As Russia Invaded, Hackers Broke Into A Ukrainian Internet Provider. Then Did It Again As Bombs Rained Down

One of Ukraine’s major internet providers was hacked twice – once in February just as Russia was invading and again on March 9, a source says. A major Ukrainian internet service provider says it was hacked twice. Sources tell Forbes that the first hack was in February, the second on March 9, and that the hackers managed to reset devices to factory settings.

In the last 24 hours, with Russia continuing its heavy bombardment across Ukraine, parts of the country have seen severe internet outages. One cause appears to be a cyberattack on telecoms provider Triolan, which serves a substantial number of users across the country.

Unverified reports circulated earlier today suggesting Triolan had been hit by an attack. Asked over Facebook if reports of a cyberattack were true, a spokesperson responded, “Yes, unfortunately, there are no details. Engineers are now working on restoring the Internet.”

Three other sources within the company and a former cofounder of the business said a cyberattack had occurred, with one claiming some of Triolan’s internal computers had stopped working because the “attackers reset the settings to the factory level.” They added that recovery was proving difficult because some equipment required physical access to restore, which was not possible due to the risk of life to personnel.

“We haven’t been able to pinpoint the source of the problem and we can’t pinpoint anyone at fault,” the source added. Another added that the attack landed on March 9, when internet outages began.

A post on the company’s Telegram page revealed that the company had, in fact been hacked twice. A source within the company said the first hack hit on February 24 as Russia moved tanks into the country, with the second on March 9, and that they had much the same effect.

Read more:

Triolan said “key nodes of the network” had been hacked and that some routers couldn’t be recovered. It said 70% of those nodes in Kyiv, Kharkiv, Dnipro, Poltava, Odesa, Rivne and Zaporizhia had been restored today.

There may be other reasons for disruption of telecoms at Triolan, given it is based in Kharkiv, which has been bombarded by Russian shelling. But a cyberattack on the internet service provider represents one of the more damaging hits in what has been a fairly muted cyber side to the Russian invasion of Ukraine.

Other attacks on Ukraine included attempts to install malware that would wipe PCs and a number of distributed denial of service attacks, which flooded government and banking websites with traffic to knock them offline.

The effects of the outage will have been felt across its subscriber base. “Triolan is one of the top destinations for internet traffic in Ukraine from our perspective, so it is safe to say that there are likely thousands of Ukrainians that are affected by this outage,” said Doug Madory, director of internet analysis at Kentik, an internet monitoring company.

Data from the Internet Outage Detection and Analysis at the Georgia Institute of Technology showed a sudden drop off in connectivity for Triolan late Wednesday, which has continued throughout Thursday. NetBlocks, another global internet outage tracker, saw similar downtime.

Various outages across Ukraine have been caused by physical destruction of infrastructure. Wednesday saw “major internet disruption” registered across Kherson Oblast, in southern Ukraine, with downtime at providers Ukrtelecom and Volia.

I’m associate editor for Forbes, covering security, surveillance and privacy. I’m also the editor of The Wiretap newsletter, which has exclusive stories on real-world surveillance and all the

Source: As Russia Invaded, Hackers Broke Into A Ukrainian Internet Provider. Then Did It Again As Bombs Rained Down



Network data from NetBlocks confirm a series of significant disruptions to internet service in Ukraine from Thursday 24 February 2022. Disruptions have subsequently been tracked across much of Ukraine including capital city Kyiv as Russia’s military operation progresses.

On the morning of Thursday 24 February 2022, internet disruptions were registered in Kharkiv, Ukraine’s second largest city. Also on the morning of 24 February, hours prior to the commencement of Ukraine’s invasion of Russia, the Viasat satellite internet network which serves Ukraine and much of Europe was knocked offline in a targeted cyberattack

On Saturday morning as the conflict reached Kyiv, a major disruption was registered to backbone internet provider GigaTrans, which supplies connectivity to several other networks.

While connectivity remained available through other routes and the disruption was brief, the incident is understood to have had significant impact to telecommunications infrastructure.

From 4 March 2022 NetBlocks tracked a loss of connectivity at the Zaporizhzhia nuclear power plant in southeast Ukraine, affecting fixed-lines and mobile services. The loss of communications was subsequently raised as a point of concern by the International Atomic Energy Agency.

On 9 March 2022, internet provider Triolan was targeted by a cyberattack for a second time, with the first instance having been observed on the morning of 24 February when invasion began. Both events have caused significant losses to connectivity at nation scale.

Read more:

On the night of Thursday 10 March, an attack on the Kharkiv Institute of Physics and Technology, which hosts an ADS neutron source facility, was labelled an “act of nuclear terrorism” by the State Nuclear Regulatory Inspectorate of Ukraine. The incident following attacks at Zaporizhzhia and Chernobyl has heightened concerns that Russia might be intentionally targeting nuclear sites.

What’s happening in Ukraine?

Russian leader Vladimir Putin announced military mobilization on the morning of Thursday 24 February 2022 and artillery was fired while as moved into Kharkiv about 25 miles from the Russian border. The security situation deteriorated through subsequent days with Ukrainian authorities advising civilians to get off the streets and seek shelter.

Beside the disruptions to telecommunications infrastructure documented in this report, cyber-attacks have disrupted Ukraine’s defence and banking sectors.

