Fake Wallet From Reddit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 12:56, 6 February 2025 by Azoundria (talk | contribs) (Integrated information from KrebsOnSecurity article and lawsuit. Added significant additional sources from BitcoinTalk and online web search. Filling in extra information on wiki Timeline.)
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

In January 2017, Andrew Schober was tricked into downloading a malicious application which modified his clipboard. As a result, he ended up sending his bitcoin to 2 teenagers in the UK. The thieves did nothing to obscure the coins and deposited them directly on the Bitfinex platform. Andrew Schober spent tens of thousands of dollars and many years tracking down the culprits and is presently attempting to sue them. However, the statute of limitations limits claims to 2-3 years.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16]

Unsure if related:[17][18][19][20]

About Andrew Schober

Andrew Schober lived in Colorado, USA.

The Reality

Wallet software entails a high degree of trust.

Schober had downloaded a malicious cryptocurrency wallet app from Reddit, which was reportedly created by the minors[1].

What Happened

"Colorado resident Andrew Schober’s stash of 16 Bitcoin was stolen from him in a 2018 malware attack, court documents allege. At the time, it was worth about $220,000 and was ​​95% of his net wealth."

Key Event Timeline - Fake Wallet From Reddit
Date Event Description
January 15th, 2017 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.
November 11th, 2017 5:48:00 AM MST Confirmed Malware Tweet Electrum (@ElectrumWallet) posts a warning on Twitter about the Electrum Gold wallet as "confirmed malware".
November 13th, 2017 12:53:50 PM MST BitcoinTalk Electrum Gold Posted Oliver Reid "a wallet made especially for Bitcoin Gold users, as I felt that Electrum, being the master wallet, should be enjoyed by gold users too."
October 21st, 2018 Deadline To Return Funds The deadline which Andrew Schrober provides for return of the funds in an email to the parents.
December, 2019 Notification To Parents Andrew Schrober notifies and pleas with the parents of one of the boys who were able to take his funds.
August 9th, 2021 Initial Disclosure Initial Disclosure submitted to court. Defendant Hazel Davina Wells submits her initial disclosures under Rule 26(a)(1) of the Federal Rules of Civil Procedure. The disclosure includes a list of individuals with relevant information, such as Defendant Oliver Read, who has knowledge of correspondence from the Plaintiff, cryptocurrency mining, and UK police involvement, and Defendant Hazel Davina Wells, who has knowledge about the Plaintiff’s correspondence and her son’s questioning by UK police. The document also lists various correspondences, including those between the Plaintiff and the Read Defendants, and affirms Wells will supplement her disclosures as needed during discovery. Additionally, it includes a certificate of service stating the document was sent to the parties involved in the case.
August 25th, 2021 5:52:00 PM MDT Krebs On Security Article Brian Krebs from Krebs On Security promotes his article about the situation. "Andrew Schober was robbed of ~$1M in bitcoin in 2018. Investigators he hired found 2 minors in the UK who allegedly authored the clipboard stealing malware that siphoned his bitcoin. Now he's suing the kids' parents after they refused to return the $"

Technical Details

In January 2017, Andrew Schober’s "computer was infected by a malicious program called Electrum Atom that stole £145,800 worth of Bitcoin."

"A forensic investigation of Schober’s computer found he’d inadvertently downloaded malicious software after clicking a link posted on Reddit for a purported cryptocurrency wallet application called “Electrum Atom.” Investigators determined that the malware was bundled with the benign program, and was designed to lie in wait for users to copy a cryptocurrency address to their computer’s temporary clipboard."

"The malware was designed to wait for the user to copy a crypto wallet address to the temporary clipboard of his computer. When he tried to move 16.4 Bitcoins from his account to another, the malware changed his payment wallet address with a different address controlled by the two young men."

"Schober alleges that Benedict Thompson, of Hampshire, UK, and Oliver Read, of West Yorkshire, UK, orchestrated the theft when they were minors."

