In 2014, I bought 25,000 dogecoin as a joke. By 2021, it was briefly worth over $17,000. Problem was, I couldn’t remember the password. Determined to get my coins back, I embarked on a journey that exposed me to online hackers, the mathematics behind passwords, and a lot of frustration.
Although most people don’t have thousands in forgotten cryptocurrency, everyone relies on passwords to manage their digital lives. And as more and more people buy crypto, how can they protect their assets? We talked to a host of experts to figure out how to create the best passwords for your digital accounts, and, if you have crypto, what your basic storage tradeoffs are. Let’s dive in.
How to Hack Your Own Crypto Wallet
There are a few common ways to lose crypto. You might have a wallet on a hard drive you throw away. Your exchange could get hacked. You might lose your password, or you might get personally hacked and have your coins stolen. For those who lose their password, as I did, hackers actually present a silver lining. If you still control your wallet, you can try to hack your own wallet—or find someone who will.
So I contacted Dave Bitcoin, an anonymous hacker famous for cracking crypto wallets. He agreed to help break into the wallet, for his standard 20 percent fee—paid only if he is successful. Dave and other hackers are mostly using brute force techniques. Basically, they’re just guessing passwords—a lot of them.
You can also try to hack your own wallet with apps like Pywallet or John the Ripper. But I didn’t want to do it myself, so I sent Dave a list of password possibilities and he got started.
After a little waiting, I received an email from Dave. “I tried over 100 billion passwords on your wallet,” Dave told me over email. I assumed such a mind-boggling amount of tries meant my coins were surely recovered, but alas, we had only scratched the surface. The password was not hacked, and my coins remained lost. But how?
The Math Behind Strong Passwords
Each new digit in a password makes it exponentially harder to crack. Consider a one-digit password that could be a letter or a number. If the password is case-sensitive, there are 52 letters plus 10 numerals. Not very secure. You could simply guess the password by trying 62 times. (A, a, B, b, C, c … and so on).
Now make it a two-character password. It doesn’t get twice as hard to guess—it gets 62 times harder to guess. There are now 3,844 possible passwords to guess (AA, Aa, AB, etc.). A six-character password with the same rules has around 56 billion possible permutations, assuming we don’t use special characters. A 20-character password with those rules has 62-to-the-20th-power permutations: that is, 704,423,425,546,998,022,968,330,264,616,370,176 possible passwords. That makes 100 billion look pretty small in comparison.
This math was bad news for me, since I’m pretty sure I had some sort of long password, like a few lines of a song lyric. Talk about facing the music.
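The keyspace arithmetic above, worked through as an added example (not code from the original article): it reproduces the 62-character alphabet figures and puts the "100 billion guesses" number next to each keyspace. The guessing rate passed to expected_years() is a constructed illustration, not a measured figure.

```python
"""Keyspace arithmetic behind the password figures in the article.

Added example, not from the original article. Alphabet: 26 lower-case,
26 upper-case and 10 digits = 62 symbols, as the article assumes.
"""
import math

UPPER_LOWER_DIGITS = 62


def keyspace(length: int, alphabet_size: int = UPPER_LOWER_DIGITS) -> int:
    """Distinct passwords of exactly `length` characters over the alphabet."""
    if length < 0 or alphabet_size < 1:
        raise ValueError("length must be >= 0 and alphabet_size >= 1")
    return alphabet_size ** length


def cumulative_keyspace(max_length: int, alphabet_size: int = UPPER_LOWER_DIGITS) -> int:
    """Passwords of length 1..max_length: what an exhaustive search must cover
    when the length is unknown. The longest length dominates the total."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def fraction_searched(length: int, guesses: int, alphabet_size: int = UPPER_LOWER_DIGITS) -> float:
    """Share of the length-`length` keyspace covered by `guesses` attempts (capped at 1.0)."""
    return min(1.0, guesses / keyspace(length, alphabet_size))


def expected_years(length: int, guesses_per_second: float,
                   alphabet_size: int = UPPER_LOWER_DIGITS) -> float:
    """Average time to hit a uniformly random password of this length:
    half the keyspace, divided by the (constructed) guessing rate."""
    seconds = keyspace(length, alphabet_size) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def shortest_length_beyond(guess_budget: int, alphabet_size: int = UPPER_LOWER_DIGITS) -> int:
    """Smallest length whose keyspace a given guess budget cannot exhaust."""
    length = 1
    while keyspace(length, alphabet_size) <= guess_budget:
        length += 1
    return length


def bits_of_entropy(length: int, alphabet_size: int = UPPER_LOWER_DIGITS) -> float:
    """Same keyspace expressed in bits, the unit most password advice uses."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    budget = 100_000_000_000  # the "over 100 billion passwords" figure from the article
    for n in (1, 2, 6, 20):
        print(f"{n:>2} chars: {keyspace(n):,} candidates ({bits_of_entropy(n):.1f} bits)")
    print("fraction of the 20-char space covered by 100 billion guesses:",
          fraction_searched(20, budget))
    print("shortest length the budget cannot exhaust:", shortest_length_beyond(budget))
```

The 20-character figure assumes every character is chosen independently and uniformly; a line of a song lyric is far from uniform, so a dictionary- or phrase-driven search covers it with far fewer guesses than keyspace(20) suggests.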
Password Best Practices
Whether it’s for your email or crypto wallet, how can you balance creating a strong password that’s also memorable? “Choosing passwords is tricky,” says Dave, “If you go out of your way to create an unusual password for your wallet that you wouldn’t typically use, then it makes it quite difficult for you to remember and for me to help.
It’s easier to guess your password if you use consistent patterns. Of course, this is bad for security, and someone who is trying to hack your accounts will have an easier time.” Balancing security with memorability is ultimately a tough task that will depend on the individual’s needs and preferences.
“All I can really suggest is to either record all your passwords on paper (and take the risk that it will be found), or use a password manager,” Dave says. Ironically, the digital age is now making pen and paper a preferred security method. Russia’s state security agency supposedly reverted to typewriters after the Snowden leaks.
Are Coins on Crypto Exchanges Safe?
Losing my password made me a pretty big fan of storing crypto on exchanges. After all, if you forget your Coinbase password, the process is simple. You reset your password, and likely submit identification to verify that you own the account. On the surface, storing on big exchanges seems pretty secure.
Coinbase says they keep “over 98 percent of deposits offline in secure cold storage facilities” in addition to having an “extensive insurance policy.” Thus, it should be difficult or impossible for cybercriminals to access most of the crypto Coinbase controls.
Gemini, another popular US-based exchange, prides itself on its seemingly extensive security measures. At the same time, if your exchange suffers a major hack or goes bankrupt, it could take years to recover your crypto, if you get it back at all. That’s why many analysts recommend users maintain control over their coins…
No matter what you do to protect your business from hackers, cybersecurity will always be a moving target. Increasingly sophisticated hacking techniques mean CEOs always have to stay one step ahead of the latest ploys. A November Inc. survey of CEOs and other senior executives from more than 150 Inc. 5000 companies asked respondents about their level of confidence in the security of both their company and personal data.
The results: 53 percent of respondents said they feel more confident about the security of their company’s data now compared to five years ago, while just 28 percent said the same about their personal data. Matt Singley, founder of Chicago real estate firm Pinnacle Furnished Suites, is concerned about new methods being used by hackers, but feels confident in his company’s defenses against them.
One way the company minimizes the potential impact of a breach is by storing customer information only when necessary. Pinnacle also performs regular audits to purge its system of data it doesn’t need. “The only way to be completely secure with your data,” he says, “is to not store it.”
John Kailunas II, CEO of wealth management firm Regal Financial Group, says that the external threats his company faces have increased in both quantity and complexity. The company has countered this by adding required security awareness training for every employee and hiring cybersecurity consultants to recommend changes.
Kailunas says cybersecurity is an issue that requires constant examination. “Still,” he adds, “we have seen a significant improvement in our ability to identify potential threats.” Advances in hacking practices aren’t the only factor that has made security more challenging. “More and more, people are working from different devices that companies own,” says Shana Cosgrove, CEO of cloud software firm Nyla Technology Solutions, which provides software and cybersecurity services to the Department of Defense. “It’s a lot harder to handle security when you don’t own the entire platform.”
Jack Wight, CEO of device rebate company Buyback Boss, says his company is under near-constant attack from hackers trying to access bank account information. Scammers will spoof the company’s vendors over email and ask for wire payments, so Buyback Boss has implemented a policy of always calling vendors before sending payments.
“Five years ago there just wasn’t as much of this going on,” he says. “Now we’re dealing with scammers almost on a daily basis.” Claude Burns used to work in data security for the U.S. Navy before founding corporate beverage service Office Libations. He says his knowledge of the cybersecurity field has led him to be constantly on guard.
“I don’t think any information is safe or secure,” he says. “Your personal information is out there. Companies whose whole job is to protect it, like Equifax, are getting breached and hacked repeatedly.” Burns compares being hacked to getting in a car accident: Drive enough miles, and it’s going to happen eventually.
For him, the key is making sure that if something does look weird, his team can detect it quickly. “That way,” he says, “when something does happen, you’re able to mitigate the damage from it. In other words, wear your seat belt.”
One of Ukraine’s major internet providers was hacked twice – once in February just as Russia was invading and again on March 9, a source says. A major Ukrainian internet service provider says it was hacked twice. Sources tell Forbes that the first hack was in February, the second on March 9, and that the hackers managed to reset devices to factory settings.
In the last 24 hours, with Russia continuing its heavy bombardment across Ukraine, parts of the country have seen severe internet outages. One cause appears to be a cyberattack on telecoms provider Triolan, which serves a substantial number of users across the country.
Unverified reports circulated earlier today suggesting Triolan had been hit by an attack. Asked over Facebook if reports of a cyberattack were true, a spokesperson responded, “Yes, unfortunately, there are no details. Engineers are now working on restoring the Internet.”
Three other sources within the company and a former cofounder of the business said a cyberattack had occurred, with one claiming some of Triolan’s internal computers had stopped working because the “attackers reset the settings to the factory level.” They added that recovery was proving difficult because some equipment required physical access to restore, which was not possible due to the risk of life to personnel.
“We haven’t been able to pinpoint the source of the problem and we can’t pinpoint anyone at fault,” the source added. Another added that the attack landed on March 9, when internet outages began.
A post on the company’s Telegram page revealed that the company had, in fact, been hacked twice. A source within the company said the first hack hit on February 24 as Russia moved tanks into the country, with the second on March 9, and that they had much the same effect.
Triolan said “key nodes of the network” had been hacked and that some routers couldn’t be recovered. It said 70% of those nodes in Kyiv, Kharkiv, Dnipro, Poltava, Odesa, Rivne and Zaporizhia had been restored today.
There may be other reasons for disruption of telecoms at Triolan, given it is based in Kharkiv, which has been bombarded by Russian shelling. But a cyberattack on the internet service provider represents one of the more damaging hits in what has been a fairly muted cyber side to the Russian invasion of Ukraine.
The effects of the outage will have been felt across its subscriber base. “Triolan is one of the top destinations for internet traffic in Ukraine from our perspective, so it is safe to say that there are likely thousands of Ukrainians that are affected by this outage,” said Doug Madory, director of internet analysis at Kentik, an internet monitoring company.
Data from the Internet Outage Detection and Analysis at the Georgia Institute of Technology showed a sudden drop off in connectivity for Triolan late Wednesday, which has continued throughout Thursday. NetBlocks, another global internet outage tracker, saw similar downtime.
Various outages across Ukraine have been caused by physical destruction of infrastructure. Wednesday saw “major internet disruption” registered across Kherson Oblast, in southern Ukraine, with downtime at providers Ukrtelecom and Volia.
I’m associate editor for Forbes, covering security, surveillance and privacy. I’m also the editor of The Wiretap newsletter, which has exclusive stories on real-world surveillance and all the
Network data from NetBlocks confirm a series of significant disruptions to internet service in Ukraine from Thursday 24 February 2022. Disruptions have subsequently been tracked across much of Ukraine including capital city Kyiv as Russia’s military operation progresses.
On the morning of Thursday 24 February 2022, internet disruptions were registered in Kharkiv, Ukraine’s second largest city. Also on the morning of 24 February, hours prior to the commencement of Russia’s invasion of Ukraine, the Viasat satellite internet network which serves Ukraine and much of Europe was knocked offline in a targeted cyberattack.
On Saturday morning as the conflict reached Kyiv, a major disruption was registered to backbone internet provider GigaTrans, which supplies connectivity to several other networks.
While connectivity remained available through other routes and the disruption was brief, the incident is understood to have had significant impact to telecommunications infrastructure.
From 4 March 2022 NetBlocks tracked a loss of connectivity at the Zaporizhzhia nuclear power plant in southeast Ukraine, affecting fixed-lines and mobile services. The loss of communications was subsequently raised as a point of concern by the International Atomic Energy Agency.
On 9 March 2022, internet provider Triolan was targeted by a cyberattack for a second time, with the first instance having been observed on the morning of 24 February when invasion began. Both events have caused significant losses to connectivity at nation scale.
On the night of Thursday 10 March, an attack on the Kharkiv Institute of Physics and Technology, which hosts an ADS neutron source facility, was labelled an “act of nuclear terrorism” by the State Nuclear Regulatory Inspectorate of Ukraine. The incident, following attacks at Zaporizhzhia and Chernobyl, has heightened concerns that Russia might be intentionally targeting nuclear sites.
What’s happening in Ukraine?
Russian leader Vladimir Putin announced military mobilization on the morning of Thursday 24 February 2022, and artillery was fired as Russian forces moved into Kharkiv, about 25 miles from the Russian border. The security situation deteriorated through subsequent days, with Ukrainian authorities advising civilians to get off the streets and seek shelter.
Ethereum, the second biggest crypto network, is worth $360 billion. Its creator, Vitalik Buterin, has more than 3 million Twitter followers, has made videos with Ashton Kutcher and Mila Kunis, and has met with Vladimir Putin. All the most popular trends in crypto over the last several years launched on Ethereum: initial coin offerings (ICOs), decentralized finance (DeFi), non-fungible tokens (NFTs), and decentralized autonomous organizations (DAOs). And it has spawned a whole class of blockchain imitators, often called “Ethereum killers.”
Ethereum is also the subject of a great mystery: who committed the largest theft of ether (Ethereum’s native token) ever, by hacking The DAO? The decentralized venture capital fund had raised $139 million in ether (ETH) by the time its crowd sale ended in 2016, making it the most successful crowdfunding effort to that date. Weeks later, a hacker siphoned 31% of the ETH in The DAO—3.64 million total or about 5% of all ETH then outstanding—out of the main DAO and into what became known as the DarkDAO.
Who hacked The DAO? My exclusive investigation, built on the reporting for my new book, The Cryptopians: Idealism, Greed, Lies, and the Making of the First Big Cryptocurrency Craze, appears to point to Toby Hoenisch, a 36-year-old programmer who grew up in Austria and was living in Singapore at the time of the hack. Until now, he has been best known for his role as a cofounder and CEO of TenX, which raised $80 million in a 2017 initial coin offering to build a crypto debit card—an effort that failed.
The market cap of those tokens, which spiked at $535 million, now sits at just $11 million. After being sent a document detailing the evidence pointing to him as the hacker, Hoenisch wrote in an email, “Your statement and conclusion is factually inaccurate.” In that email, Hoenisch offered to provide details refuting our findings—but never answered my repeated follow-up messages to him asking for those details.
To put the enormity of this hack in perspective, with ETH now trading around $3,000, 3.64 million ETH would be worth $11 billion. The DAO theft famously and controversially prompted Ethereum to do a hard fork—where the Ethereum network split into two as a way to restore the stolen funds—which ultimately left the DarkDAO holding not ETH, but far less valuable Ethereum Classic (ETC). The proponents of the fork had hoped ETC would die out, but it now trades around $30. That means the descendant wallets of the DarkDAO now hold more than $100 million in ETC—a high dollar monument to the biggest whodunnit in crypto.
Last year, as I was working on my book, my sources and I, utilizing (among other things) a powerful and previously secret forensics tool from crypto tracing firm Chainalysis, came to believe we had figured out who did it. Indeed, the story of The DAO and the six-year quest to identify the hacker shows a lot about just how far the crypto world and the technology for tracking transactions have both come since the first crypto craze. Today, blockchain technology has gone mainstream. But as new applications arise, one of the first uses of crypto—as an anonymity shield—is in retreat, thanks to both regulatory pressure and the fact that transactions on public blockchains are traceable.
Since Hoenisch won’t talk to me, I can only speculate about his possible motives; back in 2016 he identified technical vulnerabilities in the DAO early and may have decided to strike after concluding his warnings weren’t being taken seriously enough by the creators of the DAO. (One of his TenX cofounders, Julian Hosp, an Austrian medical doctor who now works in blockchain full time, says of Hoenisch: “He is a person that is super opinionated. Always believed he was right. Always.”) Looked at from that perspective, this is also a tale of the big brains and big egos that drive the crypto world–and of a hacker who may have justified his actions by telling himself he simply did what the faulty code baked into The DAO allowed him to do.
In early 2016, the Ethereum network was not even a year old, and there was only one app on it that people were interested in: The DAO, a decentralized venture fund built with a smart contract that gave its token holders the right to vote on proposals submitted for funding. It had been created by a company named Slock.it, which, instead of seeking traditional venture capital, had decided to create this DAO and then open it up for crowdfunding—with the expectation that its own project would be one of those funded by The DAO. Slock.it’s team thought The DAO might attract $5 million.
Yet when the crowd sale opened on April 30th, it took in $9 million in just the first two days, with participants exchanging one ether for 100 DAO tokens. As the money poured in, some on the team felt queasy, but it was too late to cap the sale. By the time the funding closed a month later, 15,000 to 20,000 individuals had contributed, The DAO held what was then 15% of all ether and the price of the cryptocurrency was steadily rising. At the same time, a variety of security and structural concerns were being raised about The DAO, including one that would, ironically, later prove to be crucial to limiting the hacker’s immediate access to the spoils.
That problem: withdrawing funds was too hard. Someone wanting to retrieve their money had to first create a “child DAO” or “split DAO,” which required not only a high degree of technical knowledge, but also waiting periods after each step and the agreement of anyone else who moved funds into that child DAO.
On the morning of June 17th, ETH reached a new all-time high of $21.52, making the crypto in The DAO worth $249.6 million. When American Griff Green woke up that morning in Mittweida, Germany (he was staying in the family home of two brothers who were Slock.it cofounders), he had a message on his phone from a DAO Slack community member who said something weird was happening— it looked like funds were being drained.
Green, Slock.it’s first employee and community organizer, checked: there was indeed a stream of 258-ETH (then $5,600) transactions leaving The DAO. By the time the attack stopped a few hours later, 31% of the ETH in The DAO had been siphoned out into the DarkDAO. As awareness of the attack spread, ether had its highest trading day ever, with its price plummeting 33% from $21 to $14.
Split Fortunes
The 2016 DAO crowdfunding sale drove the price of ether (ETH) to a then record high—until the June 17th attack on The DAO sent it plummeting. After the hard fork on July 20th, the old blockchain began trading as ether classic (ETC).
Soon, the Ethereum community pinpointed the vulnerability that enabled this theft: the DAO smart contract had been written so that any time someone withdrew money, the smart contract would send the money first, before updating that person’s balance. The attacker had used a malicious smart contract that withdrew money (258 ETH at a time), then interfered with the updating of the contract, allowing them to withdraw the same ether again and again. It was as if the attacker had $101 in their bank account, withdrew $100 at a bank, then kept the bank teller from updating the balance to $1, and again requested and received another $100.
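The ordering flaw just described, modelled as an added example (not code from The DAO or from the article): a vault that pays out before debiting the ledger beside one that debits first and rejects re-entry. The figures (a 258-unit deposit mirroring the article's 258-ETH rounds, a 10,000-unit reserve, a five-round recipient) are constructed for the model.

```python
"""Model of The DAO's withdrawal-ordering flaw: send first, update balance later.

Added example. Python classes stand in for the Solidity contract and for the
contract calling it; the numbers are constructed, not taken from the chain.
"""
from typing import Callable, Dict

Hook = Callable[["Vault", int], None]  # code the recipient runs when funds arrive


class Vault:
    """Shared ledger; subclasses differ only in the order of pay-out and debit."""

    def __init__(self, balances: Dict[str, int], reserve: int):
        self.balances = dict(balances)
        self.pool = reserve + sum(balances.values())  # what the contract holds
        self._busy = False

    def _pay(self, amount: int, on_receive: Hook) -> None:
        self.pool -= amount
        on_receive(self, amount)  # external call: the recipient's code runs here

    def withdraw(self, who: str, amount: int, on_receive: Hook) -> None:
        raise NotImplementedError


class VulnerableVault(Vault):
    """The DAO's ordering: check, send, and only then update the balance."""

    def withdraw(self, who: str, amount: int, on_receive: Hook) -> None:
        if self.balances[who] < amount:
            raise ValueError("insufficient balance")
        self._pay(amount, on_receive)   # interaction ...
        self.balances[who] -= amount    # ... before effect (can go negative, like a uint underflow)


class HardenedVault(Vault):
    """Checks-effects-interactions plus a re-entrancy guard."""

    def withdraw(self, who: str, amount: int, on_receive: Hook) -> None:
        if self._busy:
            raise RuntimeError("reentrant call rejected")
        if self.balances[who] < amount:
            raise ValueError("insufficient balance")
        self._busy = True
        try:
            self.balances[who] -= amount   # effect first
            self._pay(amount, on_receive)  # interaction last
        finally:
            self._busy = False


def make_reentering_recipient(who: str, amount: int, max_rounds: int) -> Hook:
    """Test fixture reproducing the article's 'same ether again and again': the
    on-receive hook calls withdraw again until max_rounds or the first rejection."""
    state = {"rounds": 0}

    def on_receive(vault: Vault, _amount: int) -> None:
        state["rounds"] += 1
        if state["rounds"] >= max_rounds:
            return
        try:
            vault.withdraw(who, amount, on_receive)
        except (ValueError, RuntimeError):
            pass  # a failing inner call would revert in Solidity; here it simply stops

    return on_receive


def run(vault_cls, deposit: int = 258, reserve: int = 10_000, rounds: int = 5) -> dict:
    """How much left the pool, and what the ledger records for the depositor afterwards."""
    vault = vault_cls({"depositor": deposit}, reserve)
    before = vault.pool
    hook = make_reentering_recipient("depositor", deposit, rounds)
    vault.withdraw("depositor", deposit, hook)
    return {"drained": before - vault.pool, "ledger_balance": vault.balances["depositor"]}


if __name__ == "__main__":
    print("vulnerable:", run(VulnerableVault))  # drained 5 x 258, ledger driven negative
    print("hardened:  ", run(HardenedVault))    # drained 258 once, ledger at 0
```

On-chain, the detection signal is the same one Green saw: a repeated stream of identical-size withdrawals from one contract inside a single transaction is exactly what a debit-after-send ledger produces.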
Even worse, once the vulnerability became public, the remaining 7.3 million ETH in The DAO was at risk of a copycat attack. A team of white hat hackers (that is, hackers acting ethically) formed and used the attacker’s method to divert the remaining funds into a new child DAO. But the attacker still had about 5% of all outstanding ETH, and even the rescued ether was vulnerable, given the flaws in The DAO. Plus, the clock was ticking down to a July 21st deadline—the first date when the original hacker might be able to get at the funds they had diverted into the DarkDao.
If the community wanted to keep the attacker from cashing out, they would need to put tokens in the hacker’s DarkDAO and then in any future “split DAOs” (or child DAOs) the unknown hacker created. (Under the rules of the DAO smart contract, the attacker couldn’t withdraw funds if anyone else in their split DAO objected.) Bottom line: if the white hats ever missed their window to object, the attacker would be able to abscond with the funds—meaning this informal group would have to be constantly vigilant.
Eventually, after much bickering (on Reddit, on a Slack channel, over email and on Skype calls) and Ethereum founder Buterin publicly weighing in, and after it seemed that a majority of the Ethereum community supported the measure, Ethereum did a “hard fork.” On July 20th the Ethereum blockchain was split into two. All the ETH that had been in the DAO was moved to a “withdraw” contract which gave the original contributors the right to send in their DAO tokens and get back ETH on the new blockchain. The old blockchain, which still attracted some supporters and speculators, carried on as Ethereum Classic.
• • •
On Ethereum Classic, The DAO and the attacker’s loot (in the form of 3.64 million ETC) remained. That summer, the attacker moved their ETC a few hops away to a new wallet, which remained dormant until late October, when they began trying to use an exchange called ShapeShift to cash the money out to bitcoin. Because ShapeShift didn’t at that time take personally identifying information, the attacker’s identity was not known even though all their blockchain movements were visible.
Over the next two months, the hacker managed to obtain 282 bitcoins (then worth $232,000, now more than $11 million). And then, perhaps because ShapeShift frequently blocked their attempted trades, they gave up cashing out, leaving behind 3.4 million Ether Classic (ETC), then worth $3.2 million and now more than $100 million.
That might have been the end of the story—an unknown hacker sitting on a fortune he couldn’t cash out. Except last July, one of my sources involved in the DAO rescue, a Brazilian named Alex Van de Sande (aka Avsa), reached out, saying the Brazilian Police had opened an investigation into the attack on The DAO—and into whether he might be a victim or even the hacker himself. Van de Sande decided to commission a forensics report from blockchain analytics company Coinfirm to help exonerate himself (though the police then closed the investigation, he said). In case any similar situations arose in the future, he went forward with the report examining those cash-out attempts in 2016.
Among the early suspects in the hack had been a Swiss businessman and his associates, and in tracing the funds, Van de Sande and I also found another suspect: a Russia-based Ethereum Classic developer. But all these people were in Europe/Russia and the cash-outs mapped onto an Asian-morning-through-evening schedule—from 9 A.M. to midnight Tokyo time—when the Europeans were likely sleeping. (The timing of their social media posts suggested they kept fairly normal hours.) But based on a customer support email the hacker had submitted to ShapeShift in the leadup to the attack, I believed they spoke fluent English.
Jumping off from the Coinfirm analysis, blockchain analytics company Chainalysis saw the presumed attacker had sent 50 BTC to a Wasabi Wallet, a private desktop Bitcoin wallet that aims to anonymize transactions by mixing several together in a so-called CoinJoin. Using a capability that is being disclosed here for the first time, Chainalysis de-mixed the Wasabi transactions and tracked their output to four exchanges. In a final, crucial step, an employee at one of the exchanges confirmed to one of my sources that the funds were swapped for privacy coin Grin and withdrawn to a Grin node called grin.toby.ai. (Due to exchange privacy policies, normally this sort of customer information would not be disclosed.)
The IP address for that node also hosted Bitcoin Lightning nodes: ln.toby.ai, lnd.ln.toby.ai, etc., and was consistent for over a year; it was not a VPN.
It was hosted on Amazon Singapore. Lightning explorer 1ML showed a node at that IP called TenX.
For anyone who was into crypto in June 2017, this name may ring a bell. That month, as the ICO craze was reaching its initial peak, there was an $80 million ICO named TenX. The CEO and cofounder used the handle @tobyai on AngelList, Betalist, GitHub, Keybase, LinkedIn, Medium, Pinterest, Reddit, StackOverflow, and Twitter. His name was Toby Hoenisch.
Where was he based? In Singapore.
Although he was German-born and raised in Austria, Hoenisch is fluent in English.
The cash-out transactions occurred mainly from 8 A.M. until 11 P.M. Singapore time.
And the email address used on that account at the exchange was [name of exchange]@toby.ai.
In May 2016, as it was finishing up its historic fundraise, Hoenisch was intensely interested in The DAO. On May 12, he emailed Hosp a tip (“Profitable crypto trade coming up”) to short ETH once the DAO crowdfunding period ended. On May 17th and 18th, in the DAO Slack channel, he engaged in a long conversation in which he made, depending on how you count, 52 comments, minimum, about vulnerabilities in The DAO, getting into various aspects of the code and nitpicking over exactly what was possible given the way the code was structured.
One issue spurred him to email Slock.it’s chief technology officer, Christoph Jentzsch, its lead technical engineer, Lefteris Karapetsas, and community manager Griff Green. In his email, he said he was writing a proposal for funding from The DAO for a crypto card product called DAO.PAY, and added, “For our due diligence, we went through the DAO code and found a few things that are worrisome.” He outlined three possible attack vectors and later emailed with a fourth. Jentzsch, a German who had been working on a PhD in physics before dropping out to focus on Ethereum, responded point by point, conceding some of Hoenisch’s assertions but saying others were “false” or “don’t work.” The back and forth ended with Hoenisch writing, “I’ll keep you in the loop if we find anything else.”
But instead of further email exchanges, on May 28th, Hoenisch wrote four posts on Medium, beginning with, “TheDAO—risk free voting.” The second, “TheDAO—blackmailing withdrawals,” foreshadowed the main issue with The DAO and why Ethereum ultimately chose to hard fork: if it did not, the only other options were to let the attacker cash out his ill-gotten gains or for some group of DAO token holders to follow him forever into new split DAOs he created as he attempted to cash out. “TLDR: If you end upon in a DAO contract without majority voting power, then an attacker can block all withdrawals indefinitely,” he wrote. The third showed how an attacker could do this cheaply.
His last, most telling post for the day, “TheDAO—a $150m lesson in decentralized governance,” said DAO.PAY decided against making a proposal after uncovering “major security flaws” and that “Slockit down-played the severity of the attack vectors.” He wrote, “TheDAO is live … and we are still waiting for Slockit to put out a warning that THERE IS NO SAFE WAY TO WITHDRAW!”
On June 3, his last Medium post, “Announcing BlockOps: Blockchain Hack Challenges” said, “BlockOps is your playground to break encryption, steal bitcoin, break smart contracts and simply test your security knowledge.” Although he promised to “post new challenges in the field of bitcoin, ethereum and web security every 2 weeks,” I could find no record that he did so.
Two weeks later came the DAO attack. The morning after the attack, at 7:18 A.M. Singapore time, Hoenisch trolled Ethereum creator Vitalik Buterin by retweeting something Buterin had said before The DAO was attacked, but after it was known that the vulnerability used in the attack was evident in the DAO’s code. In the two-week old tweet, Buterin had said that he’d been buying DAO tokens since the security news. Over the following weeks, Hoenisch tweeted anti-hard fork posts like one titled, “Too Big to Fail is Failure Guaranteed.”
Curiously, on July 5, a couple weeks after the attack, Hoenisch and Karapetsas exchanged Reddit DMs titled “DarkDAO counter attack”—though the substance of the messages is unclear because Hoenisch has deleted all his Reddit posts. (Hosp recalls that Hoenisch told him he had deleted his Reddit account after an altercation with an “idiot” on Reddit over The DAO.) Hoenisch wrote, “Sorry for not contacting first. I got carried away from finding it and telling the community that there is a way to fight back. In any case, I don’t see any way the attacker can use this.”
After Karapetsas told Hoenisch of the white hats’ plans to protect what was left in The DAO, Hoenisch replied, “I took down the post.” Karapetsas responded, “I will keep you up to date with what we do from now on.” Hoenisch’s last message in that exchange: “I’m sorry if I messed up the plan.”
On July 24th, the day after the Ethereum Classic chain revived and began trading on Poloniex, Hoenisch tweeted, “ethereum drama escalating: from #daowars to #chainwars. Ethereum classic now traded on poloniex as $ETC and miners planning attacks.” On July 26th, he retweeted Barry Silbert, the founder and CEO of the powerful and well-respected Digital Currency Group, who had tweeted, “Bought my first non-bitcoin digital currency…Ethereum Classic (ETC).”
Upon hearing the name Toby Hoenisch, without knowing evidence indicated he was the DAO attacker, Karapetsas, a usually good-humored Greek software developer who was one of the DAO creators and had engaged with him by email and on Reddit, said: “He was obnoxious…. he was quite insistent on having found a lot of problems.”
After hearing that the DarkDAO ETC had been cashed out to a Grin node with Hoenisch’s alias, Karapetsas observed that if Hoenisch had instead remedied the situation while the DarkDao funds were frozen, the Ethereum community would have given him “huge kudos” for finding the weakness and then returning the ETH. Similarly, Griff Green, whose current projects lean towards helping non-profit and public causes grow in the digital world, believes the hacker missed the chance to “be a hero.” Says Green: “He really screwed the pooch…Reputation is way more valuable than money.”
Ironically, in a 2016 blog post, Hoenisch wrote, “I’m a white hat hacker by heart.” Twenty days later came the DAO attack.
As I noted earlier, after being sent a document laying out the evidence that he was the hacker and asking for comment for my book, Hoenisch wrote that my conclusion is “factually inaccurate.” He said in that email he could give me more details—and then did not respond to four requests for those details, nor to additional fact checking queries for this article. In addition, after receiving the first document detailing the facts I’d gathered, he deleted almost all his Twitter history (though I’ve saved the relevant tweets).
In May 2015, Hoenisch and the cofounders of his crypto debit card venture—first known as OneBit—had some success at a Mastercard Masters of Code hackathon in Singapore. They started making the card available that year on an invitation-only basis, because, as Hoenisch explained on Reddit, “We don’t want to launch a half-assed Bitcoin wallet that gets us in trouble for violating KYC (know your customer) laws. And yes, legal is the main reason we can’t just ship it.” A Bitcoin Magazine article at the time said Hoenisch had a background in AI, IT security and cryptography.
In early 2017, just months after the presumed DAO attacker stopped trying to cash out their ETC, Hoenisch’s team—by then operating as TenX—announced it had received $1 million in seed funding from (among others) Fenbushi Capital, where Ethereum founder Buterin was a general partner. Then came the $80 million ICO. In early 2018, things started to go south for TenX when its card issuer, Wavecrest, was booted from the Visa network, meaning that TenX’s users could no longer use their debit cards.
On Oct. 1, 2020, TenX announced it was sunsetting its services because its new card issuer, Wirecard SG, had been directed by the Monetary Authority of Singapore to cease operations. On April 9, 2021, TenX posted a blog called “TenX, Meet Mimo.” It outlined a new business that would offer a euro-pegged stablecoin (a cryptocurrency designed to keep its value pegged to a fiat currency such as the US dollar, the euro or the Japanese yen). The market cap of TenX tokens, which spiked at $535 million, now sits at just $11 million. TenX has rebranded itself as Mimo Capital and is offering holders of TenX tokens mostly worthless MIMO tokens instead at a rate of 0.37 MIMO for each TenX.
Hosp, who was the public face of the company while there, was booted by Hoenisch and another cofounder in January 2019. This occurred a couple months after some crypto publications reported on Hosp’s past affiliation with an Austrian multi-level marketing scheme. However, before hearing that evidence indicated Hoenisch was the DAO attacker, Hosp said his feeling had been that Hoenisch had perhaps pushed him out over jealousy that Hosp had sold bitcoin at the top of the bubble in late 2017, netting himself $20 million. Meanwhile, Hoenisch had kept all his crypto as the bubble – and his personal net worth – deflated.
“He came from a very poor family, he had no experience in investing, and he was in crypto in 2010 but he had literally no money, nothing, when we were in Las Vegas together [in the summer of 2016] he had nothing, and I was doing really well with my investments… he would always push for getting more salary, for having something nicer.” Hosp also mentioned Hoenisch had to send money home to his mother, who had raised him, as well as his sister and brother, as a single parent.
Upon hearing that Hoenisch was the likely DAO attacker, Hosp said he was “getting goose bumps” and began recalling details from his interactions with his former partner that now seemed to take on new significance. For example, when asked if Hoenisch was into Grin (the privacy coin to which the hacker had cashed out), Hosp said, “Yes! Yes, he was. He was fascinated by that…I lost money because of those stupid coins! I invested in them because of him, because he was so fascinated by them.”
He said that Hoenisch was also obsessed with building a Bitcoin/Monero “atomic swap” – or a way to use smart contracts to swap between Bitcoin and the privacy coin Monero. At the time, Hosp was confused by that, because he felt there was no market for such a product. Later, Hosp pulled up chats from August 2016, in which Hoenisch seemed excited about the price of ETC, the coin held by the hacker after the Ethereum fork.
When trying to recall the incident that he believed prompted Hoenisch to close his Reddit, Hosp began searching on his computer and muttered to himself, “He always used tobyai.” He confirmed that one of Toby’s regular email addresses ended in @toby.ai.
Recalled a still astounded Hosp: “For some weird reason, he was quite well aware of what was happening…He understood more of the DAO hack when I asked him what had happened…than I had found on the internet or anywhere.”
A former senior editor of Forbes, I’m a crypto journalist, host of the Unchained podcasts, and author of The Cryptopians: Idealism, Greed, Lies, and the Making of the First Big Cryptocurrency Craze. https://bit.ly/cryptopians
Information security and privacy suffer from the same phenomenon we see in fighting COVID-19: “I’ve done my own research” syndrome. Many security and privacy practices are things learned second- or third-hand, based on ancient tomes or stuff we’ve seen on TV—or they are the result of learning the wrong lessons from a personal experience.
I call these things “cyber folk medicine.” And over the past few years, I’ve found myself trying to undo these habits in friends, family, and random members of the public. Some cyber folkways are harmless or may even provide a small amount of incidental protection. Others give you a false sense of protection while actively weakening your privacy and security. Yet some of these beliefs have become so widespread that they’ve actually become company policy.
I brought this question to some friends on InfoSec Twitter: “What’s the dumbest security advice you’ve ever heard?” Many of the replies were already on my substantial list of mythological countermeasures, but there were others that I had forgotten or not even considered. And apparently, some people (or companies… or even vendors!) have decided these bad ideas are canon.
If I’m repeating myself from previous articles, it’s only because I keep hearing these bad pieces of advice. This article won’t eradicate these practices, sadly—they’re so embedded in culture that they will continue to be passed down and practiced religiously until the technological weaknesses that allow them to exist have faded into antiquity. But together we can at least try to end the madness for those in our circles of influence.
Myth: Thou shalt change thy password every 30 days
Passwords have been part of computer security since 1960, when Fernando Corbató added passwords for personal files to MIT’s Compatible Time-Sharing System (CTSS). And almost immediately, they became, as Corbató himself admitted, “a nightmare.” Since then, all sorts of bad advice (and bad corporate policy) has been disseminated about how to use, manage, and change passwords.
Technology limits have in the past been the main thing dictating password policy—limits on the number and type of characters, for example. The low security of short passwords led to policies that required that passwords be frequently changed. But modern operating systems and security systems have made the whole short-password-versus-frequent-password-change dance obsolete, right?
Apparently not. Not only have these folkways continued to be used to log in to personal computers at work, but they’ve been integrated into consumer services on the web: some banking and e-commerce sites have hard maximum sizes for passwords. And, likely because of poor software design and fear of cross-site scripting or SQL injection attacks, some services also limit the types of characters that can be used in passwords. I guess that’s just in case someone wants to use the password “password'); DROP TABLE users;--” or something. Handled properly, a password is hashed before it is stored and is never interpolated into a query or a page, so there is no reason to restrict its character set at all.
Regardless of whether we’re talking about a password or a PIN, policies that limit length or characters weaken complexity and security. Long passphrases with characters such as spaces and punctuation marks are more memorable than arbitrary numbers or leetspeak morphs of words. Microsoft’s Windows Hello PIN is, essentially, a device-specific secret that unlocks login credentials protected by the Trusted Platform Module; the TPM throttles guesses, but a four-digit PIN for device access is still no more secure than a longer one made of letters and numbers if someone has stolen your computer and can keep banging away at it at their leisure.
Pick a sufficiently long and complex password for a personal or work computer, and you should only have to change it if it’s been shared with or stolen by someone else. Changing passwords every 30 days only makes passwords harder to remember and can cause people to develop bad password-creation workarounds that result in weaker passwords—for example, by incrementing numbers at the end of them:
Pa55w0rd1
Pa55w0rd2
Pa55w0rd3
…you can see where this madness leads
So pick one complex but memorable password for your computer login or your phone, like XKCD suggests (though don’t use the one in the comic—maybe generate one with Diceware!). Don’t reuse it anywhere else. And don’t change it unless you have to.
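To make the "long, memorable, don't increment it" advice concrete, here is an added example (not code from the article or from the Diceware project) of a Diceware-style generator, the entropy arithmetic behind it, and a small check an administrator could run at password-change time to catch the Pa55w0rd1 -> Pa55w0rd2 workaround. The 32-word list is constructed for the example; a real Diceware list has 7776 words, which is why the entropy function takes the list size as a parameter.

```python
import math
import secrets

# Constructed 32-word sample list (stand-in for a real Diceware list of 7776 = 6^5 words).
SAMPLE_WORDS = [
    "acorn", "basil", "cobalt", "dune", "ember", "fjord", "gecko", "harbor",
    "ivory", "jasper", "kelp", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "tundra", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "anvil", "bramble", "cinder", "drift", "falcon", "glacier",
]


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n_words chosen uniformly, with replacement, from list_size words."""
    return n_words * math.log2(list_size)


def generate_passphrase(n_words: int = 6, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Diceware-style passphrase: every word picked with a CSPRNG, never random.choice()."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the passphrase: on average the attacker searches half the space."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def is_increment_variant(old: str, new: str) -> bool:
    """Flags the Pa55w0rd1 -> Pa55w0rd2 workaround at password-change time (the only
    moment the old password is available in the clear): the new password is the old
    one with nothing but the trailing digits changed or added."""
    def stem(s: str) -> str:
        return s.rstrip("0123456789")
    return old != new and stem(old) == stem(new) and stem(new) != ""


if __name__ == "__main__":
    bits = entropy_bits(6, 7776)
    years = expected_crack_seconds(bits, 1e11) / (365.25 * 86400)
    print(f"6 Diceware words: {bits:.1f} bits; at 1e11 guesses/s, {years:,.0f} years expected")
    print("sample (from the tiny demo list):", generate_passphrase())
    print("Pa55w0rd1 -> Pa55w0rd2 is an increment variant:",
          is_increment_variant("Pa55w0rd1", "Pa55w0rd2"))
```

The guess rate of 1e11 per second is only a round figure for a well-equipped offline attacker; the point is that six words from a real list still give roughly 77 bits, which puts the expected time in the tens of thousands of years, while the incremented variant of a leaked password falls to a handful of guesses.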
Myth: Don’t write it down!
Many of us have seen the worst-case scenario in password management: passwords on Post-it notes stuck to monitors in cubicle-land, just waiting to be abused. This habit has led many a would-be security mentor to cry out, “Don’t write down your passwords!”
Except you probably should write them down—just not on a Post-it in your cubicle. Many two-factor authentication services actually promote printing and saving recovery codes in the event you lose access to your second-factor app or device, for example. And you can’t save device passwords in a password manager, can you?
Some people insist on writing passwords in a notebook (Hi, Mom!). Never tell these people they’re wrong, but do encourage them to do this only for passwords that can’t be stored in a password manager or might be needed to recover backups and services if a device is damaged or lost—for example, if you have an Apple ID. You want these high-value passwords to be complex and memorable, but they’re used infrequently, so they may be more easily forgotten. Go ahead, write them down. And then put the written passwords (and your 2FA recovery codes!) in a nonpublic, safe place you can access when things go awry.
There is something you should not do with passwords, however, and that is keeping them in a text file or other unencrypted format. In a recent intrusion incident I was reviewing, one of the first things the criminals managed to do was find a file called Password List.xlsx. You can imagine how things went from there. And apparently this happens regularly at some companies.
Now, if these files were password-protected Office documents, there’d at least be some hope: recent versions of Office encrypt the document with AES and derive the key by running the password through a hash (SHA-1 in Office 2007 and 2010, SHA-512 since Office 2013) tens or hundreds of thousands of times, which makes every guess expensive. The caveat is that such a file can be attacked offline at whatever speed the attacker’s hardware allows, so the protection is only as good as the password on it. In instances when you can’t keep passwords in a password manager but need to keep track of them, an encrypted document with a strong password is an acceptable level of security in most cases.
Myth: 2FA is 2 scary 4 me
I’m a major proponent of two-factor authentication (“2FA”) as a way to protect login credentials; it has saved me a few times from having accounts hacked after provider breaches revealed my passwords. (There was also the one time when I lost access to an email account because a domain-name provider decided not to auto-renew my personal domain and instead sold it to a scam blog operator. I’ll leave it to you to guess which registrar did me dirty that way.) But I frequently see people deciding not to use 2FA because they saw somewhere that 2FA via text message is less secure, and missed the other part: use an authenticator app or another method instead where possible. And then they erroneously reached the conclusion that forgoing 2FA is more secure than 2FA with SMS.
Let me be clear: any 2FA is better than no 2FA. And with the usual types of brute-force attempts attackers make against common cloud services, any 2FA will render about 90 percent of these attempts totally unsuccessful (and the other 10 percent of the time will just result in a potentially recoverable denial of service). You definitely want some form of 2FA on an Amazon account or anything that has any ties to your purchasing information, no matter what kind of 2FA it is.
But just having 2FA is not a guarantee that someone won’t succeed in getting what they want. Some phishing attacks now get around two-factor authentication with 2FA “passthrough” (adversary-in-the-middle) attacks: the phishing page collects your password and your one-time code and relays them to the real site within the same 30-second window, or simply triggers a push notification and waits for you to tap “approve.” Codes from an authenticator app are just as relayable as codes from a text message; only a phishing-resistant method such as a FIDO2/WebAuthn security key, which binds the login to the site’s real origin, stops this.
If you receive an email with a link that takes you to a website requesting your credentials, and you then get a 2FA alert for your login, that does not necessarily mean that the link was legitimate and that you should give the code or tap the “approve” button. This could be an attempt to simply have you assist the attacker. Take a hard look at that link. Then call your security team, maybe. (My current employer’s security team attempts to 2FA phish me two or three times a month these days.)
So use 2FA. But be mindful of your login requests, and don’t approve weird ones.
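The passthrough attack described above, as an added example that is not part of the original article: a constructed service with two second factors registered for the same user. The TOTP code is the real RFC 4226/6238 algorithm; the security key is a stand-in that uses an HMAC over the challenge and the browser-supplied origin in place of a real asymmetric WebAuthn signature (an assumption made for brevity). The origins `bank.example` and `bank-login.example` and the password are constructed.

```python
import hashlib
import hmac
import secrets
import struct


# ---- TOTP exactly as in RFC 4226 / RFC 6238 (HMAC-SHA1, 30 s steps, 6 digits) ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)


# ---- Security-key stand-in (assumption: HMAC instead of a real asymmetric signature) ----
def key_sign(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    # The browser, not the web page, supplies `origin`: the origin of the site the user
    # is actually looking at. Since it is part of the signed data, a signature produced
    # on a phishing origin is useless against the real site.
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


class Service:
    """Constructed web service with a password, a TOTP secret and a security key on file."""
    ORIGIN = "https://bank.example"

    def __init__(self, password: str, totp_secret: bytes, device_key: bytes):
        self._password = password.encode()
        self._totp_secret = totp_secret
        self._device_key = device_key
        self._pending = None

    def login_with_totp(self, password: str, code: str, now: int) -> bool:
        pw_ok = hmac.compare_digest(password.encode(), self._password)
        code_ok = hmac.compare_digest(code, totp(self._totp_secret, now))
        return pw_ok and code_ok

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(32)
        return self._pending

    def login_with_key(self, password: str, challenge: bytes, signature: bytes) -> bool:
        # Verified against the service's OWN origin, whatever the client might claim.
        expected = key_sign(self._device_key, challenge, self.ORIGIN)
        ok = (self._pending is not None and challenge == self._pending
              and hmac.compare_digest(signature, expected)
              and hmac.compare_digest(password.encode(), self._password))
        self._pending = None          # challenges are single-use
        return ok


# ---- The attacker's relay, run against a victim who types whatever the page asks ----
PHISH_ORIGIN = "https://bank-login.example"   # constructed look-alike domain


def relay_totp_phish(svc: Service, victim_password: str, victim_totp_secret: bytes, now: int) -> bool:
    # Victim enters password plus the code from the authenticator app on the fake page;
    # the relay submits both to the real site inside the same 30-second window.
    code_typed_by_victim = totp(victim_totp_secret, now)
    return svc.login_with_totp(victim_password, code_typed_by_victim, now)


def relay_key_phish(svc: Service, victim_password: str, victim_device_key: bytes) -> bool:
    # The relay fetches a genuine challenge and forwards it to the victim's browser, but the
    # browser is on PHISH_ORIGIN, so that is the origin the key signs over.
    challenge = svc.new_challenge()
    signature = key_sign(victim_device_key, challenge, PHISH_ORIGIN)
    return svc.login_with_key(victim_password, challenge, signature)


def legitimate_key_login(svc: Service, password: str, device_key: bytes) -> bool:
    challenge = svc.new_challenge()
    return svc.login_with_key(password, challenge, key_sign(device_key, challenge, Service.ORIGIN))


if __name__ == "__main__":
    secret, key = b"12345678901234567890", b"\x01" * 32
    svc = Service("hunter2", secret, key)
    print("TOTP relay succeeds:", relay_totp_phish(svc, "hunter2", secret, 1_700_000_000))
    print("security-key relay succeeds:", relay_key_phish(svc, "hunter2", key))
    print("real login on the real origin succeeds:", legitimate_key_login(svc, "hunter2", key))
```

The first relay succeeds because nothing in a six-digit code says which site it was typed into; the second fails because the origin is part of what the key signs. That is the whole difference between "2FA" and "phishing-resistant 2FA."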
Myth: My VPN protects me!
A few weeks ago I mentioned that, for most normal Internet usage, virtual private networks are kind of pointless now. All they really do (when properly configured) is hide the Domain Name Service requests you make and the IP addresses you connect to from your Internet Service Provider and from whoever runs the local network you’re on. This (mostly) prevents your ISP from collecting data about your Internet habits, and instead passes that privilege on to the VPN provider you’re using.
VPNs are good for some situations:
If you’re working from home and you need to access resources on the corporate LAN, you probably need to use the corporate VPN
If you’re stealing BBC content from Great Britain by watching it in the US without paying TV tax—assuming the Beeb has not yet blocked your VPN provider
If you’re pretending to be in another country to fool Google or other sites into giving you localized results for that geographic location, or otherwise working around some form of geoblocking
That’s about it. Otherwise, VPNs aren’t much more effective in protecting your privacy than what you already get from visiting sites that use HTTP over TLS (HTTPS). HTTPS hides what you send and receive, but the hostname is still visible to anyone on the path, in the DNS lookup and in the Server Name Indication field of the TLS handshake (unless the site and your browser both support Encrypted Client Hello). That hostname is the one thing a VPN really takes away from your ISP.
This doesn’t prevent VPN providers from using scare-tactic advertising (or in some cases, actually using fake alerts and other sorts of manipulative and illegal “advertising”) to drive you toward downloading VPNs for your computer or phone. If a friend or relative tells you they got a notification saying they had 1,000 viruses on their iPhone and that they needed to install a VPN right away, make sure you walk them through how to remove that app immediately (and also how to report a fraudulent application to Apple, Google, and the Federal Trade Commission).
Now, if your goal in life is to make sure that Comcast, AT&T, Verizon, Spectrum, T-Mobile, and all the rest know as little about your Internetting as possible and you’ve done due diligence on your VPN provider’s privacy disclosure, then go right ahead and VPN. Just don’t freak out too much when you have to go through a thousand CAPTCHAs to visit a site because some denial of service bro has been using the same VPN exit point as you. (It’s also important to understand that, unless you can actually audit your VPN provider’s practices rather than just read its privacy policy, you can’t do effective due diligence.)
Myth: You don’t need antivirus on that
Just like fear of 2FA, some people swear that antivirus software is unnecessary, because:
“I have a firewall that blocks all that stuff”
“I don’t visit porn sites”
“We don’t need antivirus on the servers, just the desktops”
… and variations of these.
Microsoft Defender, up to date on a properly configured Windows 10 or Windows 11 system, is pretty good for blocking known threats. Microsoft’s security team has done a lot to raise the bar of its malware protection. But the number of improperly configured, half-disabled, non-updated systems I have had the privilege to examine forensically does not indicate to me that the majority of computers connected to Internet-adjacent networks are “properly configured Windows” for any number of reasons.
If a piece of software tells you that you need to disable the antivirus software for a folder in order for it to work, my advice is to just not use that software. There have been plenty of examples of how bad not following this advice can turn out—I lost most of my Independence Day weekend thanks to one in particular.
Stopping the madness
If there’s one cyber folkway that drives me the most nuts, it’s the widely held belief that people can achieve security through obscurity, in its most naive form: that nobody would bother to attack them. “Why would they hack me? I’m not anyone special” are famous last words before a ransomware attack. Most intrusions start with automated scanning and mass phishing that never ask who you are.
True fact: I’m proud of my parents for remembering all the things I’ve told them about identifying digital scams, and I lose much less sleep since my parents started doing most of their Internetting on iPads. The less time they spend reading email or browsing the web on their desktops, the better, because using up-to-date iOS devices significantly reduces their attack surface (at least from malware). But all cell phones have some security risk associated with them, and it’s not just smartphones.
It may not be possible through your own singular efforts to get your company to change its password policy. But if enough people gently persuade others to stop following flawed advice (advice they’ve received from people who probably haven’t exactly done themselves any privacy or security favors), then maybe we can avoid a few million dollars’ worth of cybercrime. (And if you’re an IT decision-maker or you sit on your company’s IT steering committee, then it’s time to weigh in and do your part!)
If you’ve seen or heard any particularly flawed information security or privacy advice, please share it in the comments here. The only way we can stop these sorts of bad security memes from propagating further and end cyber quackery is by pointing out instances every time we hear or see them.
Sean Gallagher is a former IT editor and national security editor at Ars Technica. A University of Wisconsin grad, he wrote his first program in high school on a DEC PDP-10, and his first database app on a dual-floppy Apple II.