
Just a bit about me

I'm Hugo Ramos, a Portuguese guy in his late 40s. I heard about Bitcoin for the first time in late 2015. I bought my first BTC in late 2016, if I remember correctly, the price was around $1000. Yes it took me around 1+ years to fully understand the genius of Satoshi. In 2017 I quit my job and decided to get into the Bitcoin world full time. First by just studying and HODLing, then trying to evangelise family and friends and later by creating a YouTube channel and evangelise more people.
In 2022 I decided to move to El Salvador, together with my wife, and embrace the freedom of living in Bitcoin country. The goal was to buy some land and create a true Bitcoin Citadel where people sharing the same ideals could live together with us.
Today I run my own Bitcoin core full node, 2 lightning nodes (1 mainly for routing and 1 for small payments by family and friends), LNbits for wallets/accounting, 1 BTCPay server for onboarding merchants, 1 Nostr relay to help the network and several other Bitcoin related websites. All this at my own expense.

But what happened?

About 3 months ago, wanting to give back to the community even more, I decided to run a BTCPay server with the goal of onboarding merchants mainly in El Salvador but also other countries. I connected this server to the main Lightning node (the routing one) that, at the time, had 4+ BTC of liquidity.
Recently I was running version 1.11.1 of BTCPay server with LNbank v1.6.2 extension to allow merchants to receive Lightning payments.
On December 6th I woke up and noticed most of my LN node balance had been drained out. I started to investigate and realised this happened because 998 Lightning payments were made to the same LN wallet Bitlifi and all these payments, although going out through different channels and nodes, were all converging on the same node at the end: ln-1.anycoin.cz (pub key: 02ec20f34bb94460f3d63780dfc24a4d4a1ddabc3bd86c09e1830c5b5db08953e5).
Not knowing exactly what was happening, I decided to DM my good friend @DarthCoin (the most Bitcoin/Lightning knowledgeable person I know) and ask him if he knew about some exploit or something else that could explain these outgoing payments. Not knowing exactly what was happening and not even being able to see what I was seeing, he said "probably some people are making payments using their LNbits wallets". "Nothing to worry about". The problem is... I was really getting worried!
At this point (about 20 minutes after I woke up) 407.361.805 SATS had been drained out. I decided to shut down the node.

First steps after being robbed

The first thing I did after shutting down the node was to email the guys at Bitlifi wallet. This App belongs to the regulated exchange Anycoin that belongs to the group 21M. All of these companies are located in Czech Republic.
Here's what I wrote:
Dear Sir/Madam,
I'm writing to you because we, at F You Money! / MAXIMA Citadel, detected a fraud involving our lightning node (F You Money! 01) and BTCPay server being exploited for not authorised payments that ended up on a Bitlifi wallet (which was connected to your node ln-1.anycoin.cz). At this point in time we already identified and created a list of all the transactions made by this dishonest person but we need your help identifying the person and trying to recover the BTC. The attack occurred on December 6th, between 16:21h and 22:02h (Prague time). The total amount of BTC stolen was ~4BTC. I'm sure you will be able to find the big number of transactions on your logs, in between these times, originating from our node to your node and then to a Bitlifi wallet.
All the documentation containing the transactions, emails used to register on our BTCPay server, and the specific amount for each transaction will be supplied to you as soon as needed for your verification and confirmation. We just need to be pointed to the right person in your company to further discuss this matter.
Surely we can count on you and your collaboration to help us find and possibly recover the stolen funds. It would be a matter of urgency to freeze the Bitlifi wallet in question so that the funds are not transferred out of your node. For this reason we would appreciate if you could contact us asap.
Looking forward to hearing from you, Best regards
Here's their reply (~6 hours later):
Hi,
we register higher amount of transaction in specified time frame. Can you please provide more information about this case? ID of transactions, LN addresses etc?
Can you also share the version of BTCPay you are using?
Unfortunately it seems all the deposits have been forwarded to other LN nodes. One of the destination LN nodes is also yours (3rd row)
021294fff596e497ad2902cd5f19673e9020953d90625d68c22e91b51a45c032d3 1.02326007
0260fab633066ed7b1d9b9b8a0fac87e1579d1709e874d28a0d171a1f5c43bb877 0.37778463
02758d961750972030292701d85c90e332bc1b7d8db0e705df3f087d285f9caf06 1.10696326
031df8ea711416b52d33c2f4a9b2a41d82f1da3c7672ffef2c24b0751cbdb75404 0.22228289
0324ba2392e25bff76abd0b1f7e4b53b5f82aa53fddc3419b051b6c801db9e2247 0.32877441
035e4ff418fc8b5554c5d9eea66396c227bd429a3251c8cbc711002ba215bfc226 0.35888885
0366faf9b8693d5ca2278f6a93c393a6ca0f25ab033d13703339037bb4ee845a5b 0.06666666
037f990e61acee8a7697966afd29dd88f3b1f8a7b14d625c4f8742bd952003a590 0.57444938
S pozdravem Tým Bitlifi.com
Although they got it wrong (none of the stolen BTC came back to my node and also the amounts are not correct), I wrote back and sent them the files with my complete investigation, all the logs and records I got from the servers.
Here's my reply:
Hi S Pozdravem,
I'm going to provide a short description of what happened and also send you all the files with the information related to the attack.
On December 6th at 15:20h UTC (16:20h Prague) 5 new accounts were created on our BTCPay server (v1.11.1) that were involved in the attack. From the BTCPay server the attackers were able to send payments to your Bitlifi wallet using the LNbank API (this is under investigation with the BTCPay server developers). The BTCPay server is connected to our LN node F You Money! 01 which sent all the payments using different routes/channels but always ending the transaction on your node ln-1.anycoin.cz. The attack stopped at 21:02h UTC (22:02h Prague) when we understood what was happening and shut down the servers where BTCPay server and the LN node are running. The final amount of BTC transferred from our node to your node was evaluated to be ~4BTC.
All the files with transactions registered on the database of BTCPay server, NGINX logs, node records and accounts/IP addresses used to do this attack are attached.
List of accounts created at the BTCPay server and all the information related to the attackers (also attached):
=========================================================================
dekajulimoro@proton.me (btcpay id: 25d18e23-6e74-4507-8432-154ead7a9a91)
  82.79.98.45 - COUNTRY: Romania; REGION: Bucuresti; CITY: Cluj-Napoca; ISP: RCS & RDS S.A.
olgahargraveuoy.34@gmail.com (btcpay id: 61f40a8f-9259-4a0f-882d-4c02f0e8d253)
  82.79.98.45 - COUNTRY: Romania; REGION: Bucuresti; CITY: Cluj-Napoca; ISP: RCS & RDS S.A.
olgahargraveuoy34@gmail.com (btcpay id: b5f4ec8a-0448-487b-be0a-361730af00d5)
  178.175.141.216 - COUNTRY: Moldova; REGION: Chișinău Municipality; CITY: Chisinau; ISP: Trabia SRL
  212.0.195.102 - COUNTRY: Moldova; REGION: Chisinau; CITY: Chisinau; ISP: Moldtelecom SA
huxype@imagepoet.net (btcpay id: eef512d2-6fb8-494f-bf41-c7e058e68003)
  82.79.98.45 - COUNTRY: Romania; REGION: Bucuresti; CITY: Cluj-Napoca; ISP: RCS & RDS S.A.
goomoogle1@proton.me (btcpay id: fa4d6bd1-bcb7-43c9-a93a-313f7ac1cf7d)
  178.175.141.212 - COUNTRY: Moldova; REGION: Chișinău Municipality; CITY: Chisinau; ISP: Trabia SRL
=========================================================================
The above accounts and IPs are all related to this attack. Please compare the above IPs with your own records for validation. When checking our NGINX logs also search for the above IPs and email accounts. These lines will show all transactions made. When checking the DB records you will find all transactions and hashes related to the attack and invoice IDs, etc.
We will appreciate your collaboration in identifying these people and also providing us and the authorities with all the information about who was using the wallet and where they sent the BTC. Also we will appreciate that you URGENTLY freeze any funds related to the transactions in the attached files that are related to this attack.
We will be happy to hear from you ASAP. This is a very urgent situation.
Best regards
Here are the files I sent them in this email. They contain all the information about this hack:
Here's their reply (~21 hours later):
Hi, sorry for a delayed response. We were crunching through the data you sent and we have a bit more work to do, but from what we already know the BTC sent from these accounts was immediately forwarded to other nodes (with the exception of some residual amounts left). We sent you the node IDs and amounts in the previous message so that you can try to find those LN node owners and see if they have the funds. If there is any more information we can give you to increase the chances of recovering at least some of the funds lost, we will do our best, however our options are limited.
So far, based on your data we identified just one more account on our side that we didn't previously find but it was probably only used for a test, there is only a few euros worth of bitcoin now. All other accounts used are unfortunately empty.
Is there anything we can help you with right now?
Kind regards, Bitlifi team
Clearly this email was written in that "We're sorry but there's nothing else we can do" tone... They sent me the nodes where some of the BTC might have gone but, considering that my own node was on that list and none of the BTC was returned to my node and also they didn't even mention if some of the BTC was exchanged for FIAT and withdrawn on their exchange I can't do much. The amounts were also not correct, for fuck sake... How can I contact other nodes with incorrect information?!
So I sent this email in reply (the last one so far because days later I have no reply from them):
Hi,
Thank you very much for your reply. The list of nodes in your previous email is incorrect as no amount of the stolen Bitcoin was ever rerouted to my node. All the correct information is in the files I sent over to you. Also I would like to know if you were able to identify any more information based on the files I sent in my previous email?
But anyway, as I understand from your website legal information, you are a regulated and 100% KYC exchange. Taking this into account, I again ask you for your collaboration in identifying the person (your customer) that used your LN node and wallet to do this attack and also all the routes used to transfer the Bitcoin out from your node, to other nodes or even L1 wallets or exchange fiat currency to withdraw in any bank. Also there's a need to know exactly what was done after the Bitcoin arrived in your node and exchange.
I'm preparing all the information to contact the authorities in Czech Republic, Moldova and Romania on Monday. The legal procedures will obviously require all the correct KYC information on this customer of yours.
I very much appreciate having your collaboration and trying to identify the person(s) associated with this.
Looking forward to receiving your reply, Best regards
Two days later... SILENCE. No more emails were received by me.

In the meantime, while I was GETTING FORGOTTEN by Bitlifi, Anycoin and 21M...

While this was going on, @DarthCoin also helped me get into contact with 2 core developers of BTCPay server: Pavlenex and Rockstardev that had so far not replied to my DMs.
Pavlenex and I spoke on Telegram and, while we were messaging, he also pressed the CEO of Anycoin a bit to help me. As far as I was told by Pavlenex, the CEO said they can't do much. But Pavlenex said that he would continue to follow this case and would get back to me if some new information was discovered... I'm still waiting... No new information from the CEO of Anycoin or Pavlenex.
As to the developer of LNbank, Dennis Reimann, I replied to him on Nostr when he FINALLY AND PUBLICLY ADMITTED that there was a bug on his code and everyone should upgrade the LNbank extension. This was 2 days after my BTCPay server was exploited!
You know what happened? HE DIDN'T EVEN COMMENT ON MY POST. NOT EVEN A FUCKING APOLOGY! Just another person that added me to the "forgotten ones" list...

My investigation

I don't want to bother you with 2 days of not sleeping and just digging up all this shit from the server logs, database records and many other things I had to do to connect the dots.
I started by isolating all possible things that were connected to my Lightning node. Only 2 platforms: LNbits and BTCPay server.
On LNbits nothing was out of the ordinary. All the wallets were normal and the balances were correct. No suspicious transactions were recorded on Postgres.
When I went to investigate BTCPay server the story was a completely different one. Immediately I found 5 newly created accounts on the server. Created precisely on the same day of the attack just a few minutes before the exploit started.
From there I went to investigate the Postgres database. And surely there they were... Hundreds and hundreds of payments made to invoices created at the ln-1.anycoin.cz node in the space of a few hours. All of them with the description "Payment to Bitlifi wallet".
From there I went on to investigate the NGINX logs to check for the login of those 5 accounts newly created on that unforgettable day Dec 6th 2023. It was a horrible show of thousands and thousands of lines with IP addresses, LNbank API calls, account logins and a shit show of other stuff that I crossed with other data from the node, Postgres DB and BTCPay server to conclude 5 accounts (emails) were created to exploit LNbank and all the satoshis that were stolen amounted to exactly 407.361.805 SATS.
In the end I also checked the Lightning node to cross reference the transactions and they are correct with the transactions registered in the database.
All this information can be checked by you guys on the links above.

What next?

As I wrote to Anycoin in my last email, I'm preparing a case to deliver to the authorities in Czech Republic and also Romania and Moldova because the IPs associated to this attack are from Internet Service Providers in those countries.
In the process of talking to Anycoin, I also found out that this exchange is regulated by the EU and 100% KYC. You can check it here in their own terms of service that I saved before anything could happen to their website... Read closely points 3 and 4. They must have all the information of the clients to provide the service.
IF KYC IS NOT TO AVOID CASES LIKE THIS OR PUNISH CRIMINALS THEN WHAT THE FUCK IS IT FOR?
I don't know if the authorities or the exchange are going to collaborate in finding the person that conducted the attack on my server but I can't do anything else. Just hope that they identify this person or persons and some of what was stolen can be retrieved.
I will also talk to some people as soon as I can calm down a bit more. I'll try to get some ideas about what my options are.

Broken dreams

As I described above, me and my wife's dream was to move to Bitcoin country and build a community of Bitcoiners that also want to move and live here. We were going to build our own house and a few others so that Bitcoiners can live together in the same land and share the same honest and morally correct principles.
I never stole from anyone in my entire life! I'm a libertarian that respects life and private property. These are the principles that unite the big majority of Bitcoiners! And those are the ones that would be sharing our space. To live off the land and get some affordable rent from the other small houses was our future income.
Now the dream is broken and possibly over. Most of the Bitcoin is gone and I don't even know how I will be able to continue to live here and help El Salvador to become the dream everyone wants it to be. Our only income is a few bucks /month from YouTube, Lightning fees from the hacked node and a few thousand sats /day from Bitcoin mining. We were mainly living very humbly on our own Bitcoin waiting for the next halving to start building this project.

Message to whom it may concern

If you are the one who did this attack, please return the Bitcoins and all will be forgotten. Please read next point.
If you are, in any way, connected to this case, help me in any way you can (tracing the Bitcoin, identifying the person(s) or any other way you can think of). I'm addressing Anycoin and 21M, BTCPay server and LNbank developers, and any other person that feels they should help. Please read next point.
If you are just a random person that happens to be reading this and you feel you can help in any way, please read the next point.

How you can help

I've set up a new wallet that will be publicly exposed so that anyone can send what they want/can and check its balance over time. If by any chance or miracle this wallet gets more than 4BTC, I will donate the surplus to help other Bitcoin projects in El Salvador:
bc1qz8dxk6h8gha5qvsnw67rjzz3xn6t4k0wmafqz3
If you just want to send an email with a kind word of support:
Thank you!
As someone who has been robbed multiple times because of software bugs while running a service trying to be helpful and not make any money from it, I understand your feelings completely. In my case too the attackers knew what they were doing and sent the money to other wallets like Bitrefill or WoS and from there they quickly vanished with the money, I'd say it's impossible to track even if everybody cooperates. I toyed with the idea of creating a federation of bona fide wallet providers that would be able to automatically and immediately track and halt the accounts of thieves in these cases, but ultimately I think this would be too hard to make work, so we're left with emails and 6-hour-late responses.
In many of my cases, too, the people responsible for the bugs that caused money loss never apologized, which would have been a nice gesture at least. On the other hand I understand that bugs are unavoidable and it would be mentally overwhelming for them if they were to feel responsible for every satoshi lost due to their bugs.
reply
As I said in a previous reply, an apology costs nothing and starting a crowdfund using their influence in the community would be greatly appreciated. They're known all over the world after all...
reply
Pavlenex here. I've apologised to you, I've spent multiple hours chatting with you and connecting you with an exchange. Your claims here aren't true. We have processes for security vulnerabilities, and nostr is definitely not the best way to reach out to me, as soon as I was made aware, I've reached out to you on Telegram. I understand your frustration but you can't just fabricate things to fit the narrative.
Once again, I apologise for your loss and pain this has caused.
reply
Hey Pavlenex, I hope you understand I never met you before and didn't know the best way to contact you. It was @DarthCoin that helped me on how to contact you. Also I never said you didn't apologise. On my article, I said @d11n (the extension developer) never did. And my first contact with him was AFTER he published the patched version of LNbank as you can see by the Nostr screenshot.
Also I want to be clear! NOTHING in my article is a fabrication. All that I describe there really happened.
reply
0 sats \ 0 replies \ @nym 22 Oct
I'm so sorry to hear about this.
reply
As someone who has been robbed multiple times because of software bugs while running a service trying to be helpful and not make any money from it, I understand your feelings completely. In my case too the attackers knew what they were doing and sent the money to other wallets like Bitrefill or WoS and from there they quickly vanished with the money, I'd say it's impossible to track even if everybody cooperates. I toyed with the idea of creating a federation of bona fide wallet providers that would be able to automatically and immediately track and halt the accounts of thieves in these cases, but ultimately I think this would be too hard to make work, so we're left with emails and 6-hour-late responses.
In many of my cases, too, the people responsible for the bugs that caused money loss never apologized, which would have been a nice gesture at least. On the other hand I understand that bugs are unavoidable and it would be mentally overwhelming for them if they were to feel responsible for every satoshi lost due to their bugs.
Funny to see fiatjaf saying such kind words. The same guy who magically disappeared a few thousand satoshis from my property in his infamous telegram bot and blamed me for putting money in his stupid code. I hope you get robbed a lot more asshole.
reply
Hey, how many satoshis have disappeared? What is your Telegram username? The withdrawals from lntxbot have been happening for many months now and are still ongoing. You have probably gotten a message from the bot notifying you of that. Please join https://t.me/lntxbot_dev and tag me so we can fix this.
reply
Can confirm, I got my withdrawal from lntxbot recently.
reply
Can confirm this too. Was able to withdraw all sats that I had there. Very recently, after receiving message to do so.
reply
In my case too the attackers knew what they were doing and sent the money to other wallets like Bitrefill or WoS and from there they quickly vanished with the money, I'd say it's impossible to track even if everybody cooperates.
I feel like I should mention here that attackers most of the times know exactly who they should target. They are not going to waste their time with a target that may be too hard if there are tons of other targets that are easier to exploit.
For example, many people ask other people who got scammed:
How could you get scammed by someone like this? Wasn't it obvious?
It's selection bias: Most people who got scammed will think in hindsight: Why didn't I see all the red flags?
For example, scammers are using errors in their scam emails on purpose.
These errors are there to filter out exactly the people that are too smart anyway to get scammed. So only the "less smart" people actually contact the scammer so the scammer doesn't waste his time with people who are just going to waste his time.
Knowing stuff like this is the reason why I am very hesitant to connect https://delphi.market to mainnet since I might have to say one day: I wasn't smart enough myself to not get my funds drained, lol
Or I will at least put only very little funds first to see if there are some script kiddies who can already exploit my code - since I don't really know how secure my code is until it's live and ready to get exploited by real attackers.
But then again, can't be sure if I put more funds into it, if I am now going to attract new, more sophisticated attackers ...
we really need more security around LND nodes, lol
reply
federation of bona fide wallet providers This seems to be a great idea. How would this work? We are open to discuss about this, even privately if needed.
reply
I didn't think about the details, but it could be a simple thing based on Nostr.
You would make a list of other wallet providers you trust and listen to some specific Nostr relays for a specific kind.
Whenever there was some suspicious activity in any wallet provider they would publish payment hashes of transactions made by the suspicious people. You would then check your internal database for those hashes and temporarily freeze the involved accounts immediately, then try to hash it out with the other providers manually and understand the situation.
reply
This is an interesting idea, but it could quickly be adapted into a kind of industry best practice in the same way that many exchanges are using Chainalysis to screen incoming onchain transactions.
Let's say this gets built and Chainalysis offers up a free service that you can point to in order to freeze lightning payments on a best effort based on payment hashes of transactions made by suspicious people. Now every regulated wallet provider or exchange would be pressured into using such a service.
reply
There is a pattern on most of these hacks. Hackers move the funds from one wallet (node) to another just to hide their trace. Hard to follow the money. Probably the easiest way to reduce these hacks is a temporary hold of the funds for a certain period of time. For example, if a wallet / account receives 1M Sats in a transaction, you would only allow out max 20% of this amount in the next 24 hours. If in 24 hours you receive information from other wallets concerning suspicious transactions, you can still return 80% of the funds. Yes, I know, it can be an inconvenience for legitimate wallets / accounts, but for safety reasons it could be acceptable.
reply
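The 24-hour hold proposed in the comment above, sketched as an added example (not code from the commenter or from any wallet project). The `HeldAccount` class, its method names and the choice to apply the hold to every deposit regardless of size are assumptions made for illustration.

```python
"""Per-account outflow hold: 20% of a deposit is spendable at once, the rest after 24h."""
from dataclasses import dataclass, field

HOLD_SECONDS = 24 * 60 * 60   # hold period from the comment: 24 hours
IMMEDIATE_PERCENT = 20        # share of a fresh deposit that may leave right away


@dataclass
class HeldAccount:
    """Hypothetical custodial account; amounts in sats, times in Unix seconds."""
    deposits: list = field(default_factory=list)   # (received_at, amount_sats)
    withdrawn: int = 0

    def receive(self, now: int, amount_sats: int) -> None:
        if amount_sats <= 0:
            raise ValueError("deposit must be positive")
        self.deposits.append((now, amount_sats))

    def balance(self) -> int:
        return sum(amount for _, amount in self.deposits) - self.withdrawn

    def spendable(self, now: int) -> int:
        """Sats that may leave the account at time `now`."""
        released = 0
        for received_at, amount in self.deposits:
            if now - received_at >= HOLD_SECONDS:
                released += amount                            # hold expired
            else:
                released += amount * IMMEDIATE_PERCENT // 100  # still held
        return max(0, released - self.withdrawn)

    def held(self, now: int) -> int:
        """Sats still inside the hold window, i.e. what could be returned
        if another provider reports the deposit as stolen."""
        return self.balance() - self.spendable(now)

    def withdraw(self, now: int, amount_sats: int) -> bool:
        """Debit the account if the hold allows it; return False otherwise."""
        if amount_sats <= 0:
            raise ValueError("withdrawal must be positive")
        if amount_sats > self.spendable(now):
            return False
        self.withdrawn += amount_sats
        return True


if __name__ == "__main__":
    # Constructed scenario: the 1M-sat deposit used as the example in the comment.
    acct = HeldAccount()
    acct.receive(0, 1_000_000)
    print("spendable after 1h:", acct.spendable(3600))
    print("withdraw 200k:", acct.withdraw(3600, 200_000))
    print("withdraw 1 more sat:", acct.withdraw(3600, 1))
    print("still returnable:", acct.held(3600))
    print("spendable after 24h:", acct.spendable(HOLD_SECONDS))
```
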
First of all, sorry about losing that much. I would also be devastated and angry if it happened to me.
That said I think we need to add some context to all of this. All the software you use is open source and free of charge. Developers want to build tools to help others to make their lives easier and in the case of the Bitcoin ecosystem to even change the world and make everyone more free and independent.
You seem to be angry because d11n did not apologise to you on nostr. Reading the reply you wrote, you claim to have lost 4 BTC, you lost your life savings and ask for any help. Anyone could make that claim, there was no context how credible your reply was. Could have been any random troll to react on the alert to bash an already extremely stressed developer, no?
I believe you that you lost the BTC but the blame game here seems a bit off.
Some questions and strange datapoints randomly thrown together, your slogan is don't trust, verify - so here we go.
Sounds like you did not yet have any merchants onboarded, even if you had - putting 4 BTC on the line seems a bit much to make first steps in onboarding merchants?
Software versions: You say 3 months ago you set up btcpay and lnbits:
  • btcpay 1.11.1 was released in July (5 months ago), latest version is 1.11.7 released 18th October
  • lnbank 1.6.2 was released 20th July, latest version (before the vuln fix) 1.8.8 from 20th Nov.
  • lnbits of your site is running v 10.9 from 4th July, latest version 11.2 from 27th Nov.
The reality is even if the vulnerability was disclosed responsibly and a fix was in place for some versions already, you very likely would not have it installed when you were hacked. In comments you and darthcoin say you are technical and very security aware. Sorry, but first thing is to not run outdated software.
Timeline of events: You say 20 mins after you woke up December 6th, noticed 998 outgoing transactions, contacted darthcoin and 20 minutes later you shut down the server when 4 btc were gone.
  • Timestamp in UTC of your last transaction in the sheet is "2023-12-06T21:02:02.150Z", El Salvador is UTC-6, so about 15:00 afternoon.
  • The sum of BTC drained the last 20 minutes is 0,01645517 BTC
  • Draining of funds started 15:00 UTC which is 09:00 El Salvador time, so ongoing for 6 hours (you said you shut down server 20 mins after waking up at 15:00 local time?)
  • in your nginx log there is lnbank call even on Dec 7: [07/Dec/2023:02:05:35 +0000] "POST /plugins/lnbank/wallets/7c996caf-e08a-4b7b-b570-7e5a53eb7aea/receive HTTP/2.0" 200 9532 "https://btcpay.maximacitadel.org/plugins/lnbank/wallets/7c996caf-e08a-4b7b-b570-7e5a53eb7aea/receive" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
The story that you noticed it after you woke up does not quite match to the transaction table nginx logs you provided.
Also the table shows only draining of funds so either you cleaned up 1700 transactions manually from that table or it is a sign that there really were 0 merchants on your node. The Nginx logs show 15k entries for lnbank /send/confirm endpoint so I would expect many more entries in the transactions table.
Don't want to beat an already down man but like your podcast's slogan we are in bitcoin and we don't trust but verify. Certainly the vulnerability in lnbank did not help but running outdated software also is a recipe for trouble and even a fix would not have saved you if you don't update your software stack. Wish you all the best and keep the head up.
reply
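The log review discussed in the comment above and in the article's investigation section can be automated; the following is an added example, not code from the post or from BTCPay Server/LNbank. It assumes nginx's "combined" log format and that send confirmations appear as POSTs to a path of the form `/plugins/lnbank/wallets/<id>/send/confirm` (pieced together from the `/receive` path and the `/send/confirm` endpoint name quoted in the comment); the sample lines, IPs and wallet IDs are constructed.

```python
"""Flag bursts of LNbank send confirmations in an nginx access log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed nginx "combined" format: ip - user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumed path shape for the send confirmation endpoint.
SEND_RE = re.compile(r"^/plugins/lnbank/wallets/(?P<wallet>[^/?]+)/send/confirm")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_send_events(lines):
    """Yield (timestamp, client_ip, wallet_id) for each successful send confirmation."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue                      # malformed line or not a POST
        s = SEND_RE.match(m["path"])
        if not s or not m["status"].startswith(("2", "3")):
            continue                      # other endpoint, or request was rejected
        try:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
        except ValueError:
            continue                      # unparseable timestamp
        yield ts, m["ip"], s["wallet"]


def find_bursts(lines, window=timedelta(minutes=10), threshold=5):
    """Return {(ip, wallet): peak} where peak is the largest number of send
    confirmations seen inside any sliding `window`, if peak >= threshold."""
    by_key = defaultdict(list)
    for ts, ip, wallet in parse_send_events(lines):
        by_key[(ip, wallet)].append(ts)

    bursts = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[key] = peak
    return bursts


def _line(ip, ts, path, status=200):
    """Build one constructed log line in combined format."""
    return f'{ip} - - [{ts}] "POST {path} HTTP/2.0" {status} 9532 "-" "constructed-agent"'


SEND_A = "/plugins/lnbank/wallets/wallet-a/send/confirm"
SEND_B = "/plugins/lnbank/wallets/wallet-b/send/confirm"

# Constructed sample: one client confirming a send every minute, one ordinary
# user, a rejected request, a /receive call and a malformed line.
SAMPLE_LOG = [_line("203.0.113.7", f"06/Dec/2023:15:2{i}:00 +0000", SEND_A) for i in range(6)] + [
    _line("203.0.113.7", "06/Dec/2023:15:26:00 +0000", SEND_A, status=403),
    _line("203.0.113.7", "06/Dec/2023:15:27:00 +0000", "/plugins/lnbank/wallets/wallet-a/receive"),
    _line("198.51.100.9", "06/Dec/2023:15:00:00 +0000", SEND_B),
    _line("198.51.100.9", "06/Dec/2023:16:00:00 +0000", SEND_B),
    "not an access log line",
]

if __name__ == "__main__":
    for (ip, wallet), peak in find_bursts(SAMPLE_LOG).items():
        print(f"{ip} wallet={wallet}: {peak} send confirmations within 10 minutes")
```

The threshold and window are tuning knobs: on a merchant server a handful of sends per wallet in ten minutes may be normal, while hundreds from accounts registered minutes earlier, as described in the article, is not.
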
Brother, thank you for verifying all the data I posted. I can assure you all is true and I was completely drained. This was already confirmed by Bitlifi, BTCPay Server and @C_Otto.
Yes some timings may not match exactly but who's looking at the watch while getting completely fucked? I can't remember exactly what time I got to the computer but I can assure you it was very late because I work on my projects all night long.
Regarding the NGINX log crossing over to Dec 7th: I restarted the node and BTCPay server after disabling the hacker accounts on BTCPay so that people using the server could move their sats to other wallets. I personally told them to do so. During that period there were a few other attempts to continue the attack but the accounts were already disabled.
reply
The reality is even if the vulnerability was disclosed responsibly and a fix was in place for some versions already, you very likely would not have it installed when you were hacked.
This is highly speculative.
One thing is to update to the newest shining version. Another is to do that after a critical security flaw has been found.
How many security vulnerabilities have been found on btcpayserver/lnbank on these three months?
The story that you noticed it after you woke up does not quite match to the transaction table nginx logs you provided.
Everything can be explained if he woke up afternoon. He didn't say he woke up in the morning.
in your nginx log there is lnbank call even on Dec 7
Maybe some testing during the investigation period?
But anyway it's good that you took the time to double check everything that has been said. We indeed should not blindly trust random people on Internet.
reply
I know Hugo personally and he's pretty much a night owl and goes to bed at the very early hours of the morning, so the waking up in the afternoon part is totally normal for him.
reply
Thanks for vouching for that. It's absolutely true!
reply
I'm sorry for your loss, I really am.
but I'm not understanding well.
so I have one question... did you put your lifetime savings (4 BTC), into an ultra hot BTCpay server LN wallet?
reply
I guess you didn't read the complete article. I've been running 2 LN nodes for almost 2 years. Gradually I increased the liquidity in the main one to facilitate onboarding of people into Bitcoin. They have been absolutely secure and always running the latest versions. Also liquidity in channels means multisig layer1. I had nothing in the node hot wallet or BTCPay server hot wallet.
Only after I decided to run BTCPay server, which started only 3 months ago, this happened because of a bug in LNbank which allowed hackers to make payments from the node's channels using the Lightning network.
reply
I'm so sorry to hear this, it's tragic when things like this happen with folks that are just trying to help out.
Also liquidity in channels means multisig layer1. I had nothing in the node hot wallet or BTCPay server hot wallet.
Just to clarify one point though for anyone else reading too, funds in lightning channels are absolutely spendable hot funds, and running things like LNBank in BTCPay, or LNBits, or LNDHub, on top of a node gives that software full access to hot funds in the node, or in this case whatever local-balance-liquidity you had on the routing node you connected to BTCPay (why @iguano said "ultra hot").
The fact that a lightning channel is a 2-of-2 multisig is an implementation detail. Channel updates are blindly signed by both channel parties whenever the lightning balance changes when you send or receive.
I'm mentioning this only in case this was the case here and in case anyone else also has a setup with similar assumptions, and I apologize in advance if I misunderstood anything about the details of your specific setup from what I could tell from reading and re-reading your article.
reply
I fully understand that having funds in a LN node is not the same as having a singlesig layer1 wallet. I also appreciate you explaining it clearly in your comment for others to understand. However I want to focus on the really important thing here: I've been running 2 LN nodes for almost 2 years and they were absolutely secure until the point I connected BTCPay server to one of the nodes.
The important point here is: IF I had never installed a buggy platform like BTCPay + LNbank, the 4 BTC would still be there.
reply
That might not be true. We always have to keep in mind that there could be unknown vulnerabilities in the software we use. Any hot wallet is risky.
reply
Exactly. Sometimes they like to wait until the right time to withdraw your funds. They could have had an exploit in your software long before this happened.
reply
Thanks for clarifying what I wanted to say. My intention is not to argue in this difficult time for @ramosh; my intention was to clarify to the reader that having funds on LN, no matter if those are non-custodial, is not the safe way to store our savings. Our savings should be in a properly set up cold wallet like a hardware wallet.
reply
I understand, I read the whole thing, same as this reply. I hope you recover from this. best of luck.
reply
Thank you, bro!
reply
Hard lesson to learn, but it was no one else's responsibility but your own. Try and get back on your feet. Stop pointing fingers. You alone are to blame. Sorry.
reply
Blaming is not helpful either way. A bug was found and fixed. A lesson was learned. KYC exchanges that the funds flowed through hopefully help to find the hacker.
In the end, the hacker also was one of OP's customers as LNBank also works with accounts and clearly somebody was granted an account. Or is the flaw exploitable for anybody without an account, too?
reply
My BTCPay server was configured to accept new accounts as I was using it to try to onboard merchants.
reply
It fucking sucks.. Look, sorry to come across as an asshole. My language could have been a bit more considerate, I agree. Good luck getting back on your feet.
reply
Thank you.
reply
Sorry for your loss, still that's a lot of btc on a hot wallet.
reply
deleted by author
reply
I explained that the node has been online for almost 2 years and only when I decided to help onboard merchants the liquidity was increased over time. This increase of liquidity happened over a long time when I was pretty sure the node by itself was secure.
The BTCPay server was installed much later, only 3 months ago.
reply
I am curious, how do you measure the security of your node? You explicitly say, "my node was running for 2 years and was absolutely secure. Then I installed X and bad things happened." I am sorry, but this means nothing. The vulnerability is the human factor here... All systems are secure until they aren't. Look eg. at ACINQ, how they try to secure their nodes with ledgers. Hard work.
Anyway, with respect to your loss, I believe that the more interesting thing here now is the vulnerability itself. I've looked at the source code (https://github.com/dennisreimann/btcpayserver-plugin-lnbank/commits/master), there should be the fix in the 1.8.9 release. However, it is very difficult to figure out anything about it. There is no description. Am I blind or is it intentional? Can somebody explain what was the issue? Or is it a secret?
There is no mention of any critical vulnerability fix in the release notes: https://github.com/dennisreimann/btcpayserver-plugin-lnbank/releases/tag/v1.8.9. Like, seriously?
Here is a pretty new issue to start doing CI/CD: https://github.com/dennisreimann/btcpayserver-plugin-lnbank/issues/57 in the project. Great! But wait, hey, this project is intended to maintain other people's money and it does not use CI/CD yet? "Somebody has lost his funds, so it looks like it is now the right time to start testing..." WTF?
Nowadays, anybody can write code because it looks easy. Even AI can write code today. Sharing everything. But where is some responsibility? Ok, it's FOSS, no warranty... But, really?
reply
This change looks suspicious: it resides inside a commit named "More transaction sorting" but instead it changes wallet balance caching code, which is a quite possible spot for a vulnerability.
reply
Brother, I was a developer and sysadmin myself for many years. Old school python dev. Once I learned a great lesson with someone I respect a lot... "If you want your server to be completely 1000% secure, disconnect both the network cable and power cable."
I understand nothing can be 1000% totally secure but after running 2 LN nodes for almost 2 years, using always latest versions of LND, using a great firewall on my network and many other things like researching all the time and being aware of bug reports, I had 0 (zero) issues with the LND node itself. Considering this I felt I could trust LND and my implementation to have it in production. And for 2 years all went fine until I installed BTCPay server a few months ago.
Regarding the rest of your comment, I totally agree 100% with you.
reply
I believe, you did your best.
It is now important to prevent such silly things in the future as much as we can. Bitcoin is not a toy anymore.
Take care.
reply
With all due respect, in retrospect I don't think you should consider "I had 0 (zero) issues" as a condition to put all your life savings or deduce something is bug free. If you are not risk averse, putting 1/4 would have been better. Just one example: many people use bash and yet there was a critical bug discovered in it in 2015 I think, heartbleed. And yet it was considered safe to use for years.
reply
How does ACINQ use a ledger to secure a lightning node?
reply
They probably track everything because of that.
reply
deleted by author
reply
I'm sorry about what happened to you.
If you ever find yourself in a similar situation in the future, make sure to have a backup plan to handle and mitigate the possibility of hacks, since dealing with these kinds of risks is part of what it takes to be a service provider.
As a developer, I wouldn't say sorry either. Opensource software usually comes with clear disclaimers stating that it's provided as-is, without any guarantee or insurance.
When you use open-source software, you're essentially taking it on as your own, and you're responsible for what happens while using it. If you can't vet it or handle potential unexpected issues, it might be best not to use it at all.
Offering an apology might be seen as admitting wrongdoing in this context, that is not a great idea in today's environment where opensource developers are frequently blamed by for profit corporations that freely use their work.
reply
Bro, if you knew me a bit, or any libertarian for that matter, you would know I don't rely on State justice to claim anything! When I said apology, I was referring to a moral obligation and not looking to input liability. If I was the developer I would. But that's me...
reply
Hi Hugo, Bitlifi is a nonkyc project from Anycoin. However, it's an LN wallet making it possible to send satoshis to a phone contact. So you still have a chance to identify the attacker, if you get the connected number from Bitlifi and if he used a registered SIM card. Unfortunately, from what I know, neither in Czech Republic nor in Romania or Moldova is KYC of SIM card users mandatory. But knowing the connected phone number you can still get more important data from the Internet or from the phone company, which can help you with tracking the attacker. Wishing you success in finding him.
reply
I would never have more than 10% lightning
reply
I am really sorry I couldn't help you with more support that day. You contacted me on a chat when I wasn't at home and not able to give you more advice. Also not seeing what really was going on. I didn't even know you were running a BTCPay for other people.
This is a terrible mistake from the BTCPay team that didn't verify correctly the bug in the LNbank plugin.
Please keep us posted with the investigation from the CZ exchange.
I am speechless.
reply
It's not your fault... You couldn't imagine what was really happening without seeing it in front of you. Anyway, when I saw it and DMed you almost everything was drained already...
I will continue to post news if any arise.
reply
I hope this case will be an important lesson. Firstly for developers, to be more careful and test all releases better. I notice lately that many apps are doing rushed releases, sometimes even skipping intense beta testing in secured environments.
Also other users must learn the lesson from your terrible case. As I know you enough, being a good tech guy with a high level of security knowledge, even then, with all the security measures you took, the bug in the software is something you couldn't know about and be ready for. I hope all those noobs trying to run LN public nodes will reconsider it if they do not have at least your level of tech knowledge.
reply
Yes exactly. People keep insisting in "you've put 4BTC in a hot wallet?". Yes I did because I know and took all the security measures and precautions. The proof is that for almost 2 years my LN nodes were perfectly safe and never hacked.
The focus here is that a bug in LNbank/BTCPay allowed hackers to bypass all security!!! This is the point!!! :(
reply
If this is your takeaway from this, that software shouldn't be infallible and that it's ok to put large amounts of funds into hot wallets if you believe the software is secure, then you're also taking away the wrong lessons in addition to a painful loss
reply
This is terrible news, I am sorry for your loss.
Any ecommerce platform built on bitcoin/lightning is an incredibly risky venture. A tiny vulnerability somewhere could lead to a total loss of funds if things are not done carefully.
It sounds like the LNBank plugin (and perhaps all plugins) had no restrictions on withdraws, and so the attacks used it to drain your account.
Introducing plugins has been a growing trend with a number of platforms, and it compounds the risk of losing funds even further.
I wish you good luck with everything, and I hope that you will bounce back from this stronger than before.
reply
Thanks bro. I'm fighting here to get up and continue... But it's really hard! I appreciate your kind words.
reply
33 sats \ 1 reply \ @fm 11 Dec 2023
Fuck.. There's not much to say.. Let's see if you can recover something. KYC is there to protect institutions and governments.. They may even present false information.. I once thought about moving to El Salvador like you. Let's see if, when you are calmer, you tell us more about the country. Good luck Hugo
reply
That KYC shit only serves to protect the masters. As always. Thanks for the words! Hugs.
reply
I am really sorry for your loss. I hope you can recover your BTC. Unfortunately, I would not hold my breath that KYC will help you find your coins. KYC is only to help the government catch the people they want to catch. It was not made to help the little guys.
reply
Exactly. Then KYC can go to hell. Anyway, I still hope the exchange people help me track the payments and identifying the hackers.
reply
i feel your pain brother, hope maxis will help!!! here is my small donation, 1 small step for maxima citadel and freedom
024c48890a48fa9a1b7839312f50a31239fe7c3b009824d07f813941479c9ec1
reply
Brother, thank you so much! You can't imagine how this is appreciated and important to me. I confirm the funds were received.
reply
STATUS UPDATE (Dec 12th 2023):
  • Yesterday I had a video call with the guys at Bitlifi in Czech Republic (finally they crunched all the data and asked me to talk to them). They confirmed all the information in the files I sent them and matched the records with theirs. Everything matches with my information. That's good. We came to a final amount of 4.06BTC stolen. The difference to 4.07 means my node paid ~1M sats of fees (4.06 was the amount received at Bitlifi).
  • They provided me with the phone number used to register the Bitlifi wallet app used in the attack. If someone here can help me identify the number, please do: +19097073730
  • We agreed that next steps are identifying and contacting all the LN nodes where the funds were rerouted to. I'm working on this now. There's a possibility we could trace the funds to know where the off-ramp was.
  • They promised me that they will collaborate with the authorities in case I decide to go ahead with this path. Good to know guys, I appreciate this.
reply
I am sorry about your case. What exactly do you expect from bitlifi? It is a lightning service that anybody can use just by using a phone number (or nowadays probably even an email address). Thus, I guess, the payments arrived there and then were sent to another node somewhere else. I'd be very pessimistic that any KYC is applicable here.
reply
I would expect full cooperation in identifying their hacker customer in accordance with their own terms of service. If you read my article well you saw I published their TOS where you can read they identify every customer with KYC. Also this exchange is regulated by EU and full KYC. What the hell is KYC for other than identifying customers to prevent fraud?
I would also expect them to, as soon as they received my first email, freeze the funds immediately, contact authorities and deliver them the identification of the person(s) involved.
reply
You have unreasonable expectations.
reply
No I don't. Expecting a company to actually go by their own TOS is perfectly reasonable. Expecting them to collaborate with authorities is perfectly reasonable. Expecting them to freeze LN funds asap is perfectly reasonable.
reply
If I understand it correctly, Bitlifi and Anycoin are 2 separate things (even though they are owned by the same company). Bitlifi is a wallet, nothing to do with KYC, and Anycoin is an exchange which requires KYC (only for transactions from a certain amount). Unless the funds were used on the exchange, there is no KYC information. From the emails, it does not look like any of the stolen btc was used on the exchange, so there is no KYC info to be provided at any point of the theft.
I am totally pissed off this has happened to you and these thieving assholes deserve some karma boomerang. To be fair though, a company cannot react with customer data (if they have some) to a request from anybody. As you said, you need to file a proper police report etc. in order to move forward in any way if you are after KYC info, which in this case is probably none to be had.
Good luck mate. I hope you get to recover some of it at least.
reply
Bro, a LN wallet is just a frontend for your balance (sats) which resides in a LN Node. The LN node is property of the exchange.
If they KYC the customers they should have the information on the person that used their services to receive the sats and transfer them.
Also if the exchange is EU regulated and has KYC they should by law identify all persons using their services, even the wallet Bitlifi.
I never asked them to give me the identity of the customers. But they could have gathered this info about the hacker and tell me "we have the info. Please contact the police so that we can collaborate with them."
reply
You misunderstand how these things work. LN wallet and LN node have nothing to do with the exchange customers. Unless the KYC exchange customer uses it to send/receive funds via lightning, it is not connected at all. You do not need to be the exchange customer in order to use the lightning wallet and this was probably the case. The Bitlifi wallet only uses a phone number to identify the owner of the wallet, so a burner phone will stop the investigation right there.
reply
I understand all that. Whatever the case might be, the people that work there should have immediately frozen the funds and contacted the authorities as soon as they got my email.
reply
They wrote there were no funds left. Imagine the attacker, they most likely set up many LN wallets at custodial providers (Bitlifi, Wallet of Satoshi, etc) with fake data (mobile phone, email) and just sent LN payments between them to make the tracking worse. I guess in the end, they sent it to something like FixedFloat and exchanged it for Monero.
reply
I can partially confirm these statements: my node (c-otto.de) has a direct channel to "F You Money! 01" and it routed around 100% of the available liquidity from "F You Money! 01" to ln-1.anycoin.cz (directly or indirectly).
reply
Dear @C_Otto, thank you very much for confirming the part of the data you could confirm. I want you to know that you were one of the first people I watched in an interview on YouTube about Lightning and your node was always part of my channels choice and something to look up to. Best regards brother!
reply
Don't feel for him, he is anti-Semitic and spreads hate against everyone.
reply
Damn. Thanks for providing the detailed post-mortem for posterity. This is a good reminder (again), just like the Bitpay/copay/event-stream hack, developers of financial software have an overwhelming responsibility to test the living shit out of supposedly supported software integrations and dependencies to prevent end users from attacks/exploits. Simply saying “this is beta/experimental software” is not going to fly.
reply
The worst part is that I didn't even get an apology! NOTHING. Complete silence from the LNbank developer @d11n.
The exchange and BTCPay team could use their influence to start a crowdfund and help the people that got destroyed... Just sayin...
reply
deleted by author
reply
Perhaps my intention was never to expose @d11n to liability but only get an apology and collaboration. Please notice I only replied to him after the bug was corrected contrary to what he argues that "I was correcting the bug..."
reply
LR; So sorry for this, and hope the authorities can help.
reply
Thanks bro.
reply
Shoot, heard about this earlier in the week and was hoping for a happier ending. Hang in there, we have a great community, still hoping for a positive outcome!
reply
Thanks for the kind words. I'm hoping for that too!
reply
Awful to hear, so sorry that happened to you..
reply
Thanks for the kind words.
reply
Sorry man, I hoped this is followed till it reaches a favourable end.
reply
That could only happen if the people involved (the exchange and BTCPay team) would actually dedicate time and effort to help track the hackers. On the other hand they could use their influence to start a crowdfund to help victims of this bug. But there are no incentives for them...
reply
So you're fabricating a story where we (BTCPay community) ignored you (we didn't) just because we didn't immediately start a crowdfunding for you instead of patching a bug and ensuring others don't get impacted on a Friday evening, evil people we are. I'll let the entire team of 8 people maintaining payment infrastructure for entire bitcoin know, to immediately start one.
Did you ask how Dennis was? Has he slept? Have I slept? Do you really think we're not impacted by this equally, even though I can be a jackass and pinpoint several things you could've done to mitigate a hot wallet attack better?
Listen, I understand your frustration and pain, I empathize, but you attacking us for your pain instead of the hacker is probably not a fair direction to go into, especially because I really believe we've done everything we could to help you.
reply
I'm not fabricating a story! The first time I contacted Dennis was on the Nostr post where he announced the bug and asked everyone to update!
At this time the patch was already in place and published. Dennis @d11n never replied to me 1 single word until the time I published this article!
Stop this narrative. I was very clear. When I replied to Dennis he had already patched the bug and he would not have to stop his work to apologise or help in any other way.
I made a clear distinction between you and Dennis. I wrote in the article that you talked to me and pressed the CEO of the exchange.
Look man... I'm not going to continue arguing with you. I never attacked you or wrote anything bad about you. I appreciate that you talked to me on Telegram and hope you start to sleep better in the coming days and have a really happy life doing what you love to do! I really do.
reply
+1 Pavlenex.
reply
Very sad.
Early software has more chances of giving problems.
I hope you recover your sats.
reply
Thank you sir for the kind words.
reply
Sorry for your loss.
Everyone should be reminded LN is still a nascent, risky tech.
I think a VLS (validating lightning signer, not yet in production afaik) could have helped here.
reply
Projects like VLS are underrated. We need more people working on these initiatives.
reply
Thanks bro.
reply
STATUS UPDATE (Dec 13th 2023):
To be completely fair and just I want to clarify something I didn't know when I first posted my article. Only a few days after my original post I was clarified by Bitlifi that Anycoin and Bitlifi are separate entities and KYC is only used by Anycoin. Bitlifi only asks the user of the App for a phone number to be able to use the lightning wallet app.
My apologies to the guys at Anycoin and Bitlifi and thanks for clarifying this information.
Also I almost finished the research of the nodes where the funds were rerouted to when sent out of ln-1.anycoin.cz. Not sharing this info yet because I want to contact all these nodes before publishing the list.
reply
I suspect one of those nodes is mine. If so, I would be happy to return them to you (unfortunately it is a very very small sum). How can we check?
reply
Brother, what's your node public key? And name?
reply
Hi Hugo,
I'm a listener to your podcast and I was a fellow node runner until I realized how dangerous running a lightning node can be.
Today I work with bitcoin and I'm trying to make it more secure and easy to onboard new people. There is a lot of development that still needs to be done. It's not ready yet for the level of adoption we are hoping for.
As you have a development and sysadmin background, if you need another source of income, consider looking closer into the ecosystem. There are a lot of opportunities. Contact me if you're interested in pursuing this path.
Anyway, I'm very sorry for your loss. I've donated to you in the past and will continue to do so. I hope one day to meet you in El Salvador.
reply
Hi and thanks for following my podcast. Thanks also for the suggestions I'll consider my options and contact you. I really appreciate your kind words.
reply
Fuck.
I'm sorry this happened to you, I hope somehow you can catch those guys and it's also very sad to see that companies don't really care...
reply
Fuck indeed! I'm also sorry, especially me being so careful and implementing all the security possible. Companies caring for people that are not even their customers would be too much to ask. Hugs!
reply
Even people that are their customers, that's why I avoid 3rd parties at full, took some time to adapt, but I just had to make a change. Also, are you going to go back to the homeland?
reply
I think your best hope is the police. In Japan though for Mt Gox it took quite some time to get the money back from robbers.
Could you add a Liquid address also? I will send you $10 worth of bitcoins. I hope you will get through this. You remind me of the guy who had $800 000 worth of bitcoins stolen last year.
Just from my perspective, in Japan we apologize for sure but the way people in Europe manage responsibility can be quite... irresponsible. Or they shift the responsibility to someone else... In my case I had a 2 million dollars bug but fortunately it was fiat so it was relatively quickly reversible, and I apologized multiple times. I also got new white hairs... It is easier said than done and a painful lesson but when thinking about software engineering I think we should remind us of examples like a rocket which blew up in the air because of a bug related to the type of a number (it was in a CS book but will find the reference if you are interested). This to say that software will inevitably have bugs, and even small changes can lead to critical bugs. So for Lightning, the only way to manage it in my opinion is to be prepared to lose money and to only put in it a part which we can lose. But of course risk management differs depending on everyone and I don't want to blame you.
reply
What a long shaggy dog story to arrive at the LNBank plugin fucked up.
Running other people's code with send access to a Lightning server is inherently very very high risk. Lightning is not a safe place to store anything.
I'm pleased that nearly all my funds on Hive are locked up in a way that makes even an active key loss far from catastrophic because of time locks and the ability to revoke keys.
reply
As a Portuguese native speaker, I empathize with you. The least I could do to help you in your brave journey is give all sats I have in my account. Thanks for your courage and dreams. I know many of us who would like to do the same as you but are sitting and waiting for people like you to represent the community.
Thank you!
reply
Thank you brother! Thank you very, very much!
reply
It sucks that this happened to you. My LN apps got hacked way too many times to count. I did lose large amounts of bitcoin due to my own bugs but never a huge amount like 4btc.
All I know is that if you keep at it, you'll make so much more which is what happened in my case.
Appreciate you, stay safe, take care of your family and keep working and doing good things. You'll win in the end.
reply
Thanks for your kind words, brother!
reply
I am very sorry for your loss. did you disclose to anyone in the Bitcoin community your activity and how much was involved with this lightning node operation?
Did you check with people to see if this was a generally good idea before implementing this venture? who/where did you check?
reply
Well I talk about my projects (in Portuguese) on my podcast. The Portuguese and Brazilian Bitcoin communities are aware of what I'm doing in El Salvador.
I discuss with @DarthCoin many things about Lightning in general and best practices. Also I participate in Lightning discussion groups.
reply
I feel it Hugo. Sorry for the loss. Some lessons are pretty costly.
reply
Yes this one was. I appreciate your support.
reply
Well that just fucking sucks. Sorry for the loss.
Easier said than done of course, but I'm sure you will find a way to turn this event into something worth 10x more. It may take a while, and it will surely be hard, but this is how great things and great humans are carved out.
reply
I hope for that too. Thanks a lot!
reply
Sorry for the loss. Losing 4 btc can drive you crazy, I understand that. You need to focus because tracking hackers like those is a bit tricky. Sorry once again and don't give up on your dreams.
reply
Thank you very much!
reply
I am very sorry about what has happened. I wish I could help but much smarter people are commenting here, I do not think I could give any additional help. By the way, be very careful about Romania and Moldova. For a while now, a group of criminal organisations from Italy has been washing money through newly built casinos in Romania and they also use bitcoin for additional purposes... I know this does not help much but it may be something to keep in mind.
reply
Thanks for your support. I really appreciate it.
reply
Is this that fat smoker who kept preaching hate against Jews on Twitter? hahahaha, the result came quickly, let it serve as a lesson.
reply
Ooof sorry for your loss sir. Software is not perfect and it will probably never be unfortunately. This is why it's important to have multiple people vet code that exposes money to the internet.
reply
Thanks for your support! In the future I hope people developing software will try their best to test very carefully before posting new code.
reply
Well, it's not as simple as that imo. Developers can work on a project for months, write a lot of tests to verify expected behaviour and there can still be unintended bugs the developer didn't catch. Even with multiple people vetting the code, sometimes all of them overlook a weird edge case that nobody thought about which can be misused by an attacker. I've worked for a couple of big worldwide companies as a developer and I've seen this many times over the years. There is always some trust involved when you run code, either you have to trust your own code or someone else's.
I hope you get the help you need to get the bitcoins back though, it's fantastic to have people like you in the community that wants to host services and help others out in some kind of way. 4 BTC is a lot but I hope you keep that community-spirit up after this too.
reply
That was still too little for the fatso from Palestine.
reply
You didn’t set up 2FA with your hot wallet?
reply
This has nothing to do with 2FA. It was a bug on LNbank that allowed hackers to make payments from the LN node.
reply
reply
This link is the announcement of the announcement AFTER all this happened, not before. BTCPay team was not even aware of the bug until Hugo discovered it and alerted them. They ignored his messages on nostr and only next day they bothered to answer.
reply
Pavlenex here. This is not true. I don't use Nostr that much; as soon as I was notified I reached out to the user. We have a process for security reports as well as for reaching out to us, he completely ignored those and even publicly notified people on Telegram about the vulnerability before it was patched.
I've spent at least 4 hours on Friday night at 21:00 trying to help him and get him in touch with the exchange. I understand the frustration, but usage of external plugins comes with a risk, let alone keeping your life savings in a hot wallet and on top of that opening your instance for public registrations.
reply
OK, understood. Thanks for clearing that up.
reply
Thank you for notifying me through a common friend on Telegram, as soon as I was aware of Hugo's problem, I've reached out to him to connect us.
reply
yes indeed, After Hugo asked on nostr about the issue he came back to me asking what should do more. So I've contacted Lux knowing that is a friend of yours to give me a direct contact for Hugo, because he was desperate. That's all I did, passing your contact to him. And he immediately told me that is with you talking.
reply
The only person I talked to about this hack before talking to you PRIVATELY on Telegram was @DarthCoin and was also private DM. Also contacted the exchange by email.
"publicly notified people on Telegram about vulnerability before it was patched." Can you please provide proof about this?
Now you are LYING about me.
reply
Yes you're right, my mistake on the telegram public posting, it was another user.
reply
No worries. Thanks for talking to me and helping with the Bitlifi people.
reply
😳
reply
Yep, accurate. That's also my face when I woke up and looked at the servers. Thanks bro.
reply
Stay strong brother
Firstly, the Lightning Network has good use cases for b2b, but it should have never been used as a global payment network for retail. Small blockers didn't have any other good scaling alternatives in 2017, so they went all-in with the LN.
Secondly, you've made a serious mistake by trusting experimental software with all your bitcoins. It's very unfortunate that the developer didn't even reply to your post, but we can't expect him to refund you since LNbank is open source software under the MIT license and it's very hard to verify that a victim and an exploiter are different individuals.
Thirdly, the adoption in El Salvador is still pretty low and the Bitcoin Citadel is more vulnerable than guerrilla-style surviving strategies like a parallel economy.
Bitlifi has at least a phone number of the user. If funds went to Bitlifi, Anycoin does have at least a phone number of the user. I would suggest you insist at Anycoin and file the police report ASAP. However, most probably the phone number was a disposable one that can no longer be tracked.
I am sorry to read about this. Really sorry. What was the exploit? Did you get any response from LNBank?
Listen to me carefully:
This was the man who distributed unlimited hate on his podcast and social media for years.
This was the man who criticized everyone who supported KYC and other ways of blocking funds in the face of theft.
This was the man who MOCKED and LAUGHED at everyone who lost funds in a situation similar to his.
This is the man who is now trying to deceive us all because he is simply an opportunist.
You will never deceive me.
I have a lot of doubts about this story and I think he PURPOSELY did this just to find a reason for good people to send him BTC.
Don't fall for the scheme. You'll see that time will prove me right.
KARMA IS A BITCH.
I didn't have the whole stack there, but a big part of it. And everything was safe for almost 2 years until I installed the damn BTCPay.
The last point of the article is how to help, if you want... I'm not going to ask anyone for anything more. Hugs
reply