The Anatomy of the Ian Balina Hack of 2 million in cryptocurrency

This week a popular YouTuber, Ian Balina, a cryptocurrency evangelist, had almost $2 million in Ethereum tokens and other altcoins stolen; a snapshot of his portfolio is below. This news was quite shocking for many people in this space, as Ian has a reputation as a savvy ICO investor, reputedly turning an initial investment of $90,000 US dollars into $4 million in under a year. Because he is transparent about his methods and his success, he has built up a large social media following across YouTube, Facebook, Twitter and Instagram. People are clearly looking to Ian for guidance, so I and others were quite surprised to discover how weak his defences were, given the resources he could have deployed to come up with a better system. Most individuals in the space with large portfolios keep their crypto gains on a hardware wallet such as a Trezor or a Ledger Blue. Attacking these devices is difficult for an online attacker: they are seldom attached to the network, and they usually have mechanisms that make it difficult for malware on an infected computer to work out which PIN or password the user is typing. I hope the other half of his portfolio is spread across 10 of these and locked away in a bank security vault! I can only assume that he chose to keep these items in an online file because he planned to trade the tokens and did not want to carry a hardware wallet around the world with him, as that would make him vulnerable to a “wrench attack” or an “evil maid attack”.

So let’s have a look at how it was done, and inexpensively learn from poor old Ian’s mistakes. Ian kept the private and public keys to his Ethereum wallet in an encrypted file on the Evernote online platform. As long as he remembered the password to evernote.com he would be able to access the files he created there to store his private keys. The attacker must have picked up a list of Ian’s most commonly used email addresses by researching his online content. They then must have probed each one by requesting a password reset, which typically shows the hacker which recovery address or method the email provider will use to perform the request. Even if the provider only showed a partial address, it may have been enough for the hacker to guess the complete email address, which turned out to be his old college address. So now they have the recovery address of his main email account, but as yet cannot get into it. So they need to put together a very authentic-looking college admin email, pretending to be from the college, claiming there has been some unusual activity on his account and asking him to log in via a link. Clearly you should be aware that this is spear-phishing: a bespoke email targeting one high-net-worth individual or a prominent person in a company, with a view to getting them to give up their login password. I do feel for Ian Balina here, because if the email is put together well and you’re in a bit of a lazy mood you might not check the URL before logging in on the link. I have done it myself: when Btc-e went down I received a timely email from “WEX.nz admin”. Fortunately I had no funds in that trading exchange, so my guard was down, I took the bait and they stole my password, but like I said nothing was lost.

Now here’s where the hacker must have had patience, or Ian neglected to realise that the college email was the password recovery email of his main email account and had been compromised. Getting control of his main account would then give them access to the evernote.com account: by initiating a password reset there, they would be able to access the files containing the private keys to his Ethereum wallets and tokens. Ian has not disclosed the actual methods in detail; I have extrapolated from the very sketchy details I was able to pick up from posts online.

Clearly, if he had had two-factor authentication on all of these accounts, using Authy (password locked) instead of the popular Google Authenticator, it would have gone a long way towards restricting the hackers and perhaps given him the time to react. For example, the hack took place while he was on a live YouTube stream, which seems to be a popular moment for attacks against YouTubers. I believe this is about the victim being distracted and therefore unable to take the necessary steps to lock down the affected accounts.
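The recovery chain the last three paragraphs describe (the old college address can reset the main email, the main email can reset Evernote, and Evernote holds the key file) is a small graph, and the question “which single forgotten account leads all the way to the keys?” can be answered mechanically. The following Python is an added example and not code from the original post; the account names, the layout, and the rule that a second factor blocks a reset-based takeover are assumptions made for illustration.

```python
from collections import deque
from copy import deepcopy

# Constructed model of the recovery chain described in the post (an assumed
# layout, not Ian Balina's real accounts). Each account lists the accounts
# that can be used to reset its password, plus whether it has a second factor
# that a password reset alone cannot satisfy.
ACCOUNTS = {
    "college_email": {"recovery": [], "mfa": False},
    "main_email":    {"recovery": ["college_email"], "mfa": False},
    "evernote":      {"recovery": ["main_email"], "mfa": False},
}

# The account that holds the sensitive material (the note with the private keys).
KEY_STORE = "evernote"


def compromised_from(accounts, start):
    """Return the set of accounts an attacker controls after taking over `start`.

    Rule: controlling account A lets the attacker reset any account B whose
    recovery list contains A, unless B has a second factor enabled.
    This is a plain breadth-first search over the recovery graph.
    """
    owned = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for name, info in accounts.items():
            if name in owned or info["mfa"]:
                continue
            if current in info["recovery"]:
                owned.add(name)
                queue.append(name)
    return owned


def exposes_keys(accounts, start, key_store=KEY_STORE):
    """True if taking over `start` eventually reaches the key-holding account."""
    return key_store in compromised_from(accounts, start)


def weakest_links(accounts, key_store=KEY_STORE):
    """Accounts whose compromise alone reaches the key store, longest chain first.

    The longest chains start at the accounts furthest from the keys, which are
    exactly the old, rarely used addresses people forget to protect.
    """
    risky = [name for name in accounts if exposes_keys(accounts, name, key_store)]
    return sorted(risky, key=lambda n: -len(compromised_from(accounts, n)))


def enable_mfa(accounts, name):
    """Return a copy of the model with a second factor turned on for `name`."""
    hardened = deepcopy(accounts)
    hardened[name]["mfa"] = True
    return hardened


if __name__ == "__main__":
    print("Taken over from the college address:",
          sorted(compromised_from(ACCOUNTS, "college_email")))
    print("Accounts that alone expose the keys:", weakest_links(ACCOUNTS))
    hardened = enable_mfa(ACCOUNTS, "main_email")
    print("Same start after 2FA on the main email:",
          sorted(compromised_from(hardened, "college_email")))
```

Run as-is, the model shows the college address alone reaching the Evernote key file, and that turning on a second factor at the main email cuts the chain at the first hop. The model is deliberately simple: it assumes the second factor is an authenticator app rather than SMS, and that backup codes are not stored in the same Evernote notebook as the keys, since either of those would reopen the path the post describes.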

Hopefully we can learn from this crime, better protect ourselves and get help in assessing our security systems. If you’re interested in assessing your computer systems and security methods, get in contact with us. We are also giving out a free “Recovery email checklist”; use the contact us form to request yours.