Hackers keep robbing cryptocurrency YouTubers

hack

#1

@peter is quoted in this article!



via Verge

Ian Balina, a former IBM salesman who became a full-time cryptocurrency trader and pundit, is not known for his modesty. Like many YouTube personalities in the vein of motivational speaker Gary Vaynerchuk, he brands himself as a self-starter-made-good who now wants to teach you how he did it (while clarifying, of course, that his recommendations are not investment advice). He regularly shares screenshots of his extensive portfolio, which was valued at more than $3 million on April 14th, according to an image he posted on Twitter and Instagram. One of his videos is called “Six-Figure Slave to Crypto Millionaire.”

This bravado may have backfired. On Sunday, during one of his marathon live streams, Balina found himself unable to log into the Google Spreadsheet where he tracks initial coin offerings or ICOs, which are crowd sales for new cryptocurrencies. That appears to be because a hacker took control of his accounts, draining a substantial portion of his holdings. The Next Web estimated that the total stolen was equal to almost $2 million on paper.

Cryptocurrency vlogging has exploded on YouTube over the last two years. In the last 90 days, there were 122,000 videos on cryptocurrency or Bitcoin uploaded to YouTube, garnering 328 million views, according to video analytics platform Tubular Labs. As it turns out, YouTubers are juicy targets for hackers because they share so much information about themselves. They often share their screens as they make trades, which can reveal what apps, usernames, and cryptocurrency addresses they use. They may even tell their followers what systems they use to secure their holdings, which can end up being a blueprint for attackers.

“You have to be very careful about that stuff as a YouTuber,” says Peter Saddington, the host of Decentralized TV on YouTube who infamously bought a Lamborghini with his Bitcoin earnings. “In my early days of YouTube, I used to show my trades. I learned that was not a good idea.”

Saddington was hacked in late 2017. He woke up one morning and discovered that his phone number had been transferred to someone else, likely through a social engineering attack via Verizon’s customer service. He declined to say how much money he lost, but said it was a “significant amount that was taken from me.” He also lost much of his online identity. “It fundamentally changed my life,” he said. “I lost everything. I lost 13 years of emails.”

Since then, he’s shored up his operational security. He instructed his cellphone carrier not to allow changes to his account unless he shows up in person with an ID. He no longer uses email or social media on his phone. He keeps his Bitcoin in “locations that I can’t access easily.” Because of his high profile, he constantly gets attacked by hackers trying to reset his passwords and “hack my Wi-Fi and my printer and all that.”

Saddington blames only himself for his epic hacking, he told me. This is a common attitude in the cryptocurrency world, where many believe there is no need for banks or governments. “YouTubers kind of have to learn the hard way,” he said. “We no longer have a bank that we can whine to and say, ‘bank, my money was stolen, give it back to me.’ No. We’re not in that economy anymore. If you lost your Bitcoin that is 100 percent your fault.”

Most cryptocurrency theft happens through larger-scale attacks that target a bunch of users at once. Most theft occurs through exchanges, according to Chainalysis, which analyzes the public blockchains for Bitcoin and other cryptocurrencies. The “exit scam,” in which a pseudonymous group collects cryptocurrency as an investment or for some good that never gets delivered, is also more common than attacks that target individual users, ViK, the project lead for the cryptocurrency scam tracking site badbitcoin.org, said in an email. “Countless Bitcoin scammers have disappeared from the face of the earth after saying ‘we were hacked,’ and it seems to be a conventional way of slipping away quietly with the loot,” ViK said. However, YouTubers and other prominent personalities are also popular targets. “These people who make videos about how rich they are, will always attract attention from hackers,” they said.

Even just talking publicly about owning cryptocurrencies is enough to draw criminal attention. In May 2017, New York startup founder Cody Brown fell victim to the same type of SIM-jacking scam that ensnared Saddington. His takeaway: “Don’t talk about Bitcoin Club. Don’t talk publicly online, with your real identity, about your trades or the exchanges.”

But for YouTubers who are trying to build a following and get viewers excited, talking about trades is often a big part of the brand.

“Ian’s a perfect case of what not to do,” said Kenn Bosak, host of the YouTube show Pure Blockchain Wealth. “He posted his portfolio publicly on Twitter, saying he had over $2 million in his portfolio, making himself a public target. That’s like saying ‘I have $2 million in cash under my mattress.’ You’re a walking honey pot.”

Bosak was hacked in September 2017. The attackers deleted his Facebook and deactivated his Twitter and YouTube accounts in addition to stealing about $20,000 worth of cryptocurrencies. “I shut down for months,” he said. “Not from losing the money, but the feeling of having somebody just walk into your house and just take everything out and there was nothing you could do to stop them, but in a digital sense.”

Bosak was sloppy when he first started out on YouTube. He used his real name instead of an alias and his real email, the one he used to register for social media and other services, was public. “Some of my YouTube videos have me walking out of my residence and showing my address,” he said.