"Thompson is now studying computer science at the University of Warwick, the suit says, and Read previously studied computer science at Greenhead College in the UK."

"When the two were boys, they allegedly advertised criminal software on Reddit, where Schober inadvertently installed it, thinking it was a legitimate program."

"The malware was able to direct Schober’s bitcoin to a third-party account that allegedly belonged to Thompson and Read."

"The stolen funds were then [deposited] at the cryptocurrency exchange Bitfinex. With the help of an attorney and private investigation firm, the theft was traced to Oliver Paul Read, from Bradford, West Yorkshire. It seems your son has been using malware to steal money from people online."

False Implication Of Sulaiman Hussain

One item mentioned in the initial disclosure is an impersonation/implication of Sulaiman Hussain,

[21]

[22]


Malicious Malware Transaction Of Someone Else: [23]

One Receiving Wallet (May Be Unrelated): [24]

Total Amount Lost

The total amount lost was 16.4552 bitcoins[2]. The value has been estimated at $220,000 USD.

Immediate Reactions

Andrew Schrober reportedly “did not eat or sleep for days afterward and has been in a severe state of distress for the past three years.” It adds: “Mr. Schober was planning to use the proceeds from his eventual sale of the cryptocurrency to help finance a home and support his family.” "The cryptocurrency accounted for approximately 95 per cent of his net wealth at the time it was stolen from him."

Ultimate Outcome

Andrew Schrober ultimately completed an investigation to determine who had taken his bitcoin.

Investigation Tracing Funds

"Schober spent $10,000 on an investigation and tracked the Bitcoin to the two teenagers in the U.K., documents say. Both Thompson and Read have studied computer science, including at a top U.K. university, the filing notes."

Appeal To Parents

Schober then wrote a letter to the parents of Read, where he asked for the money to be returned. “Your son is obviously a very intelligent young man,” he wrote in 2018. “I do not wish for him to be robbed of his future.”

"As his parents, I am appealing to you first to give him the chance to make this right, without involving law enforcement. Your son is obviously a very intelligent young man. I do not wish for him to be robbed of his future, however it would not be just to let him inflict such a damaging blow to my future."

"If he returns what he stole in full, 16.4552 BTC, to [this address] by October 21, 2012, I will drop this matter and move on. If not, we will pursue recourse through Action Fraud. Given his age and the nature of the crimes, he would likely be charged as an adult. The minimum sentence for Theft: Category 1 Harm (>£100k) with high culpability, and Computer Misuse Section 3: Reckless Intent to Impair Operation, is 4 years and 6 months custody, plus payment of restitution."

Statute Of Limitations

"Now they are responding. One of the defendants —Hazel D. Wells — just filed a motion with the court to represent herself and her son in lieu of hiring an attorney. In a filing on Aug. 9, Wells helpfully included the letter in the screenshot above, and volunteered that her son had been questioned by U.K. authorities in connection with the bitcoin theft."

"Neither of the defendants’ families are disputing the basic claim that their kids stole from Mr. Schober. Rather, they’re asserting that time has run out on Schober’s legal ability to claim a cause of action against them."

“Plaintiff alleges two common law causes of action (conversion and trespass to chattel), for which a three-year statute of limitations applies,” an attorney for the defendants argued in a filing on Aug. 6 (PDF). “Plaintiff further alleges a federal statutory cause of action, for which a two-year statute of limitations applies. Because plaintiff did not file his lawsuit until May 21, 2021, three years and five months after his injury, his claims should be dismissed.”

"In August, lawyers for Hazel Davina Wells, the mother of Oliver Read, filed court papers that argued that the two year statute of limitations had passed before Mr Schober filed his case and asked a judge to dismiss the claim." "Schober’s attorneys argue (PDF) that “the statute of limitations begins to run when the Plaintiff knows or has reason to know of the existence and cause of the injury which is the base of his action,” and that inherent in this concept is the discovery rule, namely: That the statute of limitations does not begin to run until the plaintiff knows or has reason to know of both the existence and cause of his injury."

