A fool and his not-really-money are soon parted
-
-
Bitcon, the currency of the future, based on secure, stable cryptogra... places hand on ear What's that? Oh.
clears throat Ladies and gentlemen, we interrupt our scheduled feature, The Virtues of Bitcon and Why It's Not Too Late for You to Invest, to bring you this breaking news:
HOW THE ATTACK WORKS:
Attacker added tens of malicious servers to the Electrum wallet network.
Users of legitimate Electrum wallets initiate a Bitcoin transaction.
If the transaction reaches one of the malicious servers, these servers reply with an error message that urges users to download a wallet app update from a malicious website (GitHub repo).
User clicks the link and downloads the malicious update.
When the user opens the malicious Electrum wallet, the app asks the user for a two-factor authentication (2FA) code. This is a red flag, as these 2FA codes are only requested before sending funds, and not at wallet startup.
The malicious Electrum wallet uses the 2FA code to steal the user's funds and transfer them to the attacker's Bitcoin addresses.
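An added example, not Electrum's own code, of what the attack relied on and what the fix changed: a constructed error reply from a rogue server is either handed to a rich-text widget untouched (so the anchor becomes a clickable link) or escaped to literal text, and the client flags a reply that carries a URL or an "update" instruction, since a protocol error has no business telling the user to download anything. The reply shape, the function names and the placeholder link are assumptions.

```python
import html
import json
import re

# Matches a URL embedded in text; stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed stand-in for the error reply a rogue server returned to a
# transaction broadcast; the link target is a placeholder, not the real repo.
ROGUE_REPLY = json.dumps({
    "jsonrpc": "2.0",
    "id": 7,
    "error": {
        "code": 1,
        "message": 'Transaction rejected. Please <a href="https://example.invalid/electrum-update">'
                   'update your wallet</a> immediately.',
    },
})


def rogue_message() -> str:
    """The raw message string inside the constructed reply."""
    return json.loads(ROGUE_REPLY)["error"]["message"]


def render_unsafe(message: str) -> str:
    """Pre-fix behaviour: the server string goes to a rich-text widget untouched,
    so the anchor tag turns into a clickable link in the wallet's error popup."""
    return message


def render_safe(message: str) -> str:
    """Post-fix behaviour: escape markup so the server string can only ever be
    shown as literal text, never interpreted as HTML."""
    return html.escape(message, quote=True)


def classify_server_error(reply_json: str) -> dict:
    """Treat a server reply as untrusted data: escape it for display and flag
    anything that reads as an instruction to the user rather than a protocol error."""
    reply = json.loads(reply_json)
    err = reply.get("error")
    if not err:
        return {"ok": True, "display": "", "urls": [], "suspicious": False}
    msg = str(err.get("message", ""))
    urls = URL_RE.findall(msg)
    suspicious = bool(urls) or "<" in msg or "update" in msg.lower()
    return {"ok": False, "display": render_safe(msg), "urls": urls, "suspicious": suspicious}


if __name__ == "__main__":
    verdict = classify_server_error(ROGUE_REPLY)
    print("rich-text rendering would interpret:", render_unsafe(rogue_message()))
    print("escaped rendering shows:", verdict["display"])
    print("urls found:", verdict["urls"], "suspicious:", verdict["suspicious"])
```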
-
@izzion said in A fool and his not-really-money are soon parted:
If the transaction reaches one of the malicious servers, these servers reply with an error message that urges users to download a wallet app update from a malicious website (GitHub repo).
User clicks the link and downloads the malicious update.
FIXED!
After receiving news of attacks, the Electrum team responded by silently updating the Electrum wallet app, so these messages don't render as rich HTML text anymore.
Some users were more inconvenienced than alerted. These users manually copy-pasted the text link shown inside the popup into their browser, and then downloaded and installed the tainted Electrum wallet update.
-
@izzion said in A fool and his not-really-money are soon parted:
Bitcon, the currency of the future, based on secure, stable cryptogra... places hand on ear What's that? Oh.
clears throat Ladies and gentlemen, we interrupt our scheduled feature, The Virtues of Bitcon and Why It's Not Too Late for You to Invest, to bring you this breaking news:
HOW THE ATTACK WORKS:
Attacker added tens of malicious servers to the Electrum wallet network.
Users of legitimate Electrum wallets initiate a Bitcoin transaction.
If the transaction reaches one of the malicious servers, these servers reply with an error message that urges users to download a wallet app update from a malicious website (GitHub repo).
User clicks the link and downloads the malicious update.
When the user opens the malicious Electrum wallet, the app asks the user for a two-factor authentication (2FA) code. This is a red flag, as these 2FA codes are only requested before sending funds, and not at wallet startup.
The malicious Electrum wallet uses the 2FA code to steal the user's funds and transfer them to the attacker's Bitcoin addresses.
It's still only an example of the exchanges and wallet managing software being unsafe, not so much the cryptocurrency itself. If a bank doesn't send too many phishing warnings then a victim might just as well wire US dollars to the scammer...
What surprises me more though: how is it still worth stealing?!?
-
@JBert They might just be easy targets; some people get a kick out of seeing if they can succeed.
-
@kazitor said in A fool and his not-really-money are soon parted:
@JBert They might just be easy targets; some people get a kick out of seeing if they can succeed.
Could also be a forgotten automated attack that can still afford to keep buying itself instances to run on.
-
@DCoder said in A fool and his not-really-money are soon parted:
But the ability to paypal or western union or otherwise send to people without their consent exists and is not illegal or unethical.
O.M.F.G. you idiot.
I can paypal or WU money to someone directly, even without their consent, because I am sending it TO THEM. They can refuse, and the money (minus service fees) would make it back to me or get lost in the system.
I cannot tell people to paypal or WU money TO ME because I claim to be representing a third party. That is the exact definition of illegal, unethical, and is the foundation of nearly every scam on the internet.
Idiot. IDIOT.
-
The sweet smell of schadenfreude lies over the land…
And just as the public had been given every possible blockchain explainer that could be written, the whole thing collapsed. The bubble popped.
Today the price of Bitcoin — $US19,783 last December — is $US3,810. Litecoin was $US366 a coin; it's now $US30. Ethereum was $US1,400 in January; today it's $US130.
Those still chipping away at crypto dreams insist that this is all a good thing because only the serious ones, the true crypto believers, remain.
Not everyone is struggling in the downturn. For lawyers, it is a new gold rush.
"Now that the market dropped, everyone is getting sued," said Chante Eliaszadeh, a law student and the president of a blockchain law club called Blockchain at Berkeley Law.
She said the legal scene is pretty exciting right now. As the Securities and Exchange Commission cracks down, some scammers are trying to escape to Bali or Malta, where regulations are more lax.
-
@DCoder "At least the lawyers are having fun" is probably not a phrase you want associated with the currency of the future(tm).
-
@Kian said in A fool and his not-really-money are soon parted:
@DCoder "At least the lawyers are having fun" is probably not a phrase you want associated with the currency of the future(tm).
I believe the technical term is "shark feeding frenzy". And yes, they can smell the ~~blood~~ money.
-
There is a galaxy brain joke here somewhere…
https://www.reddit.com/r/Bitcoin/comments/a9y5hr/my_own_experience_that_is_teaching_me_about_brain/
On a whim, I just created a wallet. I put a very small amt of $ in it. And within 3 seconds, it was emptied out.
What phrase did you use?
I used moneymoneymoney.
-
@DCoder I had to look that up.
Looks like attackers are watching a bunch of Bitcoin addresses which are likely to be generated with a particular software and a weak pass phrase seed. If they see any currency incoming they just try the guessed pass phrase to generate a corresponding private key and if that corresponds with the incoming transaction's public signature they can immediately exfiltrate the money.
Whoever thought about letting users enter their own seed input for cryptographic algorithms needing a high entropy is either the most misguided individual on earth or the world's best scammer.
People also haven't watched this DEFCON talk...
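An added example, not from the post or from any wallet software, of the mechanism described above and of the gate a wallet should have applied instead: the classic brain-wallet derivation (SHA-256 of the phrase) is deterministic, so the cost of the attack is the cost of guessing the phrase, which is estimated here against a constructed toy word list rather than by how random the string looks. The word list, the 128-bit threshold and the function names are assumptions.

```python
import hashlib
import math
import secrets

# Constructed toy word list. Real attackers precompute keys for lists with
# millions of entries; a bigger list raises the estimate only slightly, since
# three dictionary words remain a handful of bits, nowhere near a 256-bit key.
COMMON_WORDS = ("bitcoin", "crypto", "love", "money", "password", "satoshi", "secret", "wallet")


def derive_brainwallet_key(passphrase: str) -> bytes:
    """Classic brain-wallet scheme: the private key is just SHA-256 of the phrase.
    Deterministic by design, so whoever guesses the phrase gets the identical key."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def _split_into_words(text: str):
    """Greedy split into known words; None if some part is not a known word."""
    words = []
    i = 0
    longest_first = sorted(COMMON_WORDS, key=len, reverse=True)
    while i < len(text):
        for w in longest_first:
            if text.startswith(w, i):
                words.append(w)
                i += len(w)
                break
        else:
            return None
    return words


def estimate_search_bits(passphrase: str) -> float:
    """Pessimistic estimate of how many bits an attacker must search. A phrase
    made only of known words costs len(list)**count guesses; anything else gets
    a per-character estimate from the character classes it uses."""
    words = _split_into_words(passphrase.lower())
    if words:
        return len(words) * math.log2(len(COMMON_WORDS))
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33
    return len(passphrase) * math.log2(pool) if pool else 0.0


def is_acceptable_seed(passphrase: str, min_bits: float = 128.0) -> bool:
    """What a wallet should do with user-typed seed input: refuse it unless the
    estimated search cost reaches min_bits (assumed threshold)."""
    return estimate_search_bits(passphrase) >= min_bits


def generate_seed() -> bytes:
    """The safe alternative: 256 bits from the OS CSPRNG, never typed by a user."""
    return secrets.token_bytes(32)
```

Running it on the phrase quoted above gives an estimate of 9 bits (three words out of eight), which is why the funds were gone within seconds of arriving.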
-
@JBert
I'm just surprised that anyone in the Bitcon scene has money left. Most lawyers I've known adhere pretty strongly to the old saying about blood and turnips.
-
@izzion said in A fool and his not-really-money are soon parted:
@JBert
I'm just surprised that anyone in the Bitcon scene has money left. Most lawyers I've known adhere pretty strongly to the old saying about blood and turnips.
I would guess they're after the people who "conveniently retired" from the Bitcon scene when their 3rd Lamborghini got paid off.
-
Translation
Facts are a barrier to lawyer jokes
-
@DCoder said in A fool and his not-really-money are soon parted:
"Brave believes opting every creator into their system, and holding donations without consent, is ethical and in line with privacy laws. They also claim that a domain name or YouTube channel URL is not personally identifiable information. I disagree strongly with both of those."
The thing they're doing is bad and dumb, but so is this.
-
Advertising on reddit today: shovels for losers...
The crypto markets had a volatile 2018, and that might mean you lost money on your cryptocurrencies. Of course, that’s not the outcome any of us hope for, but the good news is that there is a way to recoup some of that apparent loss.
-
@Lorne-Kates said in A fool and his not-really-money are soon parted:
Idiot. IDIOT.
Think you a word
-
@DCoder said in A fool and his not-really-money are soon parted:
For lawyers, it is a new gold rush.
"Lawyers will always find a way to make money from a bad situation" is true for reasons very similar to the reasons cockroaches are expected to survive a nuclear holocaust.
-
@HardwareGeek
pictures cockroach lawyers in a nuclear holocaust...
-
@topspin That's insulting to cockroaches!
-
@HardwareGeek That, but not the antecedent, is insulting to lawyers.
-
@JBert said in A fool and his not-really-money are soon parted:
If a bank doesn't send too many phishing warnings then a victim might just as well wire US dollars to the scammer...
Yeah-- except that when I log into my bank account online, that request is handled 100% by the bank itself-- not some random third party server that is "just trusted" to handle the transaction properly.
-
@Gribnit said in A fool and his not-really-money are soon parted:
@Lorne-Kates said in A fool and his not-really-money are soon parted:
Idiot. IDIOT.
Think you a word
Nope.
-
So I saw this on Netflix and thought it’s a good joke for the fool‘s-money thread. But, just as you might expect, when I tried to google the clip it turns out that PotCoin is actually a real shitcoin. Well, as real as shitcoins get, anyway. Because off-fucking-course it is.
-
@topspin: Does SpectateSwamp know about this?
-
@Zerosquare
SSDS Blockchain edition?
-
“The group recruited electricians who managed to break into the sealed meters in order to add in private lines to use electricity for free before that usage reaches the meters.”
-
@Zerosquare said in A fool and his not-really-money are soon parted:
@topspin: Does SpectateSwamp know about this?
Nobody shares wallet keys like this!
-
@Zerosquare said in A fool and his not-really-money are soon parted:
@topspin: Does SpectateSwamp know about this?
You’re supposed to smoke grass, not swamp.
-
@boomzilla said in A fool and his not-really-money are soon parted:
@Zerosquare said in A fool and his not-really-money are soon parted:
@topspin: Does SpectateSwamp know about this?
Nobody shares wallet keys like this!
Put a noodle in it and verify it through a distributed ledger!
-
@DCoder said in A fool and his not-really-money are soon parted:
“The group recruited electricians who managed to break into the sealed meters in order to add in private lines to use electricity for free before that usage reaches the meters.”
- I hope my shitminers do this, because it increases the chance that they'll remove themselves from the gene pool
- What's the general law around this? If I use stolen X to manufacture or produce Y, who owns Y?
-
@Lorne-Kates said in A fool and his not-really-money are soon parted:
- What's the general law around this? If I use stolen X to manufacture or produce Y, who owns Y?
Usually the damaged parties will be awarded first, everything that remains will go to the state.
-
@Lorne-Kates Have you considered a ledger which runs on expensive Japanese analytic toilets, using the results as required randomizer inputs and parts of the signature? H'mmm?
-
@Gribnit said in A fool and his not-really-money are soon parted:
@Lorne-Kates Have you considered a ledger which runs on expensive Japanese analytic toilets, using the results as required randomizer inputs and parts of the signature? H'mmm?
Yes, but you need a very powerful laxative for a seed to generate enough entropy in the system.
-
@Lorne-Kates You nanocrowdsource that in a self-funding fashion, in other words by selling videos of it on the interwebz.
-
Time to wrap up the year with one last look at how those "top 4 Japan Crypto exchanges" closed out.
Original post: https://what.thedailywtf.com/post/1310295
First revisit: https://what.thedailywtf.com/post/1345724
Second revisit: https://what.thedailywtf.com/post/1415370
And last revisit begins...... now!
Number 4: SBI Virtual Currencies
As of Sept 20th, this "first ever bank-backed, exclusively XRP (Ripple)" currency hadn't yet started operations, because they failed their government security checkup. And were months overdue fixing it.
But then Japan officials ~~got bribed enough~~ decided all on their own that cryptocurrency companies are ok regulating themselves, so we never heard from that again. Any mention of SBI failing their security checkup has been scrubbed from its own website, so presumably they never did fix it.
They still haven't opened their exchange yet, but near the end of December they made an announcement that they have an undisclosed magical way "to enable the three cryptocurrencies to be received from other exchange wallets." The technology doesn't exist yet, and hasn't been rolled out to anyone. Upon that announcement, XRP (Ripple) dropped from $0.36 USD to $0.35 USD (which is still down from the expected $3 USD).
I can't find any information as to if they are still "bank-backed", or which bank is backing them. So I have to assume that everything that put them in the top 4 has gone down in flames. Bank-backed? Nope. Secure? Nope. Exclusively Ripple? Nope.
Resounding success!
Number 3: Zaif
After many, many, MANY fuckups and hacks, Zaif is basically dead.
Five days after our last checkup, when Zaif lost $60M in coins for some stupid reason, the FSA (Japan's SEC) gave them a third warning, telling them their response to the hack was not sufficient.
The FSA says they (paraphrase) "regret ever letting Zaif continue doing business after its second warning, and should have suspended it immediately."
Zaif claims a "hacked employee PC" was responsible for the loss. How? Why? We'll never know, because they literally didn't tell anyone.
They were immediately bought out by another exchange, who will spend $40M to compensate users for the $60M in losses.
As of Nov. 22nd, Zaif is gone. People had until Dec 31st to do shit with their wallets. Poof.
Number 2: bitFlyer
They never complied with the FSA's "stop business" order. Like all exchanges, they effectively died. But like all good ~~scams~~ corporations, they avoided all responsibility whatsoever.
BitFlyer was acquired by Bitflyer Holdings Inc. The director of BitFlyer was forced to resign for his fuckups and is out of work. Lol just kidding he just stepped down then instantly became CEO of Bitflyer Holdings.
BitFlyer Holdings, BTW, is just a shell company BitFlyer made up so they could sell BitFlyer to themselves and sidestep the law.
So, this wonderful, totally legitimate and scrupulous new company will be opening an exchange soon under Japan's new "let them self-regulate" laws. I suspect we'll hear from them again in this thread. But of all intestine purses, the exchange is dead.
Number 1: Coincheck
Somehow-- mindbafflingly somehow-- these assholes are still around. Sort of.
Last we checked, after multiple hacks, including losing $500M, they were acquired by Monex. Some users would get compensated pennies on the dollar.
And then, again quite coincidentally, after the FSA suddenly became crypto-friendly for no bribe-related reasons, Coincheck was GRANTED AN OPERATING LICENSE!
And they are planning on re-opening the exchange!!
And despite all those red flags, there is yet another nugget of redflag buried in there when the company says...
The operator, which was acquired by Monex Group for $33.5 million, warns customers that trading services may be temporarily suspended if the platform experiences a significant increase in the volume of transactions or sudden price fluctuations.
Which translated means: "We are literally operating without any money backing things. As long as everything goes 100% perfectly and we make a profit, we're good. If ANYTHING goes wrong, we don't have the funds to cover you, and you, idiot, will be out all your monies."
Anyone who signs up with them deserves what they get.
So, in conclusion, in the span of 11 months, the top 4 Japan exchanges managed to
- get hacked multiple times
- crash a currency (or be attached to a currency that crashed, six of one really...)
- lose nearly a billion dollars of their users money
- operate so shittily that the government had to invent an entirely new regulatory body!
- Somehow bribed enough politicians to then get that regulatory body neutered
- All four of them were effectively shut down or bankrupted
- Anyone left alive was because of shell-company bullshit that will allow everyone to dodge responsibility and squeeze blood from the zombie of what was.
2018 Crypto, everyone!
-
@Lorne-Kates said in A fool and his not-really-money are soon parted:
Zaif claims a "hacked employee PC" was responsible for the loss. How? Why?
"We took all your money and left. LOL."
-
@Lorne-Kates said in A fool and his not-really-money are soon parted:
2018 Crypto, everyone!
Stable.
-
@boomzilla said in A fool and his not-really-money are soon parted:
@Lorne-Kates said in A fool and his not-really-money are soon parted:
2018 Crypto, everyone!
Stable.
Stable like a hurricane.
-
@Lorne-Kates said in A fool and his not-really-money are soon parted:
@boomzilla said in A fool and his not-really-money are soon parted:
@Lorne-Kates said in A fool and his not-really-money are soon parted:
2018 Crypto, everyone!
Stable.
Stable like a hurricane.
Here I am?
-
Don't get caught with an unsold shovel inventory, or the lawyers will get to have their day...
-
@izzion said in A fool and his not-really-money are soon parted:
Don't get caught with an unsold shovel inventory, or the lawyers will get to have their day...
Lawyers are usually bad enough as is, but I find lawsuits of stockholders who didn't make as much money as they thought they would utterly frivolous.
Who is the class here? The stockholders who bought in a certain time frame. But all stockholders had the same information. So unless any possible damages come directly out of the personal pockets of NVIDIA's executives instead of the company, this is just taking money from some shareholders and giving it to others, unfairly.
-
@izzion One thing mentioned in the lawsuit was that a bunch of Nvidia C-levels were selling stock around the peak before the dive. But someone also pointed out such things need to be approved months in advance, so could just be coincidence, but yeah...
-
@topspin said in A fool and his not-really-money are soon parted:
taking money from some shareholders and giving it to others, unfairly.
Business as usual.
-
@kazitor said in A fool and his not-really-money are soon parted:
@topspin said in A fool and his not-really-money are soon parted:
taking money from some shareholders and giving it to others, unfairly.
Business as usual.
Business implies offering some sort of useful good or service. We're talking Chief Sociopath Officers and stockholders. They're as related to business as an Excel spreadsheet is to a game of Tetris.
This is capitalism as usual.
But when capitalism and crypto cross-sect and ANYONE involved loses, it's a win for everyone else. Even just for the laurfs.
-
@sweaty_gammon MasterCard provides value through consumer protections, and uses fees to recover their costs. Bitcoin is the digital equivalent of putting cash in an envelope and mailing it to some random chap.
-
@bb36e You're a bit late trying to convince him – he gave up before I'd even registered.
-
@Lorne-Kates said in A fool and his not-really-money are soon parted:
Excel spreadsheet is to a game of Tetris.
I guessed it had been done ... but appears to have been done a dozen times.