Hacked: How I lost 25 Bitcoin worth $1,000,000
It’s surreal to find myself writing this article. It feels like I’m writing to you from the middle of my own Netflix special. Ultimately, the headline says it all. On November 11th of this year my father and I discovered that we had been hacked and had over $1,000,000 worth of Bitcoin stolen from us.
As you can probably imagine, it’s not my favourite anecdote to tell…
Nonetheless, given more and more people are adopting Bitcoin every day, sharing what happened to us may help save others from a similar fate… So here’s our story….
A Bit of Background
This story is a little easier to understand with a bit of background and context.
My Dad and I started our journey into the fascinating world of Bitcoin back in 2013. We were very early adopters through a mixture of curiosity, dumb luck, and it aligning closely with our existing view of economics.
Stumbling across Bitcoin back then was just good fortune, but unlike a lot of people we didn’t immediately dismiss it. Instead, we became instantly hooked, speaking for hours on the phone as we tried to understand it, falling all over ourselves at what it represented and the disruption it promised.
We didn’t dismiss Bitcoin for one simple reason. We understood the problem it was trying to solve. As professional ‘armchair economists’ we understood that the modern monetary system we currently operate within is nothing more than an experiment. We understood that since coming off the gold standard in 1971 central banks and governments had given themselves licence to print money ad infinitum.
Most importantly, we had learned from history (see the collapse of Rome or Weimar Germany) that constant and unfettered monetary expansion ultimately results in collapsing currencies and economic catastrophe.
For us, the debasement of all fiat currencies meant rampant inflation was inevitable and when it came it would most certainly NOT be ‘transitory’….
Eager to protect our purchasing power from the malaise of Modern Monetary Theory (MMT) we spent thousands of hours studying Bitcoin. To us it made perfect sense that it would be preferable to store wealth in a currency that is not constantly debased and would likely increase in purchasing power.
This thesis proved true. We would see the money we stored in Bitcoin appreciate in purchasing power by many thousands of %. Meanwhile we watched Governments around the world print trillions in the name of fighting a pandemic and in the pursuit of war. Asset prices would rip, and Gen Z would finally accept that for most, home ownership was merely a pipe dream. Worse still, people with dissenting opinions faced the very real risk of having their bank accounts frozen.
This meant that over the last decade it began to feel more and more comfortable holding wealth in a superior monetary asset with a predictable inflation rate with no censorship or reliance on corruptible 3rd parties.
You could say we got a little too comfortable….
The Father / Son Trip of a Lifetime…. (Or so we thought….)
Like any die-hard Bitcoiners we were astonished and excited when El Salvador took the brave step to embrace Bitcoin as legal tender in 2021 and make it a core part of its economic strategy. Having speculated and pontificated for years over what a Bitcoin standard might do for society we were finally going to get a real-life glimpse of what might transpire.
Over the years we saw El Salvador’s prospects improve dramatically. Once a place where tourists feared to visit, it saw its homicide rate drop more than 90% moving from the highest murder rate in the western hemisphere to the lowest! Tourism and business have subsequently boomed. There is a palpable sense of hope and progress emanating from ‘Bitcoin country’.
We had to go and check it out for ourselves. And what better way for a father and son with a shared passion to share an adventure together?
It was meant to be the trip of a lifetime. It felt like a celebration and an opportunity to spend some of the time and freedom that Bitcoin had gifted to us. It was an opportunity to test drive living on Bitcoin.
The trip started as well as we could have expected. We spent time at the Adopting BTC conference in San Salvador, spending Bitcoin as a local currency, attending interesting talks and meeting up with Bitcoiners in real life that we had only ever spoken to online. We were having a whale of a time!
Little did we know that things would take a severe turn for the worse…
Discovering The Hack
Having thoroughly enjoyed ourselves at the Adopting BTC conference we arrived back at our Airbnb in San Salvador after the final day. Our minds were racing with possibilities and fervently discussing all the talks we had attended. Spirits were high….
Given this boost to our enthusiasm we excitedly started working on a project of our own we have been developing for a few months. An app aimed at driving Bitcoin adoption and use. I won’t go into detail, but the app we are working on relies on Bitcoin’s lightning network as part of its infrastructure.
Whilst working on it we wanted to do some testing and to achieve this meant we needed to add some funds to a Bitcoin lightning node we were experimenting with. We needed to transfer some funds from our Bitcoin stack….
And this is where our tumble down the rabbit hole would begin…..What happened next will remain seared in my brain forever.
My dad, sat at his laptop said just one word….
"F*CK"
Me, (not thinking much of it)....
"What’s up?"
Dad:
"I’ve been hacked."
What happened next was a whirlwind. We stood there looking at our wallet balances which should have had combined balances of over 25 Bitcoin ($1,000,000) attributed to them. They now read ‘0’.
Panic at this point sets in hard. A dose of adrenaline is released in such a wave it makes your whole body shake and your guts twist in a knot so tight you feel physical pain.
Soon after, the bargaining starts…..
Me:
"This can’t be real. This isn’t happening"
Dad:
"Well hang on, we did have to reorganise some things recently because of changing devices and splitting out some business and personal things. Maybe we’re just making a silly mistake here and we are looking at the wrong wallet."
He goes to his laptop to see if this is indeed just a fright rather than the real thing…
Me:
"Can you send me the Transaction IDs (TXID) of the Bitcoin leaving our wallets?"
Upon receiving them I went to a popular block explorer known as Mempool Space to track the transactions sent out from our Bitcoin addresses to better understand what was going on.
It was at this point the cold hard reality abruptly set in…..
The funds had been swept from our wallets almost a month prior on September 12th. The transaction IDs (TXIDs) of the funds leaving our wallets are as follows:
1) a2eea77741cd8dc122e4b36078518d5377389f01f050a492a1bf26216f7c971d
2) 3c4f5bff89acc20d592c438862e1ea583ed94cd02cc6b08b715a27253a4bac09
3) 52d24bd2e1e9391b39fa87cb62d794ad2e56f888cf1703ba50dfed0febab43e1
If you go to a block explorer like I did and enter these TXIDs in the search bar you can start following the transactions and where our stolen funds went. To make an already long story shorter….. our funds had been sprayed across the blockchain far and wide.
Upon seeing this activity, it was painfully obvious. These transactions were not sent by us, our Bitcoin was definitely stolen, and it was now attributed to addresses not controlled by us.
As my Dad so aptly put it…..
“FU*K!”
Going Viral; Bitcoin Community Assemble
The next 48 to 72 hours would not get any less surreal.
We felt like we were living in a vacuum. We knew our Bitcoin had been stolen and could to some extent track where it had been sent. Other than that, we felt completely lost.
Who do you call in a situation like this? Especially when you’re so many miles from home. Who would even know how to help with a situation like this?
As any true Bitcoiner already knows, the answer to these questions is likely to be “Nobody”. Bitcoin transactions are final and irreversible. Ironically, that’s one of our favourite things about it! What it does mean however is that this isn’t simply a case of calling your bank, calling foul, and having your funds reimbursed. This can’t happen when nobody controls the ledger. Once your Bitcoin is gone…. It’s gone.
Feeling lost I turned to the only people I knew might be able to help…. The Bitcoin community. And if there is one place you’re going to be able to reach the brightest minds in Bitcoin, it’s Bitcoin twitter.
Now I’m not a prolific social media user and I prefer a quiet life but given the situation I felt compelled to share it with the only people who I knew would understand.
I wasn’t prepared for what would happen next….
The amount of support we received was truly overwhelming. Whilst Bitcoiners often find themselves being labelled ‘toxic’ by the media this belies the real truth, which is that true Bitcoiners are some of the most intelligent, compassionate and talented people I have ever had the good fortune of meeting. Collectively the community poured out support and I was contacted by some of the most influential people in the space. Those with the requisite skills would spend countless hours trying to hunt down information about where our funds went and how the attacker might be tracked down.
I’m not going to name anyone specifically, as most of the people who reached out to help would prefer to remain anonymous, but you know who you are, and my appreciation knows no bounds.
Thanks to a veritable army of Bitcoiners we were in a much stronger position to understand what had happened and share this information with law enforcement to begin making our case and starting an investigation.
Whilst it’s true that Bitcoin transactions are final and irreversible that doesn’t mean to say that these stories never have a happy ending for victims. Law enforcement agencies do have sophisticated chainalysis tools to track transactions and if the hacker(s) are silly enough to interact with a Bitcoin exchange or service that knows their identity then there is a chance they can be identified. However, if the hacker(s) has enough expertise, then they can make use of certain tools themselves like Bitcoin mixing services that can hide their tracks making it extremely difficult to trace them.
Unfortunately, in our case, the latter is much more likely than the former.
For the sake of our own sanity, we are currently making peace with the fact that our funds are likely gone forever.
The Lessons Learned
So, what happened exactly and how did the hackers access our Bitcoin?
Well, for people who have been in the Bitcoin space for a long time, this is where the story gets a little embarrassing. Some unforgivable mistakes were made on our part. It would be easy to slink off with our tails between our legs and keep it quiet, but on balance it seems better to share our mistakes as it might help others avoid a similar fate.
- Bitcoin In Self-Custody
First off, it’s important to point out that despite recently losing our Bitcoin we did manage to keep hold of it for almost a decade. The only reason we were able to keep our Bitcoin safe for that length of time is that we were informed enough to know we should self-custody our Bitcoin rather than leave it in an exchange or entrusted to any third party.
Taking this approach most definitely prevented us from losing our Bitcoin any sooner than we did. Over the years we saw countless exchanges get hacked and untold numbers of unscrupulous custodians abscond with users’ funds.
We managed to avoid many calamities. We avoided the Mt.Gox hack and subsequent collapse in 2014 and over the next decade managed to avoid many other disasters; Bitfinex, Celsius, FTX, Voyager…. and the list goes on.
So, the first lesson to learn from this story is this;
Do not leave your Bitcoin on exchanges or with a 3rd party. It’s just a matter of time until you lose them. Do not be tempted to loan out your Bitcoin for a generous ‘yield’. If you don’t understand where the yield comes from that’s because YOU are the yield.
Ultimately…. You MUST self-custody your Bitcoin. If your Bitcoin is currently sitting somewhere like Coinbase… you’re doing it wrong and you’re going to have a bad time.
- Self-Custody - What Was Our Setup?
So we held our Bitcoin in self-custody. A good start….
So where did it all go wrong?
Well when you create a new Bitcoin address you create a pair of keys. One is a public key which acts as your receiving address (think of this like your bank account number). You can share this key with others as it allows them to send Bitcoin to you.
The other corresponding key is a private key. It’s not a great analogy but think of it like the PIN to your bank card. You must keep it secret. If people get access to your private key, then they can sign transactions and move your Bitcoin!
Here is an example of a pair of Bitcoin keys:
Public Key:
1DSsgJdB2AnWaFNgSbv4MZC2m71116JafG
Private Key:
E9873D79C6D87DC0FB6A5778633389F4453213303DA61F20BD67FC233AA3
As you can see, they are an unwieldy string of random numbers and letters.
Thankfully, in 2013 an improvement was made that allowed private keys to be generated and stored as a list of 12 or 24 words rather than a cumbersome string of random characters. This is known as a ‘seed phrase’ and having it allows you to recreate your private key.
A seed phrase looks like this:
The main thing to note here is that you need to:
A) Keep this seed phrase secret.
AND
B) Never lose it, or you lose access to your funds.
To solve this problem of storing our seed phrase we took the following approach….
1) We didn’t want to lose our seed phrase, or we would lose our funds. We needed to store them somewhere.
2) We decided to use a password manager to store the seeds. We didn’t want to use a 3rd party software like LastPass (which has famously been hacked before) so we chose a self-hosted (no 3rd parties) and open-source option called KeePass. We encrypted this file with a passphrase, but it did live on a device that regularly connected to the internet (Big mistake).
3) We know that hard drives can fail, so needed to create a back-up of the KeePass file containing our seed phrases. We chose to back up this file to the cloud so it would always be accessible (Another big mistake).
4) Finally both the access to the cloud storage account and the KeePass file were encrypted with a passphrase. Crucially, these passphrases only lived in our heads and were never written down. To access either the cloud account or our KeePass file you would need to get these passphrases.
Our Self-Custody Setup - Why It Was Inadequate
So, the question is…. How did the hacker identify us and access either our encrypted cloud storage account and/or our devices, take a copy of the encrypted KeePass file and manage to break into it?
Unfortunately, we don’t have any definite answers, just theories, but we do have some information that helps us understand why we were targeted, how they accessed our Bitcoin seed phrases and the mistakes we made that made it all possible.
The first telling piece of information we received was from law enforcement agencies. They showed us that our full names were attributed to our Bitcoin addresses. This is quite an alarming discovery as it means that it was essentially public knowledge that we held 25 Bitcoin. We can’t be certain, but we think it highly likely that this information being sold across the dark web is why we were targeted. It feels unlikely that these hackers just got lucky.
The next problem with our setup was that we stored our seed phrases on a file on a laptop that would connect to the internet daily. There are numerous threats out there that can give hackers access to your device and keeping files containing seed words (even if they are encrypted) on a device that regularly connects to the internet is simply a risk you do not need to take.
Furthermore, backing up these files to the cloud just created another attack vector for any would-be hacker. They might not be able to access your device but now they have another avenue to try and reach your critical information.
Finally, and sadly the final nail in our coffin was weak encryption. Ultimately the passphrases securing both the cloud storage account and the KeePass file containing the seed phrases were far too weak. They were 11 characters long and only produced about 30 bits of entropy.
Again, we can’t be certain, but our leading theory is that once the attacker had identified and targeted us, they could have quite easily ‘brute forced’ the weak passwords to break the encryption on our accounts and files and that was all she wrote….
To give you an idea of how easy it is becoming to break a poor password:
There could be other plausible explanations like key loggers installed on our device that record every key stroke and pick up your passphrase that way but for a variety of reasons I won’t go into here we think this is less likely.
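To put numbers on the 30-bit figure above, the following added example (not part of the original article) estimates how long an offline search of a passphrase-protected vault file takes at a given entropy, and generates a passphrase that reaches a chosen entropy target. PBKDF2-HMAC-SHA256 stands in for the vault's real key-derivation function, and the iteration count and the attacker parallelism factor are assumptions.

```python
import hashlib
import math
import secrets
import string
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret whose symbols are each drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def min_length(target_bits: float, alphabet_size: int) -> int:
    """Shortest uniformly random secret that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_passphrase(target_bits: float,
                        alphabet: str = string.ascii_letters + string.digits) -> str:
    """Draw the secret from the OS CSPRNG so the entropy estimate actually holds."""
    length = min_length(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def measure_kdf_rate(iterations: int, samples: int = 3) -> float:
    """Key derivations per second on one core of this machine.

    PBKDF2-HMAC-SHA256 is a stand-in (assumption) for the vault's real KDF.
    """
    salt = secrets.token_bytes(16)
    start = time.perf_counter()
    for i in range(samples):
        # Constructed inputs: only the cost of one derivation matters here.
        hashlib.pbkdf2_hmac("sha256", b"constructed-guess-%d" % i, salt, iterations)
    return samples / (time.perf_counter() - start)


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the secret: half the keyspace at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400 * 2:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


if __name__ == "__main__":
    ITERATIONS = 600_000   # assumed KDF work factor for the vault file
    PARALLELISM = 10_000   # assumed attacker speed-up over one local core
    rate = measure_kdf_rate(ITERATIONS) * PARALLELISM
    cases = {
        "article's passphrases (~30 bits)": 30.0,
        "11 uniformly random printable chars": entropy_bits(94, 11),
        "generated secret, 128-bit target": entropy_bits(62, min_length(128, 62)),
    }
    print(f"assumed guess rate: {rate:,.0f} derivations/second")
    for label, bits in cases.items():
        print(f"{label:38s}{bits:6.1f} bits  {humanize(expected_seconds(bits, rate))}")
    print("example generated secret:", generate_passphrase(128))
```

Length alone does not set the strength: 11 characters drawn uniformly from the 94 printable ASCII symbols carry about 72 bits, so a passphrase of the same length with only 30 bits was far from random, and a slower KDF adds only a few bits of margin on top of that.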
The Lessons Learned: A Summary
1) PRIVACY IS ESSENTIAL
If you are going to buy and hold Bitcoin, consider finding ways to achieve this without giving out personal (KYC) information to exchanges. It’s not a case of if but when these details will be leaked. Buying NON-KYC is certainly trickier but the privacy you get is worth it to increase your security. Consider that in our case it was a digital attack but given our details were circulating the web it could have easily been a physical and violent attack. There have been many such cases reported. It pays to learn about buying NON-KYC Bitcoin to enhance your privacy.
Given most people have already bought Bitcoin from venues that require KYC you can still enhance your privacy from there. You can investigate learning about coin-joins to mix your coins and break any links to previous Bitcoin addresses. This is for advanced users, but it’s something that should be on your list to learn about.
And consider your privacy more carefully in general. Did you buy a Bitcoin hoodie and ship it to your home address? What if that company’s data leaks because hackers are after a list of potential targets? It’s something worth pondering for a while.
(I now send ALL my post to a P.O. box so I never have to reveal my address)
2) DO NOT STORE BITCOIN SEEDS ONLINE
This one should be obvious enough and was one of the big mistakes we made. Storing any critical data online or on any device that regularly connects to the internet just increases the attack surface for someone to try and access it.
You should also be using ‘Air-gapped’ Bitcoin Hardware wallets for when you want to sign transactions. These devices allow you to make transactions without them connecting directly to the internet and exposing your private keys. We used them regularly.
It's important to note here that hardware wallets are often touted as the complete solution for Bitcoin security. This is false. They are extremely important, but they don’t solve every problem. It’s important to understand that you will still need to secure a seed phrase as a back-up to access your funds if you ever lose or break your hardware wallet.
There are a lot of options out there for this. You could record your seed on paper (but this faces the risk of fire or water damage) or you could stamp it onto metal plates. A metal plate can record them for a long time, and they aren’t connected to the internet!
Or you could go further and decide to split up your seed phrase and store different components of it on multiple metal plates in different locations or even countries. This means even if one plate is found then your funds are still safe. It does however carry the risk that you might find them harder to access as well!
Or you could of course just decide to memorise your seed phrase (typically 12 or 24 words). This is straightforward but is intrinsically vulnerable to head injuries!
The options I have listed above are far from exhaustive, but they show that whilst storing your seeds offline is essential, there is no ‘off the shelf’ perfect solution to self-custody. A lot of it is dependent on your own unique lifestyle, experience and skill level and needs.
3) CONSIDER A MULTI-SIGNATURE SET-UP
Bitcoin is programmable money and with that comes lots of interesting ways to secure and spend it. One of these is called ‘multi-signature’ addresses. In short, these addresses will only let funds move if transactions are signed with multiple signatures.
Multi-sig is very flexible. You could create an address that requires 3 of 4 private keys to sign a transaction or even 7 of 9. The choice is yours…
Having a multi-signature setup is one way to ensure your Bitcoin can’t be spent without multiple ‘parties’ signing off on it. The downside? You now have more information to store safely. Instead of storing one private key you now need to keep track of 3 or more. Everything has a trade-off!
To sum up….
I could go on and on about all the different approaches to self-custody that are available. The options for safely storing your Bitcoin are endless and each decision you take will come with its own trade-offs. The purpose of this post was to tell my story rather than write a guide on your self-custody options.
The take-away should be that self-custody is essential if you want to use Bitcoin properly but it’s something you need to explore carefully and thoroughly to protect yourself. With Bitcoin you can have all the benefits of ‘being your own bank’ but you need to accept and plan for the responsibility that comes with it.
What's Next?
So the first question to answer is probably;
“Will you ever get the Bitcoin back?”
At this point it’s currently under active investigation by the authorities and we are still waiting on more answers. I can only share so much. Ultimately the chances are slim but if any more comes to light or if we catch the attacker, I will hopefully be able to share more.
The next question I’m often asked is;
“That’s the end of your journey with Bitcoin, right? At this point surely, you’re turning your back on it for good?”
Definitely not.
If you think this post has shown why ‘Bitcoin doesn’t work’ then you have missed the point entirely. Nothing went wrong with Bitcoin here. This was user error, and the mistakes we made could have easily been mitigated.
I will continue to use Bitcoin because whilst I can correct these mistakes and mitigate the risks of something like this happening again, I can’t mitigate the risks of central banks printing money into oblivion causing rampant inflation.
The £ has lost almost 1/3 of its purchasing power in the last three years. Given I just had all my money stolen why would I seek to rebuild my life and wealth in a currency that is evaporating? I’ve taken a heavy blow, but I have not suffered complete leave of my senses.
Instead, I’m choosing to turn this outrageous turn of events into a win. I will continue to dedicate my life to Bitcoin and now with a renewed sense of purpose and a very clear mission….
To reach Bitcoiners with weak security and privacy before the hackers do and make sure they get their Bitcoin properly protected, to avoid sharing my fate.
That’s why this story is going to end on a high note. Amid the chaos of the last few weeks one of the first to reach out and offer help was an amazing company called The Bitcoin Way and I’m excited to share that I’ll now be working alongside them to make sure more Bitcoiners know how to secure and self-custody their Bitcoin properly.
The Bitcoin Way are cyber security experts with decades of experience. They have worked for years making data secure and now apply this knowledge to keeping your Bitcoin secure. They don’t hold your Bitcoin for you but instead expertly guide you through the process of getting your own self-custody as secure as possible for your circumstances and skill level.
They can help with a lot of things that I know too many Bitcoiners have not considered carefully enough:
If you’re a Bitcoin user looking at the list above and thinking ‘I don’t have all of that completely nailed’ then consider this…
When your radiator falls off the wall, you call a plumber. Yes, you could look up explainer videos on YouTube to figure it out yourself, but by then your house will be flooded.
When you need to self-custody your Bitcoin you could take the same approach and learn it all yourself. Or you could reach out to specialists who have dedicated their lives to cyber security and make sure you get it right first time.
When you’re in my shoes having just lost $1,000,000 in Bitcoin it looks like an agonisingly easy choice. I’ll leave a link in the comments where you can book a free call with the team.
It's a PVP world out there. Make sure you’re training.
What terrible news Rick Messitt and bad luck too. A very interesting, an honest, account though and good lessons in there. Hope you're doing ok.