Fake Wallet From Reddit: Difference between revisions
No edit summary |
(Updated case construction template. Dramatically restructured information from the about section into other sections of the wiki. Created basic about section. Looking up more information about the Electrum Atom software, which appears to be malware, though there is also a related protocol. Filling in immediate reactions and basic prevention part.) |
||
| Line 1: | Line 1: | ||
{{ | {{Case Study Under Construction}}{{Unattributed Sources}} | ||
{{Unattributed Sources}} | |||
In January 2017, Andrew Schober was tricked into downloading a malicious application which modified his clipboard. As a result, he ended up sending his bitcoin to 2 teenagers in the UK. The thieves did nothing to obscure the coins and deposited them directly on the Bitfinex platform. Andrew Schober spent tens of thousands of dollars and many years tracking down the culprits and is presently attempting to sue them. However, the statute of limitations limits claims to 2-3 years. | In January 2017, Andrew Schober was tricked into downloading a malicious application which modified his clipboard. As a result, he ended up sending his bitcoin to 2 teenagers in the UK. The thieves did nothing to obscure the coins and deposited them directly on the Bitfinex platform. Andrew Schober spent tens of thousands of dollars and many years tracking down the culprits and is presently attempting to sue them. However, the statute of limitations limits claims to 2-3 years. | ||
This is a global/international case not involving a specific country.<ref name="decrypt-6229" /><ref name="krebsonsecurity-6230" /><ref name="krebsonsecurity-6231" /><ref name="nypost-6232" /><ref name="briankrebstwitter-6233" /><ref name="livebitcoinnews-6234" /><ref name="yahoomovies-6235" /><ref name="cryptonewsflash-6236" /> | This is a global/international case not involving a specific country.<ref name="decrypt-6229" /><ref name="krebsonsecurity-6230" /><ref name="krebsonsecurity-6231" /><ref name="nypost-6232" /><ref name="briankrebstwitter-6233" /><ref name="livebitcoinnews-6234" /><ref name="yahoomovies-6235" /><ref name="cryptonewsflash-6236" /><ref>https://medium.com/@nbax/anatomy-of-a-bitcoin-heist-the-electrum-atom-malware-saga-1685abf7c903 (Accessed Jan 31, 2025)</ref> | ||
== About | Unsure if related:<ref>https://web.archive.org/web/20171227183707/https://bitcoinatom.io/ (Accessed Jan 31, 2025)</ref><ref>https://github.com/bitcoin-atom/electrum-atom?tab=readme-ov-file#readme (Accessed Jan 31, 2025)</ref><ref>https://bitcoinatom.io/ (Accessed Jan 31, 2025)</ref><ref>https://github.com/bitcoin-atom/electrum-atom (Accessed Jan 31, 2025)</ref> | ||
== About Andrew Schober == | |||
Andrew Schober lived in Colorado, USA. | |||
== The Reality == | |||
Wallet software entails a high degree of trust. | |||
Schober had downloaded a malicious cryptocurrency wallet app from Reddit, which was reportedly created by the minors<ref name="decrypt-6229" />. | |||
== What Happened == | |||
"Colorado resident Andrew Schober’s stash of 16 Bitcoin was stolen from him in a 2018 malware attack, court documents allege. At the time, it was worth about $220,000 and was 95% of his net wealth." | "Colorado resident Andrew Schober’s stash of 16 Bitcoin was stolen from him in a 2018 malware attack, court documents allege. At the time, it was worth about $220,000 and was 95% of his net wealth." | ||
{| class="wikitable" | |||
|+Key Event Timeline - Fake Wallet From Reddit | |||
!Date | |||
!Event | |||
!Description | |||
|- | |||
|January 15th, 2017 | |||
|Main Event | |||
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | |||
|- | |||
| | |||
| | |||
| | |||
|} | |||
In January 2017, Andrew Schober’s "computer was infected by a malicious program called Electrum Atom that stole £145,800 worth of Bitcoin | == Technical Details == | ||
In January 2017, Andrew Schober’s "computer was infected by a malicious program called Electrum Atom that stole £145,800 worth of Bitcoin." | |||
"A forensic investigation of Schober’s computer found he’d inadvertently downloaded malicious software after clicking a link posted on Reddit for a purported cryptocurrency wallet application called “Electrum Atom.” Investigators determined that the malware was bundled with the benign program, and was designed to lie in wait for users to copy a cryptocurrency address to their computer’s temporary clipboard." | |||
