$600m in cryptocurrencies swiped from Poly Network Poly Network, a Chinese biz that handles transactions across various blockchains, urged thieves to return $600m of digital cash stolen from it in what it called the “biggest [attack] in DeFi history.” DeFi is short for decentralised finance. Poly Network's technology can be used to exchange cryptocurrencies; it can be used to …
“Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions"
You know this Chinese crypto company you used, you know the ones from the country where cypto transactions are banned? Well they know these blokes in North Korea who are absolutely pissing themselves laughing at the moment.
Well, it handily takes $600 million out of the crypto pool, locking it as 'stolen assets'. So there is $600 million less to compete with if you're liquidating another account and exiting due to China's crackdown on crypto.
So, whenever I see one of these "someone stole our crypto", or "CEO dies in India and took the password with him and that's why we collapsed"... I immediately wonder if that is true.
The fake theft scenario runs like this:
Suppose that China is to crack down further on crypto .
People connected to PolyNetwork want to ditch their crypto, but they know that will tank and collapse their fake asset. They need to lock in others to keep the crypto afloat while they, themselves, exit.
Fake theft happens. This handily locks in $600 million, while they sell off. After they sell off, those crooks can return said crypto.... now worth $0. Company winds up, job done.
Does that make a lot of sense? Well for one thing, if China then does do a major new crackdown, and crypto-crapto is tanking ahead of that, (as if they are aware of impending crackdown), then in my mind that would confirm my hypothesis.
To the downvoters, there known as "exit scams", they make far more sense than theft.
Somebody steals crypto-crapto and transfers it to their 'swag' bag, and everybody in the blockchain can trace every amount transferred in and out of that 'swag' bag. Not just the stolen crypto-crapto, but anything else in that bag.
At some point that crypto would have to hit the real world, and the crypto-crapto would be traceable to the thief.
It's like stealing the ultimate in marked bills: Where the bill phones home and reports its every whereabout TO EVERYONE ALL THE TIME.
Theft of crypto makes no sense. Whenever I see the claim, I suspect shenanigans! SHENANIGANS!
So here I'm pointing out how a thief can ACTUALLY take their winnings, and that is simply to be the person exiting the Ponzi scheme ahead of the others. And doing that by locking out the others with a fake theft.
Same theft, but now there is a way for the crooks to take their ill gotten gains. An exit-scam.
It doesn't have to be a theft, it can be "oops our CEO died in India and took the password with him luckily he signed a will 12 days earlier" or "oops our exchange staff disappeared and so did all this crypto".
Quite common to claim theft too.
e.g.
https://www.bloomberg.com/news/articles/2021-06-23/s-african-brothers-vanish-and-so-does-3-6-billion-in-bitcoin
Africrypt : "The first signs of trouble came in April, as Bitcoin was rocketing to a record. Africrypt Chief Operating Officer Ameer Cajee, the elder brother, informed clients that the company was the victim of a hack. He asked them not to report the incident to lawyers and authorities, as it would slow down the recovery process of the missing funds."
https://news.bitcoin.com/court-summons-mirror-trading-international-executives-btc-global-scam/
Mirror Trading International: The court document explains that between September 2017 and March 2018, the defendants “conducted business under the names and style of BTC Global or BTC.” This scam claimed to allow clients to invest in a trading pool managed by a “master trader” called Steven Twain...there is no evidence that Twain ever existed. In addition, when investors could not withdraw their funds from the scheme, they were informed that Twain was attacked in his home and his equipment was stolen."
Lots and lots of exit scams, heres a tiny list:
https://selfkey.org/the-ultimate-list-of-exit-scams-how-to-spot-one/
PlusToken – $2.9 Billion
Bitsane
Coinroom
Pure Bit
MapleChange
Modern Tech
Centra
LoopX
BitConnect
Exit scam does sound like the most likely scenario given the facts. If it is theft though, I don't think the tea leaf would be as stuck as you think.
Assuming they find an exchange that isn't blocking the wallet address, can they not just flip the marked coins for a something untraceable like Monero? That or use a tumbling service? Or programmatically shunt the coins around to thousands of wallets making it impracticable for exchanges to block?
You've still got the issue of having to liquidate $600m to useful assets but if patient it could be done without raising any flags.
I don't know how traceable these currencies really are though. Because they have "tumblers" who mix up huge numbers of transactions, in order to make sure there still is anonymity. It would make sense for the legitimate businesses using these coins to refuse to have anything to do with coins that have recently (or even ever) been through tumbers - in order to incentivise legitimate users not to use them. Thus leaving them only for the criminals.
known as "exit scams", they make far more sense than theft
I'd estimate an exit scam is about as probable as straightforward theft. It's not like we haven't had other massive cryptocurrency thefts (e.g. the DAO), and someone who finds a vulnerability that enables this sort of theft – highly probable – and is sufficiently unethical to exploit it – also probable – will likely take the chance even knowing it may not be possible to make use of all of the stolen assets. The associated risk is very low, so if you have no moral qualms, why not?