Further reading:


More Remote Working Apps:     Quintex Capital   Genesis Mining   BevTraders  prime stocks  content gorilla  stock rush  forrk  keysearch  gluten free  diet fitness diabetes  writing job  postradamus  stoodaio  profile mate  senuke   asin  appimize  super backdrop  audiencetoolkit  4brandcommercial  talkingfaces  socifeed  gaming jobs   backlink indexer  powrsuite  tubeserp  PR Rage  design beast  commission smasher  MT4Code System  viral dash  coursova  fanpage  forex expert  appointomatic  woocommerce  domainname marketing  maxslides  ada leadz  eyeslick  creaite contentcreator  vidcentric  studioninja  marketingblocks  clipsreel  VideoEnginePro  BarclaysForexExpert  Clientfinda  Talkingfaces  IMSyndicator  SqribbleEbook  superbackdrop  VirtualReel  MarketPresso  voiceBuddy  tubeTargeter  InstantWebsiteBundle  soronity  DFY Suite 3.0 Agency+ information  VideoRobot Enterprise  Klippyo Kreators  ChatterPal Commercial  WP GDPR Fix Elite Unltd Sites  EngagerMate  VidSnatcher Commercial  myMailIt  Storymate Luxury Edition  iTraffic X – Platinum Edition  Content Gorilla One-time  Push Button Traffic 3.0 – Brand New  SociCake Commercial  The Internet Marketing Newsletter PLR Monthly Membership  Designa Suite License  XFUNNELS FE Commercial Drag-n-Drop Page Editor  ShopABot  Inboxr  MediaCloudPro 2.0 – Agency Rights  MyTrafficJacker 2.0 Pro+  AIWA Commercial  Toon Video Maker Premium  Steven Alvey’s Signature Series 3rd Installment  Fade To Black  Adsense Machine  Diddly Pay’s DLCM DFY Club  CourseReel Professional  SociJam System  360Apps Certification Masterclass  LocalAgencyBox  Instant Website Bundle  GMB Magic Content  PlayerNeos VR

Austrian Programmer And Ex Crypto CEO Likely Stole $11 Billion Of Ether

Ethereum, the second biggest crypto network, is worth $360 billion. Its creator, Vitalik Buterin, has more than 3 million Twitter followers, has made videos with Ashton Kutcher and Mila Kunis, and has met with Vladimir Putin. All the most popular trends in crypto over the last several years launched on Ethereum: initial coin offerings (ICOs), decentralized finance (DeFi), non-fungible tokens (NFTs), and decentralized autonomous organizations (DAOs). And it has spawned a whole class of blockchain imitators, often called “Ethereum killers.”

Ethereum is also the subject of a great mystery: who committed the largest theft of ether (Ethereum’s native token) ever, by hacking The DAO? The decentralized venture capital fund had raised $139 million in ether (ETH) by the time its crowd sale ended in 2016, making it the most successful crowdfunding effort to that date. Weeks later, a hacker siphoned 31% of the ETH in The DAO—3.64 million total or about 5% of all ETH then outstanding—out of the main DAO and into what became known as the DarkDAO.

Who hacked The DAO? My exclusive investigation, built on the reporting for my new book, The Cryptopians: Idealism, Greed, Lies, and the Making of the First Big Cryptocurrency Craze, appears to point to Toby Hoenisch, a 36-year-old programmer who grew up in Austria and was living in Singapore at the time of the hack. Until now, he has been best known for his role as a cofounder and CEO of TenX, which raised $80 million in a 2017 initial coin offering to build a crypto debit card—an effort that failed.

The market cap of those tokens, which spiked at $535 million, now sits at just $11 million.After being sent a document detailing the evidence pointing to him as the hacker, Hoenisch wrote in an email, “Your statement and conclusion is factually inaccurate.” In that email, Hoenisch offered to provide details refuting our findings—but never answered my repeated follow-up messages to him asking for those details.

To put the enormity of this hack in perspective, with ETH now trading around $3,000, 3.64 million ETH would be worth $11 billion. The DAO theft famously and controversially prompted Ethereum to do a hard fork—where the Ethereum network split into two as a way to restore the stolen funds—which ultimately left the DarkDAO holding not ETH, but far less valuable Ethereum Classic (ETC). The proponents of the fork had hoped ETC would die out, but it now trades around $30. That means the descendant wallets of the DarkDAO now hold more than $100 million in ETC—a high dollar monument to the biggest whodunnit in crypto.

Last year, as I was working on my book, my sources and I, utilizing (among other things), a powerful and previously secret forensics tool from crypto tracing firm Chainalysis, came to believe we had figured out who did it. Indeed, the story of The DAO and the six-year quest to identify the hacker, shows a lot about just how far the crypto world and the technology for tracking transactions have both come since the first crypto craze. Today, blockchain technology has gone mainstream. But as new applications arise, one of the first uses of crypto—as an anonymity shield—is in retreat, thanks to both regulatory pressure and the fact that transactions on public blockchains are traceable.

Since Hoenisch won’t talk to me, I can only speculate about his possible motives; back in 2016 he identified technical vulnerabilities in the DAO early and may have decided to strike after concluding his warnings weren’t being taken seriously enough by the creators of the DAO. (One of his TenX cofounders, Julian Hosp, an Austrian medical doctor who now works in blockchain full time, says of Hoenisch:

“He is a person that is super opinionated. Always believed he was right. Always.”) Looked at from that perspective, this is also a tale of the big brains and big egos that drive the crypto world–and of a hacker who may have justified his actions by telling himself he simply did what the faulty code baked into The DAO allowed him to do.

In early 2016, the Ethereum network was not even a year old, and there was only one app on it that people were interested in: The DAO, a decentralized venture fund built with a smart contract that gave its token holders the right to vote on proposals submitted for funding. It had been created by a company named, which, instead of seeking traditional venture capital, had decided to create this DAO and then open it up for crowdfunding—with the expectation that its own project would be one of those funded by The DAO.’s team thought The DAO might attract $5 million.

Yet when the crowd sale opened on April 30th, it took in $9 million in just the first two days, with participants exchanging one ether for 100 DAO tokens. As the money poured in, some on the team felt queasy, but it was too late to cap the sale. By the time the funding closed a month later, 15,000 to 20,000 individuals had contributed, The DAO held what was then 15% of all ether and the price of the cryptocurrency was steadily rising. At the same time, a variety of security and structural concerns were being raised about The DAO, including one that would, ironically, later prove to be crucial to limiting the hacker’s immediate access to the spoils.

That problem: withdrawing funds was too hard. Someone wanting to retrieve their money had to first create a “child DAO” or “split DAO,” which required not only a high degree of technical knowledge, but also waiting periods after each step and the agreement of anyone else who moved funds into that child DAO.