"The plaintiffs point out that Schober’s investigators didn’t pinpoint one of the young men’s involvement until more than a year after they’d identified his co-conspirator, saying Schober notified the second boy’s parents in December 2019."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

All large transactions or new wallets should be tested first with a smaller value transaction.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

Any time untrusted software is being run is an opportunity for abuse. It is recommended to always interact with cryptocurrency in a fully controlled environment, which is an environment where you have understanding of every piece of software running there. Using a hardware wallet, spare computer with all software wiped, and/or virtual machine with only the needed software greatly reduces your attack surface. Take the time to verify downloaded files come from the correct and expected source and match available hashes if provided. Any time you encounter a new file, always check if it can contain executable code prior to using it.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. 1.0 1.1 Man Who Lost $800K of Bitcoin Sues Parents of Alleged Teenage Thieves - Decrypt (Accessed Jan 30, 2022)
  2. 2.0 2.1 PLAINTIFF’S INITIAL DISCLOSURES - KrebOnSecurity (Accessed Feb 3, 2022)
  3. Man Robbed of 16 Bitcoin Sues Young Thieves’ Parents – Krebs on Security (Accessed Feb 4, 2022)
  4. Man sues over bitcoin stash stolen in 2018 and now worth $1M (Accessed Feb 4, 2022)
  5. @briankrebs Twitter (Accessed Feb 4, 2022)
  6. Andrew Schober Is One of Many Victims of Crypto Theft, but He's Taking Action | Live Bitcoin News (Accessed Feb 4, 2022)
  7. Two British schoolboys stole nearly $1m in Bitcoin and families refused to give it back, US lawsuit claims (Accessed Feb 4, 2022)
  8. Andrew Schober sues parents of young men who stole his 16 Bitcoins (Accessed Feb 4, 2022)
  9. https://medium.com/@nbax/anatomy-of-a-bitcoin-heist-the-electrum-atom-malware-saga-1685abf7c903 (Accessed Jan 31, 2025)
  10. https://bitcointalk.org/index.php?topic=5357642.0 (Accessed Feb 6, 2025)
  11. https://loyce.club/archive/members/130/1306048.html (Accessed Feb 6, 2025)
  12. https://bitcointalk.org/index.php?topic=2398686.0 (Accessed Feb 6, 2025)
  13. https://bitcointalk.org/index.php?action=profile;u=1306048 (Accessed Feb 6, 2025)
  14. Rad3onx User Deleted - Reddit (Accessed Feb 6, 2025)
  15. https://www.toribash.com/forum/member.php?u=3111548 (Accessed Feb 6, 2025)
  16. https://www.unknowncheats.me/forum/members/881032.html (Accessed Feb 6, 2025)
  17. https://web.archive.org/web/20171227183707/https://bitcoinatom.io/ (Accessed Jan 31, 2025)
  18. https://github.com/bitcoin-atom/electrum-atom?tab=readme-ov-file#readme (Accessed Jan 31, 2025)
  19. https://bitcoinatom.io/ (Accessed Jan 31, 2025)
  20. https://github.com/bitcoin-atom/electrum-atom (Accessed Jan 31, 2025)
  21. Actual Profile Of Sulaiman Hussain - LinkedIn (Accessed Feb 6, 2025)
  22. sulaiman.h500 Profile - CryptoCompare (Accessed Feb 6, 2025)
  23. https://www.blockchain.com/explorer/transactions/btc/ca19c0ac445e262f6c980ce5760dd799e5e1a78dd0601262ada1a12e8f85d605 (Accessed Feb 6, 2025)
  24. https://www.blockchain.com/explorer/addresses/btc/14uBM5CP8a5KmgJ1qJJfy3x8PRs9iHcUwH (Accessed Feb 6, 2025)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Fake_Wallet_From_Reddit&oldid=6521"