didn't make a million dollars through hoarding, but instead I kept my wallet pretty active. Never had a problem with lost coins and I thought I had a pretty good grasp on keeping my funds safe."

"Once I felt comfortable enough with Linux, I decided to buy a cheap netbook, install an OS with a small footprint, and use my netbook for banking only: bitcoin stuff, fiat stuff, anything that I wanted to keep separate from general browsing. I made all the necessary precautions (ad blocker, script blocker, encrypted HD, backups, etc). Then went about the business of funding my wallet."

The Reality

Reusing passwords and storing the majority of funds in a hot wallet is never a good idea.

Prior Theft Happening

The poster in question had reported that 2.3 bitcoin had gone missing from their wallet roughly 4 months earlier^[1].

"About four months ago my software wallet was drained of a whopping 2.3ish BTC."

In response, they had switched their operating system from Windows to Linux, however they had not been able to isolate the root cause of the exploit^[1].

"After doing some research, I figured it must have been a problem with my operating system. Maybe I went to the wrong site, downloaded spyware, whatever. I immediately uninstalled Windows and started to learn Linux, figuring that Linux was safer."

What Happened

The original poster had their coins stolen for a second time near the end of May, 2013.

Technical Details

Known facts in the case:

• The original poster reused passwords, including the password to get into his encrypted hard drive. The same password was used to get into my software wallet and several other websites and programs.
• "My roommate took advantage of the fact that he lived with me and had many opportunities to steal from me."
• The roommate used a distribution of Linux known for penetration testing.
• The computer with the bitcoin wallet was left unattended and within reach of the roommate at multiple point, including when he wasn't home.
• There is no evidence that any monitoring was being done for login or decryption attempts on the PC.

There are multiple potential theories for the exploit.

Data Dump Breach

One simple explanation is that the roommate was able to locate the password in a data dump from a previous breach. Information that he had access to such as the roommate's email address or phone number could have been searched up, and if the password had been reused on another website, this may have been retrievable. Many large websites were breached during this time period, and data could be available online.

Keylogger Hardware

There exist devices which can be used to intercept keystrokes. While this is more common on a desktop computer, it can also be done to a laptop computer using various methods^[4][5]. There are also "Rubber Ducky" USBs^[6].

Keylogger Software

One theory raised is about the installation of key logger software on the computer.

"Most likely he had physical access to your computer and installed a backdoor/keylogger." "Not that it would have been very hard for him. He could have accessed my netbook while I walked away for a moment, to talk on the phone or to take a shower."

"My password to get into my encrypted HD was the same password I used to get into my software wallet and several other websites and programs. My theory is that he somehow got this password by monitoring my keystrokes via Backtrack or by installing a keylogger on my computer via a link or an email he sent to me. Then he waited till I wasn't home, logged into my computer, and sent the coins to himself. It's only a theory though."

Network Monitoring

"My theory is that my roommate used this CD to monitor my computer on our shared network. Of course this is only a theory. I have no proof that he did this (only proof that he has at least some of my stolen coins). If he was in fact monitoring me, he probably stole my passwords, got into my computer, and then sent the coins to himself. I can't think of another way he could have stolen my coins."

More About BackTrack

BackTrack was a Linux distribution specializing in security, originally based on Knoppix and geared toward digital forensics and penetration testing^[7]. It emerged from the merger of two competing distributions: WHAX and Auditor Security Collection^[7].

It featured an extensive array of security tools, including Metasploit, Aircrack-ng, Nmap, and Wireshark. BackTrack categorized its tools into 12 groups, covering areas like information gathering, vulnerability assessment, and forensics^[7]. It supported Live CD and USB functionality, allowing users to boot directly from portable media^[7].

BackTrack went through several releases, with the final version, BackTrack 5 R3, released on August 13, 2012^[7]. Older versions lost support whenever a new release came out, and currently, there are no supported versions of BackTrack^[7].

Total Amount Lost

The total amount lost has been estimated at $3,000 USD.