On the morning of June 17th, ETH reached a new all-time high of $21.52, making the crypto in The DAO worth $249.6 million. When American Griff Green woke up that morning in Mittweida, Germany (he was staying in the family home of two brothers who were cofounders), he had a message on his phone from a DAO Slack community member who said something weird was happening— it looked like funds were being drained.

Green,’s first employee and community organizer, checked: there was indeed a stream of 258-ETH (then $5,600) transactions leaving The DAO.  By the time the attack stopped a few hours later, 31% of the ETH in The DAO had been siphoned out into the DarkDAO. As awareness of the attack spread, ether had its highest trading day ever, with its price plummeting 33% from $21 to $14.

Split Fortunes

The 2016 DAO crowdfunding sale drove the price of ether (ETH) to a then record high—until the June 17th attack on The DAO sent it plummeting. After the hard fork on July 20th, the old blockchain began trading as ether classic (ETC).

Soon, the Ethereum community pinpointed the vulnerability that enabled this theft: the DAO smart contract had been written so that any time someone withdrew money, the smart contract would send the money first, before updating that person’s balance. The attacker had used a malicious smart contract that withdrew money (258 ETH at a time), then interfered with the updating of the contract, allowing them to withdraw the same ether again and again. It was as if the attacker had $101 in their bank account, withdrew $100 at a bank, then kept the bank teller from updating the balance to $1, and again requested and received another $100.

Even worse, once the vulnerability became public, the remaining 7.3 million ETH in The DAO was at risk of a copycat attack. A team of white hat hackers (that is, hackers acting ethically) formed and used the attacker’s method to divert the remaining funds into a new child DAO. But the attacker still had about 5% of all outstanding ETH, and even the rescued ether was vulnerable, given the flaws in The DAO. Plus, the clock was ticking down to a July 21st deadline—the first date when the original hacker might be able to get at the funds they had diverted into the DarkDao.

If the community wanted to keep the attacker from cashing out, they would need to put tokens in the hacker’s DarkDAO and then in any future “split DAOs” (or child DAOs) the unknown hacker created. (Under the rules of the DAO smart contract, the attacker couldn’t withdraw funds if anyone else in their split DAO objected.) Bottom line: if the white hats ever missed their window to object, the attacker would be able to abscond with the funds—meaning this informal group would have to be constantly vigilant.

Eventually, after much bickering (on Reddit, on a Slack channel, over email and on Skype calls) and Ethereum founder Buterin publicly weighing in, and after it seemed that a majority of the Ethereum community supported the measure, Ethereum did a “hard fork.” On July 20th the Ethereum blockchain was split into two. All the ETH that had been in the DAO was moved to a “withdraw” contract which gave the original contributors the right to send in their DAO tokens and get back ETH on the new blockchain. The old blockchain, which still attracted some supporters and speculators, carried on as Ethereum Classic.

• • •

On Ethereum Classic, The DAO and the attacker’s loot (in the form of 3.64 million ETC) remained. That summer, the attacker moved their ETC a few hops away to a new wallet, which remained dormant until late October, when they began trying to use an exchange called ShapeShift to cash the money out to bitcoin. Because ShapeShift didn’t at that time take personally identifying information, the attacker’s identity was not known even though all their blockchain movements were visible.

Over the next two months, the hacker managed to obtain 282 bitcoins (then worth $232,000, now more than $11 million). And then, perhaps because ShapeShift frequently blocked their attempted trades, they gave up cashing out, leaving behind 3.4 million Ether Classic (ETC), then worth $3.2 million and now more than $100 million.

That might have been the end of the story—an unknown hacker sitting on a fortune he couldn’t cash out. Except last July, one of my sources involved in the DAO rescue, a Brazilian named Alex Van de Sande (aka Avsa) reached out, saying the Brazilian Police had opened an investigation into the attack on The DAO — and whether he might be a victim or even the hacker himself.  Van de Sande decided to commission a forensics report from blockchain analytics company Coinfirm to help exonerate himself (though then, the police closed the investigation, he said). In case any similar situations arose in the future, he went forward with the report examining those cash-out attempts in 2016.

Among the early suspects in the hack had been a Swiss businessman and his associates, and in tracing the funds, Van de Sande and I also found another suspect: a Russia-based Ethereum Classic developer. But all these people were in Europe/Russia and the cash-outs mapped onto an Asian-morning-through-evening schedule—from 9 A.M. to midnight Tokyo time—when the Europeans were likely sleeping. (The timing of their social media posts suggested they kept fairly normal hours.) But based on a customer support email the hacker had submitted to ShapeShift in the leadup to the attack, I believed they spoke fluent English.

Jumping off from the Coinfirm analysis, blockchain analytics company Chainalysis saw the presumed attacker had sent 50 BTC to a Wasabi Wallet, a private desktop Bitcoin wallet that aims to anonymize transactions by mixing several together in a so-called CoinJoin. Using a capability that is being disclosed here for the first time, Chainalysis de-mixed the Wasabi transactions and tracked their output to four exchanges. In a final, crucial step, an employee at one of the exchanges confirmed to one of my sources that the funds were swapped for privacy coin Grin and withdrawn to a Grin node called (Due to exchange privacy policies, normally this sort of customer information would not be disclosed.)

The IP address for that node also hosted Bitcoin Lightning nodes:,, etc., and was consistent for over a year; it was not a VPN.

It was hosted on Amazon Singapore. Lightning explorer 1ML showed a node at that IP called TenX.

For anyone who was into crypto in June 2017, this name may ring a bell. That month, as the ICO craze was reaching its initial peak, there was an $80 million ICO named TenX. The CEO and cofounder used the handle @tobyai on AngelList, Betalist, GitHub, Keybase, LinkedIn, Medium, Pinterest, Reddit, StackOverflow, and Twitter. His name was Toby Hoenisch.

Where was he based? In Singapore.

Although he was German-born and raised in Austria, Hoenisch is fluent in English.

The cash-out transactions occurred mainly from 8 A.M. until 11 P.M. Singapore time.