"The malware was designed to wait for the user to copy a crypto wallet address to the temporary clipboard of his computer. When he tried to move 16.4 Bitcoins from his account to another, the malware changed his payment wallet address with a different address controlled by the two young men." | "The malware was designed to wait for the user to copy a crypto wallet address to the temporary clipboard of his computer. When he tried to move 16.4 Bitcoins from his account to another, the malware changed his payment wallet address with a different address controlled by the two young men." | ||
| Line 21: | Line 47: | ||
"The malware was able to direct Schober’s bitcoin to a third-party account that allegedly belonged to Thompson and Read." | "The malware was able to direct Schober’s bitcoin to a third-party account that allegedly belonged to Thompson and Read." | ||
"The stolen funds were then [deposited] at the cryptocurrency exchange Bitfinex. With the help of an attorney and private investigation firm, the theft was traced to Oliver Paul Read, from Bradford, West Yorkshire. It seems your son has been using malware to steal money from people online." | |||
== Total Amount Lost == | |||
The total amount lost was 16.4 bitcoins. The value has been estimated at $220,000 USD. | |||
== Immediate Reactions == | |||
Andrew Schrober reportedly “did not eat or sleep for days afterward and has been in a severe state of distress for the past three years.” It adds: “Mr. Schober was planning to use the proceeds from his eventual sale of the cryptocurrency to help finance a home and support his family.” "The cryptocurrency accounted for approximately 95 per cent of his net wealth at the time it was stolen from him." | |||
== Ultimate Outcome == | |||
Andrew Schrober ultimately completed an investigation to determine who had taken his bitcoin. | |||
=== Investigation Tracing Funds === | |||
"Schober spent $10,000 on an investigation and tracked the Bitcoin to the two teenagers in the U.K., documents say. Both Thompson and Read have studied computer science, including at a top U.K. university, the filing notes." | "Schober spent $10,000 on an investigation and tracked the Bitcoin to the two teenagers in the U.K., documents say. Both Thompson and Read have studied computer science, including at a top U.K. university, the filing notes." | ||
=== Appeal To Parents === | |||
Schober then wrote a letter to the parents of Read, where he asked for the money to be returned. “Your son is obviously a very intelligent young man,” he wrote in 2018. “I do not wish for him to be robbed of his future.” | Schober then wrote a letter to the parents of Read, where he asked for the money to be returned. “Your son is obviously a very intelligent young man,” he wrote in 2018. “I do not wish for him to be robbed of his future.” | ||
| Line 33: | Line 68: | ||
"If he returns what he stole in full, 16.4552 BTC, to [this address] by October 21, 2012, I will drop this matter and move on. If not, we will pursue recourse through Action Fraud. Given his age and the nature of the crimes, he would likely be charged as an adult. The minimum sentence for Theft: Category 1 Harm (>£100k) with high culpability, and Computer Misuse Section 3: Reckless Intent to Impair Operation, is 4 years and 6 months custody, plus payment of restitution." | "If he returns what he stole in full, 16.4552 BTC, to [this address] by October 21, 2012, I will drop this matter and move on. If not, we will pursue recourse through Action Fraud. Given his age and the nature of the crimes, he would likely be charged as an adult. The minimum sentence for Theft: Category 1 Harm (>£100k) with high culpability, and Computer Misuse Section 3: Reckless Intent to Impair Operation, is 4 years and 6 months custody, plus payment of restitution." | ||
=== Statute Of Limitations === | |||
"Now they are responding. One of the defendants —Hazel D. Wells — just filed a motion with the court to represent herself and her son in lieu of hiring an attorney. In a filing on Aug. 9, Wells helpfully included the letter in the screenshot above, and volunteered that her son had been questioned by U.K. authorities in connection with the bitcoin theft." | "Now they are responding. One of the defendants —Hazel D. Wells — just filed a motion with the court to represent herself and her son in lieu of hiring an attorney. In a filing on Aug. 9, Wells helpfully included the letter in the screenshot above, and volunteered that her son had been questioned by U.K. authorities in connection with the bitcoin theft." | ||
| Line 42: | Line 78: | ||
