My old physics teacher always said: "It's the dumb criminals who get caught; you never catch the smart ones." He was a really smart guy, and he did live a nice lifestyle, hmmm...
Anyway, so IOTA. As with any digital currency, you need some random information - a passphrase typically - that is used when you create your wallet. In the case of IOTA, which is supposed to be IOT friendly, this means a string of 81 random characters, the generation of which could be pretty easily automated.
That's great, and the OSS world being full of helpful people, someone wrote a handy generator, put the code for all to see on GitHub, and put their generator onto a website where you could easily make use of it. Nice.
Actually, diabolical. The code on the website really was identical to the code on GitHub, except for one tiny, almost insignificant change: at some point, the owner swapped out the random seed to a value that he knew. Not even constant - that would have been too obvious - but known nonetheless.
And for many months, many people used his friendly little service. Until January 19th, when he emptied their IOTA wallets, erased his presence from the Interwebs, and quietly disappeared. $4 million or so richer.
This one won't be caught.
tl;dr for anyone who doesn't get it: The point of having a secret password, secret passphrase, or secret key is that it's secret. Which means that you don't have it generated for you by a public web service.
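The point of the post above, shown as an added example (not part of the original comment and not the generator's actual code): a seed drawn locally from the operating system's CSPRNG, next to a seed drawn from a PRNG whose state someone else knows. The function names, the `known_state` strings and the A-Z-plus-9 seed alphabet are assumptions of this example; the page does not say how the site derived its known value.

```python
import math
import random
import secrets

# Assumption: IOTA seeds are 81 characters drawn from A-Z and the digit 9.
TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SEED_LENGTH = 81


def generate_seed_locally() -> str:
    """Draw every character from the operating system's CSPRNG.

    secrets.choice() is unbiased, so each seed carries the full
    81 * log2(27) bits of entropy and nobody else ever sees it.
    """
    return "".join(secrets.choice(TRYTE_ALPHABET) for _ in range(SEED_LENGTH))


def generate_seed_from_known_state(known_state: str) -> str:
    """Hypothetical model of a generator whose PRNG state someone else knows.

    random.Random is deterministic: identical state, identical "random" seed.
    """
    rng = random.Random(known_state)
    return "".join(rng.choice(TRYTE_ALPHABET) for _ in range(SEED_LENGTH))


def is_well_formed(seed: str) -> bool:
    """Format check only; it says nothing about how the seed was produced."""
    return len(seed) == SEED_LENGTH and set(seed) <= set(TRYTE_ALPHABET)


def seed_entropy_bits() -> float:
    """Entropy of a seed whose characters are uniform and independent."""
    return SEED_LENGTH * math.log2(len(TRYTE_ALPHABET))


if __name__ == "__main__":
    mine = generate_seed_locally()
    print("local seed well formed:", is_well_formed(mine))
    print("entropy of a truly random seed: %.0f bits" % seed_entropy_bits())

    # Constructed sample values standing in for whatever the service knew.
    first = generate_seed_from_known_state("constructed-visitor-0001")
    again = generate_seed_from_known_state("constructed-visitor-0001")
    other = generate_seed_from_known_state("constructed-visitor-0002")
    print("looks valid:", is_well_formed(first))
    print("differs per visitor:", first != other)
    print("reproducible by whoever knows the state:", first == again)
```

Both kinds of seed pass the same format check and differ from one visitor to the next, so nothing in the output distinguishes them; only generating the seed on a machine you control removes the question.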
(Score: 4, Interesting) by zocalo on Thursday February 01 2018, @08:37AM (1 child)
Since we're talking stolen coins here, rather than my cold wallet that had been sat on a USB stick, the perpetrators will probably need to launder it through some other crypto currencies and maybe run them through a tumbling cycle or two for good measure first. Once they've done that to their satisfaction, putting it into a few prominent currency wallets and cashing out via several exchanges probably won't be all that hard to pull off, and very few (read "none") of the exchanges are going to dig too deeply into where your currency came from. In theory, you might still be able to piece together the trail from the various blockchains, but that's going to require a lot of effort and, quite frankly, since we're talking a lot of rubes, "only" $4m, and a lack of understanding in law enforcement I doubt that there would be much of an investigation, let alone a prosecution. The US TLAs might take a quick look at it just in case it was the DPRK, etc., but that's about it.
UNIX? They're not even circumcised! Savages!
(Score: 3, Interesting) by MrGuy on Thursday February 01 2018, @05:18PM
Sure. But the related question is what the exchange rate is, and how stable it is.
Let's say I want to convert $50,000,000 US into Yen. I can do that - there are many markets which offer those exchanges, and the exchange rate is stable because my transaction is (relatively speaking) small compared to the rate of exchange of dollars to yen - there are many, many people who want to exchange these two things.
Now consider if I want to convert $50,000,000 worth of Armenian Dram into Yen. Sure, there are still marketplaces out there that will do the exchange, but not nearly as many. And there's not a huge demand out there for people wanting to "buy in" to Armenian Dram who currently have Yen. If I try to sell that much, I'll likely crash the market - my supply exceeds the demand at the current price, so the price will have to fall (likely significantly) for me to sell this off. Or, I'll have to sell this off over a CONSIDERABLE period of time.
Basically, the fact that two things CAN be exchanged is important, but the liquidity of the instruments will determine how quickly or effectively you can make the exchange.
Your example of shapeshift is relevant - it's one of the bigger cryptocurrency exchanges. And, notably, they don't have a market for Iota - they can exchange about 50 different cryptocurrency flavors, but not that one. The smaller the market you have to go to, the smaller the pool of potential counterparties wanting to buy what you're selling with something you want, and the lower price you'll have to accept to move it.
According to coinmarketcap [coinmarketcap.com], the TOTAL volume of transactions in Iota in a 24 hour period is about $80 million worth. That's compared to $8.5 BILLION worth of bitcoin. Iota isn't a high-demand currency. And that's before you factor in the potential that this story makes people wary about Iota, further reducing demand (Iota's value is down about 17% in the last 24 hours - again, per coinmarketcap).
None of this is to say that the thief can't extract some value that they can (eventually) exchange into real money (almost certainly by buying more desirable cryptocurrencies like bitcoin, using a mixer to hide the tracks, and then "cashing out"). But it's very unlikely the amount they eventually get out will be close to the $4 million "value" of the Iota that was originally stolen.