And the email address used on that account at the exchange was [name of exchange]

In May 2016, as it was finishing up its historic fundraise, Hoenisch was intensely interested in The DAO. On May 12, he emailed Hosp a tip (“Profitable crypto trade coming up”) to short ETH once the DAO crowdfunding period ended. On May 17th and 18th, in the DAO Slack channel, he engaged in a long conversation in which he made, depending on how you count, 52 comments, minimum, about vulnerabilities in The DAO, getting into various aspects of the code and nitpicking over exactly what was possible given the way the code was structured.

One issue spurred him to email’s chief technology officer, Christoph Jentzsch, its lead technical engineer, Lefteris Karapetsas, and community manager Griff Green. In his email, he said he was writing a proposal for funding from The DAO for a crypto card product called DAO.PAY, and added, “For our due diligence, we went through the DAO code and found a few things that are worrisome.” He outlined three possible attack vectors and later emailed with a fourth. Jentzsch, a German who had been working on a PhD in physics before dropping out to focus on Ethereum, responded point by point, conceding some of Hoenisch’s assertions but saying others were “false” or “don’t work.” The back and forth ended with Hoenisch writing; “I’ll keep you in the loop if we find anything else.”

But instead of further email exchanges, on May 28th, Hoenish wrote four posts on Medium, beginning with, “TheDAO—risk free voting.” The second, “TheDAO—blackmailing withdrawals,” foreshadowed the main issue with The DAO and why Ethereum ultimately chose to hard fork: if it did not, the only other options were to let the attacker cash out his ill-gotten gains or for some group of DAO token holders to follow him forever into new split DAOs he created as he attempted to cash out. “TLDR: If you end upon in a DAO contract without majority voting power, then an attacker can block all withdrawals indefinitely,” he wrote. The third showed how an attacker could do this cheaply.

To put the enormity of this hack in perspective, with ETH now trading around $3,000, 3.64 million ETH would be worth $11 billion.

His last, most telling post for the day, “TheDAO—a $150m lesson in decentralized governance,” said DAO.PAY decided against making a proposal after uncovering “major security flaws” and that “Slockit down-played the severity of the attack vectors.” He wrote, “TheDAO is live … and we are still waiting for Slockit to put out a warning that THERE IS NO SAFE WAY TO WITHDRAW!”

On June 3, his last Medium post, “Announcing BlockOps: Blockchain Hack Challenges” said, “BlockOps is your playground to break encryption, steal bitcoin, break smart contracts and simply test your security knowledge.” Although he promised to “post new challenges in the field of bitcoin, ethereum and web security every 2 weeks,” I could find no record that he did so.

Two weeks later came the DAO attack. The morning after the attack, at 7:18 A.M. Singapore time, Hoenisch trolled Ethereum creator Vitalik Buterin by retweeting something Buterin had said before The DAO was attacked, but after it was known that the vulnerability used in the attack was evident in the DAO’s code. In the two-week old tweet, Buterin had said that he’d been buying DAO tokens since the security news. Over the following weeks, Hoenisch tweeted anti-hard fork posts like one titled, “Too Big to Fail is Failure Guaranteed.”

Curiously, on July 5, a couple weeks after the attack, Hoenisch and Karapetsas exchanged Reddit DMs titled “DarkDAO counter attack” — though the substance of the messages is unclear because Hoensich has deleted all his Reddit posts. (Hosp recalls that Hoenisch told him he had deleted his Reddit account after an altercation with an “idiot” on Reddit over The DAO.) Hoenisch wrote, “Sorry for not contacting first. I got carried away from finding it and telling the community that there is a way to fight back. In any case, I don’t see any way the attacker can use this.”

After Karapetsas told Hoenisch of the white hats’ plans to protect what was left in The DAO, Hoenisch replied, “I took down the post.” Karapetsas responded, “I will keep you up to date with what we do from now on.” Hoenisch’s last message in that exchange: “I’m sorry if I messed up the plan.”

On July 24th, the day after the Ethereum Classic chain revived and began trading on Poloniex, Hoenisch tweeted, “ethereum drama escalating: from #daowars to #chainwars. Ethereum classic now traded on poloniex as $ETC and miners planning attacks.” On July 26th, he retweeted Barry Silbert, the founder and CEO of the powerful and well-respected Digital Currency Group, who had tweeted, “Bought my first non-bitcoin digital currency…Ethereum Classic (ETC).”

“He (the DAO hacker) really screwed the pooch. Reputation is way more valuable than money.”

Upon hearing the name Toby Hoenisch, without knowing evidence indicated he was the DAO attacker, Karapetsas, a usually good-humored Greek software developer who was one of the DAO creators and had engaged with him by email and on Reddit, said: “He was obnoxious…. he was quite insistent on having found a lot of problems.”

After hearing that the DarkDAO ETC had been cashed out to a Grin node with Hoenisch’s alias, Karapetsas observed that if Hoenisch had instead remedied the situation while the DarkDao funds were frozen, the Ethereum community would have given him “huge kudos” for finding the weakness and then returning the ETH. Similarly, Griff Green, whose current projects lean towards helping non-profit and public causes grow in the digital world, believes the hacker missed the chance to “be a hero.” Says Green: “He really screwed the pooch…Reputation is way more valuable than money.”

Ironically, in a 2016 blog post, Hoenisch wrote, “I’m a white hat hacker by heart.’’ Twenty days later came the DAO attack.

As I noted earlier, after being sent a document laying out the evidence that he was the hacker and asking for comment for my book, Hoenisch wrote that my conclusion is “factually inaccurate.” He said in that email he could give me more details—and then did not respond to four requests for those details, nor to additional fact checking queries for this article. In addition, after receiving the first document detailing the facts I’d gathered, he deleted almost all his Twitter history (though I’ve saved the relevant tweets).

In May 2015, Hoenisch and the cofounders of his crypto debit card venture—first known as OneBit—had some success at a Mastercard Masters of Code hackathon in Singapore. They started making the card available that year on an invitation-only basis, because, as Hoenisch explained on Reddit, “We don’t want to launch a half-assed Bitcoin wallet that gets us in trouble for violating KYC (know your customer) laws. And yes, legal is the main reason we can’t just ship it.” A Bitcoin Magazine article at the time said Hoenisch had a background in AI, IT security and cryptography.

