Bitcoin Stolen Over the Past Five Years: Tracing with Monero, Seeking Help from FBI, Lawsuits Cross the Atlantic.
0xAyA
Reader
2023-07-28 10:55
You can lose anything, but you can't lose your spirit.

Imagine being in a booming bull market and having all your cryptocurrency stolen. That was the real-life experience of Andrew Schober from Colorado.

In 2018, Schober downloaded a tampered version of the Electrum Bitcoin wallet from the /r/BitcoinAirdrops subreddit. The fake wallet carried malware: a clipboard hijacker built specifically to phish for bitcoins. It watched for any bitcoin receiving address copied on Schober's machine and swapped it out, replacing the intended recipient's address with one controlled by the hackers.

Schober had been steadily accumulating bitcoins since 2014, and because of this malware he ended up sending 16.5 bitcoins to the hackers, 95% of his net worth. When he was phished, those bitcoins were worth $180,000; at bitcoin's all-time high in 2021 they were worth $1.1 million. Schober called it "life-changing money."

"I found a link to malicious software on Reddit and installed it on my computer, quickly realizing that it wasn't what it claimed to be," Schober said. "So I just removed it from my computer and didn't think about it anymore."

"Unfortunately, once this Trojan was installed on your hard drive, removing the original program wouldn't get rid of it. So it was constantly monitoring my hard drive since then, and it would kick in whenever I copied a bitcoin address."

The malware was pre-programmed with 195,112 different bitcoin addresses. "It didn't just change the bitcoin address to some random new address," Schober explained. "It would match the first few characters of the address you copied. So visually it looked very similar, and if you didn't pay close attention to the differences, you wouldn't notice it."
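The substitution Schober describes defeats the usual habit of glancing at the first few characters of a pasted address. As an added illustration (not code from the article, the malware, or Bax's tooling), the Python below compares the address a user intended to pay against the one that actually lands in the paste buffer, validates its Base58Check checksum, and flags the "same prefix, different address" pattern. The sample addresses are constructed for the demonstration: the Bitcoin genesis-block address as the intended recipient, and a copy of it with the last character changed as the substituted one.

```python
import hashlib

# Bitcoin's Base58 alphabet (no 0, O, I or l, which are easy to confuse visually)
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_decode(address: str):
    """Decode a Base58Check string into (payload, checksum_ok).

    For a legacy P2PKH address the payload is the version byte plus a 20-byte hash.
    Raises ValueError on characters outside the alphabet or a too-short string.
    """
    n = 0
    for ch in address:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + digit
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' stands for one leading zero byte (the 0x00 version byte of P2PKH).
    leading_ones = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * leading_ones + raw
    if len(raw) < 5:
        raise ValueError("too short for Base58Check")
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload, checksum == expected


def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading characters two strings have in common."""
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return i


def check_pasted_address(intended: str, pasted: str, prefix_threshold: int = 4) -> dict:
    """Compare the address the user meant to pay with the one that ended up in the paste.

    A clipboard hijacker of the kind described in the article substitutes an address
    that shares the first few characters with the original, so a glance at the prefix
    is not enough: only an exact, character-by-character match is safe.
    """
    try:
        _, checksum_ok = base58check_decode(pasted)
    except ValueError:
        checksum_ok = False
    prefix = shared_prefix_len(intended, pasted)
    exact = intended == pasted
    return {
        "exact_match": exact,
        "checksum_ok": checksum_ok,
        "shared_prefix": prefix,
        # Looks like the intended address but is not it: the hijacker's signature.
        "lookalike": (not exact) and prefix >= prefix_threshold,
    }


if __name__ == "__main__":
    # Constructed sample: genesis-block address as the intended recipient, and a
    # paste that differs only in its final character.
    INTENDED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    PASTED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"
    print(check_pasted_address(INTENDED, INTENDED))
    print(check_pasted_address(INTENDED, PASTED))
```

The constructed lookalike fails the checksum only because it was made by hand; an attacker's pre-generated lookalike addresses are real addresses with valid checksums, so `checksum_ok` alone never detects a substitution. The comparison that matters is `exact_match` against the address obtained from a trusted source, which is the check a wallet or a user should perform before signing.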

Only four of those addresses received bitcoins from unsuspecting victims during the period of Schober's attack, which greatly narrowed his search.

Tracking the stolen bitcoins through Monero

The beauty of blockchain lies in its open ledger. Almost all cryptocurrency transactions leave digital traces.

Usually, tracking these paths means following transfers from one address to the next to find where the coins ultimately end up.

In Schober's case, he traced the stolen bitcoins to the long-running cryptocurrency atomic swap platform ShapeShift.

ShapeShift once maintained an API that exposed the addresses involved in its exchanges. The API data showed that the "thief" who targeted Schober had swapped the Bitcoin for Monero (XMR), and recorded the Monero address used.

So Schober posted on Reddit asking whether it was possible to trace Monero transactions. On-chain investigator and asset recovery expert Nick Bax answered his request.

"He received five replies, all saying 'impossible.' I sent him a private message saying, 'This is really difficult to do, but I have done it before. I know a lawyer who has successfully recovered funds,'" said Bax.

Bax ultimately submitted on-chain evidence in May 2021, confirming the hacker's identity in Schober's lawsuit, which had been filed over two years earlier. Along the way he analyzed Monero transactions and, with high confidence, traced Schober's stolen Bitcoin through Monero.

ShapeShift's API made it easy to track stolen BTC. Source: Nick Bax

He built his own Monero tracking software. "You mark an output (the part of a Monero transaction that says where funds are directed), and then look for transactions that may have used that marked output. When you do this, patterns begin to emerge."

This method of defeating Monero's ring signatures, now known as the Eve-Alice-Eve (EAE) attack, emerged in the aftermath of the 2017 WannaCry ransomware attack, which was attributed to North Korea.

"Monero's RingCT... hides which UTXO (unspent transaction output) is actually being spent, but gives blockchain analysts a list of plausible 'ring members,' one of which is being spent while the rest are 'decoys'," Bax wrote of his investigation in a blog post.

Weaknesses in Monero that have since been fixed may have made it easier at the time to distinguish real UTXOs from decoys and so to track transactions.
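Bax's description above, a marked output and a search for every transaction whose ring could have spent it, is the starting point of the decoy-elimination analyses that ring tracing builds on. As an added illustration (not Bax's software and not part of the article), the Python below models a ledger where each transaction input references a ring of candidate outputs, of which exactly one is really spent, and repeatedly eliminates members that are already known to be decoys or known to have been spent elsewhere until a ring collapses to a single real spend. The ledger is constructed for the example; real Monero rings are larger and have a fixed minimum size, so this simple elimination resolves far less on the live chain than on the toy data.

```python
# Constructed sample ledger: tx id -> ring members of that transaction's single input.
# Exactly one member of each ring is the output really being spent; the rest are decoys.
SAMPLE_RINGS = {
    "tx1": ["out_A"],                    # ring of size 1: out_A is definitely spent here
    "tx2": ["out_A", "out_B"],
    "tx3": ["out_B", "out_C", "out_D"],
    "tx4": ["out_B", "out_C"],
    "tx5": ["out_D", "out_E", "out_F"],
}


def transactions_referencing(rings, output):
    """The first step in the quote above: mark an output and list every
    transaction whose ring might have spent it."""
    return [tx for tx, ring in rings.items() if output in ring]


def resolve_spends(rings, known_decoys=frozenset()):
    """Eliminate decoys until rings collapse to a single real spend.

    known_decoys: outputs the analyst knows were never spent (for example outputs
    the analyst controls and has not moved), so wherever they appear in a ring
    they must be decoys. A ring member already identified as spent in another
    transaction is likewise a decoy, which is what lets one resolution trigger
    the next. Returns {tx: real_spent_output} for every transaction resolved.
    """
    spent_in = {}   # output -> transaction that really spent it
    resolved = {}   # transaction -> output it really spent
    changed = True
    while changed:
        changed = False
        for tx, ring in rings.items():
            if tx in resolved:
                continue
            candidates = [o for o in ring
                          if o not in known_decoys and o not in spent_in]
            if len(candidates) == 1:
                real = candidates[0]
                spent_in[real] = tx
                resolved[tx] = real
                changed = True
    return resolved


def unresolved(rings, resolved):
    """Transactions whose real spend could not be determined."""
    return [tx for tx in rings if tx not in resolved]


if __name__ == "__main__":
    print("rings containing out_B:", transactions_referencing(SAMPLE_RINGS, "out_B"))
    found = resolve_spends(SAMPLE_RINGS)
    print("resolved:", found)
    print("still ambiguous:", unresolved(SAMPLE_RINGS, found))
    # With one extra fact (out_E is known never to have been spent) the last ring collapses too.
    print("with out_E known unspent:", resolve_spends(SAMPLE_RINGS, known_decoys={"out_E"}))
```

On the sample data, tx1's single-member ring pins down out_A, which removes out_A as a candidate in tx2 and so on down the chain; tx5 stays ambiguous until the analyst supplies outside knowledge about one of its members, which is the kind of knowledge a party to the transactions (the "Eve" in EAE) has about their own outputs.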

A Masterstroke: Knocking on the FBI's Door

Bax confirmed that the alleged hacker had converted some BTC stolen from another victim into Monero through ShapeShift, and then sent it back through the same service to convert it back into BTC.

The laundered BTC was directed to a "vanity address" starting with "1BeNEdict". (Note by Odaily: a vanity address is produced by repeatedly generating keys and hashing them until the desired string appears in the address, similar to a "lucky number".)

As for Schober's bitcoins, they eventually ended up on Bitfinex. Cryptocurrency exchange hot wallets are essentially black boxes, because their balances are pooled customer funds.

Once coins enter a hot wallet it is almost impossible to determine where they were withdrawn to, unless the amounts are identical and unusual, and even then the evidence is not conclusive.

Schober and Bax's investigation was stuck there for more than a year. Schober had subpoenaed Bitfinex to disclose the owners of the accounts that received the stolen BTC, but was refused.

"Bitfinex will only respond to law enforcement requests for customer information, not civil requests, because Bitfinex does not get involved in civil matters, especially in the United States where US courts have no jurisdiction over us." Bitfinex legal counsel Sarah Compani replied to Schober's lawyer Ethan Mora via email.

"Cryptocurrency exchanges like FTX and Bitfinex set up companies in the British Virgin Islands or the Cayman Islands precisely for these legal reasons, so they don't have to comply with US or any other laws." Schober said.

"They can stay there and act with impunity. They haven't even given us an answer."

Unable to get at Bitfinex directly, Mora filed what is known as a Touhy request, asking the FBI's cyber division to provide files and other information from its investigation into the malware. Schober had reported to the FBI immediately after losing his bitcoins. "The FBI started issuing subpoenas to companies involved with this malware, such as Reddit (where the malware was posted) and GitHub (where the malware was hosted)," Schober said. The subpoenas went out in late 2018 and early 2019. The FBI even seized his computer for several months during the investigation.

After about 10 months, the Touhy request was successful. Suddenly, Schober's team received internal data from Bitfinex, pinpointing the exact IP and email addresses associated with the accounts that received his stolen bitcoins.

"We had no idea what the FBI's investigation had uncovered until we received the Department of Justice's response regarding the Touhy issue," Mora said.

Vanity addresses reemerge

Thanks to the FBI's subpoenas, Schober's team was able to identify the hacker's accounts across a range of online services: Gmail, Keybase, Reddit, Twitter, and GitHub. Code required by the malware, including its Bitcoin address generator dependency, was found in the hacker's public GitHub repositories.

Some of these accounts corroborated the hacker's identity: the 1BeNedict address used to launder funds through ShapeShift, which Bax took to be a vanity address, matched his name.

In a blatant piece of money laundering, the attacker's return address registered with ShapeShift (where funds are sent back if a swap fails) was identical to the Bitfinex hot wallet that had received the bitcoins stolen from Schober.

There was even a post on the Bitcoin developer mailing list, sent from an email address matching the true name of the alleged hacker, describing how to easily generate an address very similar to a given Bitcoin address. The post matched the modus operandi of the Electrum malware exactly.

After enough analysis, Bax found that "every Bitcoin transaction sent by the operator of the Electrum Atom malware was sent to a target address associated with a hacker under investigation by the FBI." A total of 17 bitcoins (worth $501,000) were received by addresses associated with the malware, 97% of them Schober's. He reached another victim through the long-running Bitcoin forum BitcoinTalk.

Since Schober's wallet was stolen, Bitcoin has gone through a full bull market cycle. Chart by David Canellis

This means that Schober can file a civil lawsuit against the individuals suspected of the crime, as well as another individual who allegedly sold the same malware on Reddit. Both were minors at the time of the crime, so the lawsuit also names their parents as defendants. All parties deny any wrongdoing.

This occurred in May 2021, more than three years after Schober's BTC was phished. The price of Bitcoin had more than doubled by then.

Complicating matters further, the accused hacker lives in the UK. The FBI handed the case to UK law enforcement and launched a joint investigation. Schober said both suspects were arrested and interrogated, and their devices were seized and examined.

But prior to their arrest, desperation (and perhaps a hint of naiveté) led Schober to contact them and their parents, letting them know they had been discovered. "I hoped they would come clean and return what was stolen from me because all I wanted was for them to return what was stolen, but they didn't," Schober said.

"The UK Crown Prosecution Service eventually told me that they might have destroyed their devices after I contacted them because they got new ones and there wasn't enough evidence for a prosecution."

(Bax said he would have done the same as Schober; they believed the parents might be honest people, since they worked for banks and the UK National Health Service. "They should return the money, and I think all of this will end.")

Schober's civil lawsuit may now be his only chance at justice. But the case is moving slowly, and the lawyers are arguing over which jurisdiction the trial should take place in.

The hackers' lawyers argue that the lawsuit should be dismissed because Schober is in the US, which has no jurisdiction over someone in the UK. They also argue that he has exceeded the statute of limitations for filing a complaint.

"But from our perspective, this is incorrect because it took so much time, effort, and investigation to determine that the other end is a person." Schober said.

Given that he had to wait 10 months for the FBI subpoena after Bitfinex denied him the critical information, he feels he should not be penalized by the statute-of-limitations argument.

An unprecedented case

Cases like Schober's are probably unique because they span the Atlantic.

"There are actually very few cases like this, in fact, I don't know of any cases where an individual is tracking and legally serving subpoenas (under international law), and prosecuting hackers like this... let alone hackers who stole cryptocurrencies." Mora said.

"I have been involved in some cases where individual plaintiffs have sued domestic fraudsters/hackers from other states in the US, but those defendants have already been arrested in the US."

Mora mentioned cases where the government filed criminal lawsuits against domestic and foreign hackers, as well as cases where tech giants like Amazon and Google sued hackers, some of whom demanded ransom payments in cryptocurrencies.

Schober is not a multinational corporation; he is an ordinary person, unlike some of the high-profile, wealthy cryptocurrency theft victims who have sued their attackers.

"I believe this case is unprecedented in many ways... I don't know how long this case will last," Mora said.

GitHub could not tell Schober whether law enforcement had investigated at all, which made the Touhy request a gamble.

Ultimately, no one knows how this will be resolved. If a US court rules that the hacker owes Schober, a UK court would still have to recognize the judgment before it could be enforced in the UK. In the end it may involve debt collection, liens, or even wage garnishment.

Schober says they have been able to trace a large amount of Bitcoin to addresses obtained from the FBI subpoena, indicating that the accused hacker does have the funds to repay him.

Considering that Schober seems to know exactly who stole his cryptocurrency, this situation is particularly frustrating.

Despite all of this, including the legal fees and the loss of $500,000 worth of bitcoin, Schober still supports Bitcoin. "I still believe in the future of Bitcoin. That was the original reason it attracted me. But there is no doubt that my advantage as an early participant has disappeared, and that is painful."

"But I still maintain a positive attitude about it. Moreover, I am proud to have been able to push this case to where it is now, knowing that the likelihood of success is very small."

He remains optimistic that the US court will recognize him as a victim of theft. If the attacker came from countries like Russia or North Korea, he would have almost no recourse.

"It has been five years, and I hope to resolve this issue as soon as possible," Schober said. "But on the other hand, I have put in a lot of effort and time, and I have people like Bax and others supporting me because they heard this story and found it remarkable."

"So I am determined to see it through to the end."
