zlacker

>>mikeyo+(OP)
> “After the execution of court-authorized search warrants of online accounts controlled by Lichtenstein and Morgan, special agents obtained access to files within an online account controlled by Lichtenstein,” the press release said. “Those files contained the private keys required to access the digital wallet that directly received the funds stolen from Bitfinex, and allowed special agents to lawfully seize and recover more than 94,000 bitcoin that had been stolen from Bitfinex. The recovered bitcoin was valued at over $3.6 billion at the time of seizure.”

So most likely,

1) they didn't launder it properly, leading to police being able to trace it to their bank accounts. I wonder if tornado.cash was used.

2) then police had their names, leading to warrants for all online accounts - google account, apple account, etc.

3) they made the big blunder of keeping their private keys in their online account. Most likely a txt file in google drive. That is such a silly blunder. Without the private keys, the police has zero proof of anything. They could have made a hundred excuses for how they got money in their bank account, as long as the police didn't have the private keys. Who keeps their private keys in an online account?

Apparently the biggest criminals make too many silly mistakes. The old saying applies here: "you don't have to be smart, just don't be an idiot"

>>Alexan+Ub
Well you don't want to lose those keys ... there is a bit of a conundrum there (granted you don't have to do it the way they did either).

As far as how exactly they got caught, there was a reward offered by the company it was stolen from. It may have been someone tipped the feds off for the reward.

>>duxup+oc
I'm not invested in crypto or really at all interested in it. That said, my mentor seems pretty excited about it and is pretty heavily invested as of the past few months. I advised him to do something like https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing and distribute it across a wide number of storage mechanisms, physical, digital, and custodial. For instance, in google drive, in drop box, in a bank safety deposit box, engraved in a gold bar buried in your yard, in your house safe, etc.

Why anyone with a significant amount of crypto assets isn't going to insane extremes in terms of secrecy and durability is beyond me.

>>rjbwor+ae
I don't understand the math but I think I have seen that style of secret management where any 3 of say 10 secrets can access something but no 2 or any 1 secret can do it.

It would seem to solve a lot of just organizational problems where "jan is out of the office today" and nobody can do the thing ... but if access is spread out among 10 people ... 3 probably are in the office when needed.

Granted I've never seen it used in production personally, not / seen it on a granular level.

>>duxup+wf
I have used it. It works. Tooling is still pretty poor. Every use, we ended up bringing the necessary people into a room, booting up an offline laptop from a sha-summed live USB, QR code scanning each of our secrets, combining them, then using the key to sign whatever we needed to sign, photographing the signature as a QR code. We use software from 2008 because an OS stack contains code from tens of thousands of developers, and we felt old software was less likely to have an active 'steal these keys and exfiltrate them via open wifi' malware.

We would first go through the process with 'dummy' keys to check everyone was happy with the process and what we were going to do (ie. which commands, what software, what exactly will be signed). We would then do it again with the real thing. And then we'd power off the computer till next time it needed to be used.

"Clunky" would be a good way to describe it... But it's hard to make it better without relying on a bunch of software we don't have the resources to audit.