In early 2017, just months after the presumed DAO attacker stopped trying to cash out their ETC, Hoenisch’s team—by then operating as TenX—announced it had received $1 million in seed funding from (among others) Fenbushi Capital, where Ethereum founder Buterin was a general partner. Then came the $80 million ICO. In early 2018, things started to go south for TenX when its card issuer, Wavecrest, was booted from the Visa network, meaning that TenX’s users could no longer use their debit cards.

On Oct. 1, 2020, TenX announced it was sunsetting its services because its new card issuer, Wirecard SG, had been directed by the Monetary Authority of Singapore to cease operations. On April 9, 2021, TenX posted a blog called “TenX, Meet Mimo.” It outlined a new business that would offer a euro-pegged stablecoin, which kept its value pegged to a fiat currency such as US dollars or euros or Japanese Yen. The market cap of TenX tokens, which spiked at $535 million, now sits at just $11 million. TenX has rebranded itself as Mimo Capital and is offering holders of TenX tokens mostly worthless MIMO tokens instead at a rate of 0.37 MIMO for each TenX.

Hosp, who was the public face of the company while there, was booted by Hoenisch and another cofounder in January 2019. This occurred a couple months after some crypto publications reported on Hosp’s past affiliation with an Austrian multi-level marketing scheme. However, before hearing that evidence indicated Hoenisch was the DAO attacker, Hosp said his feeling had been that Hoenisch had perhaps pushed him out over jealousy that Hosp had sold bitcoin at the top of the bubble in late 2017, netting himself $20 million. Meanwhile, Hoenisch had kept all his crypto as the bubble – and his personal net worth – deflated.

“He came from a very poor family, he had no experience in investing, and he was in crypto in 2010 but he had literally no money, nothing, when we were in Las Vegas together [in the summer of 2016] he had nothing, and I was doing really well with my investments… he would always push for getting more salary, for having something nicer.” Hosp also mentioned Hoenisch had to send money home to his mother, who had raised him, as well as his sister and brother, as a single parent.

As new blockchain applications arise, one of the first uses of crypto—as an anonymity shield—is in retreat.

Upon hearing that Hoenisch was the likely DAO attacker, Hosp said he was “getting goose bumps” and begin recalling details from his interactions with his former partner that now seemed to take on new significance. For example, when asked if Hoenisch was into Grin (the privacy coins to which the hacker had cashed out) Hosp said, “Yes! Yes, he was. He was fascinated by that…I lost money because of those stupid coins! I invested in them because of him, because he was so fascinated by them.”

He said that Hoenisch was also obsessed with building a Bitcoin/Monero “atomic swap” – or a way to use smart contracts to swap between Bitcoin and the privacy coin Monero. At the time, Hosp was confused by that, because he felt there was no market for such a product. Later, Hosp pulled up chats from August 2016, in which Hoenisch seemed excited about the price of ETC, the coin held by the hacker after the ethereum fork.

When trying to recall the incident that he believed prompted Hoenisch to close his Reddit, Hosp began searching on his computer and muttered to himself, “He always used tobyai.” He confirmed that one of Toby’s regular email addresses ended in

Recalled a still astounded Hosp: “For some weird reason, he was quite well aware of what was happening…He understood more of the DAO hack when I asked him what had happened…than I had found on the internet or anywhere.”


MORE FROM FORBESHow An NFT Pivot Turned A Tiny Mobile Game Company Into Multibillion-Dollar Powerhouse MORE FROM FORBESHow Azukis Suddenly Became The World’s Best-Selling NFT Collection MORE FROM FORBESHow Crypto’s Original Bubble Boy Rode Ethereum And Is Now Pulling The Strings Of The DeFi Boom MORE FROM FORBESForbes Blockchain 50 2022 MORE FROM FORBESDAOs Aren’t A Fad – They’re A Platform

Follow me on Twitter or LinkedIn. Check out my website.

A former senior editor of Forbes, I’m a crypto journalist, host of the Unchained podcasts, and author of The Cryptopians: Idealism, Greed, Lies, and the Making of the First Big Cryptocurrency Craze.

Source: Exclusive: Austrian Programmer And Ex Crypto CEO Likely Stole $11 Billion Of Ether


Recent News

Securing Your Digital Life The Finale Debunking Worthless Security Practices

Information security and privacy suffer from the same phenomenon we see in fighting COVID-19: “I’ve done my own research” syndrome. Many security and privacy practices are things learned second- or third-hand, based on ancient tomes or stuff we’ve seen on TV—or they are the result of learning the wrong lessons from a personal experience.

I call these things “cyber folk medicine.” And over the past few years, I’ve found myself trying to undo these habits in friends, family, and random members of the public. Some cyber folkways are harmless or may even provide a small amount of incidental protection. Others give you a false sense of protection while actively weakening your privacy and security. Yet some of these beliefs have become so widespread that they’ve actually become company policy.

I brought this question to some friends on InfoSec Twitter: “What’s the dumbest security advice you’ve ever heard?” Many of the replies were already on my substantial list of mythological countermeasures, but there were others that I had forgotten or not even considered. And apparently, some people (or companies… or even vendors!) have decided these bad ideas are canon.

If I’m repeating myself from previous articles, it’s only because I keep hearing these bad pieces of advice. This article won’t eradicate these practices, sadly—they’re so embedded in culture that they will continue to be passed down and practiced religiously until the technological weaknesses that allow them to exist have faded into antiquity. But together we can at least try to end the madness for those in our circles of influence.

Myth: Thou shalt change thy password every 30 days

Passwords have been part of computer security since 1960, when Fernando Corbató added passwords for personal files to MIT’s Compatible Time-Sharing System (CTSS). And almost immediately, they became, as Corbató himself admitted, “a nightmare.” Since then, all sorts of bad advice (and bad corporate policy) has been disseminated about how to use, manage, and change passwords.

Technology limits have in the past been the main thing dictating password policy—limits on the number and type of characters, for example. The low security of short passwords led to policies that required that passwords be frequently changed. But modern operating systems and security systems have made the whole short-password-versus-frequent-password-change dance obsolete, right?

