TLDR: I got scammed out of 1.4BTC due to imposters and my own stupidity.
Background:
I run the ANI.TRAMX4 node and have done so for about four years. Prior to that I had a node that ran for a couple of years but then had a hardware failure and I lost everything on that node (before good recovery processes existed). My node wasn't a great money maker but it made enough to be better than break even. I believe at one point it was in the top 100 on Terminal Web's ratings but my node is no longer listed. I was active on LN+ both in swaps and pools and I would sell liquidity on Amboss Magma. And that last piece started the downfall of my node due to my stupidity.
Disclaimer:
Amboss and its admins (Jesse and AP) are not at fault at all. I thank them for what they provide. The only ones that are at fault are the scammers and myself.
How it started:
I had created an offer to sell liquidity on Amboss Magma back in April and I had a few sales in July that were successfully completed and all was good. I got another sales notification on August 22nd or thereabouts but when I went to approve it Amboss failed with a 504. Basically, the CloudFlare middleware was timing out when submitting the invoice for the sale. I reached out to Amboss through their support contact page and I also reached out on the Amboss Telegram channel. Jesse, one of the admins, responded almost immediately in the channel and started to help troubleshoot. Within about 10 minutes I was DM'd by "Jesse" and I assumed that it was the same person continuing to help troubleshoot off of the main channel. Well, I will continue to refer to this individual as "Jesse" in quotes as I found out too late that they were an imposter. Same name and profile image. I had no reason to doubt at the time.
Where I went wrong:
I continued to chat with this person off and on for about 9 hours. There were many times where I didn't quite understand what they were asking and it seemed that they didn't know enough about LND. But then they would ask for lightning/LND specific information and I thought that maybe I was just dealing with someone who had more intimate knowledge and it was above my head. There were also communication issues that I discounted as "Jesse" not being a native English speaker.
During this time I was also contacted by "AP" and "Banof", who are other admins on the Amboss TG channel. They both confirmed that I should continue to work through my issue with "Jesse". I would find out later that those accounts were also imposters. In particular, "Banof" was acting like a human admin BUT it is actually a TG Bot (I found out later) used to boot people from a TG channel.
At some point they said that I needed to connect my wallet to their system in order to authorize and initialize their analysis system. This was the largest red flag and I should have trusted my intuition and should have just shut down the conversation at that point. But I continued and eventually they sent me to a website (I will not post the link here) where I STUPIDLY input the wallet seed phrase for my LND wallet. It never seemed to work and always gave error messages. My guess is that that is the goal and it just logs the inputs somewhere so the scammers can retrieve the seed phrase for later use.
I continued to chat with "Jesse" for many hours after this and I was doing my own investigation into my node which seemed to be either out of resources or locked in some sort of bad state. It was not giving any errors in the logs but the Active HTLCs were not getting processed quickly.
I decided to restart my entire node to see if that would do anything and I called it a night as I was extremely frustrated. The very next morning, quite early, "Jesse" reached out to me. Again, he was pressuring me to connect another wallet in order to validate my node's liquidity or something. They also asked for my Tor address (which should have been a flag as it is easy to look up) and the admin macaroon. I completely refused this request. After restarting my node the Active HTLCs seemed to have been processed and my node seemed to be running normally. I couldn't attempt to reproduce the Amboss Magma issue as I had rejected the sale the previous day. "Jesse" was still stating that my node was probably corrupt and that the Active HTLCs weren't actually processed. I was totally done dealing with this and I was just moving on with my life.
The Theft:
During the morning while I was still chatting with "Jesse" they stole 2.5M Sats from my onchain wallet but I didn't receive any notifications as they did it via an "external" wallet using the seed phrase that I had stupidly provided. During the evening of August 24th, the scammers stole another 1.37 BTC and again I didn't get any notifications. This completely wiped out my onchain wallet. I know it was probably dumb to keep that much in a hot wallet but I never saw a threat as I was, prior to this interaction, very cautious with my node.
The Realization:
My node was behaving properly and routing payments so I had no idea that anything was wrong. I went to participate in a liquidity swap on LN+ and I couldn't open a channel. I kept getting errors that I had to choose a channel size of zero or less. I checked my wallet balance and it was zero. At this point I started to freak out and I looked at my onchain transactions which showed the two transactions that emptied my wallet the day before.
My reaction was to immediately reach out to "Jesse", "AP", and "Banof" and ask them what happened. They denied that there was any way that any of them would have had access to get any funds from my wallet. "Jesse" blamed something they called "bug inflation" that would have caused this and suggested that I start closing my channels so that we could determine the root cause (they did not communicate this as succinctly or as clearly as I have just written). I had so many red flags flying all over. There was a sense of urgency to get this resolved when it was actually my issue. They also said that they would attempt to get a reimbursement but they couldn't do that until the "bug inflation" was resolved.
My Action:
I still had about 55 open channels that were still working correctly but I no longer trusted my onchain wallet, and anyone that has run an LND node for any amount of time knows that channels close now and then, whether cooperatively or not. I didn't want a channel to close and the funds hit my onchain wallet while I wasn't aware and then the scammers have the opportunity to steal those as well. So I started the long and tedious task of closing channels on my node and sending the balance to a wallet that is not associated with anything else. This worked great for cooperatively closed channels as LND provides a way to immediately redirect the closing balance to a Bitcoin address. For the handful of force-closed channels I had to wait for funds to clear the time lock. I monitored this intently and as soon as the funds were available I sent them off to my other wallet. This saved me more funds than I lost, even with the expenses related to closing channels.
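The evacuation procedure above (cooperative closes delivered straight to a fresh address, force closes swept the moment their timelock matures) as an added example, not code from the original post. It builds the `lncli closechannel --delivery_addr`, `--force` and `lncli sendcoins --sweepall` commands from constructed JSON shaped like `lncli listchannels` / `lncli pendingchannels` output; the field names, the placeholder channel points and address, and the "matured means blocks_til_maturity is 0" check are assumptions, so it is a planning helper to review, not something to pipe blindly into a shell.

```python
import json

# Constructed sample in the shape of `lncli listchannels` output (field names
# assumed from lnd's JSON; pubkeys and channel points are placeholders).
LISTCHANNELS_JSON = """{"channels": [
 {"active": true,  "remote_pubkey": "02PEER_A_PLACEHOLDER",
  "channel_point": "aaaa1111_FUNDING_TXID_PLACEHOLDER:0", "local_balance": "1500000"},
 {"active": false, "remote_pubkey": "03PEER_B_PLACEHOLDER",
  "channel_point": "bbbb2222_FUNDING_TXID_PLACEHOLDER:1", "local_balance": "300000"}
]}"""

# Constructed sample in the shape of `lncli pendingchannels` output (same caveat).
PENDINGCHANNELS_JSON = """{"pending_force_closing_channels": [
 {"channel": {"channel_point": "cccc3333_PLACEHOLDER:0"}, "limbo_balance": "800000",
  "blocks_til_maturity": 144},
 {"channel": {"channel_point": "dddd4444_PLACEHOLDER:2"}, "limbo_balance": "250000",
  "blocks_til_maturity": 0}
]}"""

SWEEP_ADDR = "bc1q_FRESH_WALLET_ADDRESS_PLACEHOLDER"  # wallet the leaked seed never touched


def plan_closes(listchannels_json, delivery_addr):
    """One lncli closechannel command per channel. Active peers get a cooperative
    close whose balance goes straight to delivery_addr, never through the node's
    compromised wallet; offline peers can only be force-closed, and their funds
    reach the node wallet after the CSV delay, so they are left to sweep_ready()."""
    cmds = []
    for ch in json.loads(listchannels_json)["channels"]:
        txid, index = ch["channel_point"].split(":")
        cmd = ["lncli", "closechannel", "--funding_txid", txid, "--output_index", index]
        if ch["active"]:
            cmd += ["--delivery_addr", delivery_addr]
        else:
            cmd.append("--force")
        cmds.append(" ".join(cmd))
    return cmds


def sweep_ready(pendingchannels_json, sweep_addr):
    """Split pending force closes into matured and still time-locked entries
    (channel_point, sats in limbo, blocks left) and emit one sweepall command as
    soon as anything has matured, so it spends no time in the exposed wallet."""
    ready, waiting = [], []
    for pc in json.loads(pendingchannels_json).get("pending_force_closing_channels", []):
        blocks = int(pc["blocks_til_maturity"])
        item = (pc["channel"]["channel_point"], int(pc["limbo_balance"]), blocks)
        (ready if blocks == 0 else waiting).append(item)
    sweep = f"lncli sendcoins --sweepall --addr {sweep_addr}" if ready else None
    return ready, waiting, sweep
```

Run `sweep_ready` against fresh `lncli pendingchannels` output on each new block; the `waiting` list tells you how many blocks each force close still has to go.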
As I was closing my channels, the scammers kept messaging me. My guess is that they were trying to get more out of me. I put all three of them into the same messaging group. Shortly afterwards, the "Jesse" account became a deleted account. When I asked the "AP" account about this they said that it was a glitch and that "Jesse" would be back shortly. This is when I reached out to the real Jesse and he confirmed that I was chatting with imposters. I did the same confirmation with the real AP. And this is also when I made the realization that the real Banof was a Telegram bot and therefore shouldn't have been chatting with me at all.
Where I could, I informed people of the reason for closing the channels as some of the channels had obligations in regards to providing liquidity for a set time period. I'm extremely heartened by the community and the support for my predicament even though it was caused mostly by my stupidity.
I will be keeping my now empty node running for some time just so I can utilize it for testing things. I may turn it into a watchtower so that it is some use to the world. I won't be creating a new routing node anytime soon.
I'm not certain if I'll reach out to authorities as I don't think they would have much to investigate.
Lessons Learned (The REALLY Hard Way):
- Never trust any DMs in regards to Bitcoin/LND on any communications platforms.
- You can confirm someone is not an imposter in Telegram by messaging the real person.
- NEVER EVER relinquish your seed phrase
- Trust your gut
Silver Lining:
In doing research around LND and recovery I thought of the old node that I had that had a hardware failure. I was able to find the information that I used to initialize it way back in the day and I have been restoring it. It had some Sats still in its onchain wallet. I'm going to recover those as a consolation prize.
Thanks for reading my story and I hope that you learn from it as an example of what not to do.