TLDR: I got scammed out of 1.4BTC due to imposters and my own stupidity.
Background: I run the ANI.TRAMX4 node and have done so for about four years. Prior to that I had a node that ran for a couple of years but then had a hardware failure and I lost everything on that node (before good recovery processes existed). My node wasn't a great money maker but it made enough to be better than break even. I believe at one point it was in the top 100 on Terminal Web's ratings but my node is no longer listed. I was active on LN+ both in swaps and pools and I would sell liquidity on Amboss Magma. And that last piece started the downfall of my node due to my stupidity.
Disclaimer: Amboss and its admins (Jesse and AP) are not at fault at all. I thank them for what they provide. The only ones that are at fault are the scammers and myself.
How it started: I had created an offer to sell liquidity on Amboss Magma back in April and I had a few sales in July that were successfully completed and all was good. I got another sales notification on August 22nd or thereabouts but when I went to approve it Amboss failed with a 504. Basically, the CloudFlare middleware was timing out when submitting the invoice for the sale. I reached out to Amboss through their support contact page and I also reached out on the Amboss Telegram channel. Jesse, one of the admins, responded almost immediately in the channel and started to help troubleshoot. Within about 10 minutes I was DM'd by "Jesse" and I assumed that it was the same person continuing to help troubleshoot off of the main channel. Well, I will continue to refer to this individual as "Jesse" in quotes as I found out too late that they were an imposter. Same name and profile image. I had no reason to doubt at the time.
Where I went wrong: I continued to chat with this person off and on for about 9 hours. There were many times where I didn't quite understand what they were asking and it seemed that they didn't know enough about LND. But then they would ask for lightning/LND specific information and I thought that maybe I just was dealing with someone that had more intimate knowledge, such that it was above my head. There were also communication issues that I discounted as "Jesse" not being a native English speaker. During this time I was also contacted by "AP" and "Banof", who are other admins on the Amboss TG channel. They both confirmed that I should continue to work through my issue with "Jesse". I would find out later that those accounts were also imposters. In particular, "Banof" was acting like a human admin BUT it is actually a TG Bot (I found out later) used to boot people from a TG channel. At some point they said that I needed to connect my wallet to their system in order to authorize and initialize their analysis system. This was the largest red flag and I should have trusted my intuition and should have just shut down the conversation at that point. But I continued and eventually they sent me to a website (I will not post the link here) where I STUPIDLY input the wallet seed phrase for my LND wallet. It never seemed to work and always gave error messages. My guess is that is the goal and it just logs the inputs somewhere so the scammers can retrieve the seed phrase for later use. I continued to chat with "Jesse" for many hours after this and I was doing my own investigation into my node which seemed to be either out of resources or locked in some sort of bad state. It was not giving any errors in the logs but the Active HTLCs were not getting processed quickly. I decided to restart my entire node to see if that would do anything and I called it a night as I was extremely frustrated. The very next morning quite early "Jesse" reached out to me.
Again, he was pressuring me to connect another wallet in order to validate my node's liquidity or something. They also asked for my Tor address (which should have been a flag as it is easy to look up) and the admin macaroon. I completely refused this request. After restarting my node the Active HTLCs seemed to have been processed and my node seemed to be running normally. I couldn't attempt to reproduce the Amboss Magma issue as I had rejected the sale the previous day. "Jesse" was still stating that my node was probably corrupt and that the Active HTLCs weren't actually processed. I was totally done dealing with this and I was just moving on with my life.
The Theft: During the morning while I was still chatting with "Jesse" they stole 2.5M Sats from my onchain wallet but I didn't receive any notifications as they did it via an "external" wallet using the seed phrase that I had stupidly provided. During the evening of August 24th, the scammers stole another 1.37 BTC and again I didn't get any notifications. This completely wiped out my onchain wallet. I know it was probably dumb to keep that much in a hot wallet but I never saw a threat as I was, prior to this interaction, very cautious with my node.
The Realization: My node was behaving properly and routing payments so I had no idea that anything was wrong. I went to participate in a liquidity swap on LN+ and I couldn't open a channel. I kept getting errors that I had to choose a channel size of zero or less. I checked my wallet balance and it was zero. At this point I started to freak out and I looked at my onchain transactions which showed the two transactions that emptied my wallet the day before. My reaction was to immediately reach out to "Jesse", "AP", and "Banof" and ask them what happened. They denied that there was any way that any of them would have had access to get any funds from my wallet. "Jesse" blamed something they called "bug inflation" that would have caused this and suggested that I start closing my channels so that we could determine the root cause (they did not communicate this as succinctly or as clearly as I have just written). I had so many red flags flying all over. There was a sense of urgency to get this resolved when it was actually my issue. They also said that they would attempt to get a reimbursement but they couldn't do that until the "bug inflation" was resolved.