Apparently not. Not only have these folkways continued to be used to log in to personal computers at work, but they’ve been integrated into consumer services on the web—some banking and e-commerce sites have hard maximum sizes for passwords. And—likely because of poor software design and fear of cross-site scripting or SQL injection attacks—some services also limit the types of characters that can be used in passwords. I guess that’s just in case someone wants to use the password “password’); DROP TABLE users;–” or something.

Regardless of whether we’re talking about a password or a PIN, policies that limit length or characters weaken complexity and security. Long passwords with characters such as spaces and punctuation marks are more memorable than arbitrary numbers or leetspeak morphs of words. Microsoft’s definition of a PIN is, essentially, a hardware-specific password that controls device access and login credentials based on Trusted Platform Module black magic; a four-digit PIN for device access is not more secure than one based on letters and numbers if someone has stolen your computer and is banging away on it at their leisure.

Pick a sufficiently long and complex password for a personal or work computer, and you should only have to change it if it’s been shared with or stolen by someone else. Changing passwords every 30 days only makes passwords harder to remember and can cause people to develop bad password-creation workarounds that result in weaker passwords—for example, by incrementing numbers at the end of them:

  • Pa55w0rd1
  • Pa55w0rd2
  • Pa55w0rd3
  • …you can see where this madness leads

So pick one complex but memorable password for your computer login or your phone, like XKCD suggests (though don’t use the one in the comic—maybe generate one with Diceware!). Don’t reuse it anywhere else. And don’t change it unless you have to.

Myth: Don’t write it down!

Many of us have seen the worst-case scenario in password management: passwords on Post-it notes stuck to monitors in cubicle-land, just waiting to be abused. This habit has led many a would-be security mentor to cry out, “Don’t write down your passwords!”

Except you probably should write them down—just not on a Post-it in your cubicle. Many two-factor authentication services actually promote printing and saving recovery codes in the event you lose access to your second-factor app or device, for example. And you can’t save device passwords in a password manager, can you?

Some people insist on writing passwords in a notebook (Hi, Mom!). Never tell these people they’re wrong, but do encourage them to do this only for passwords that can’t be stored in a password manager or might be needed to recover backups and services if a device is damaged or lost—for example, if you have an Apple ID. You want these high-value passwords to be complex and memorable, but they’re used infrequently, so they may be more easily forgotten. Go ahead, write them down. And then put the written passwords (and your 2FA recovery codes!) in a nonpublic, safe place you can access when things go awry.

There is something you should not do with passwords, however, and that is keeping them in a text file or other unencrypted format. In a recent intrusion incident I was reviewing, one of the first things the criminals managed to do was find a file called Password List.xlsx. You can imagine how things went from there. And apparently this happens on the regular at some companies:

Now, if these files were password-protected Office documents, there’d at least be some hope—since Office uses AES encryption and does some serious SHA-1 shuffling of passwords to generate the keys in more recent versions. In instances when you can’t keep passwords in a password manager but need to keep track of them, this is an acceptable level of security in most cases.

Myth: 2FA is 2 scary 4 me

I’m a major proponent of two-factor authentication (“2FA”) as a way to protect login credentials; it has saved me a few times from having accounts hacked after provider breaches revealed my passwords. (There was also the one time when I lost access to an email account because a domain-name provider decided not to auto-renew my personal domain and instead sold it to a scam blog operator. I’ll leave it to you to guess which registrar did me dirty that way.) But I frequently see people deciding not to use 2FA because they saw somewhere that 2FA via text message is less secure, but they didn’t see the other part about using an authenticator app or other method instead if possible. And then they erroneously reached the conclusion that foregoing 2FA is more secure than 2FA with SMS.

Let me be clear: any 2FA is better than no 2FA. And with the usual types of brute-force attempts attackers make against common cloud services, any 2FA will render about 90 percent of these attempts totally unsuccessful (and the other 10 percent of the time will just result in a potentially recoverable denial of service). You definitely want some form of 2FA on an Amazon account or anything that has any ties to your purchasing information, no matter what kind of 2FA it is.

But just having 2FA is not a guarantee that someone won’t succeed in getting what they want. Some phishing attacks are now managing to get around two-factor authentication by using 2FA “passthrough” attacks:

If you receive an email with a link that takes you to a website requesting your credentials, and you then get a 2FA alert for your login, that does not necessarily mean that the link was legitimate and that you should give the code or tap the “approve” button. This could be an attempt to simply have you assist the attacker. Take a hard look at that link. Then call your security team, maybe. (My current employer’s security team attempts to 2FA phish me two or three times a month these days.)

So use 2FA. But be mindful of your login requests, and don’t approve weird ones.

Myth: My VPN protects me!

A few weeks ago I mentioned that, for most normal Internet usage, virtual private networks are kind of pointless now. All they really do (when properly configured) is hide the Domain Name Service requests you make and the resulting IP addresses you visit from your Internet Service Provider. This (mostly) prevents your ISP from collecting data about your Internet habits—and instead passes that privilege on to the VPN provider you’re using.

VPNs are good for some situations:

  • If you’re working from home and you need to access resources on the corporate LAN, you probably need to use the corporate VPN
  • If you’re stealing BBC content from Great Britain by watching it in the US without paying TV tax—assuming the Beeb has not yet blocked your VPN provider
  • If you’re pretending to be in another country to fool Google or other sites into giving you localized results for that geographic location, or otherwise working around some form of geoblocking

That’s about it. Otherwise, VPNs aren’t much more effective in protecting your privacy than what you already get from visiting sites that use modern Secure HTTP (HTTPS).

This doesn’t prevent VPN providers from using scare-tactic advertising (or in some cases, actually using fake alerts and other sorts of manipulative and illegal “advertising”) to drive you toward downloading VPNs for your computer or phone. If a friend or relative tells you they got a notification saying they had 1,000 viruses on their iPhone and that they needed to install a VPN right away, make sure you walk them through how to remove that app immediately (and also how to report a fraudulent application to Apple, Google, and the Federal Trade Commission).

