
After five years of tracking, an ordinary person may actually recover his stolen Bitcoins. This article is derived from an article written by David Canellis.
Imagine being in the middle of a raging bull market and having all your cryptocurrency stolen. That is exactly what happened to Colorado's Andrew Schober.
In 2018, Schober inadvertently downloaded a doctored version of the Electrum Bitcoin wallet from a link on the /r/BitcoinAirdrops subreddit. Hidden within this fake wallet was malware: a clipboard hijacker built specifically to steal Bitcoin. The malware watched for any Bitcoin address copied on Schober's machine and silently replaced the intended recipient's address with an address controlled by the hacker.
Schober, who had been slowly accumulating Bitcoin since 2014, eventually sent the hacker 16.5 Bitcoins, equivalent to 95% of his net worth, because of the malware. When he was phished, the Bitcoins were worth $180,000; at Bitcoin's all-time high in 2021 they reached $1.1 million. Schober considers it "money that changed his life."
"I found a link to the malware on Reddit, installed it on my computer and quickly realized it was not what it was advertised to be," Schober said. "So I just deleted it from my computer and never thought about it again."
"But unfortunately, once this Trojan is installed on your hard drive, deleting the original program does not get rid of the Trojan. So since then, it has been monitoring my hard drive, and whenever I copy a Bitcoin address, it will work."
The malware came pre-loaded with 195,112 different Bitcoin addresses.
"It's not just changing the Bitcoin address to some random new address," Schober explained. "It will match the first few characters of the address you copied. So it will look very similar visually, and if you don't really notice the difference, you won't notice it."
At the time of Schober's attack, four of those addresses had already received Bitcoin from unsuspecting victims, significantly narrowing the scope of his investigation.
Tracking stolen Bitcoin through Monero
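The swap the malware performs only works because a checksum-valid address that shares the first few characters of the intended one passes a quick visual comparison. The following is an added example, not code from the article, from Schober, or from Bax: a paste-time check, written for legacy Base58Check addresses (the "1..." and "3..." forms), that a wallet front-end or a careful user could run before confirming a send. The function names (classify_paste, is_valid_legacy_address) and the sample addresses, which are derived from fixed dummy hashes rather than real wallets, are constructed for this illustration. The point it makes in code is that a valid checksum and a matching prefix prove nothing; only the full string matching what you copied does.

```python
import hashlib

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Encode bytes as Base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n > 0:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first four bytes of double SHA-256."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def p2pkh_address(hash160: bytes) -> str:
    """Build a mainnet P2PKH address (version byte 0x00) from a 20-byte hash."""
    payload = b"\x00" + hash160
    return b58encode(payload + checksum(payload))


def is_valid_legacy_address(addr: str) -> bool:
    """True if addr is a well-formed P2PKH ('1...') or P2SH ('3...') address."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return checksum(raw[:-4]) == raw[-4:]


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading characters two strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def classify_paste(intended: str, pasted: str, prefix_alarm: int = 4) -> str:
    """Compare the address the user meant to send to with the one about to be pasted.

    Returns "ok" (identical), "invalid" (pasted string fails Base58Check),
    "lookalike" (valid but differs after sharing at least prefix_alarm leading
    characters, the pattern the article describes) or "mismatch" (valid but
    unrelated). Only full-string equality counts as safe: a matching prefix
    plus a valid checksum is exactly what a generated lookalike provides.
    """
    if pasted == intended:
        return "ok"
    if not is_valid_legacy_address(pasted):
        return "invalid"
    if common_prefix_len(intended, pasted) >= prefix_alarm:
        return "lookalike"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample addresses derived from dummy hashes (not real wallets).
    wanted = p2pkh_address(hashlib.sha256(b"constructed sample A").digest()[:20])
    other = p2pkh_address(hashlib.sha256(b"constructed sample B").digest()[:20])
    tampered = wanted[:-1] + ("2" if wanted[-1] != "2" else "3")
    for candidate in (wanted, other, tampered):
        print(f"{candidate}: {classify_paste(wanted, candidate)}")
```

In practice the "intended" value has to come from somewhere the malware cannot touch, such as the address shown on a hardware wallet screen or read back from the recipient out of band; comparing clipboard contents against clipboard contents proves nothing. The prefix_alarm threshold is only there to label how a swapped address would have looked to the eye; any result other than "ok" should block the send.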
The beauty of blockchain is its open ledger. Almost all cryptocurrency transactions leave a digital trace.
Typically, tracing these paths means following transfers from address to address to determine where the money ended up.
In Schober's case, he traced the flow of Bitcoin stolen by the same malware to the long-serving cryptocurrency atomic swap platform ShapeShift.
ShapeShift used to maintain an API that exposed the addresses taking part in its swaps. API data showed that the thief Schober encountered had exchanged Bitcoin for Monero (XMR), and revealed the addresses involved.
So Schober posted on Reddit asking whether it was possible to track Monero transactions. On-chain investigator and asset-recovery expert Nick Bax responded.
"He got five responses, and they all said 'No way.' I sent him a private message and said, 'This is really hard to do. But I've done it before. I know a lawyer who has successfully recovered funds,'" Bax said.
Bax eventually submitted on-chain evidence in May 2021, more than two years ago, that identified the hackers named in Schober's lawsuit. In the process, he analyzed Monero transactions and determined with a high degree of certainty the origin of the Monero coins exchanged for Schober's stolen Bitcoins.

He wrote the Monero tracking software himself.
"You tag an output (instructing the Monero blockchain where to direct transactions) and then look for every transaction that might use that tagged output. As you do this, patterns start to emerge."
This method of tracing through Monero ring signatures, now known as the Eve-Alice-Eve (EAE) attack, emerged in the aftermath of WannaCry, the North Korea-driven ransomware campaign that began in 2017.
"Monero's RingCT... hides the exact UTXOs (Unspent Transaction Outputs) being spent, but provides blockchain analysts with a list of trusted 'ring members', one of which is consumed; the rest are 'decoys'," Bax wrote in a blog post detailing his findings.
A since-patched bug in Monero may have made it easier at the time to separate the real UTXO from the decoys and thus trace the transaction.
Hand of God: Knocking on the FBI’s Door
Bax determined that Schober's alleged hacker converted some BTC stolen from another victim into Monero via ShapeShift, then sent it back through the same service to convert it into BTC again.
The washed BTC was directed to a "vanity address" starting with "1BeNEdict". Schober's own Bitcoin, meanwhile, ended up on Bitfinex. Cryptocurrency exchange hot wallets are effectively black boxes, since their balances represent pooled customer funds.
Once cryptocurrencies are in a hot wallet, it’s nearly impossible to determine where they were withdrawn to, unless the amounts are the same and uncommon — and even that evidence isn’t conclusive.
It was there that the Schober and Bax investigation got stuck for more than a year, with Schober subpoenaing Bitfinex to disclose the account owners who received the stolen BTC, but being rebuffed.
"Bitfinex will only respond to law enforcement requests for customer information, not civil requests, because Bitfinex will not intervene in civil matters, especially in the United States, because U.S. courts have no jurisdiction over us," Bitfinex legal counsel Sarah Compani wrote in an email to Schober's attorney, Ethan Mora.
"The reason cryptocurrency exchanges like FTX and Bitfinex set up companies in the British Virgin Islands or the Cayman Islands is for these legal reasons: they don't have to comply with U.S. law or any other law," Schober said. "They can stay there and take extrajudicial action. They didn't even give us an answer."
Unable to obtain the information from Bitfinex directly, Mora initiated what is known as a Touhy request, asking the FBI's cyber division to provide documents and other information from the agency's investigation into the malware. Schober had reported the case to the FBI immediately after losing his Bitcoin.
"The FBI started issuing subpoenas to companies involved in the malware, such as Reddit (where the malware was released) and GitHub (where the malware was hosted)," Schober said.
The subpoenas occurred in late 2018 and early 2019. The FBI even seized his computer for several months during the investigation.
After about 10 months, the Touhy request was successful. Suddenly, Schober's team had access to internal Bitfinex material pointing to the exact IP and email address associated with the account that received his stolen Bitcoins.
"Until we get answers from the Department of Justice on the Touhy request, we really won't know what the FBI investigation uncovered," Mora said.
The vanity address returns
Thanks to the FBI subpoena, Schober's team was able to identify the hacker's accounts across a range of online services: Gmail, Keybase, Reddit, Twitter and GitHub. The code the malware needed, including the Bitcoin address generator it relies on, was found in the alleged hacker's public GitHub repository.
Through some of those accounts, the 1BeNedict address used to launder money through ShapeShift was linked to the hacker, which Bax viewed as evidence of his identity (the vanity address matched his name).
In an apparent money laundering effort, the return address the attackers registered with ShapeShift (the address to which the service refunds cryptocurrency if a transaction runs into problems) was identical to the Bitfinex hot wallet in which the Bitcoin stolen from Schober was held.
There is even a post on the Bitcoin developers mailing list, sent from an email address matching the alleged hacker's real name, describing how to easily generate an address that closely resembles a given Bitcoin address. The post is entirely consistent with the Electrum malware's modus operandi.
After sufficient analysis, Bax found that "every Bitcoin transaction sent by the Electrum Atom malware operators was sent to a target address associated with the alleged hackers investigated by the FBI." A total of 17 Bitcoins (valued at $501,000) were received by addresses associated with the malware, 97% of which belonged to Schober. He made contact with another victim through the long-running Bitcoin forum BitcoinTalk.

That meant Schober could file a civil lawsuit against the alleged perpetrator, as well as against another individual who allegedly peddled the same malware on Reddit. Both were minors at the time of the crimes, so the lawsuit also names their parents as defendants. All parties deny any wrongdoing.
This happened in May 2021, more than three years after Schober's BTC was phished. The price of Bitcoin more than doubled in that time.
To complicate matters further, the alleged hacker resides in the United Kingdom. The FBI handed the case over to British law enforcement and a joint investigation was launched. Both suspects were arrested and questioned, and their devices were confiscated and forensically examined, Schober said.
But before they could be arrested, desperation (and perhaps a touch of naivety) led Schober to contact them and their parents to let them know they had been found.
"I was hoping they would come clean and return the stolen property to me because all I did was ask them to return the stolen property and they didn't do that," Schober said.
"The Crown Prosecution Service eventually told me, after I contacted them, that they may have destroyed their devices, because they had brand new ones and there was insufficient forensic evidence to prosecute."
Bax said he would have done what Schober did; they thought the parents were probably decent people because they worked in banks and the National Health Service. "They should give the money back and I think this will all be over."
Schober's civil lawsuit may now be his only chance to pursue justice. But the case is moving slowly, with lawyers arguing over which jurisdiction the trial should take place in.
Lawyers for the hackers said the lawsuit should be dismissed because Schober, being in the United States, had no authority to exercise jurisdiction over a person in the United Kingdom. They also argued that he had exceeded the legal time limit for filing a complaint.
"But from our perspective, that's not true because it took so much time, effort and investigation to determine that it was a human being on the other end," Schober said.
Considering he had to wait 10 months to obtain an FBI subpoena after being denied key information by Bitfinex, he feels he should not be punished by the statutory time limit argument.
An unprecedented case
A situation like Schober's may be unique because it spans the Atlantic.
"There are actually very few cases like this; in fact I don't know of any case where an individual was tracked down, legally subpoenaed (under international law), and prosecuted for a hack like this... let alone a hack that stole cryptocurrency," Mora said.
"I have been involved in cases where some individual plaintiffs sued domestic scammers/hackers from other states in the United States, but those defendants were arrested in the United States."
Mora cited cases where governments have brought criminal charges against domestic and foreign hackers, as well as tech giants like Amazon and Google suing hackers, some of whom have demanded ransom payments in cryptocurrency.
Schober isn't a multinational; he's a regular guy, unlike some of the high-profile and wealthy victims of cryptocurrency theft who have sued their attackers.
"I believe this case is unprecedented in many ways... I don't know how long this case will last," Mora said.

How this will be resolved, no one can say for sure. If a US court rules that the hackers owe Schober money, a UK court will still need to recognize the judgment before it can be enforced in the UK. Ultimately, debt collection, liens, and even wage garnishment may be involved.
Schober said they were able to trace a large sum of Bitcoin to addresses identified through the FBI subpoena, so it appears the alleged hackers do have the funds to repay him.
This situation is particularly frustrating considering that Schober appears to know exactly who stole his cryptocurrency.
Despite everything that has happened, including legal fees and the loss of $500,000 in Bitcoin, Schober remains supportive of Bitcoin.
“I still believe in the promise of Bitcoin. That’s what attracted me to join in the first place. But there’s no doubt that my advantage as an early participant has gone away, and that’s painful.”
"But I still have a positive attitude towards it. And I'm proud of being able to advance this case to this point, knowing that the chance of success is very small."
He is optimistic that U.S. courts will recognize that he was a victim of theft. Had the attacker been from a country like Russia or North Korea, he would have had few avenues for redress.
"It's been five years and I want to end this as quickly as possible," Schober said. "But on the other hand, I've put in a lot of effort and time, and I have people like Bax and others who support me because they heard the story and thought it was amazing. So I was determined to see it through."