"All in all, I lost nearly 3,000 USD to this guy. Not counting this month's rent and utilities, which I'm sure I won't get, since he moved back into his parent's house and refuses to answer my phone calls. He not only spyed on me, stole from me, but left me with 2x the bills I expected to pay this month."^[1]

Immediate Reactions

"Two weeks ago... I'd accumulated a savings of almost 21 bitcoin before I logged on to my wallet and found them all missing! They were sent to an unknown address, then another address, then another. Needless to say I was pissed off. What had I done wrong? How could I have been hacked again?"

"I started telling my friends about it, and some of them took pity on me, even sending me a few coins to a new wallet I created. For some reason (probably paranoia) I started using blockchain.info to track these new transactions."

Ultimate Outcome

"Many late nights looking at addresses and transactions going in and out of my friends' wallets. Thought I was going crazy until I noticed something."

"Some of the coins that a friend sent me led back to my roommate's wallet."

"I'm sure you see where this is going ... after painstakingly tracking transactions through the blockchain, I finally discovered that it was my roommate who stole my coins! He then sent some of those coins to various addresses, but made the mistake of using those same coins to pay a mutual friend for a debt he owed in a real-life poker game that we all play together. (Not very big stakes, just a fun get-together)."

"I confronted my roommate and of course he denied everything. He accused me of being paranoid, got loud and almost violent with me, then started making plans to move out of the apartment."

"I don't feel good about what happened next … because I waited for my roommate to go to work, and then I snuck into his room and tried to log onto his computer. Couldn't get into his computer because of an encrypted password, but I did find a CD in his optical drive. The CD was entitled “BackTrack” which I've since learned is a “hacker” distro used for penetration testing."

"I have created a log of all the transactions that link his wallet to the stolen BTC. Also, I have a friend who says he will testify that the one of the payments came from his wallet."

"I can't even get in touch with him anymore. Neither he nor his parents are answering my phone calls nor returning my messages."

"Regardless of HOW he did it, I have definitive proof via the blockchain that he, in fact, was the one who stole my coins. Just hope that it's enough proof to hold up in court. I doubt it though. Just glad he's out of my life." "I have created a log of all the transactions that link his wallet to the stolen BTC. Also, I have a friend who says he will testify that the one of the payments came from his wallet; however, I'm not sure if this will help. I have never done anything like this before."

"All in all, I lost nearly 3,000 USD to this guy. Not counting this month's rent and utilities, which I'm sure I won't get, since he moved back into his parent's house and refuses to answer my phone calls. He not only spyed on me, stole from me, but left me with 2x the bills I expected to pay this month."

"He failed because he didn't keep his transactions anonymous (enough) on the blockchain, so I was able to track my coins back to him. But it took hours and hours and hours, and many sleepless nights to do so. Not that it matters much. The coins are gone, and he denies it anyway."

BackTrack Linux Becomes Kali Linux

Backtrack Linux was later rebuilt around Debian by Khaled Baoween and the Offensive Security team, becoming Kali Linux^[7].

Case Mentioned By TradeFortress

The situation (or potentially a similar situation) later received a casual mention by TradeFortress^[3], who at the time was a founder of the relatively well known inputs.io exchange.

Total Amount Recovered

The total amount recovered is unknown. No details have been provided in this case.

Ongoing Developments

"The only real proof I have that he stole my coins is a complex web of transactions that I tracked through the blockchain. But it's definitive proof. The blockchain doesn't lie. And though he thought he was acting anonymously, I managed to catch him. Still I have no idea what I'm going to do next. Not sure the blockchain record will help me in court."

"Anyway, I posted this because I wanted to warn others. Hopefully my story will inspire you to take steps to protect yourself. I certainly learned an expensive lesson."

Individual Prevention Policies

The majority of funds should be stored in offline cold storage. Break up a seed phrase and store the components in multiple separate secure locations, or use a hardware wallet. Even more advanced security can be achieved by using a multi-sig wallet or storing information in a location such as a bank safety deposit box.

This situation could have been prevented if funds had been stored offline instead of in a hot wallet. There are also various strategies which can be employed if a hot wallet is used such as never reusing critical passwords^[2] and keeping a separate device for the wallet instead of using a device which is shared with other functions! Even greater security can be achieved by setting up a multi-signature scheme on the wallet, which prevents access if only a single device is compromised. Ideally, the other signatures would be in locations where the roommate does not have any access.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References