Shrug. Most of the victims are going to be legitimate cryptocurrency fans, high-risk investors, or small-time criminals. The chances of identifying the attacker are very low.
The DAO attacker retained around $8.5M (circa April 2021; I haven't looked for more recent figures) in ETC even after the post-DAO hard fork of Ethereum, and hasn't been identified yet. Probably never will be.
It wouldn't be hard to launder $300M in cryptocurrency, as long as you're patient and don't try to convert a lot at once. While there has been some promising work on de-anonymization and tracking of cryptocurrency transactions, including "tumbling" and other laundering operations, it's still quite limited, particularly against operators who have decent opsec.
I'm certainly not endorsing this sort of thing, but as criminal enterprises go I think it's both lucrative and low-risk, and so I expect we'll continue to see quite a lot of it.
“Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions"
Interesting question: I'm not aware of any country that recognises digital currencies as legitimate currency, So is this a financial crime? You don't get government backed guarantees as you do with that country's issued "dollar". Computer intrusion crime definitely. Theft, maybe, financial crime, debatable. If they do ever catch the guy/girl it would be an interesting test case in court. Well for those countries that have a semblance of innocent until proven guilty.
UDHR Article 11.1
It used to niggle me too, but it's logically sound, and fits with:
REPEAT
...<Freedom>
UNTIL boolGuilty
So it satisfies the programmer in me! (Although I avoid bottom conditional loops, unless absolutely necessary and every clock cycle counts.)
"I'm not aware of any country that recognises digital currencies as legitimate currency, So is this a financial crime?"
Yes, it would usually be. None of the major countries recognize cryptocurrency as currency, but most do recognize it as a thing you invest in, so it will likely be treated like a crime involving securities, gold, or similar. Then again, most criminal statutes aren't very different between financial or nonfinancial--if you steal things or money, they'll usually use similar laws to charge you if you get caught. Extra laws exist for financial crimes of other types, but that's for things like tax evasion. While it has little meaning, I think the statement is essentially correct.
And remember, the more you steal the less time you will do. Steal a couple of hundred dollars in a burglary and you'll probably end up doing 5-10. Steal a couple of hundred million dollars and you'll do 3-5 in a minimum security prison (and be out in 2 or 3, probably with an offical pardon).
Remember kiddies, go hard or go home...
Then you're not aware that El Salvador has declared Bitcoin its legal tender, along with the US dollar.
Nor about the efforts made in the US and plenty of other countries to tax the income made using crapcoins, which definitely means it's officially considered something of value by governments, right there with stock and other assets.
Indeed. I believe the current status in the UK, for example is that money made from dealing in cryptocurrencies (in fiat currency) is treated as money made from buying / selling any other investments and is subject to capital gains tax. The threshold for paying such is currently £12,300, so unless you're making serious money from it, it goes untaxed just the same as selling your old tat on eBay. Note that CGT is paid on profits as well, and not on amount, so if you bought £1M in bitcoin and sold it for £1,012,300, you'd still pay no CGT on it.
El Salvador's president can run whatever scam he wants but in reality the currency in El Salvador and between El Salvador and the rest of the world is the US dollar. This is a cheap stunt by a nasty dubious populist 'politician'. He'll siphon off funds for himself ready for when he has to skip the country.
Fools and their money are easily parted.
It doesn't matter whether they're recognised as currencies or not: they're tradeable assets and as soon as the trader is licensed the action can be treated as theft. Unlicensed trading is generally considered to be illegal.
But the real problem is that the licences for trading have been handed out to easily. Regulators are now waking up to something that has been compared with "the wild west". Make no mistake: most people involved in the trading know that they are engaged in highly speculative assets but if things continue unchecked the next asset crisis is only a matter of time.
You hear it all the time on the nightly news. Police urge the offender(s) to turn themselves in. It is only a matter of time before we catch up with you.
It rarely works.
In this instance the better threat would be.
"Whilst we present a legitimate business, in reality a majority of our clients are criminal enterprises. You have stolen the ill gotten gains from dozens of drugs cartels and criminal syndicates. Would you prefer the tender mercies of the Chinese government or hunted down by our customers?"
I dunno, $600 mill pays for your own private army, or any number of assassinations of irate gang leaders. It's just business so I'm sure they won't take it personally.
On the other hand it's probably easier to move to a banana republic and pay off the chief of police for your protection - cheaper than the Merc army anyway.
Put it this way, if you'd nicked a few Billion the idea you'd personally be in danger is fairly low as you simply how enough specialists to keep you safe, providing your actually follow their advice and don't start flaunting your ill gotten gains in public places.
Just a thought...
The only problem with that approach is that it's not true and the attackers know it. This isn't going to include funds from powerful criminal organizations. It will mostly include funds from small and pathetic criminal organizations and some actual investors, neither of which is usually willing to spend extra money on a mission of revenge. The places that perform acts like ransomware which result in crypto payments are made up of criminals, and they are large enough that they could attack someone who was getting in the way, but they don't have private armies or the assets to perform that kind of investigations. The large drug distribution groups are large enough that they don't need to bother with cryptocurrency unless they want to invest in it--they already use a more rigorous array of financial systems for handling their loot because they have so much of it and because they operate in such a large area that they can commandeer large chunks of the infrastructure that exists there.
The only large organization that I know of that uses a lot of crypto is North Korea. If this was used by North Korea for international storage, the thieves may have an issue. However, based on the way North Korea usually stores the money we know about, it would seem much more likely that, if they're involved, they're the ones who stole the coins. They have a history of large thefts so it is in character.
It's not every time. There are a lot of exit scams, but there are also a lot of real hacks. Investors who invest without learning how the thing they're investing in works don't seem to realize that cryptocurrencies function a lot like cash. They then act surprised when someone breaks into the inadequately secured storage and takes it and they don't have an automatic backout ability. That makes thieves quite eager to go steal from wallets or exchanges that didn't do their homework, especially if they think everybody will assume it's an exit scam.
Merkle graphs have plenty of applications, including in filesystems and change-tracking mechanisms. Like, say, git. I'm not a fan of git myself, but it's pretty popular.
Rebranding (degenerate1) Merkle trees as "blockchain" and using them for funny money may be a daft idea, but that doesn't make them an inherently bad idea.
General Merkle DAGs are really popular in some industry sectors right now, such as IoT with IOTA and the Tangle, which for some reason many commentators are treating as something wildly innovative when it's Just Another Merkle Graph. But in any case it's being wide adopted and standardized, and arguably is a pretty good fit for the problem domain (unlike cryptocurrency, which in pretty much all of its diverse forms is full of stupid drawbacks).
1A blockchain is just a Merkle tree (i.e. a Merkle graph, which is always a DAG, with a single root node) where all branches but one favored one are periodically pruned, converting it back into a singly-linked list.
No, that's not it. They have learned (hopefully) that if you put all your money in a central place, then you've drilled a hole through all the benefits that decentralization brings with it so you might as well use something that was designed to be centralized. You can keep your own crypto in a decentralized manner and it's usually more secure if you're careful, but a lot of people are too lazy to do so.
Oh, lord, yes. I don't know why financial criminals are wasting their time with anything else.
Let's take ETH as an example. As of 7 July 2021, approximately 31% of ETH was tied up in smart contracts1, for a total of around 9M ETH.
At the moment 1 ETH has a nominal price on exchanges of around $3200.
So we have Ether smart contracts holding the nominal equivalent of about $3B USD. Three. Billion. Dollars.
The DAO was a "leaderless organization" created with Ether smart contracts. In 2016 a bug in those contracts let someone steal 3.6M ETH, worth around $60M at the time, by forking the DAO. That led to a hard fork in Ethereum and its split into the current Ethereum and Ethereum Classic (ETC). The DAO attacker was able to keep about $8.5M worth of ETC.
Writing safe, correct smart contracts appears to be extremely difficult. A 2018 paper found that around 95% of the smart contracts studied had exploitable vulnerabilities.
Assuming the situation hasn't improved by more than 10% in the following three years (and I wouldn't be surprised if it hasn't improved at all), that suggests around $2.5B is there for the taking, with some degree of effort.
While the largest bank robbery on record netted $282M, that was an inside job and an extreme outlier. In the US, at least, bank robberies average a few thousand dollars (e.g.$9521 in 2012), and a large portion are unsuccessful.
1Which are neither.
Digital bank robberies are likely even more difficult to pull off, at least at any large scale. I'm sure all kinds of red flags will pop up if some account that isn't normally transacting in 100's of millions suddenly gets 600 million transferred into it and then someone immediately tries to cash out or transfer the money elsewhere.
From the Bangladesh Bank bank robbery, all you need to do is make sure you can spell. Only $81m i think it was got stolen, but only because they needed to check the spelling of a transfer as it was incorrect. Otherwise close to $1B would have been stolen.
Focus on fraud has been on cards, not account to account transfers originating from within the bank, that is now changing (I work at a company that one of the things it does is fraud detection).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