Like Saddington, he blames himself for his hacking. “The whole concept of crypto is to be your own bank,” he said. “You have only you to blame. If the hacker exploits a way of getting your funds, it’s probably an educational process. Most good education ain’t free.” At the same time, he acknowledges that there is a financial and mental cost to securing your cryptocurrency assets and that even John McAfee, who built one of the most recognizable computer security products ever, had his Twitter hacked.

If you want to be a personality in the cryptocurrency space, he suggested creating an alias, using non-public email addresses and phone numbers to register for online accounts, and being discreet about personal finances.

“Talk about the technology, don’t talk about how much you’ve invested,” he said. “That whole aspect of wanting to be known, ‘I want to be popular, I want to talk about this’ — with this specific industry, you may want to dial that down a notch.”

Ian Balina said in a note on his Telegram channel that has now been deleted that he suspects the hackers had compromised his college email account, which was listed as a backup email for his Google account. From there, the hackers were able to crack into his Evernote account, which is where he stored his private keys and passwords.

But while Saddington and Bosak resigned themselves to their losses, in an email Balina says he is working with the FBI to find the perpetrators. “We have identified who did it and this is a lot bigger than me,” he wrote. In the meantime, he also deleted Sunday’s two live stream videos from his YouTube channel.

“I’m not worried about the money. I learned my lesson,” he said on his Telegram channel. “I only care about catching the hacker.” He said he has notified Binance and Kucoin, the exchanges where some of his coins were sent, and is “working diligently with a global team to close in on whoever did this.”

“Looking forward to turning this L into a W,” he said.

Update: This piece has been updated with comment from Ian Balina.


#2

I believe the part where he put a copy of his private keys in a text file in Evernote would fall under the consensus algorithm of “Proof of Stupidity”.

Stay Fishy


#3

Personal crypto security service could be a booming business.

But such a successful company will sustain constant attacks or threats from all powers (gangs and nation states).


#4

After reading this article and experiencing the lengths hackers will go through to get World of Warcraft gold, I think this makes an even bigger argument for paying off debts prior to investing in crypto. I was debt free a few years ago and it was the greatest feeling ever. Then my car died and I bought a new one, then my mother’s car died and I bought her one, then the fiancée and I wanted a house to start a family, so we bought one. She couldn’t understand the stress I was going through, as she had never been debt free during her adult life, and for me, I went from debt free to having a mountain of debt in the span of about a year. I am digging furiously and making great strides, but I am not doing everything I can to get out of debt. So it’s time to kick it into 4 wheel low and get out of this bog. Going to HODL what I have but not investing any more horsepower into the clouds until I can get out of the bog. I did it once, I can do it again.


#5

Same here.

When I got divorced I had the equivalent of $100k of debt. I worked my ass off for 5 years and got rid of it, but then immediately got a surprise tax bill, then car problems etc… bought a new car to remove the stress the car problems were causing - now looking for that good place again where if everything goes to shit - I don’t have a bed of debt to fall on.


#6

This guy is never going to be a spy or undercover agent given that level of OPSEC; he needs a good slapping, in my opinion, to wake him from his stupidity.

👍😎

Just had mackerel for lunch, Mike, so I am way way Fishy, so much so my co-workers won’t come into my office for the rest of the day.


#7

Can never have too much Sushi 😃

I will be honest though, as soon as I heard private keys and Evernote, I was just sitting there shaking my head in disbelief.

Stay Fishy


#8

Yes, I couldn’t quite believe what I was seeing from someone who is supposed to be so well versed in the Crypto space. I was gobsmacked.

Take it easy
👍😎


#9

Very wise my man Peter, I have heard him speak briefly about this in his videos. If anyone ever wants advice on the topic don’t hesitate to ask.

You are onto something here and have just given me a great idea. As a white hat security researcher myself, I would like to thank you for this great idea. People who do business, especially online, are constantly under attack or threat from all powers already. The constant attack happens for any server you put online no matter what you do. I’ve null routed the majority of the Internet for some companies as an example to limit the attack vector to only the USA. This is very simple, yet only a partial solution.

A true all-encompassing security solution actually requires several layers of complex security solutions. The more complicated for the end user, the more complicated it will be for the attacker in the end. There is also the fact regarding what is referred to as “low hanging fruit”. These low hanging fruit are servers or individual targets (people) who do not use strong security measures to protect themselves or their assets. It is common knowledge that if you raise your security awareness above the level of low hanging fruit around you, there is less chance you will fall victim before the low hanging fruit is picked. This is standard operating procedure when penetrating an Enterprise either physically or by way of social engineering.


#10

He could have used LastPass and MFA. However, I’ve seen YouTubers actually pull up their LastPass and show on live stream their “notes” for LastPass credentials, which showed secret question answers, etc. I’m looking at you, Linus from Tech Tips. Don’t be a Linus.