My Action: I still had about 55 open channels that were still working correctly but I no longer trusted my onchain wallet, and anyone that has run an LND node for any amount of time knows that channels close now and then whether cooperatively or not. I didn't want a channel to close and the funds hit my onchain wallet while I wasn't aware and then the scammers have the opportunity to steal those as well. So I started the long and tedious task of closing channels on my node and sending the balance to a wallet that is not associated with anything else. This worked great for cooperatively closed channels as LND provides a way to immediately redirect the closing balance to a Bitcoin address. For the handful of force-closed channels I had to wait for funds to clear the time lock. I monitored this intently and as soon as the funds were available I sent them off to my other wallet. This saved me more funds than I lost, even with the expenses related to closing channels. As I was closing my channels, the scammers kept messaging me. My guess is that they were trying to get more out of me. I put all three of them into the same messaging group. Shortly afterwards, the "Jesse" account became a deleted account. When I asked the "AP" account about this they said that it was a glitch and that "Jesse" would be back shortly. This is when I reached out to the real Jesse and he confirmed that I was chatting with imposters. I did the same confirmation with the real AP. And this is also when I made the realization that the real Banof was a Telegram bot and therefore shouldn't have been chatting with me at all. Where I could I informed people of the reason for closing the channels as some of the channels had obligations in regards to providing liquidity for a set time period. I'm extremely heartened by the community and the support for my predicament even though it was caused mostly by my stupidity.
I will be keeping my now empty node running for some time just so I can utilize it for testing things. I may turn it into a watchtower so that it is some use to the world. I won't be creating a new routing node anytime soon. I'm not certain if I'll reach out to authorities as I don't think they would have much to investigate.
Lessons Learned (The REALLY Hard Way):
  1. Never trust any DMs in regards to Bitcoin/LND on any communications platforms.
  2. You can confirm someone is not an imposter in Telegram by messaging the real person.
  3. NEVER EVER relinquish your seed phrase
  4. Trust your gut
Silver Lining: In doing research around LND and recovery I thought of the old node that I had that had a hardware failure. I was able to find the information that I used to initialize it way back in the day and I have been restoring it. It had some Sats still in its onchain wallet. I'm going to recover those as a consolation prize.
Thanks for reading my story and I hope that you learn from it as an example of what not to do.
100 sats \ 0 replies \ @freetx 1h
Thank you for the write-up. It's good that we document these things to help others in the future. It can be very hard to admit these things because it's easy to feel embarrassed by what happened.
Adding my own story of caution. In 2021, the changelly service "scammed" me out of .33 BTC. At the time that was about $9000; now it's much more, obviously.
A client had paid me in WBTC (he had ETH or something and didn't have Bitcoin, so he offered to pay in WBTC which I accepted). Obviously I wanted BTC, so I googled WBTC->BTC services and changelly came up.
I did a small test transaction and everything worked fine. So I sent the balance of .33 and got hit with the "We have detected a suspicious transaction" message that changelly does....
They wanted my KYC info which I initially provided (I feel stupid for doing it, I should've walked away there, but I unthinkingly assumed it was just a procedure). After the KYC info they then requested more info....they said that the "background check of my KYC info raised red flags" - at that point I started googling and saw this is a common tactic that changelly does....they require ever-increasing and impossible-to-provide hurdles for you to jump through.
The real comedy of changelly is that they claim they are doing this to "abide with modern KYC requirements" but they themselves are under no such jurisdiction. Changelly is some Eastern European scammers - whose ownership is very opaque with no public info about them. They are registered in an ever-changing set of Caribbean islands. That is, they pretend like "we have to require this info because of regulations", but in point of fact they are under no regulatory oversight -- after all, the conversion of WBTC->BTC is just happening on a cloud server someplace. There is nothing touching regulated financial markets.
I no doubt assume that they have sold my KYC info to others in their scammer network, but overall lesson learned.
reply
Thank you for sharing :(
reply
Thanks for sharing! Someone was impersonating @BtcPins on Telegram, and I believed them. Before I sent them bitcoin to help out, I said I have to check with my wife, and they pressured me and were teasing me like why do I have to check with my wife?
That’s when I knew the real @BtcPins wouldn’t disrespect my wife like that 🫡
Everyone on Xbox live tho… but really that’s my mom LOL
reply
Brutal. I hope the consolation wallet makes a dent.
Thanks for raising awareness.
reply
Telegram is designed to be a honeypot for scammers.
IMO, any company that conducts business on Telegram is committing gross negligence when their customers get scammed.
reply
Thanks for the write-up.
I hope it does not affect you too much in the long run.
reply
I will be fine but thanks for the concern. This community is great.
reply
I ran a rather successful routing node too; at some point it was top 50 when I closed it. I had hardware and software problems, hitting all at once. But as you say, luckily, the community is great; Nitesh and others spent hours helping me recover locked funds.
I'm not certain if I'll reach out to authorities as I don't think they would have much to investigate.
Imagine explaining lightning liquidity to your local cop~~
reply
Sorry for the lost sats. I can imagine how frustrating that could be.
Lessons Learned (The REALLY Hard Way):
  • Never trust any DMs in regards to Bitcoin/LND on any communications platforms.
  • You can confirm someone is not an imposter in Telegram by messaging the real person.
  • NEVER EVER relinquish your seed phrase
  • Trust your gut
Lessons learned indeed
reply
I had always heard the first one but then I didn't follow it myself. Everything looked too good.
reply