Just a bit about me
I'm Hugo Ramos, a Portuguese guy in his late 40s. I heard about Bitcoin for the first time in late 2015. I bought my first BTC in late 2016, if I remember correctly, the price was around $1000. Yes it took me around 1+ years to fully understand the genius of Satoshi. In 2017 I quit my job and decided to get into the Bitcoin world full time. First by just studying and HODLing, then trying to evangelise family and friends and later by creating a YouTube channel and evangelise more people.
In 2022 I decided to move to El Salvador, together with my wife, and embrace the freedom of living in Bitcoin country. The goal was to buy some land and create a true Bitcoin Citadel where people sharing the same ideals could live together with us.
Today I run my own Bitcoin core full node, 2 lightning nodes (1 mainly for routing and 1 for small payments by family and friends), LNbits for wallets/accounting, 1 BTCPay server for onboarding merchants, 1 Nostr relay to help the network and several other Bitcoin related websites. All this at my own expense.
But what happened?
About 3 months ago, wanting to give back to the community even more, I decided to run a BTCPay server with the goal of onboarding merchants mainly in El Salvador but also other countries. I connected this server to the main Lightning node (the routing one) that, at the time, had 4+ BTC of liquidity.
Recently I was running version 1.11.1 of BTCPay server with LNbank v1.6.2 extension to allow merchants to receive Lightning payments.
On December 6th I woke up and noticed most of my LN node balance had been drained out. I started to investigate and realised this happened because 998 Lightning payments were made to the same LN wallet Bitlifi and all these payments, although going out through different channels and nodes, were all converging on the same node at the end: ln-1.anycoin.cz (pub key: 02ec20f34bb94460f3d63780dfc24a4d4a1ddabc3bd86c09e1830c5b5db08953e5).
Not knowing exactly what was happening, I decided to DM my good friend @DarthCoin (the most Bitcoin/Lightning knowledgeable person I know) and ask him if he knew about some exploit or something else that could explain these outgoing payments. Not knowing exactly what was happening either, and not even being able to see what I was seeing, he said "probably some people are making payments using their LNbits wallets". "Nothing to worry about". The problem is... I was really getting worried!
At this point (about 20 minutes after I woke up) 407.361.805 SATS had been drained out. I decided to shut down the node.
First steps after being robbed
The first thing I did after shutting down the node was to email the guys at the Bitlifi wallet. This app belongs to the regulated exchange Anycoin, which belongs to the group 21M. All of these companies are located in the Czech Republic.
Here's what I wrote:
Dear Sir/Madam,

I'm writing to you because we, at F You Money! / MAXIMA Citadel, detected a fraud involving our lightning node (F You Money! 01) and BTCPay server being exploited for not authorised payments that ended up on a Bitlifi wallet (which was connected to your node ln-1.anycoin.cz). At this point in time we already identified and created a list of all the transactions made by this dishonest person but we need your help identifying the person and trying to recover the BTC. The attack occurred on December 6th, between 16:21h and 22:02h (Prague time). The total amount of BTC stolen was ~4BTC. I'm sure you will be able to find the big number of transactions on your logs, in between these times, originating from our node to your node and then to a Bitlifi wallet.

All the documentation containing the transactions, emails used to register on our BTCPay server, and the specific amount for each transaction will be supplied to you as soon as needed for your verification and confirmation. We just need to be pointed to the right person in your company to further discuss this matter.

Surely we can count on you and your collaboration to help us find and possibly recover the stolen funds. It would be a matter of urgency to freeze the Bitlifi wallet in question so that the funds are not transferred out of your node. For this reason we would appreciate if you could contact us asap.

Looking forward to hearing from you,
Best regards
Here's their reply (~6 hours later):
Hi,

We registered a higher amount of transactions in the specified time frame. Can you please provide more information about this case? ID of transactions, LN addresses etc.? Can you also share the version of BTCPay you are using?

Unfortunately it seems all the deposits have been forwarded to other LN nodes. One of the destination LN nodes is also yours (3rd row):

021294fff596e497ad2902cd5f19673e9020953d90625d68c22e91b51a45c032d3 1.02326007
0260fab633066ed7b1d9b9b8a0fac87e1579d1709e874d28a0d171a1f5c43bb877 0.37778463
02758d961750972030292701d85c90e332bc1b7d8db0e705df3f087d285f9caf06 1.10696326
031df8ea711416b52d33c2f4a9b2a41d82f1da3c7672ffef2c24b0751cbdb75404 0.22228289
0324ba2392e25bff76abd0b1f7e4b53b5f82aa53fddc3419b051b6c801db9e2247 0.32877441
035e4ff418fc8b5554c5d9eea66396c227bd429a3251c8cbc711002ba215bfc226 0.35888885
0366faf9b8693d5ca2278f6a93c393a6ca0f25ab033d13703339037bb4ee845a5b 0.06666666
037f990e61acee8a7697966afd29dd88f3b1f8a7b14d625c4f8742bd952003a590 0.57444938

S pozdravem, Tým Bitlifi.com [Best regards, Bitlifi.com team]
Although they got it wrong (none of the stolen BTC came back to my node and also the amounts are not correct), I wrote back and sent them the files with my complete investigation, all the logs and records I got from the servers.
Here's my reply:
Hi S Pozdravem,

I'm going to provide a short description of what happened and also send you all the files with the information related to the attack.

On December 6th at 15:20h UTC (16:20h Prague) 5 new accounts were created on our BTCPay server (v1.11.1) that were involved in the attack. From the BTCPay server the attackers were able to send payments to your Bitlifi wallet using the LNbank API (this is under investigation with the BTCPay server developers). The BTCPay server is connected to our LN node F You Money! 01 which sent all the payments using different routes/channels but always ending the transaction on your node ln-1.anycoin.cz. The attack stopped at 21:02h UTC (22:02h Prague) when we understood what was happening and shut down the servers where BTCPay server and the LN node are running. The final amount of BTC transferred from our node to your node was evaluated to be ~4BTC.

All the files with transactions registered on the database of BTCPay server, NGINX logs, node records and accounts/IP addresses used to do this attack are attached.

List of accounts created at the BTCPay server and all the information related to the attackers (also attached):

=========================================================================
dekajulimoro@proton.me (btcpay id: 25d18e23-6e74-4507-8432-154ead7a9a91)
82.79.98.45 - COUNTRY: Romania; REGION: Bucuresti; CITY: Cluj-Napoca; ISP: RCS & RDS S.A.

olgahargraveuoy.34@gmail.com (btcpay id: 61f40a8f-9259-4a0f-882d-4c02f0e8d253)
82.79.98.45 - COUNTRY: Romania; REGION: Bucuresti; CITY: Cluj-Napoca; ISP: RCS & RDS S.A.

olgahargraveuoy34@gmail.com (btcpay id: b5f4ec8a-0448-487b-be0a-361730af00d5)
178.175.141.216 - COUNTRY: Moldova; REGION: Chișinău Municipality; CITY: Chisinau; ISP: Trabia SRL
212.0.195.102 - COUNTRY: Moldova; REGION: Chisinau; CITY: Chisinau; ISP: Moldtelecom SA

huxype@imagepoet.net (btcpay id: eef512d2-6fb8-494f-bf41-c7e058e68003)
82.79.98.45 - COUNTRY: Romania; REGION: Bucuresti; CITY: Cluj-Napoca; ISP: RCS & RDS S.A.

goomoogle1@proton.me (btcpay id: fa4d6bd1-bcb7-43c9-a93a-313f7ac1cf7d)
178.175.141.212 - COUNTRY: Moldova; REGION: Chișinău Municipality; CITY: Chisinau; ISP: Trabia SRL
=========================================================================

The above accounts and IPs are all related to this attack. Please compare the above IPs with your own records for validation. When checking our NGINX logs also search for the above IPs and email accounts. These lines will show all transactions made. When checking the DB records you will find all transactions and hashes related to the attack and invoice IDs, etc.

We will appreciate your collaboration in identifying these people and also providing us and the authorities with all the information about who was using the wallet and where they sent the BTC. Also we will appreciate that you URGENTLY freeze any funds related to the transactions in the attached files that are related to this attack.

We will be happy to hear from you ASAP. This is a very urgent situation.

Best regards
Here are the files I sent them in this email. They contain all the information about this hack:
- List of BTCPay accounts created by the attackers
- DB tables and node records with all the transactions, hashes and invoices
- NGINX logs with all the IPs, accounts and http calls
Here's their reply (~21 hours later):
Hi, sorry for a delayed response.

We were crunching through the data you sent and we have a bit more work to do, but from what we already know the BTC sent from these accounts was immediately forwarded to other nodes (with the exception of some residual amounts left). We sent you the node IDs and amounts in the previous message so that you can try to find those LN node owners and see if they have the funds. If there is any more information we can give you to increase the chances of recovering at least some of the funds lost, we will do our best, however our options are limited.

So far, based on your data we identified just one more account on our side that we didn't previously find but it was probably only used for a test, there is only a few euros worth of bitcoin now. All other accounts used are unfortunately empty.

Is there anything we can help you with right now?

Kind regards, Bitlifi team
Clearly this email was written in that "We're sorry but there's nothing else we can do" tone... They sent me the nodes where some of the BTC might have gone but, considering that my own node was on that list and none of the BTC was returned to my node, and also that they didn't even mention if some of the BTC was exchanged for FIAT and withdrawn on their exchange, I can't do much. The amounts were also not correct, for fuck's sake... How can I contact other nodes with incorrect information?!
So I sent this email in reply (the last one so far because days later I have no reply from them):
Hi,

Thank you very much for your reply. The list of nodes in your previous email is incorrect as no amount of the stolen Bitcoin was ever rerouted to my node. All the correct information is in the files I sent over to you. Also I would like to know if you were able to identify any more information based on the files I sent in my previous email?

But anyway, as I understand from your website legal information, you are a regulated and 100% KYC exchange. Taking this into account, I again ask you for your collaboration in identifying the person (your customer) that used your LN node and wallet to do this attack and also all the routes used to transfer the Bitcoin out from your node, to other nodes or even L1 wallets or exchange fiat currency to withdraw in any bank. Also there's a need to know exactly what was done after the Bitcoin arrived in your node and exchange.

I'm preparing all the information to contact the authorities in the Czech Republic, Moldova and Romania on Monday. The legal procedures will obviously require all the correct KYC information on this customer of yours.

I very much appreciate having your collaboration and trying to identify the person(s) associated with this.

Looking forward to receiving your reply,
Best regards
Two days later... SILENCE.
No more emails were received by me.
In the meantime, while I was GETTING FORGOTTEN by Bitlifi, Anycoin and 21M...
While this was going on, @DarthCoin also helped me get into contact with 2 core developers of BTCPay server, Pavlenex and Rockstardev, who had so far not replied to my DMs.
Pavlenex and I spoke on Telegram and, while we were messaging, he also pressed the CEO of Anycoin a bit to help me. As far as I was told by Pavlenex, the CEO said they can't do much. But Pavlenex said that he would continue to follow this case and would get back to me if some new information was discovered... I'm still waiting... No new information from the CEO of Anycoin or Pavlenex.
As to the developer of LNbank, Dennis Reimann, I replied to him on Nostr when he FINALLY AND PUBLICLY ADMITTED that there was a bug in his code and everyone should upgrade the LNbank extension. This was 2 days after my BTCPay server was exploited!
You know what happened? HE DIDN'T EVEN COMMENT ON MY POST. NOT EVEN A FUCKING APOLOGY! Just another person that added me to the "forgotten ones" list...
My investigation
I don't want to bother you with 2 days of not sleeping and just digging up all this shit from the server logs, database records and many other things I had to do to connect the dots.
I started by isolating all possible things that were connected to my Lightning node. Only 2 platforms: LNbits and BTCPay server.
On LNbits nothing was out of the ordinary. All the wallets were normal and the balances were correct. No suspicious transactions were recorded on Postgres.
When I went to investigate BTCPay server the story was a completely different one. Immediately I found 5 newly created accounts on the server, created on the very day of the attack, just a few minutes before the exploit started.
From there I went to investigate the Postgres database. And surely there they were... Hundreds and hundreds of payments made to invoices created at the ln-1.anycoin.cz node in the space of a few hours. All of them with the description "Payment to Bitlifi wallet".
From there I went on to investigate the NGINX logs to check for the logins of those 5 accounts newly created on that unforgettable day, Dec 6th 2023. It was a horrible show of thousands and thousands of lines with IP addresses, LNbank API calls, account logins and a shit show of other stuff that I crossed with other data from the node, Postgres DB and BTCPay server to conclude that 5 accounts (emails) were created to exploit LNbank and that all the satoshis stolen amounted to exactly 407.361.805 SATS.
In the end I also checked the Lightning node to cross-reference the transactions, and they match the transactions registered in the database.
All this information can be checked by you guys on the links above.
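The pattern described above (hundreds of outgoing payments in a few hours, all converging on one destination node, starting minutes after unknown accounts appeared) is exactly what an operator-side alert can catch while the drain is still small. The following is an added example, not code from the original post or from BTCPay/LNbank: it runs a sliding-window check over a node's outgoing payment records and flags any destination that receives too many payments, or too many sats, inside the window. The pubkeys, timestamps and amounts are constructed placeholders, and a real deployment would feed it the node's own payment export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a node's outgoing payment records (not the author's real
# records). Fields: settle time (UTC), final destination pubkey, sats, memo.
# The pubkeys below are placeholders, not real node identities.
DEST_A = "02aa" + "0" * 62          # placeholder: a wallet provider's node
DEST_B = "03bb" + "0" * 62          # placeholder: an ordinary merchant payee
T0 = datetime(2023, 12, 6, 15, 25)   # assumed: minutes after rogue accounts appear

SAMPLE_PAYMENTS = (
    # one legitimate payment from the day before
    [(T0 - timedelta(days=1), DEST_B, 50_000, "coffee")]
    # a burst: 12 payments to the same destination, 30 s apart, same memo,
    # which is the pattern the author found in the BTCPay database
    + [(T0 + timedelta(seconds=30 * i), DEST_A, 350_000, "Payment to wallet")
       for i in range(12)]
    # a normal payment in the middle of the burst, to a different destination
    + [(T0 + timedelta(minutes=2), DEST_B, 20_000, "lunch")]
)


def detect_drain(payments, window=timedelta(minutes=10),
                 max_count=10, max_sats=1_000_000):
    """Flag destinations that receive too many payments, or too many sats,
    inside a sliding time window. Returns {dest: (count, total, first, last)}."""
    recent = defaultdict(list)   # dest -> [(ts, sats)] still inside the window
    alerts = {}
    for ts, dest, sats, _memo in sorted(payments, key=lambda p: p[0]):
        q = recent[dest]
        q.append((ts, sats))
        while q and ts - q[0][0] > window:   # expire entries older than window
            q.pop(0)
        total = sum(s for _, s in q)
        if len(q) >= max_count or total >= max_sats:
            # keep the latest state so the alert reflects the whole burst so far
            alerts[dest] = (len(q), total, q[0][0], ts)
    return alerts


def drain_report(payments, **kwargs):
    """Human-readable line per flagged destination, for a pager or chat hook."""
    return [f"{d[:8]}... {c} payments, {t} sats between {a:%H:%M:%S} and {b:%H:%M:%S}"
            for d, (c, t, a, b) in detect_drain(payments, **kwargs).items()]


if __name__ == "__main__":
    for line in drain_report(SAMPLE_PAYMENTS):
        print(line)
```

In the sample the alert fires on the third payment to DEST_A, well before the burst finishes; wiring the same check to an automatic pause of the wallet software is what turns it from a report into a mitigation.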
What next?
As I wrote to Anycoin in my last email, I'm preparing a case to deliver to the authorities in the Czech Republic and also Romania and Moldova because the IPs associated with this attack are from Internet Service Providers in those countries.
In the process of talking to Anycoin, I also found out that this exchange is regulated by the EU and 100% KYC. You can check it here in their own terms of service that I saved before anything could happen to their website... Read closely points 3 and 4. They must have all the information of the clients to provide the service.
IF KYC IS NOT TO AVOID CASES LIKE THIS OR PUNISH CRIMINALS THEN WHAT THE FUCK IS IT FOR?
I don't know if the authorities or the exchange are going to collaborate in finding the person that conducted the attack on my server but I can't do anything else. Just hope that they identify this person or persons and some of what was stolen can be retrieved.
I will also talk to some people as soon as I can calm down a bit more. I'll try to get some ideas about what my options are.
Broken dreams
As I described above, my wife's and my dream was to move to Bitcoin country and build a community of Bitcoiners who also want to move and live here. We were going to build our own house and a few others so that Bitcoiners can live together on the same land and share the same honest and morally correct principles.
I never stole from anyone in my entire life! I'm a libertarian that respects life and private property. These are the principles that unite the big majority of Bitcoiners! And those are the ones that would be sharing our space. To live off the land and get some affordable rent from the other small houses was our future income.
Now the dream is broken and possibly over. Most of the Bitcoin is gone and I don't even know how I will be able to continue to live here and help El Salvador to become the dream everyone wants it to be. Our only income is a few bucks /month from YouTube, Lightning fees from the hacked node and a few thousand sats /day from Bitcoin mining. We were mainly living very humbly on our own Bitcoin waiting for the next halving to start building this project.
Message to whom it may concern
If you are the one who did this attack, please return the Bitcoins and all will be forgotten. Please read next point.
If you are, in any way, connected to this case, help me in any way you can (tracing the Bitcoin, identifying the person(s) or any other way you can think of). I'm addressing Anycoin and 21M, BTCPay server and LNbank developers, and any other person that feels they should help. Please read next point.
If you are just a random person that happens to be reading this and you feel you can help in any way, please read the next point.
How you can help
I've set up a new wallet that will be publicly exposed so that anyone can send what they want/can and check its balance over time. If by any chance or miracle this wallet gets more than 4BTC, I will donate the surplus to help other Bitcoin projects in El Salvador:
bc1qz8dxk6h8gha5qvsnw67rjzz3xn6t4k0wmafqz3
If you just want to send an email with a kind word of support:
Thank you!