Now, if your goal in life is to make sure that Comcast, AT&T, Verizon, Spectrum, T-Mobile, and all the rest know as little about your Internetting as possible and you’ve done due diligence on your VPN provider’s privacy disclosure, then go right ahead and VPN. Just don’t freak out too much when you have to go through a thousand CAPTCHAs to visit a site because some denial of service bro has been using the same VPN exit point as you. (It’s also important to understand that, unless you can actually audit your VPN provider’s privacy policy yourself, you can’t do effective due diligence.)

Myth: You don’t need antivirus on that

Just like fear of 2FA, some people swear that antivirus software is unnecessary, because:

  • “I have a firewall that blocks all that stuff”
  • “I don’t visit porn sites”
  • “We don’t need antivirus on the servers, just the desktops”

… and variations of these.

Microsoft Defender, up to date on a properly configured Windows 10 or Windows 11 system, is pretty good for blocking known threats. Microsoft’s security team has done a lot to raise the bar of its malware protection. But the number of improperly configured, half-disabled, non-updated systems I have had the privilege to examine forensically does not indicate to me that the majority of computers connected to Internet-adjacent networks are “properly configured Windows” for any number of reasons.

If a piece of software tells you that you need to disable the antivirus software for a folder in order for it to work, my advice is to just not use that software. There have been plenty of examples of how bad not following this advice can turn out—I lost most of my Independence Day weekend thanks to one in particular.

Stopping the madness

If there’s one cyber folkway that drives me the most nuts, it’s the widely held belief that people can achieve security through obscurity. “Why would they hack me? I’m not anyone special” are famous last words before a ransomware attack.

True fact: I’m proud of my parents for remembering all the things I’ve told them about identifying digital scams, and I lose much less sleep since my parents started doing most of their Internetting on iPads. The less time they spend reading email or browsing the web on their desktops, the better, because using up-to-date iOS devices significantly reduces their attack surface (at least from malware). But all cell phones have some security risk associated with them, and it’s not just smartphones.

It may not be possible through your own singular efforts to get your company to change its password policy. But if enough people gently persuade others to stop following flawed advice (advice they’ve received from people who probably haven’t exactly done themselves any privacy or security favors), then maybe we can avoid a few million dollars’ worth of cybercrime. (And if you’re an IT decision-maker or you sit on your company’s IT steering committee, then it’s time to weigh in and do your part!)

If you’ve seen or heard any particularly flawed information security or privacy advice, please share it in the comments here. The only way we can stop these sorts of bad security memes from propagating further and end cyber quackery is by pointing out instances every time we hear or see them.

Sean Gallagher is a former IT editor and national security editor at Ars Technica. A University of Wisconsin grad, he wrote his first program in high school on a DEC PDP-10, and his first database app on a dual-floppy Apple II.

Source: Securing your digital life, the finale: Debunking worthless “security” practices | Ars Technica


More Contents:

Samsung Galaxy S21 Smartphone Hacked During $1 Million, 61 Zero-Days, Hacking Romp

Just weeks after hackers managed to breach iOS 15 security measures and hack an Apple iPhone 13 Pro, now it’s the turn of Samsung’s current flagship smartphone, the Galaxy S21, to feel the hacking heat.

Unfortunately, like the iPhone 13 Pro before it, the Galaxy S21 has been hacked not once but twice. Indeed, within just a few days, hackers were able to demonstrate a total of 61 unique zero-day security flaws across a range of products and make themselves a whopping $1,081,250 in the process. Here’s how it all went down.

Over the weekend of 16-17 October, Chinese hackers taking part in the annual Tianfu Cup hacking challenge were able to bypass Safari security protections and achieve remote code execution on an iPhone 13 Pro running the fully patched iOS 15.0.2 at the time. What’s more, a different team of hackers went on to jailbreak the same flagship device by way of a ‘one-click’ attack.

The Tianfu Cup came about after China’s elite ethical hackers were banned by the Chinese government from taking part in international competitive hacking events where zero-day exploits are demonstrated. Zero-day exploits target a vulnerability that is unknown to the vendor and, therefore, cannot be stopped immediately.

The most popular hacking event is Pwn2Own (pronounce the ‘pwn’ bit like the ‘own’ bit, you’re welcome), organized by Trend Micro’s Zero Day Initiative, ZDI, and held twice a year in North America.

Pwn2Own hackers use exploit chains to hack Samsung Galaxy S21

The latest Pwn2Own event took place in Austin, Texas, between 2-5 November, and it was here that the Samsung Galaxy S21 smartphone fell to hackers. Twice.

It would have been three times, but one of the hacking teams was unable to successfully execute their zero-day exploit in the allotted timeframe.

However, on Wednesday, 3 November, the STARLabs team used an exploit chain to successfully attack the Samsung Galaxy S21. Officially, this was categorized as a ‘collision’ rather than an outright success as that attack chain included a vulnerability that was already known to Samsung rather than being a full zero-day chain.

On Thursday, 4 November, Sam Thomas, director of research at Pentest Limited, was able to get code execution on the Samsung Galaxy S21 using a three-bug chain that earned a full success label. It also earned the Pentest Limited team a $50,000 cash prize. The STARLabs team were awarded $25,000 for their hacking efforts. The successful hackers also get to keep the devices concerned in what ZDI called ‘the shipping of everything pwned to those who owned.’

Considering that this is the second Pwn2Own hacking event this year, if you combine the two, more than $2 million has been awarded. As far as Pwn2Own Austin was concerned, there could be only one winner. Well, two if you count security in general. It was a close call between the top three hacking teams, with STARLabs third on 12 ‘Master of Pwn’ points and a cash haul of $112,500. However, the top two were neck and neck, with DEVCORE in second on 18 points and $180,000 earned, just behind the Synacktiv team with 20 points and $197,500.

Where were all the ‘wow factor’ hacking targets?

It’s true to say that Pwn2Own Austin lacked wow factor targets, if not wow factor money, at least when compared to the Tianfu Cup. Alongside the Samsung Galaxy S21 smartphone, Pwn2Own also saw a Sonos One Speaker fall (earning the Synacktiv team a cool $60,000 in the process), but otherwise, it was a bunch of routers and printers.

