Bitcoin Hack - A Hand in the Cookie Jar

Hackers are actively seeking to steal your Bitcoin. This story acts as a warning and reminder to make security your top priority.

It has been another interesting week. The US Government is currently on shutdown and we all live in desperate hope that it might remain that way. Meanwhile, Bitcoin is approaching new all-time highs against government-issued coupons and continues to demonstrate that it’s the best form of money we have.

But as much as we enjoy making fun of inept governments and celebrating the inevitable demise of fiat currencies, this week we wanted to share with you a story that’s a little more serious and definitely not something worth celebrating.

This week, Bitcoin Cookie, a valued member of the Bitcoin community who some of you may know already, was unfortunately targeted by a hacker and had his entire Bitcoin stack drained.

This story truly is the stuff of nightmares, and not one I enjoy writing about.

Nevertheless, in the midst of a bull market, where excitement and exuberance are high, mistakes are easy to make. This story acts as a timely reminder to always keep your wits about you and to make sure Bitcoin security is your top priority.

Let’s dive into what happened so you can learn the techniques hackers are currently using and the steps you can take to thwart their efforts.

Cookie’s Bitcoin Hack – How It Happened

So, you will no doubt be wondering how the attack happened.

How exactly did the Cookie crumble?

Well, it all started with a social engineering attack.

Cookie is a relatively well-known Bitcoiner on X and is currently building a Bitcoin project of his own. As a game designer by trade, he’s creating a Bitcoin Trading Card Game in his free time, building it in public, and sharing his progress with the community along the way.

All very fun, wholesome stuff!

Unfortunately, the hacker used this information to their advantage and reached out to Cookie from a verified X account, claiming they would love to invite him onto a podcast to talk about Bitcoin and his project.

The sad truth, however, is that the podcast was never genuine, and the verified X account the hacker reached out from actually belonged to another one of his recent victims.

It was all just a cruel trap.

Cookie, being a lot like the rest of us, never needs much of an excuse to talk about Bitcoin, so he agreed to the podcast without realizing he was being led toward a fatal mistake.

The hacker explained that, to facilitate the recording, they would be using the popular podcasting software StreamYard and insisted that Cookie install the software on his desktop because “advanced recording features” would be needed that aren’t available in the browser version.

The ever “helpful” hacker also provided a link that Cookie could download it from.

But the link the hacker shared didn’t lead to the legitimate StreamYard website. Instead, it directed Cookie to a copycat site controlled by the hacker.

The file Cookie was instructed to download wasn’t streaming software at all—it was malware that granted the hacker access to Cookie’s device and a variety of his online accounts.

Now, Cookie was using a hardware wallet to secure his Bitcoin and had also securely backed up his seed phrase offline by stamping it onto metal—steps that should have been enough to keep access to his Bitcoin well out of the hacker’s reach. Unfortunately, his setup had one major flaw: he had also backed up his seed phrase online, in plain text, to the cloud.

This meant that once the attacker had compromised Cookie’s online accounts and gained access to his cloud storage, he could look through all the files, eventually find Cookie’s seed phrase, and steal his Bitcoin.

A painful reminder that you should NEVER store your seed phrase online or anywhere near an internet-connected device.

Chasing the Stolen Bitcoin

I only have an intimate understanding of this story because I was probably one of the first people to hear that Cookie had been hacked. Through complete serendipity, I happen to have notifications switched on for Cookie’s X account (I wanted to follow along with his game development).

So when he posted a random reply to someone on Twitter, I saw it.

My heart immediately sank.

You may or may not know that I had my own experience with getting hacked. My father and I suffered a very similar experience back in 2023, where hackers compromised us and stole 25 Bitcoin that we had hodl’d for 10 long years. My entire life savings and his retirement were wiped out in an instant. If you’re unfamiliar with the story, I gave a talk on it in Prague that you can watch here.

It was one of the most brutal experiences of my life, and I knew exactly how Cookie must have been feeling. I felt his pain immediately.

Having been through the same situation, I knew exactly the steps Cookie should take next. Given the hack had happened recently, there was still a chance (albeit slim) to track the funds and try to get ahead of the hacker.

First, I put Cookie in touch with the contacts I made in the U.K. police force following my hack. I knew that doing this quickly was essential because the police can contact Bitcoin exchanges and notify them to freeze the stolen funds if they ever get deposited there.

If you ever find yourself in this situation, you should contact the authorities immediately for this reason.

Next, we needed to figure out where the funds were being sent and track the attacker’s movements through the blockchain. I know my way around a block explorer reasonably well, but I’m no chain analyst. We needed expert help.

Not knowing where else to turn, I reached out to one of the amazing people who helped me when I got hacked. I messaged Keonne Rodriguez, the Samourai developer currently facing five years in jail at the hands of the DOJ for building tools to help Bitcoiners protect their privacy.

When I was hacked, and despite us being complete strangers, Keonne Rodriguez reached out and did everything he could to help trace my funds. The chain analysis he did for us was invaluable when we had to explain to authorities what had happened.

And once again, Keonne dropped everything to help a Bitcoiner in need. Despite having more than enough on his own plate right now, he helped track Cookie’s stolen funds and, within 25 minutes, provided us with all the information we would need to pass to the authorities.

Keonne’s chain analysis helped us identify that the hacker had sent Cookie’s Bitcoin to Binance, which meant there was still hope. If we could get the authorities to contact Binance quickly enough, they could have the funds frozen, at which point there would be a good chance of recovery.

And guys, I wish so much that I could tell you we were fast enough. But unfortunately, we weren’t. The hacker swept Cookie’s wallet on Saturday, and we only became aware of it on Monday. The hacker did deposit the funds to Binance, but I’m sorry to say that by the time we managed to make contact with them, the funds had already been withdrawn.

The police will continue to investigate the case and hopefully will be able to identify the perpetrators, but I’m sorry to say that the chances of recovering the funds are now extremely low.

Bitcoin Community Assemble

This is, of course, a tragic story, but like with most sad stories, you can always find a silver lining. In this story, that silver lining was created by the amazing people in our apparently “toxic” Bitcoin community.

Following the hack, Cookie has been inundated with messages of support, and despite his initial reluctance, the community has been showering him with donations to help him get back on his feet.

And you’ll be pleased to know that our very own Tony has reached out to Cookie as well to make sure he NEVER loses his Bitcoin again. We will be gifting him a brand-new Start9 Server so he can run his own Bitcoin node, and an air-gapped hardware wallet so his seed phrase never touches an internet-connected device ever again.

And, of course, we will provide him with expert training on how to use them.

Welcome to The Bitcoin Way community, Cookie. It’s a pleasure to have you on board.

If any of you would like to extend a warm welcome to Cookie or a message of support, you can find him on X here.

(I can verify he now has full control over this account again.)

Key Lessons Learned

There are a few key lessons we can all learn from this event to help us stay vigilant and keep our devices and our Bitcoin secure:


1) The Threat Is Real

It’s easy to forget that there are people out there who are actively seeking to steal your Bitcoin. They make a career out of it.

They buy leaked KYC data to target people, impersonate legitimate companies, send fake emails with phishing links, and, like in this case, use social engineering to manipulate you.

These threats are very real, and you can’t afford to get complacent. You have to take your Bitcoin security extremely seriously. If you want to be your own bank, you also take on the responsibility of “head of security.”

2) Trust No One

A verified account doesn’t mean someone is trustworthy. Like in this case, any account that messages you could potentially be compromised—even friends and family. Once the hacker had control of Cookie’s X account, they went on to use it to DM his contacts and try to scam them as well.

If you’re not sure, slow down and take the time to verify that you really are speaking to who you think you are.


3) Only Download Software from Reputable Sources

Someone sending you a link to download software should be an immediate red flag, especially if it’s someone you don’t know well. Instead of trusting random links, go directly to the official website to download anything you want to use.

You should make a habit of doing everything possible to verify that any software you’re downloading is legitimate. Most Bitcoin-related software will be signed by the developer with PGP keys that you can use to prove that what you’re downloading is authentic.
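
One way to run that check from a terminal, as an added example (not from the original newsletter or any wallet project): confirm the checksum manifest is signed by a key whose fingerprint you obtained independently, then confirm the download matches the manifest. The function names, file names and fingerprint argument are assumptions; a copycat site like the one in this story can host a matching checksum and signature of its own, so the pinned fingerprint must never come from the download page.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded installer against a signed checksum manifest.
# File names and the pinned fingerprint are placeholders supplied by the caller.

# Print the primary-key fingerprint from `gpg --status-fd` output (VALIDSIG line),
# or nothing if no valid signature was reported.
signer_fingerprint() {
  printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Succeed only if the file's SHA-256 matches its entry in the manifest.
check_sha256() {
  local file="$1" manifest="$2" name expected actual
  name="$(basename "$file")"
  # Manifest lines use sha256sum format: "<hex digest>  <file name>".
  expected="$(awk -v n="$name" \
    '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$manifest")"
  [ -n "$expected" ] || { echo "no manifest entry for $name" >&2; return 1; }
  actual="$(sha256sum "$file" | awk '{ print $1 }')"
  [ "$expected" = "$actual" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# Full check: manifest signed by the pinned key, then file matches the manifest.
verify_release() {
  local file="$1" manifest="$2" sig="$3" pinned="$4" status fpr
  status="$(gpg --status-fd 1 --verify "$sig" "$manifest" 2>/dev/null)" || {
    echo "signature on manifest did not verify" >&2; return 1; }
  fpr="$(signer_fingerprint "$status")"
  # Normalise the pinned value (strip spaces, upper-case) before comparing.
  pinned="$(printf '%s' "$pinned" | tr -d ' ' | tr 'a-f' 'A-F')"
  [ -n "$fpr" ] && [ "$fpr" = "$pinned" ] || {
    echo "signed by unexpected key: ${fpr:-none}" >&2; return 1; }
  check_sha256 "$file" "$manifest"
}
```

A call would look like `verify_release installer.bin SHA256SUMS SHA256SUMS.asc "<fingerprint from an independent source>"`, after importing the developer's public key into your keyring.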


4) Never Store Your Seed Phrase Online

When it comes to keeping your Bitcoin safe, it’s absolutely essential that you never store your seed phrase online. Your hardware wallet can’t protect your seed phrase when an attacker can just find it somewhere else.

With the right self-custody setup, your seed phrase should NEVER interact with an internet-connected device, even when you need to send a transaction. If you’re still plugging your hardware wallet into your laptop to send Bitcoin, you’re doing it wrong. You should be using an air-gapped hardware wallet instead.

I want to extend a big thank-you to Cookie for being strong enough to share his experience with the rest of the community and for giving me the thumbs-up to cover it in this week’s newsletter. Doing so will help countless others avoid making the same mistake. It takes a strong character to own your mistakes so publicly.

That’s how we all know you’re still gonna make it—because you’re one tough cookie.

Secure Your BTC the Right Way – The Bitcoin Way

The best investment you’ll ever make is buying Bitcoin. The second best is the time and energy you put into making sure you keep it secure.

At The Bitcoin Way, that’s what we’re here for. We train people from all walks of life and all skill levels on how to use Bitcoin effectively and keep it 100% secure. With our training, you won’t have to worry about hackers stealing your Bitcoin because you’ll have a setup that makes it impossible.

Bitcoin can and will change your life, but only if you can keep hold of it. If you’re ready to make that an absolute certainty, then all you need to do is book a free 30 minute consultation with one of our experts and we will get your training started ASAP.

Podcasts and price predictions can wait. In The Bitcoin Way community we prioritise stacking sats and stacking skills. If you want to become the best version of yourself, you should join our ranks.
