This first-person account of a cryptocurrency hack was verified by Forkast. The writer requested not to be identified due to repeated phishing attacks.
First, let me tell you about the cockroaches.
The worst holiday I ever had started in Thailand, Phuket Island to be exact, more than two decades ago. I’d rented a motorbike, wasn’t paying attention, skidded on a patch of loose gravel — broke a collarbone and gashed up most of my left arm.
A doctor on the island dressed the scrapes and cuts, put me in a sling, but I didn’t need him to tell me the next week of what was a scuba diving holiday wouldn’t involve any time underwater. Still, I was traveling alone and had rented a bungalow on a beach at a nearby island for the next leg and decided I’d go there anyway and rest up.
The bungalow was basic, electricity fed from a garden generator, which was temperamental, said the lady at the reception hut, assuring me when the power went off, it would (eventually) come back on.
Sure enough, that night the power went out while I was reading in the room, so I dug out a dive flashlight.
The Phuket doctor had told me to change the dressing on the gashed arm and also give the cuts time to breathe, so on the second night I took off the dressing, washed the gashes, put the sling back on and went to sleep planning to dress the injury again in the morning.
I woke up in the dark and realized something was moving and rustling under the bed sheet on my left side. I reached for the bedside light, but the power was out. I groped for the flashlight on the side table, turned it on, peeled back the bedsheet and saw a swarm of cockroaches feasting on my scraped and bloodied arm.
I reacted like I assume most people would by shouting something unprintable, jumping up and swiping and swatting at the arm. In the flashlight, roaches ran across the bed and careened across the floor.
I spent the rest of the night in a chair by the door, dog-tired but sweeping the floor with the light every now and then to pick out roaches zipping across the room — whacking whatever came near with the sheet I pulled from the bed. The power never did come back, but when the sun eventually came up, I checked out.
In May this year — just two days before the worst birthday I ever had — two Bitcoin and a little more than two Ether I had spent about four years accumulating was stolen from a cold wallet through a phishing attack.
Several more phishing emails and phone calls followed over the next several days. Sitting at home and shell shocked I found myself remembering that night in Thailand. Then the penny dropped: Hackers are like cockroaches. Once you are targeted, they stay in the dark, but come after you in swarms.
I wrote this account to try and put down observations of how these hackers came at me and how I reacted (badly) to hopefully provide some red flag reminders for others. I claim no particular expertise in blockchain or cryptocurrency, but we all know the behavior of cockroaches.
After the collapse of the FTX crypto exchange last November I did what a lot of investors did and moved tokens into a cold wallet, in my case a Trezor.
I also advised my daughter to move her Bitcoin being saved for university fees to my Trezor, thinking it would be safer.
After that, I didn’t really do anything with it — except to occasionally think how weird it was to have thousands of dollars sitting in a desk drawer. (Is this what financial freedom looks like? Should I put it in a bank safe deposit box?)
But in December last year, I pulled the Trezor out to explore other functions and in the process, the crypto disappeared.
That was freaky, but I messaged support at Satoshi Labs, the Trezor maker, with screenshots and they emailed back after a few days to walk me through what to do. This is the email from Satoshi Labs.
Apparently I had moved the tokens into a hidden wallet. After a reset, the missing crypto funds appeared again. I didn’t take this further, though being told by Trezor support they had “never seen wallet window” like in the screenshot I sent was troubling.
I didn’t touch the Trezor for months after that, though I still had the occasional niggles about the crypto laying around as Bitcoin’s price jumped from the start of the year.
Here is the phishing mail that arrived in my inbox in mid-May. It was sent to the email I used for Trezor communications, had the Trezor logo at the top, even seemed to mimic some of the lowercase lettering from Satoshi Labs. And while it has a new ticket ID, it referenced the “missing funds” which was the topic of my mail to Trezor in December.
The email arrived in the evening. I was tired, distracted, doing four things at once online. I looked at it, saw the reference to the missing funds, remembered I hadn’t opened the Trezor since the Ethereum hard fork, and did the thing we know to never, never do, clicked the link and it opened what looked like the Trezor site, I entered the seed phrase. I then watched in disbelief as the crypto was pumped out.
Beside loss of assets, theft is an act of psychological violence that leaves you in deep shock and in that state you become disoriented and in denial about what has happened. In other words, you are desperate and vulnerable, and a prime target for a second hack.
(Binance has a link on that which I wish I’d seen at the time: How Not to Fall for a Scam Twice)
You also feel enormously stupid. Yes, “even monkeys fall from trees” but I imagine that the monkeys feel pretty stupid, too.
I immediately messaged Trezor support in a panic, but the response was to expect a response in three days, not that they could have done anything. I went on Telegram — for reasons I still don’t understand other than desperation — seeking help and advice.
One Telegram user was sympathetic and offered to help, wanted the transfer IDs for the hack and then asked for the seed phrase for another wallet I had, proposing to get back the stolen crypto and transfer it there.
Of course, it was another cockroach (or maybe the same one) but I was in the state of wanting to believe there was help from the crypto community and that there was a way to get the stolen crypto back. As a result, I almost got taken a second time.
(Telegram seems to host whole nests of these roaches. I messaged Telegram at abuse@telegram.org to flag this hacker and never heard back from them. Trezor later confirmed they do not have any support groups on Telegram. Neither does Binance.)
I continued looking online for other help and found a cybersecurity company that claimed to have teams of ethical hackers that can track and expose online thieves to law enforcement and then get the crypto back.
Problem with those services is they want thousands of dollars upfront and, of course, there is no guarantee of any success. (See above on being in shock, vulnerable and getting scammed twice.)
Using the transaction IDs for the hack, I could see the cockroach’s wallet and that it had interacted with a Binance wallet. I got online with Binance support, gave them the transaction IDs to ask if they could freeze the wallet. They checked and were very helpful, but it wasn’t a Binance wallet and they could do nothing.
However, I did follow Binance support’s advice not to pay thousands of dollars up front to companies offering to get the crypto back. The only real option is file a report to law enforcement — search Google, “Report a Cyber Crime + (Your country)” — and hope.
More phishing attacks followed. I received an automated voicemail telling me I needed to call the Singapore immigration department immediately at a U.S. area code number because my details were inaccurate. I don’t live in either country.
In early June, I noticed a story online detailing the huge extent of the cryptocurrency hacking and theft that took place in May alone.
Beside the major hacks of exchanges that result in millions of dollars of losses spread across thousands of individuals, the story says hackers are shifting their attention to ordinary users.
So how many more hundreds or thousands of individuals are being targeted and ripped off every day in other scams? Are the roaches at the gates?
Along with the financial devastation, one of the other damaging aspects of being hacked is blaming it on blockchain and cryptocurrencies per se. Confusing the technology, and its potential, with the thieves who exploit it.
Because of the transparency of transactions, I can track where the crypto stolen from my Trezor is, but it’s problematic to keep looking because it’s difficult to not see a cockroach with a grin staring back.
Phishing attacks on Trezor users are nothing new as the company’s customer emails were hacked in April last year and Trezor put out warnings about it.
Because of widespread and ever more sophisticated phishing attacks, some crypto platforms have introduced specific codes for customers – usually a set of numbers chosen by the customer – so any email that arrives claiming to be from the company but lacks the code can be immediately identified as fake.
I think it would be a good idea for Satoshi Labs and other exchanges and platforms to adopt that policy to better protect customers. However, the bottom line is I did the thing Satoshi Labs warns over and over again to never do: Punch a seed phrase into a computer.
I’ve rebooted the Trezor to start rebuilding again, but I’m also looking at other storage options. We cannot let the roaches win.