Not that these aren’t worthy products to target, and once the impacted vendors have patched the vulnerabilities exposed (they have 120 days before the methodologies are publicly disclosed), users will be that bit more secure. However, the Chinese event went full out for dramatic impact with Microsoft Windows 10 and Google Chrome getting pwned.

Indeed, it was disappointing not to see any of the new iPhone 13 range running iOS 15.1, or the latest Google Pixel 6, up for hacker inspection. I asked Brian Gorenc, senior director of vulnerability research and head of the ZDI program at Trend Micro, why this was.

“When we announced the contest, we included the latest handsets available from each vendor,” Gorenc says. Since that time, although Apple and Google both released new smartphones, “these new models weren’t available to all of our researchers,” he explains, “so we continued with the hardware versions we initially announced.” It’s still something of a shame to see only the Samsung Galaxy S21 being put to the test, it has to be said.

While I had the opportunity, I also asked Gorenc about his view of the Tianfu Cup and how the withdrawal of the hugely successful Chinese hacking teams had impacted Pwn2Own?

“When Chinese teams withdrew from our competition, we did see an initial drop in participation,” Gorenc says, “however, their exclusion has actually opened the door for other researchers.” Indeed, he says that Pwn2Own Austin is the largest Pwn2Own event ever with “more than double the number of entries than we are used to seeing.”

If anything, he adds, “the lack of teams from China has allowed independent researchers and other teams to have their own success and grow the contest to heights we never expected.” Indeed, the discovery of no less than 61 unique zero-days would appear to be a testament to that.

Gorenc wouldn’t be drawn into the more political debate surrounding China and how it is putting a ringfence around the domestic hacking community when it comes to discovering and disclosing zero-days. “We can’t speak to other contests, but at Pwn2Own, vendors are provided full details of the exploit minutes after the bug was demonstrated on stage,” he says. “Pwn2Own seeks to harden platforms by revealing vulnerabilities and providing that research to the vendors,” Gorenc says, concluding, “the goal is always to get these bugs fixed before they’re actively exploited by attackers.”

I have reached out to Samsung to get an idea when Galaxy S21 users can expect to see these vulnerabilities patched and will update this article in due course.

Follow me on Twitter or LinkedIn. Check out my website or some of my other work here.

Davey is a three-decade veteran technology journalist and has been a contributing editor at PC Pro magazine since the first issue in 1994. A co-founder of the Forbes Straight Talking Cyber video project, which has been named ‘Most Educational Content’ at the 2021 European Cybersecurity Blogger Awards, Davey also won the 2020 Security Serious ‘Cyber Writer of the Year’ title. A three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) I was also fortunate enough to be named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro called ‘Threats to the Internet.’ In 2011 I was honored with the Enigma Award for a lifetime contribution to IT security journalism. Contact me in confidence at if you have a story to reveal or research to share.

Source: Samsung Galaxy S21 Hack, $1 Million Hackers, Pwn2Own, 61 Security Bugs


Related Contents:

“Samsung Galaxy Neo announced, headed to Korea”. GSMArena. 3 April 2011. Archived from the original on 22 May 2011. Retrieved 22 May 2011.

iPhone 13 Pro Hacked, Tianfu Cup, China Hackers, iOS 15 jailbreak

Ever since the Chinese government invoked regulations to prevent security researchers from taking part in international hacking competitions such as Pwn2Own, the annual Tianfu Cup, held in Chengdu, has been the place for the best hackers in China to demonstrate their collective prowess.

This past weekend saw the latest competition take place and the newest iPhone, the iPhone 13 Pro running the latest and fully patched version of iOS 15.0.2 to be precise, was hacked in record time. Twice.

The Kunlun Lab team, whose CEO is a former CTO of Qihoo 360, was able to hack the iPhone 13 Pro live on stage using a remote code execution exploit of the mobile Safari web browser. And do so in just 15 seconds flat.

Of course, months of preparation were likely involved in getting to this point, but the result was devastating and devastatingly fast. However, full details of the vulnerability or vulnerabilities exploited have yet to be revealed.

Kunlun Lab wasn’t the only team to hack the iPhone 13 Pro, though. Team Pangu, which has a history of Apple device jailbreaking, cemented its reputation in this regard by claiming the top $300,000 cash reward for remotely jailbreaking a fully patched iPhone 13 Pro running iOS 15.

While, again, the full detail of how this was achieved has not been made public, reports suggest it involved a one-click link triggering a remote code exploit that bypassed Safari security mechanisms.

The good news is that hacking is not a crime, as I have repeated time and time again.

Indeed, these hacking teams will turn the details of their exploits over to Apple so that it can release patches for these vulnerabilities. I would expect to see these in either iOS 15.1 or a forthcoming iOS 15.0 security update.

The not so good news is that there have been reports in the past of Chinese state actors using some of these exploits for espionage or surveillance purposes before patches can be released.

It should also be said that Apple products weren’t the only target at the Tianfu Cup 2021 event. Security researchers also successfully launched exploits against Windows 10, Microsoft Exchange and Google Chrome, among others. I’ll bring you more news of those as detail emerges.

I have reached out to Apple for comment and will update this article in due course.

Follow me on Twitter or LinkedIn. Check out my website or some of my other work here.

Davey is a three-decade veteran technology journalist and has been a contributing editor at PC Pro magazine since the first issue in 1994. A co-founder of the Forbes Straight Talking Cyber video project, which has been named ‘Most Educational Content’ at the 2021 European Cybersecurity Blogger Awards, Davey also won the 2020 Security Serious ‘Cyber Writer of the Year’ title. A three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) I was also fortunate enough to be named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro called ‘Threats to the Internet.’ In 2011 I was honored with the Enigma Award for a lifetime contribution to IT security journalism. Contact me in confidence at if you have a story to reveal or research to share.

Source: iPhone 13 Pro Hacked, Tianfu Cup, China Hackers, iOS 15 jailbreak..


Related Contents:

%d bloggers like this: