Using Hacked LastPass Keys to Steal Cryptocurrency

Remember last November, when hackers broke into the network for LastPass—a password database—and stole password vaults with both encrypted and plaintext data for over 25 million users?

Well, they’re now using that data to break into crypto wallets and drain them: $35 million and counting, all going into a single wallet.

That’s a really profitable hack. (It’s also bad opsec. The hackers need to move and launder all that money quickly.)

Look, I know that online password databases are more convenient. But they’re also risky. This is why my Password Safe is local only. (I know this sounds like a commercial, but Password Safe is not a commercial product.)

Posted on September 18, 2023 at 7:02 AM (28 comments)

Comments

Winter September 18, 2023 9:57 AM

There is something to say for being more careful with the seed to your bitcoin/Ethereum wallet containing millions of dollars of value than with some random utility password.

However, the suggestion to use a “locally” stored password safe is not for everyone. Getting such a password safe to synchronize over the internet is non-trivial [1] and being excluded from an important site after you just set a 36-character random password from home/workplace just because you are currently working from workplace/home can truly ruin your day. So I still stick to an online password safe.

But if you read the example from Brian Krebs’s article of a Lastpass user with more than $3M in cryptocoins, I have to shudder:

Connor said he began using LastPass roughly a decade ago, and that he also stored the seed phrase for his primary cryptocurrency wallet inside of LastPass. Connor chose to protect his LastPass password vault with an eight character master password that included numbers and symbols (~50 bits of entropy).

An 8 character password for $3M+ in value? Please, memorize a nice 30+ character phrase that is not on the internet and that you never searched for [2].

The fault with Lastpass is not so much in their product, but in not getting people to choose better passphrases. Which, BTW, is Brian Krebs’s main criticism of Lastpass, by quoting Wladimir Palant:

In fact, it’s painfully obvious that LastPass never bothered updating users’ security settings. Not when they changed the default from 1 to 500 iterations. Not when they changed it from 500 to 5,000. Only my persistence made them consider it for their latest change. And they still failed implementing it consistently.

[1] I have tried, and failed several times.

[2] All search phrases are archived and for sale.

Who? September 18, 2023 10:00 AM

Cryptocurrency should be stored in cold wallets only, never being Internet-reachable; whatever you do to protect a hot wallet does not make it safer — the same applies to other secrets, never store them online if a compromise has catastrophic consequences.

Matthias U September 18, 2023 10:14 AM

Well, there’s also KeePass that stores stuff locally. And, surprise, there’s a Mac version and an Android app and whatnot.

As for syncing, apparently nobody has ever heard of SyncThing – a piece of code that makes the whole file sync experience reasonably simple, if not trivial.

Winter September 18, 2023 10:54 AM

Re: KeePass, Password Safe

Note that you can also host Bitwarden yourself with only a local safe. Bitwarden is also Open Source with code on GitHub.

https://bitwarden.com/help/install-on-premise-linux/

Jay September 18, 2023 10:56 AM

For those of us who don’t want to give up remote synchronization, it doesn’t have to be all or nothing. LastPass has failed like that because it stored unencrypted vaults remotely; this doesn’t have to be the case. 1password uses a second secret (a 34 character, random, alphanumeric string), and it’s local. The vaults reside encrypted on their servers; even if they were to be stolen, the attacker will be missing the “Secret Key”.

You may argue that a motivated attacker can still get access to one of your devices and steal the local key, but the same applies to a local vault.

I’m all for recommending users against using remote password storage, but in the meantime I think it’d be more effective to “bully” password service providers into adopting better security practices. There are fewer of them and they should be easier to convince, since it’s a matter of business for them.

fib September 18, 2023 11:31 AM

I was born with a special talent for creating and keeping [in my brain] a large set of memorable, long [30-char +] high entropy passwords. Password backups are written on paper and stored in a secure location. For this reason I have never been a big user of password managers.

My needs are escalating and I am now considering a password manager. I would like to honor our generous host by installing Password Safe [which I plan to do in the post-beta – I wish it was primarily Linux (Debian here), but I completely understand Bruce’s reasons].

At the moment I’m inclined to simply use Pass, which lies dormant on my machine. Anyone?

Kent Brockman September 18, 2023 4:27 PM

Here’s a silly idea, use two password managers. A local manager (KeePass, etc.) for critical stuff (financial accounts only, for example) and an online manager for everything else.

Who? September 18, 2023 5:16 PM

@Matthias Urlichs, Winter, Jay and all

The problem with password managers such as KeePassXC is that the file that stores our secrets can be stolen and brute-forced (even if being successful in this task is highly difficult and time consuming) when stored on-line. Better having those secrets in a machine never connected to the Internet and reasonably secure. As an additional security feature, KeePassXC allows setting up time-based one-time passwords (TOTPs) that can be read on-screen from the air-gapped computer and typed when access to an on-line service is required. This may be an unavoidable step, in addition to using a cold wallet, if buying/selling cryptoactives on an exchange.

There is no perfect answer to this problem, but certainly storing so sensitive information on-line is a bad practice and should be avoided where possible.

@fib

You probably do not want to memorize a wallet’s seed. A single error will make those millions of USD (!) stored on that address unreachable.

I bought a few hundred USD in bitcoin one year ago. Hope some day it will be worth one hundred thousand dollars (or more!); but even if it does not reach that value, I am learning a lot about how to protect this investment and listening to advice from people who store much more valuable assets (an eight-character password to protect $3M? it sounds really crazy). It is an interesting exercise in how to protect a secret in our current completely untrusted world. Even for those small quantities, I would not let my brain store the keys to the wallet.

Certainly, protecting a $3M wallet (as noted by @winter) without reasonable security is dangerous at best.

JonKnowsNothing September 18, 2023 5:57 PM

@Kent, All

re: 2 password managers: local, online

This may not work out well. You double the attack target options. Depending on what passwords are in each puddle, there is likely some overlap between them: A grants B and/or B grants A.

Within the least secure bank, the one easier to crack, whatever is in it is subject to social engineering. One small connection that allows a reset or redirect that leads to another. Eventually it could flow through both sets.

There are several recent cases of break-ins using cloud backup services. If the attacker can gain access to the cloud bank, either by social engineering or simply redirecting the login account to a new address and gaining full owner access, you are cooked.

It is probably far safer to expect

  • All your base are belong to us

===

ht tps://arstechnica.c o m/security/2023/09/how-google-authenticator-gave-attackers-one-companys-keys-to-the-kingdom/

How Google Authenticator made one company’s network breach much, much worse

Google’s app for generating MFA codes syncs to user accounts by default.

  • The fact that Google Authenticator syncs to the cloud is a novel attack vector. What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication

(url fractured)

Clive Robinson September 18, 2023 10:41 PM

@ Bruce, ALL,

Re : First identify motive.

“It’s also bad opsec. The hackers need to move and launder all that money quickly.”

That is assuming their intent is to gain that money for themselves or others, it may not be…

If not, and that might be the case, it does not matter as long as the coin remains locked in the wallet.

Thus a question to ponder,

“How much crypto coin of a particular type has to be knowingly lost to affect the value of the rest of that type of crypto coin?”

Also consider, the equivalent value is not truly lost, it’s “tied-up” as a percentage of the total value of the type of coin. Thus the question “who holds the value?” arises.

It’s kind of like the question of,

“Who earns the interest on the money in your pocket, that is part of what is called seigniorage[1]?”

Crypto coins are not technically currency, but as some argue an investment like a share certificate on which dividends in effect get paid…

If the coin is locked up who earns that share of the total dividend?

So there are many reasons why stealing crypto coin may happen and not all are immediately obvious.

[1] Seigniorage gets its name from “the rights of the Lord over his domain” only one tiny part of which is the right/duty to mint coin. In times past coin was made of precious metal that the lord or sovereign actually owned, and effectively loaned out for the purposes of trade. On that basis the direct income for the lord was less than the face value of the coin. However when coinage became debased and notes were printed, the intrinsic value of the currency was less therefore the lord made profit by issuing it. That is if the cost of making a $1 note is 1c then the issuer makes 99c profit, but also creates inflation. But inflation is not instant it takes time, therefore the issuer is always ahead of the game. But also all money earns interest as part of its existence, the only real question is to whom it goes, and that is a bit complicated when it comes to electronic payment systems.

https://www.economicshelp.org/blog/glossary/seigniorage/

Clive Robinson September 19, 2023 12:09 AM

@ ALL,

For some reason auto-mod has struck for no acceptable reason. So,

Part 1

Re : Multiple protection.

The first question you should ask is,

“What am I actually protecting?”

In most cases of “passwords” it’s a “Shared secret” that you can prove knowledge of thus “title”.

However in the case of electronic wallets it’s not actually a “password” you are protecting but some form of “signing key” used as a transformational “object”.

Clive Robinson September 19, 2023 12:13 AM

@ ALL,

Part 2,

In the case of a wallet you should actually be protecting an “object” not proving “title”.

Thus should you actually use a “password”? To which the answer is probably “no”, but for those who do… Consider a “Secret Sharing m of n” system. Without going into it there are secret sharing systems around since the “Shamir Secret Sharing” paper of 1979 that give the same proof of protection a “One Time Pad” does.

The problem is that they all reconstruct the “secret” additively when it is needed. Thus if the system has been attacked successfully then the “secret” can be stolen at that time.
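Shamir’s m of n scheme from Part 2 above, as an added example that is not code from the thread: a 3-of-5 split of a constructed 32-byte stand-in for a wallet seed over a prime field (the 2**521 - 1 field prime and the 32-byte size are my choices). It shows both points made above: any m-1 shares are consistent with every possible secret, and reconstruction puts the whole secret back together in one place.

```python
import secrets

# Field prime for the shares. 2**521 - 1 is a Mersenne prime, comfortably larger
# than a 32-byte wallet seed, so the seed itself can be one field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial with coefficients `coeffs`
    (constant term first) at x, modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def _interpolate(points, x):
    """Evaluate, at x, the unique polynomial of degree < len(points) passing
    through `points` (Lagrange interpolation modulo PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse of den; PRIME is prime and den != 0 for distinct x values.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_secret(secret: bytes, m: int, n: int):
    """Split `secret` into n shares (x, y); any m of them reconstruct it.
    The secret is the constant term of a random polynomial of degree m - 1,
    so m - 1 shares leave every constant term equally possible."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret_int(shares) -> int:
    """Recombine shares into the field element at x = 0. With fewer than m
    shares this is just a random field element, not the secret."""
    return _interpolate(shares, 0)


def recover_secret(shares, length: int) -> bytes:
    """Recombine m or more shares. Note where the whole secret exists again:
    in this process, in the clear, the moment interpolation finishes. That is
    the 'reconstructed additively when needed' point made in the comment."""
    return recover_secret_int(shares).to_bytes(length, "big")


def consistent_share(partial_shares, x_missing: int, candidate: bytes):
    """Given only m - 1 shares, compute an m-th share at x_missing that would
    make them reconstruct `candidate` instead of the real secret. Such a share
    exists for every candidate, which is why m - 1 shares carry no information
    about the secret (the one-time-pad-style guarantee)."""
    points = [(0, int.from_bytes(candidate, "big"))] + list(partial_shares)
    return (x_missing, _interpolate(points, x_missing))


if __name__ == "__main__":
    seed = secrets.token_bytes(32)  # constructed stand-in for a wallet seed
    shares = split_secret(seed, 3, 5)
    print("3 of 5 recover:", recover_secret(shares[:3], 32) == seed)
    print("2 of 5 recover:", recover_secret_int(shares[:2]) == int.from_bytes(seed, "big"))
```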

Clive Robinson September 19, 2023 12:24 AM

@ ALL,

Part 3,

It’s one of the reasons people have developed “Multi-Signature” systems of various types.

This article from 2019 is a little out of date, but it gives you a good point to jump in at,

https://cryptologie.net/article/486/difference-between-shamir-secret-sharing-sss-vs-multisig-vs-aggregated-signatures-bls-vs-distributed-key-generation-dkg-vs-threshold-signatures/

The point is with such m of n share systems, an attacker has two issues,

1, Identify the correct shares.
2, Break the shares to use them.

Providing you take care this will make the attackers go after the fruit that is lower down the tree even if it is less ripe.

andreas September 19, 2023 4:59 AM

@fib

inclined to simply use pass

Been using it as long as I can remember. Works perfectly. Each item is actually an encrypted file, so it can hold anything you want e.g. a shell script which you can execute using ‘pass secret_script | bash’. You can organise those files just using the standard system commands.

Clive Robinson September 19, 2023 8:11 AM

@ fib, Andreas, RobertT, All,

“At the moment I’m inclined to simply use Pass, which lies dormant on my machine. Anyone?”

From the pass homepage,

https://www.passwordstore.org

“pass provides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script.”

Which is quite easily changeable thus extensible, in many ways including having been able to run on windows (Pass4Win, not past tense as it’s not been worked on since 2016).

However it has a problem, in that its flexibility comes at the price of complexity which makes its secure use rather more than “plug and play”.

Thus if you are going to use it for anything of “high value to others” you should use it on a properly gapped and physically secure system.

In the past on this blog @NickP, myself and others have discussed how to store computers in low cost safes properly. It came about because of a number of US court decisions that, loosely said, put anything stored on a computer, no matter how, “in plain sight” as far as the US legal system was concerned.

That was back in the days when ‘erasing media securely was possible’ but a pain in the proverbial. These days with “Solid State Drives”(SSDs) securely erasing or overwriting files is at best problematic due to “wear-leveling” algorithms.

@RobertT has in the past given a description of the issues involved with destroying chips[1]…

Because storage chips are inherently tough, as they can amongst other things survive being fired out of the highest of velocity artillery “fires” and aircraft going on full burn into the side of a mountain from nine miles up (45,000ft) because they are routinely used in “Smart Shells” and “Black Box Recorders”…

It makes you pine for the good old days of floppy drives and magnetic tape which could be put beyond recovery fairly easily because they could be “degaussed” with the push of a button or burnt with a pocket lighter…

[1] To give you an idea of just how tough, the military and intelligence community had developed chips with built-in shaped charges mounted against the actual chip surface. Apparently they gave up on this as it was found to be insufficiently effective… Apparently someone suggested “Chlorine trifluoride” (ClF3) which can cause even sand and concrete to combust and is exothermically exciting enough to have been tested for rocket fuels, later considered too dangerous to use. Oh and Germany started making it for military use as N-stoff but had so many issues… What is known is that the semiconductor industry uses chlorine trifluoride as a cleaning agent to remove silicon deposits. Famously it’s been mentioned in Derek Lowe’s “Things I won’t work with”,

https://www.science.org/content/blog-post/things-i-won-t-work-dioxygen-difluoride

And perhaps more famously the subject of a passage in rocket scientist John D. Clark’s little memoir book “Ignition! An Informal History of Liquid Rocket Propellants” (which he dedicated to his wife Inga),

http://www.sciencemadness.org/library/books/ignition.pdf

In it he says of chlorine trifluoride,

“It is, of course, extremely toxic, but that’s the least of the problem. It is hypergolic with every known fuel, and so rapidly hypergolic that no ignition delay has ever been measured. It is also hypergolic with such things as cloth, wood, and test engineers, not to mention asbestos, sand, and water with which it reacts explosively. It can be kept in some of the ordinary structural metals—steel, copper, aluminum, etc.—because of the formation of a thin film of insoluble metal fluoride that protects the bulk of the metal, just as the invisible coat of oxide on aluminum keeps it from burning up in the atmosphere. If, however, this coat is melted or scrubbed off, and has no chance to reform, the operator is confronted with the problem of coping with a metal-fluorine fire. For dealing with this situation, I have always recommended a good pair of running shoes.”

There is apparently only one way to control a fire based around Chlorine trifluoride and that is to flood it with nitrogen… Oh and Chlorine pentafluoride is likewise “bad news”.

fib September 19, 2023 10:14 AM

@Clive Robinson

However it has a problem, in that its flexibility comes at the price of complexity which makes its secure use rather more than “plug and play”.

Thus if you are going to use it for anything of “high value to others” you should use it on a properly gapped and physically secure system.

Point taken, well observed.

But, you see, my threat model is a very simplified one – in which nation-states are not a part. I believe – or want to believe – that for these cases Pass is quite well suited, I think you would agree? Also consider that I’m parsimonious with communications, almost pathologically obsessed with simplicity and lightness [sometimes to the point of taking risks by trying to make things too simple – or simpler than they should be].

@Who’s

You probably do not want to memorize a wallet’s seed. A single error will make those millions of USD (!) stored on that address unreachable.

Dad always said I’m a little too sloppy with money. 🙂

But seriously, your considerations are important. In fact, it would be foolish to act in the way you point out. But then my use case does not include the management of financial assets, which I try to keep properly compartmentalized – as @Clive says – using very primitive means. And I’m not into Bitcoin.

@andreas

Been using it as long as I can remember. Works perfectly. Each item is actually an encrypted file, so it can hold anything you want e.g. a shell script which you can execute using ‘pass secret_script | bash’. You can organise those files just using the standard system commands.

Thanks for the feedback, my friend. Much appreciated.

MrC September 19, 2023 10:31 AM

@fib:

I’ve been using pwsafe on debian for several years. Works fine. The only issue is that I had to wrap it in a script to delay it on system start-up because it sometimes finished before the icon tray had loaded, resulting in no icon.

@all:

Seeing a bunch of crypto bros get LastPass’d up the… kneecaps has put me in mind to think about password managers and cloud storage for the past week or so. Methinks the bottom line is that a wholly offline password manager is the only safe option. But people really, really like being able to access their passwords remotely. So, if people are going to do it anyway, what’s the least unsafe way to do a cloud-connected password manager?

I have a couple thoughts:

  1. Break up the passwords into multiple tranches — offline, short-lived online with automatic deletion (for vacations and such), and long-lived online (for living dangerously). Hopefully this would keep at least sensitive stuff off the server.
  2. Encrypt every password under a unique key. Use the initial output of the KDF on master password to unpredictably tweak the KDF parameters for spitting out the per-password encryption keys.

And a question: Is the root of all this really just low iterations on the KDF? It seems odd that so many supposedly very sophisticated users had master passwords that were readily crackable. One would think these people would choose master passwords with enough entropy to be secure even at one iteration. Are crypto bros really just that dumb? Or is there maybe some kind of cryptanalytic weakness at work here — padding oracle, IV reuse screw up, etc.?

JonKnowsNothing September 19, 2023 11:29 AM

@MrC, Clive, All

re: Encrypt every password under a unique key

As @Clive and others have mentioned previously, exactly what are you keeping secret?

You can of course encrypt lots of times, it doesn’t necessarily make the plain text version safer. For each iteration you need to keep the “seed(s)” safe. If I read your suggestion correctly, every password would have its own master seed. Current common implementations are 1 Master for N-Passwords. In this other interpretation if you have 100 passwords, you have 100 Masters.

If you cannot remember 1,2,3,…100 plain text passwords are you going to really be able to recall the decryption key for each?

re: But people really, really like being able to access their passwords remotely

So, as others have often pointed out the pertinent question is: Why?

Of course, we all know that Everyone+Dog has shifted to doing all their “online” business from a smartphone, so they have to have all their passwords for everything on that device or even the multiple devices that they carry around with them.

It was an excellent advertising campaign to get people to do that. Lots of NUDGE and a whole lot of PUSH too. However, the reality can be seen by asking “How often do you do X” or “How infrequently do you do Y”.

The streamlining demand is not for the benefit of the consumer, it is solely for the benefit of the company.

  • When was the last time you got a “stamp cost refund” for opting to take documents electronically which “saves the company postage costs, printing costs, material costs, handling costs”?

There are actually few items people use day to day and only a basic set of passwords needed for those few items, if any.

  • I still need my electronic library card to check out electronic books

Do I need all 100 passwords available On Demand 24×7? Probably not, maybe only 3-6 are used daily.

The main problem with the whole situation is that “people really, really like [it]”. This is really a psychological issue, an issue of power, control, ego, self image, role, position, culture, gender and more.

A password manager is just a bunch of code. To do the defined job, it needs to be carefully written. To be useful it has to have Ease of Use features so Everyone+Dog can install it and use it without compromise (see: Glenn Greenwald fail at installing encryption). Advertising has made it attractive. The premise being that password managers provide an alternative to common password failures.

  • Encrypting 123456 is maybe the best we can do with this tool.

Consider:

Computer generated passwords, maybe perfectly secure, but humans do not remember them. You might have 100 such passwords in a manager, but the Master Code is still 123456.

Clive Robinson September 19, 2023 12:10 PM

@ MrC, ALL,

Re : Crypto bros are divergent in major ways.

“Are crypto bros really just that dumb?”

Some very obviously are, others not so much and some are quite smart con artists.

“It seems odd that so many supposedly very sophisticated users had master passwords that were readily crackable.”

This is not a new issue as far as emptying wallets goes, look up “Brain Wallets”.

But simply, anything an average human can accurately remember can now be found by computer in quite a short time on average, as increasingly successful password attacks show (passwords were known to be insecure back in the 1960s, six decades ago, and we still use them…).

Now add that there is real value in a single crypto coin in some types of crypto currency. Oh and the fact that wallet held value is in effect a matter of public record, and the fact that you can find all the information to attack a wallet without the wallet holder knowing…

The odds are very much stacked against holders of visible wallets.

Oh a question for people to think about,

“How difficult would it be to repurpose a coin mining rig into a password cracking rig?”

I think the answer might shock many people.

Then ask the question,

“Which would be more profitable currently, mining for increasingly hard to find coins, or to find wallet passwords?”

Remember that currently mining rigs are according to “trade figures” losing money mining, so not only not making a profit, but not paying the bills either.

Look up crypto “coin burning” which is in effect making coins unavailable and the reasons why people might do it,

https://www.fool.com/terms/c/coin-burn/

It’s why I mentioned “seigniorage” further up this thread,

https://www.economicshelp.org/blog/glossary/seigniorage/

If you view crypto coins not as the equivalent of currency but as an investment like shares, a burn can have the same advantage as a “share buy back”. But think of the advantage you would have by burning other people’s coins, you get the advantage without any loss which falls disproportionately on others…

Remember I regard crypto currency as a mixture of “short cons” and “long cons” by the miners and exchanges. Much as I do “Venture Capitalists” (VCs) and their pump-n-dump type activities around the blockchain and NFTs and Smart Contract “Start-ups”. They all create “faux-markets” and draw in “sucker money” to their advantage. Whilst what the miners and exchanges do in the way of cons is probably illegal in many jurisdictions, the activities of VCs might not be lawful but it is not technically illegal either (experienced buyer beware get out).

fib September 19, 2023 3:19 PM

@MrC

I’ve been using pwsafe on debian for several years. Works fine. The only issue is that I had to wrap it in a script to delay it on system start-up because it sometimes finished before the icon tray had loaded, resulting in no icon.

Thanks for the heads up. I’m surely giving it a try.

m'Howell September 19, 2023 7:43 PM

Kent et al.:

Are people here really storing important financial passwords in password managers? If so, why? An unusual number of bank accounts? A worse-than-average memory?

Hypothetically, I might store part of such a password, or a hint about it—written so as to be unintelligible to others. But never the full password itself, unless I knew I didn’t have any significant risk there and never would. For example, if I used PayPal, I might be willing to store that password in a manager, given that I’d have to mitigate the risk of PayPal itself stealing that money anyway. In reality, I’ve never dealt with more than 2 banks at a time, and haven’t seen any need for written password/PIN records or hints. (I’m also curious whether people actually use words for their PINs. Some ATM keypads do have little letters written there, as telephone keypads do, but I’d never even noticed that till I saw a Seinfeld episode portraying word-based PINs as normal.)

I believe Bruce once advised just writing passwords down on paper and keeping them in a safe place. Personally, I’d try to omit a few words or digits from the important ones even then, and to not write which password is for which thing. Either way, it seems safer than keeping them on a general-purpose networked computer.

As for the cryptocurrency thing, that’s kind of a mystery to me. Maybe it’s related to the Dunning–Kruger effect? What else could cause someone to mistakenly think their own OpSec, and their online wallet provider’s, are so good that it’d be worth having a bunch of “money” protected by nothing else?

lurker September 19, 2023 9:35 PM

@m’Howell

re, written down passwords:

I add 2 or 3 characters in carefully chosen positions, that identify to me the site for which this is the password.

As for Paypal, they were harassing me to change my password, “because.” So I concatenated a few expletives, entered all lower case ascii, and they accepted. Until one day they wouldn’t let me login until I gave a mobile phone Nr. Now I cannot login with my password, even clicking the button saying “Please let me …” I have to wait for a TXT of magic code. I rate my phone as a significantly greater risk than a written down password. There are a lot of banks that won’t accept that.

MrC September 20, 2023 12:33 AM

@JonKnowsNothing:
No, that’s not it at all. You have one master password. The first “key” out of the KDF using default parameters is used to alter the KDF’s parameters for deriving the other keys. The overall goal is to lower the attacker’s yield from one account per successful crack to one password per successful crack. The goal of the hanky-panky with the KDF parameters is to prevent the attacker who has obtained one entry’s key from using that key as an intermediate KDF state in the derivation of other keys.

@Clive:
“Token burning” is new to me, but the concept makes sense. The attacker here might be trying to inflate the value of their own holdings by reducing the “money supply,” rather than cashing out the stolen tokens. (Since cashing out would likely create a trail leading back to them personally.) Is that right?

And I agree 110% that everything to do with cryptocurrency is a scam wrapped in a fraud wrapped in a boondoggle. It’s all con men trying to con other con men. Turns out that the era of peak honesty and integrity for the cryptocurrency industry was back when people used it to buy drugs on Silk Road.
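MrC’s sketch (item 2 of the list in the earlier comment, clarified in the reply to JonKnowsNothing above), written out as an added example that is not code from the thread. PBKDF2-HMAC-SHA256 throughout, the 16-byte derived salt, the iteration tweak range and the entry names are my assumptions, not anything MrC specified.

```python
import hashlib
import hmac

# Assumed parameters for this demonstration: PBKDF2-HMAC-SHA256, 32-byte keys,
# a base iteration count, and a per-entry upward tweak of that count.
BASE_ITERATIONS = 600_000
KEY_LEN = 32
TWEAK_RANGE = 4096  # each entry adds 0..4095 iterations, chosen by the root key


def root_key(master_password: str, vault_salt: bytes,
             iterations: int = BASE_ITERATIONS) -> bytes:
    """The 'first key out of the KDF' with the default parameters. It lives only
    in memory while the vault is open and encrypts nothing itself."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               vault_salt, iterations, KEY_LEN)


def entry_kdf_params(root: bytes, entry_id: str,
                     base_iterations: int = BASE_ITERATIONS):
    """Derive this entry's own KDF parameters (salt, iteration count) from the
    root key. Neither is stored; both are recomputed when the vault opens.
    Because every entry starts its derivation from a different salt and count,
    one entry's key is not an intermediate state on the way to any other."""
    tag = hmac.new(root, b"entry-kdf-params:" + entry_id.encode("utf-8"),
                   hashlib.sha256).digest()
    salt = tag[:16]
    tweak = int.from_bytes(tag[16:20], "big") % TWEAK_RANGE
    return salt, base_iterations + tweak


def entry_key(root: bytes, entry_id: str,
              base_iterations: int = BASE_ITERATIONS) -> bytes:
    """Per-entry encryption key: a second PBKDF2 pass over the root key with the
    entry's own parameters. Each stored password would then be encrypted under
    its own key (AES-GCM or similar, not shown) instead of one vault-wide key,
    so recovering one entry's key yields one password, not the whole vault."""
    salt, iterations = entry_kdf_params(root, entry_id, base_iterations)
    return hashlib.pbkdf2_hmac("sha256", root, salt, iterations, KEY_LEN)


def derive_vault_keys(master_password: str, vault_salt: bytes, entry_ids,
                      base_iterations: int = BASE_ITERATIONS) -> dict:
    """Open the vault once and derive every entry key: {entry_id: key}.
    Raising base_iterations (as LastPass did 1 -> 500 -> 5000) changes every
    key, which is why such a change requires re-encrypting the whole vault."""
    root = root_key(master_password, vault_salt, base_iterations)
    return {eid: entry_key(root, eid, base_iterations) for eid in entry_ids}


if __name__ == "__main__":
    # Constructed sample: a fixed vault salt and three entry names.
    salt = b"constructed-salt"
    keys = derive_vault_keys("correct horse battery staple", salt,
                             ["bank", "email", "exchange"], base_iterations=1000)
    for eid, key in keys.items():
        print(eid, key.hex()[:16], "...")
```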

Clive Robinson September 20, 2023 8:11 AM

@ MrC, ALL,

Re : Crypto coin traceability and its side effects.

“(Since cashing out would likely create a trail leading back to them personally.) Is that right?”

The issue originates from stopping “Double Spend”.

If you think about it a crypto coin is just a string of bits or very long integer that has certain mathematical properties. As long as I have a valid coin integer I have the coin, and the cost of duplicating that integer is about as close to zero as you can realistically get with computers as that is what they are designed to do.

So how do you stop me duplicating the integer for the purposes of counterfeiting, or “double spend”?

The simple answer is you can not, you have to impose some other control mechanism over the top that audits the life of that integer from first creation ever onwards, so such counterfeiting can be easily seen and stopped.

Traditionally such auditing mechanisms are called a ledger, and that is what the blockchain is all about. And it carries a very hefty cost tag with it.

Now in simple notions the ledger is anonymous, as names and other personal details are not part of it just “wallet addresses”. But in reality it’s like a simple substitution cipher where the statistics break the code.

To get value out of the ledger the transaction will be recorded in the ledger as a transfer of a coin’s ownership. So it’s simply a matter of “rolling it back” and analysis of the activities of wallets gives away their usage intent etc. Eventually a “real world transaction” like buying a pizza or gold brick will in some way de-anonymize the wallet back to an individual entity.

The wallet only remains anonymous as long as there are no statistics to tie it to an actual “person legal or natural” entity and “exchanges” are now legally required to “know their customers” so cashing out or exchanging one currency for another currency is supposedly “known” to an entity.

The only trick left is to create a race effect, where you create thousands of wallets that are not registered and you run them with respect to each of the others such that you get the value out before the actual owner it was stolen from gets the coins marked as stolen. The theory being enough confusion and diffusion makes it possible to get value out and launder it in other ways, thus make traceability to individual people impossible, only it does not these days…

That is, having built in a delay to get intangible value out, you then have to launder “physical value” such as buying valuable commodities that are untraceable. Not so long ago this was the “Gems and Precious metals” way. But gems of any value these days have serial numbers laser etched in so are now increasingly traceable. Likewise bank notes have numbers and cash counting machines now have OCR cameras in them that increasingly make the high value notes traceable. Which kind of left precious metal coins… Dealers of which, in the past few weeks, have started having their bank accounts and credit card accounts frozen or closed, putting them out of business in the US at least…

So laundering crypto currency is now not as easy as many mistakenly once thought. Thus getting caught for both current and past crimes is just a matter of authorities putting the leg work in…

However one trick is still left open, which is “any person legal”, that is companies and corporations, shell companies and Limited Liability Partnerships (LLPs). Their legal requirements for record keeping are, shall we say, inadequate for various reasons (that the Panama Papers revealed). That is, they don’t have to verify their customers’ IDs or record them in transactions of moderate value. In part because VAT on every transaction for goods and services makes all but leaf transactions identifiable (though not all transactions carry VAT).

For those watching what is happening, the authorities are “stoppering down” and making traceable all but small transactions. Thus rolling all but petty crime back up the tree to where “the big boys” can do money laundering via intangible objects such as renting or leasing of “Intellectual Property” and similar through multiple countries. Such entities like the mobile phone companies and Alphabet etc get away with it because, like “too big to fail” banks, they are seen as vital to “National Security” as they keep the economy churning and above the “flat line”…

People will tell you a country can not go bankrupt if they only use their own currency. So the argument is the US could just keep printing money…

In simplistic theory that is true, but in practice it’s not. If some other entity controls a resource or resources needed and won’t sell to you because of your monetary policy… You have a problem, because whilst technically you are not bankrupt, your economy effectively stops and drops you back into the agrarian barter economy of a thousand years or so ago. Times when dirt had real value as you could at least grow limited amounts of food, building materials and firewood, if… you still had water and fertilizer of some form.

One of the reasons the US is so upset with China is the US assumed China would always give them the US dollar back for near worthless intangibles. That is, China supplied real physical tangibles for USD and the US got the dollars back for intangibles. Thus bleeding China dry of resources for worthless baubles. Well the US over played the intangibles game, so China spent its US dollars not in the US but in other parts of the world for real tangible goods and political power, thus gaining an even stronger hand against the US, whose dollars effectively vanished into crime like politicians’ bribes etc.

Part of the visible part of this in the MSM until recently was, as I’ve indicated before, the war on 5G… The valuable intangibles in 5G are not US but mostly Chinese… The US therefore are trying to force their way into 6G to get the ball back… but it does not appear to be working out. Likewise this nonsense with semiconductors that is also failing the US, and upsetting other traditional US allies. Increasingly US sanctions are getting ignored in one way or another and the amount of tangible resources heading to the US is decreasing, and with it the US standard of living is dropping bit by bit. As I’ve indicated in the past, the US is only kept afloat by the fact that the US dollar is still a major trading currency, but that is changing bit by bit as China builds its trade roads to carry real resource wealth back and trinkets out… something I was warning about on this blog more than a decade ago, if you want to look it up.

Thus the US is finding itself more and more boxed in, and thus in the position of needing a sufficiently major enemy to go to war with. That is, one it has a realistic chance of defeating in a crippling manner, thus using it to get back its “Strong Man” “bomb them back to the stone ages” authority by fear.

The big problem for such “Strong Man” politicians is that the US citizens are sick of seeing their children get slaughtered in pointless wars, and the brighter ones have realised that the US is not “far enough away to be safe” any longer. That is, the low-tech Chinese balloon, and their, North Korea’s, and India’s high-tech “space programs”, along with the fact they are also all Nuclear and other Weapons of Mass Destruction nations, has caused an awakening that certain political parties have apparently not realised yet…

It might not be an ancient Chinese curse, but we are now “living in interesting times”.

Truly a mess of our own making, but two things arise,

1, How to get out with minimal harm.
2, How to stop it all happening again.

History might have some answers, but are politicians willing to honestly look?
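The “rolling it back” ledger analysis described at the top of this comment, as an added example that is not part of the original post: a small taint tracer over a constructed ledger, using the common “haircut” rule (coins leaving an address carry the same stolen fraction as that address’s balance). Addresses, transaction ids and amounts are all made up for the illustration.

```python
from collections import defaultdict

# Constructed ledger in chronological order: (tx_id, from, to, amount).
# None of these addresses or amounts come from a real chain.
LEDGER = [
    ("t1", "victim",    "thief",      100.0),  # the theft itself
    ("t2", "thief",     "mule_a",      40.0),  # split across wallets
    ("t3", "thief",     "mule_b",      60.0),
    ("t4", "clean_src", "mule_b",      60.0),  # legitimate funds mixed in
    ("t5", "mule_b",    "exchange_x", 120.0),  # cash-out point (KYC)
    ("t6", "mule_a",    "mule_c",      40.0),  # extra hop for "diffusion"
    ("t7", "mule_c",    "exchange_y",  40.0),  # second cash-out point
]


def trace_taint(ledger, stolen_tx):
    """Propagate 'stolen' taint forward from one theft transaction.

    Returns {address: tainted_amount} for every address after the whole
    ledger has been replayed. Haircut rule: a spend from an address moves
    taint in proportion to how much of that address's balance is tainted.
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    for tx_id, src, dst, amt in ledger:
        if balance[src] < amt:
            # Shortfall is funded from outside this ledger; treat it as clean.
            balance[src] = amt
        if tx_id == stolen_tx:
            moved = amt  # every coin leaving the victim in the theft is stolen
        else:
            moved = amt * (tainted[src] / balance[src])
        tainted[src] = max(0.0, tainted[src] - moved)
        balance[src] -= amt
        tainted[dst] += moved
        balance[dst] += amt
    return dict(tainted)


def tainted_at_cash_out(taint, prefix="exchange_"):
    """Sum the stolen value that ended up at addresses a KYC'd exchange controls."""
    return sum(v for a, v in taint.items() if a.startswith(prefix))


if __name__ == "__main__":
    result = trace_taint(LEDGER, "t1")
    for addr, amount in sorted(result.items()):
        print(f"{addr:12s} tainted={amount:6.1f}")
    print("stolen value reaching exchanges:", tainted_at_cash_out(result))
```

Splitting the 100 stolen coins across several mule wallets and mixing in clean funds changes only the fraction at each hop; the full 100 still arrive at the two exchange addresses, which is where the “know your customer” records make the identification the comment describes.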

Savita September 22, 2023 3:08 AM

Protonmail have just launched an encrypted password safe. Apparently it was a most-requested product. I have not looked at the details but Proton seem to be very grounded and thorough in their approach to things. And seem to be keen to be a few steps ahead of their competitors.

Savita September 22, 2023 3:15 AM

I use two password managers.
One to protect my diary from my kid sister.
The other, for NSA to break

Phil September 22, 2023 5:24 PM

I’ll agree that Password Safe, given that it has a local-only database, is more secure. But services like 1Password are orders of magnitude improved over the nothing my family members would do if it weren’t for the convenience.

Non-technical users will never be convinced to use low usability tools for password management.