"The plaintiffs point out that Schober’s investigators didn’t pinpoint one of the young men’s involvement until more than a year after they’d identified his co-conspirator, saying Schober notified the second boy’s parents in December 2019." | "The plaintiffs point out that Schober’s investigators didn’t pinpoint one of the young men’s involvement until more than a year after they’d identified his co-conspirator, saying Schober notified the second boy’s parents in December 2019." | ||
== Total Amount Recovered == | == Total Amount Recovered == | ||
There do not appear to have been any funds recovered in this case. | There do not appear to have been any funds recovered in this case. | ||
== Ongoing Developments == | == Ongoing Developments == | ||
| Line 109: | Line 88: | ||
== Individual Prevention Policies == | == Individual Prevention Policies == | ||
{{Prevention:Individuals:Placeholder}} | {{Prevention:Individuals:Placeholder}} | ||
{{Prevention:Individuals:Always Verify Executables}} | |||
{{Prevention:Individuals:End}} | {{Prevention:Individuals:End}} | ||
| Line 114: | Line 95: | ||
== Platform Prevention Policies == | == Platform Prevention Policies == | ||
{{Prevention:Platforms:Placeholder}} | {{Prevention:Platforms:Placeholder}} | ||
{{Prevention:Platforms:Cryptocurrency Safety Quiz}} | |||
{{Prevention:Platforms:End}} | {{Prevention:Platforms:End}} | ||
| Line 119: | Line 102: | ||
== Regulatory Prevention Policies == | == Regulatory Prevention Policies == | ||
{{Prevention:Regulators:Placeholder}} | {{Prevention:Regulators:Placeholder}} | ||
{{Prevention:Regulators:Cryptocurrency Education Mandate}} | |||
{{Prevention:Regulators:End}} | {{Prevention:Regulators:End}} | ||
== References == | == References == | ||
<references><ref name="decrypt-6229">[https://decrypt.co/79618/man-who-lost-800k-bitcoin-sue-teenagers-parents Man Who Lost $800K of Bitcoin Sues Parents of Alleged Teenage Thieves - Decrypt] (Jan 30, 2022)</ref> | <references> | ||
<ref name="decrypt-6229">[https://decrypt.co/79618/man-who-lost-800k-bitcoin-sue-teenagers-parents Man Who Lost $800K of Bitcoin Sues Parents of Alleged Teenage Thieves - Decrypt] (Accessed Jan 30, 2022)</ref> | |||
<ref name="krebsonsecurity-6230"> | <ref name="krebsonsecurity-6230">https://krebsonsecurity.com/wp-content/uploads/2021/08/pro-se-wells.pdf (Accessed Feb 3, 2022)</ref> | ||
<ref name="krebsonsecurity-6231">[https://krebsonsecurity.com/2021/08/man-robbed-of-16-bitcoin-sues-young-thieves-parents/ Man Robbed of 16 Bitcoin Sues Young Thieves’ Parents – Krebs on Security] (Accessed Feb 4, 2022)</ref> | |||
<ref name="krebsonsecurity-6231">[https://krebsonsecurity.com/2021/08/man-robbed-of-16-bitcoin-sues-young-thieves-parents/ Man Robbed of 16 Bitcoin Sues Young Thieves’ Parents – Krebs on Security] (Feb 4, 2022)</ref> | <ref name="nypost-6232">[https://nypost.com/2021/08/26/man-sues-over-bitcoin-stash-stolen-in-2018-and-now-worth-1m/ Man sues over bitcoin stash stolen in 2018 and now worth $1M] (Accessed Feb 4, 2022)</ref> | ||
<ref name="briankrebstwitter-6233">[https://twitter.com/briankrebs/status/1430679517857714177 @briankrebs Twitter] (Accessed Feb 4, 2022)</ref> | |||
<ref name="nypost-6232">[https://nypost.com/2021/08/26/man-sues-over-bitcoin-stash-stolen-in-2018-and-now-worth-1m/ Man sues over bitcoin stash stolen in 2018 and now worth $1M] (Feb 4, 2022)</ref> | <ref name="livebitcoinnews-6234">[https://www.livebitcoinnews.com/andrew-schober-is-one-of-many-victims-of-crypto-theft-but-hes-taking-action/ Andrew Schober Is One of Many Victims of Crypto Theft, but He's Taking Action | Live Bitcoin News] (Accessed Feb 4, 2022)</ref> | ||
<ref name="yahoomovies-6235">[https://ca.movies.yahoo.com/two-british-schoolboys-stole-nearly-184712819.html Two British schoolboys stole nearly $1m in Bitcoin and families refused to give it back, US lawsuit claims] (Accessed Feb 4, 2022)</ref> | |||
<ref name="briankrebstwitter-6233">[https://twitter.com/briankrebs/status/1430679517857714177 @briankrebs Twitter] (Feb 4, 2022)</ref> | <ref name="cryptonewsflash-6236">[https://www.crypto-news-flash.com/victim-of-malware-attack-sues-parents-of-thieves-who-stole-his-16-bitcoins/ Andrew Schober sues parents of young men who stole his 16 Bitcoins] (Accessed Feb 4, 2022)</ref> | ||
</references> | |||
<ref name="livebitcoinnews-6234">[https://www.livebitcoinnews.com/andrew-schober-is-one-of-many-victims-of-crypto-theft-but-hes-taking-action/ Andrew Schober Is One of Many Victims of Crypto Theft, but He's Taking Action | Live Bitcoin News] (Feb 4, 2022)</ref> | |||
<ref name="yahoomovies-6235">[https://ca.movies.yahoo.com/two-british-schoolboys-stole-nearly-184712819.html Two British schoolboys stole nearly $1m in Bitcoin and families refused to give it back, US lawsuit claims] (Feb 4, 2022)</ref> | |||
<ref name="cryptonewsflash-6236">[https://www.crypto-news-flash.com/victim-of-malware-attack-sues-parents-of-thieves-who-stole-his-16-bitcoins/ Andrew Schober sues parents of young men who stole his 16 Bitcoins] (Feb 4, 2022)</ref></references> | |||
Revision as of 18:32, 31 January 2025
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
In January 2017, Andrew Schober was tricked into downloading a malicious application which modified his clipboard. As a result, he ended up sending his bitcoin to 2 teenagers in the UK. The thieves did nothing to obscure the coins and deposited them directly on the Bitfinex platform. Andrew Schober spent tens of thousands of dollars and many years tracking down the culprits and is presently attempting to sue them. However, the statute of limitations limits claims to 2-3 years.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9]
Unsure if related:[10][11][12][13]
About Andrew Schober
Andrew Schober lived in Colorado, USA.
The Reality
Wallet software entails a high degree of trust.
Schober had downloaded a malicious cryptocurrency wallet app from Reddit, which was reportedly created by the minors[1].
What Happened
"Colorado resident Andrew Schober’s stash of 16 Bitcoin was stolen from him in a 2018 malware attack, court documents allege. At the time, it was worth about $220,000 and was 95% of his net wealth."
| Date | Event | Description |
|---|---|---|
| January 15th, 2017 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Technical Details
In January 2017, Andrew Schober’s "computer was infected by a malicious program called Electrum Atom that stole £145,800 worth of Bitcoin."
"A forensic investigation of Schober’s computer found he’d inadvertently downloaded malicious software after clicking a link posted on Reddit for a purported cryptocurrency wallet application called “Electrum Atom.” Investigators determined that the malware was bundled with the benign program, and was designed to lie in wait for users to copy a cryptocurrency address to their computer’s temporary clipboard."
"The malware was designed to wait for the user to copy a crypto wallet address to the temporary clipboard of his computer. When he tried to move 16.4 Bitcoins from his account to another, the malware changed his payment wallet address with a different address controlled by the two young men."
"Schober alleges that Benedict Thompson, of Hampshire, UK, and Oliver Read, of West Yorkshire, UK, orchestrated the theft when they were minors."
"Thompson is now studying computer science at the University of Warwick, the suit says, and Read previously studied computer science at Greenhead College in the UK."
"When the two were boys, they allegedly advertised criminal software on Reddit, where Schober inadvertently installed it, thinking it was a legitimate program."
"The malware was able to direct Schober’s bitcoin to a third-party account that allegedly belonged to Thompson and Read."
"The stolen funds were then [deposited] at the cryptocurrency exchange Bitfinex. With the help of an attorney and private investigation firm, the theft was traced to Oliver Paul Read, from Bradford, West Yorkshire. It seems your son has been using malware to steal money from people online."
Total Amount Lost
The total amount lost was 16.4 bitcoins. The value has been estimated at $220,000 USD.
Immediate Reactions
Andrew Schrober reportedly “did not eat or sleep for days afterward and has been in a severe state of distress for the past three years.” It adds: “Mr. Schober was planning to use the proceeds from his eventual sale of the cryptocurrency to help finance a home and support his family.” "The cryptocurrency accounted for approximately 95 per cent of his net wealth at the time it was stolen from him."
Ultimate Outcome
Andrew Schrober ultimately completed an investigation to determine who had taken his bitcoin.
Investigation Tracing Funds
"Schober spent $10,000 on an investigation and tracked the Bitcoin to the two teenagers in the U.K., documents say. Both Thompson and Read have studied computer science, including at a top U.K. university, the filing notes."
Appeal To Parents
Schober then wrote a letter to the parents of Read, where he asked for the money to be returned. “Your son is obviously a very intelligent young man,” he wrote in 2018. “I do not wish for him to be robbed of his future.”
"As his parents, I am appealing to you first to give him the chance to make this right, without involving law enforcement. Your son is obviously a very intelligent young man. I do not wish for him to be robbed of his future, however it would not be just to let him inflict such a damaging blow to my future."
"If he returns what he stole in full, 16.4552 BTC, to [this address] by October 21, 2012, I will drop this matter and move on. If not, we will pursue recourse through Action Fraud. Given his age and the nature of the crimes, he would likely be charged as an adult. The minimum sentence for Theft: Category 1 Harm (>£100k) with high culpability, and Computer Misuse Section 3: Reckless Intent to Impair Operation, is 4 years and 6 months custody, plus payment of restitution."
Statute Of Limitations
"Now they are responding. One of the defendants —Hazel D. Wells — just filed a motion with the court to represent herself and her son in lieu of hiring an attorney. In a filing on Aug. 9, Wells helpfully included the letter in the screenshot above, and volunteered that her son had been questioned by U.K. authorities in connection with the bitcoin theft."
"Neither of the defendants’ families are disputing the basic claim that their kids stole from Mr. Schober. Rather, they’re asserting that time has run out on Schober’s legal ability to claim a cause of action against them."
“Plaintiff alleges two common law causes of action (conversion and trespass to chattel), for which a three-year statute of limitations applies,” an attorney for the defendants argued in a filing on Aug. 6 (PDF). “Plaintiff further alleges a federal statutory cause of action, for which a two-year statute of limitations applies. Because plaintiff did not file his lawsuit until May 21, 2021, three years and five months after his injury, his claims should be dismissed.”
"In August, lawyers for Hazel Davina Wells, the mother of Oliver Read, filed court papers that argued that the two year statute of limitations had passed before Mr Schober filed his case and asked a judge to dismiss the claim." "Schober’s attorneys argue (PDF) that “the statute of limitations begins to run when the Plaintiff knows or has reason to know of the existence and cause of the injury which is the base of his action,” and that inherent in this concept is the discovery rule, namely: That the statute of limitations does not begin to run until the plaintiff knows or has reason to know of both the existence and cause of his injury."
"The plaintiffs point out that Schober’s investigators didn’t pinpoint one of the young men’s involvement until more than a year after they’d identified his co-conspirator, saying Schober notified the second boy’s parents in December 2019."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
All large transactions or new wallets should be tested first with a smaller value transaction.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
Any time untrusted software is being run is an opportunity for abuse. It is recommended to always interact with cryptocurrency in a fully controlled environment, which is an environment where you have understanding of every piece of software running there. Using a hardware wallet, spare computer with all software wiped, and/or virtual machine with only the needed software greatly reduces your attack surface. Take the time to verify downloaded files come from the correct and expected source and match available hashes if provided. Any time you encounter a new file, always check if it can contain executable code prior to using it.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ 1.0 1.1 Man Who Lost $800K of Bitcoin Sues Parents of Alleged Teenage Thieves - Decrypt (Accessed Jan 30, 2022)
- ↑ https://krebsonsecurity.com/wp-content/uploads/2021/08/pro-se-wells.pdf (Accessed Feb 3, 2022)
- ↑ Man Robbed of 16 Bitcoin Sues Young Thieves’ Parents – Krebs on Security (Accessed Feb 4, 2022)
- ↑ Man sues over bitcoin stash stolen in 2018 and now worth $1M (Accessed Feb 4, 2022)
- ↑ @briankrebs Twitter (Accessed Feb 4, 2022)
- ↑ Andrew Schober Is One of Many Victims of Crypto Theft, but He's Taking Action | Live Bitcoin News (Accessed Feb 4, 2022)
- ↑ Two British schoolboys stole nearly $1m in Bitcoin and families refused to give it back, US lawsuit claims (Accessed Feb 4, 2022)
- ↑ Andrew Schober sues parents of young men who stole his 16 Bitcoins (Accessed Feb 4, 2022)
- ↑ https://medium.com/@nbax/anatomy-of-a-bitcoin-heist-the-electrum-atom-malware-saga-1685abf7c903 (Accessed Jan 31, 2025)
- ↑ https://web.archive.org/web/20171227183707/https://bitcoinatom.io/ (Accessed Jan 31, 2025)
- ↑ https://github.com/bitcoin-atom/electrum-atom?tab=readme-ov-file#readme (Accessed Jan 31, 2025)
- ↑ https://bitcoinatom.io/ (Accessed Jan 31, 2025)
- ↑ https://github.com/bitcoin-atom/electrum-atom (Accessed Jan 31, 2025)