Wyoming’s private keys bill addresses growing threat to rights and assets

March 14, 2023 Coin Telegraph

Wyoming's new law ensures that courts won't overstep their authority in requiring individuals to disclose their private keys.

Governor Mark Gordon of the U.S. state of Wyoming recently signed a bill preventing the forced disclosure of private keys in a move to protect the privacy of digital asset owners.

The incoming law reads “No person shall be compelled to produce a private key or make a private key known to any other person in any civil, criminal, administrative, legislative or other proceeding[s].”

To pass as a private key under the law, it must be “held by a person, paired with a unique, publicly available element of cryptographic data, and, associated with an algorithm that is necessary to carry out an encryption or decryption required to execute a transaction.”

From the effective date, courts in Wyoming will no longer compel individuals to provide access to any private keys that grant access to their digital assets, digital identity or any other interests or rights to which the private key provides.

The only exception to this law applies when individuals are required to disclose the ownership or transfer of crypto during any lawful proceeding.

As the United States Congress struggles to put reins on the crypto, there has been an uptick number of cases where courts force the disclosure of cryptographic private keys.

In many of these cases, courts force the disclosure of private keys as part of discovery or other pre-trial motions.

The forced disclosure of private keys by courts fundamentally contradicts how private keys are designed to work.

Private keys are the wrong tools to use for discovery

A private key is an alphanumeric code used to authorize transactions and prove ownership of a blockchain asset. Private keys are encrypted to protect a user from theft and unauthorized access to their digital assets or digital identity.

When a court requests the disclosure of a private key, they ultimately have access to the digital assets and identities protected by the keys.

Jon Callas, the director of technology projects at the Electronic Frontier Foundation, a non-profit defending digital privacy, free speech, and innovation, said the courts “don’t even want the key, they want the data.”

Mary Beth Buchanan, a former federal prosecutor offering her testimony in favor of Wyoming’s private-key disclosure law, said: “The court could order a disclosure or an accounting of all the digital assets that are held.”

In an essay, the Blockchain Commons, a non-profit that advocates for open, interoperable, and secure digital asset infrastructure, explained that United States courts are not ready to handle private keys.

Blockchain Commons explained that court staff do not have the necessary experience to protect private keys. With a single private key needing to pass through different hands during a case, it possesses a greater threat to the security of private keys.

Wyoming seeks to protect privacy

U.S. Senator Cynthia Lummis, known for her ardent support of Bitcoin and push for clearer digital asset regulation within the country, has in the past said that privacy is a way of life in Wyoming.

Speaking to Cointelegraph on the bill, Senator Chris Rothfuss, co-chair of a digital asset committee in Wyoming, said that the bill aims to provide “Clarity on the legal status of a private key and how it should be treated by the courts.”

“The intent (of the law) is to clearly protect the privacy interest and property rights of digital asset holders. It is to provide the right line guidelines for courts on the standing of private keys,” Rothfuss explained.

As a state, Wyoming has taken some of the most crypto-friendly approaches to regulate crypto in the United States. Although having the smallest population in the United States, in 2021, Wyoming became the first jurisdiction to acknowledge decentralized autonomous organizations as limited liability business entities.

‘Blockchain Bandit’ reawakens: $90M in stolen crypto seen shifting

January 26, 2023 Coin Telegraph

Blockchain bandit

The hacker accumulated as much as $90 million worth of crypto during a six-year thieving spree.

A hacker dubbed the “Blockchain Bandit” has finally woken from a six-year slumber and has started to move their ill-gotten gains.

According to Chainalysis, around $90 million in crypto pilfered from the attacker’s long-running string of “programmatic theft” since 2016 has started moving over the past week.

This included 51,000 Ether (ETH) and 470 Bitcoin (BTC), worth around $90 million leaving the Bandit’s address for a new one, with Chainalysis noting:

“We suspect that the bandit is moving their funds given the recent jump in prices."

The hacker was dubbed the “Blockchain Bandit” due to being able to empty Ethereum wallets protected with weak private keys in a process termed “Ethercombing.”

The attacker’s “programmatic theft” process has drained more than 10,000 wallets from individuals across the globe since the first attacks were perpetrated six years ago.

1/ $90M stolen funds on the move: After 6 years of hodling, the “Blockchain Bandit” has awoken. In this we cover how the Blockchain Bandit amassed this treasure trove and where the funds are currently held.
— Chainalysis (@chainalysis) January 25, 2023

In 2019, Cointelegraph reported that the "Blockchain Bandit" managed to amass almost 45,000 ETH by successfully guessing those frail private keys.

A security analyst said he discovered the hacker by accident while researching private key generation. He noted at the time that the hacker had set up a node to automatically filch funds from addresses with weak keys.

The researchers identified 732 weak private keys associated with a total of 49,060 transactions. It is unclear how many of those were exploited by the bandit, however.

“There was a guy who had an address who was going around and siphoning money from some of the keys we had access to,” he said at the time.

*Blockchain Bandit crypto movements. Source: Chainalysis*

Chainalysis produced a diagram depicting the flow of the funds, however, it did not specify the target address, only labeling them as "intermediary addresses."

To avoid having weak private keys, Chainalysis advised users to use well-known and trusted wallets, and consider moving funds to hardware wallets if large amounts of cryptocurrency are involved to avoid having weak private keys.

Also in 2019, a computer researcher discovered a wallet vulnerability that issued the same key pairs to multiple users.

1inch Network Launches Hardware Wallet for Storing Users’ Private Keys in a Secure Offline Setting

January 19, 2023 Bitcoin.com

What are hierarchical deterministic (HD) crypto wallets?

January 19, 2023 Coin Telegraph

Blockchain

A hierarchical deterministic wallet uses a single seed to create an infinite number of addresses, allowing users to recover funds using a master key.

Are HD wallets safe?

HD wallets are as secure as the medium (physical or digital) on which they are stored.

BIP-32 enables an HD wallet to produce a tree-like hierarchical structure of private keys from the seed. As a result, if a device is lost or destroyed, the seed backup can be used to restore the wallet along with all of the tree’s private keys.

Hierarchical deterministic wallets offer enhanced security and privacy compared to non-deterministic wallets. They are secure because a new address is issued for every new transaction. Therefore, hacking them is a challenging and intricate process. Additionally, an indefinite number of public addresses can be created for the purpose of collecting payments, ensuring users’ financial anonymity.

However, if either private keys or master keys are not safely stored, they can expose users’ funds to malicious actors. Therefore, the chosen seed phrases in HD wallets should be unrelated to users’ names or any other personal details that attackers will find simpler to compromise.

What are the benefits and drawbacks of using an HD wallet?

With hierarchical deterministic wallets, users’ privacy is improved because they can share their master public key with others without putting their money in jeopardy. Similarly, HD wallets are secure since funds are diversified over numerous addresses. However, there is a substantial chance of money being lost if the master key or private keys get revealed to the public.

Due to the hierarchical structure of deterministic wallets, every private key generated by the seed has the potential to be utilized as a master private key, which can then be used as a deterministic wallet to generate further keys.

Also, the changing addresses offer enhanced privacy, as one cannot find out the exact wallet balance from the public ledger. However, anyone who has access to the extended private keys can steal users’ funds, which is why they shouldn’t be shared with non-trusted parties.

Along with improved privacy, deterministic wallets offer great security, as access to a number of different private keys will be required to gain access to all of the users’ crypto assets because they have spread their funds across several addresses. Furthermore, the coins that are controlled by other private keys remain unaffected if one private key is compromised. However, if the seed is compromised, all funds may be stolen by hackers.

How does a hierarchical deterministic wallet work?

To increase security and privacy, an HD wallet creates a fresh key pair from a master key pair (consisting of an extended private key and an extended public key) for each cryptocurrency transaction.

With BIP-32, HD wallets become the de facto standard for Bitcoin. BIP-32 is the Bitcoin Improvement Proposal (BIP) that introduced the development of a wallet structure that resembled a hierarchical tree.

In an HD wallet like MetaMask, a single master key is derived from the wallet seed, which is then used to generate child keys, each of which is capable of generating its own children. A seed, often represented as a mnemonic phrase, is a piece of information that can be used to produce both the wallet’s public and private keys.

A master key pair consisting of an extended private key (XPRIV) and an extended public key (XPUB) is typically present in HD wallets for Bitcoin. Additionally, a child private key is created pseudorandomly from a master private key, and the matching child public keys can be generated by anybody who knows the master public key.

The XPRIV produces all of the child private keys, and the XPUB may display the balances of all the child public keys in the wallet. Moreover, the need for storing multiple key pairs is eliminated, as HD wallet addresses can be generated from the master key or seed.

The same tree of keys will be generated by the master key, allowing users to back up a single seed rather than hundreds of keys in the case of non-deterministic wallets. Furthermore, XPUB keys allow users to receive Bitcoin directly into a cold storage wallet and keep their private keys offline because they allow users to generate new addresses using online extended public keys.

A web retailer that creates new public keys for each sale is an inspiring use case for HD crypto wallets. Using a deterministic wallet, the merchant can quickly produce and save only the public keys on a risky internet server while keeping all of the related private keys secure in offline storage. Additionally, the retailer can use HD wallets’ hierarchical feature to keep only the public keys required to process consumer payments, which might improve the privacy of the user.

What are deterministic and non-deterministic wallets?

A hierarchical deterministic wallet generates public and private keys from a master key, allowing users to create a new wallet and retrieve all addresses and keys, given that they have access to the seed. On the contrary, non-deterministic wallets randomly generate wallet addresses and private keys, restricting users’ ability to recover addresses and keys if the wallet’s details are lost.

Typically, digital signatures and pairs of private and public signing keys are used in blockchain-based cryptocurrencies. That said, users spend their money by signing a transaction with the private key, and other users (recipients) can use the public key to confirm the signature’s validity. Private keys can be used to generate public keys, but not the other way around.

For instance, a user’s Bitcoin wallet comprises a set of private keys that enable the owner to spend any Bitcoin (BTC) linked to those keys. When the user needed them, Bitcoin wallets would randomly generate BTC addresses and private keys. Such types of digital wallets are called non-deterministic wallets (ND).

However, since the keys are not generated in any pattern, users must make a backup of each key whenever a new one is generated. That said, if the wallet’s details are lost, all of the addresses and keys would also be lost.

This type of Bitcoin wallet is also known as a “just-a-bunch-of-keys” (JBOK) wallet, as it produces unrelated keys and requires users to keep track of their transactions every time they buy and sell their cryptocurrencies. So, what are hierarchical deterministic (HD) wallets?

Hierarchical deterministic wallets took the place of JBOK wallets since users could back up HD wallets using a single seed and greatly benefit from extended keys. Therefore, a wallet that generates its public and private keys from a seed is referred to as a hierarchical deterministic wallet.

These wallets can be used for a variety of intriguing things, such as trustless auditing, online shopping and departmental funding distribution by the treasurer. For instance, an individual might disclose their master public key to external auditors, who could then use that key to view any future transactions made using BTC. In this case, the user’s funds are secure because the private keys linked to those funds are never revealed.

The summary of differences HD vs. non-HD wallets is listed in the table below:

How to keep your crypto safe in 2023: a few tips from an analyst

January 9, 2023 Coin Telegraph

Bitcoin Wallet

Lead on-chain analyst at Glassnode, James Check, explains why taking self-custody of your private keys has become more important than ever and how to do it in a few simple steps.

There is no excuse for not putting a few hours of research into how to properly custody your crypto, according to lead on-chain analyst James Check. Joining the latest debate around self-custody, the analyst pushed back against the notion that managing private keys is too complicated and risky for the average crypto user.

“If you have gold in your vault, if you have cash in your wallet, it's the same concept: you need to exercise a level of responsibility,” said Check in our latest Cointelegraph interview.

Check argued that, while third-party custody and semi-custodial solutions such as collaborative custody may appear more user-friendly for the average user, they also have their own, even bigger, vectors of risks.

To the analyst, when it comes to custody "there are no solutions, only trade-offs." His position is that being in full control of your own crypto and eliminating the third-party risk is well worth the effort of learning how to keep your wallet's 12 word seed phrase safe.

Ultimately, Check pointed out that the amount of time and effort someone should put into learning self-custody should be scaled proportionally to the size of thei holdings.

“If you're not willing to put more than 5 minutes into it, then don't put more than $5 into it. If you're willing to do 100 hours now, you can start talking about doing your significant sums of savings,” he said.

To find out more about Check's approach to self-custody, check out the full interview on our YouTube channel and subscribe!

Unreported Transactions Linked to Disgraced FTX Co-Founder Revealed by Onchain Investigation

January 5, 2023 Bitcoin.com

Crypto on-chain crime drama sees the good guys finally win

December 21, 2022 Coin Telegraph

Coin Telegraph

The security firm managed to avert a crypto robbery by simply paying a higher gas fee than the exploiter.

The stories about people getting their private keys hacked or stolen are nothing new, and users have reportedly lost their life savings because of these thefts. However, in quite an anti-climax scene, a crypto user managed to save their crypto holdings despite losing the private keys.

Harpie, an on-chain security firm, revealed an instance of on-chain crime drama where the good guys eventually won. One of the users in their discord group reportedly raised concerns about the suspected theft of their private keys. When the firm looked into the said customer’s wallet, someone was indeed trying to transfer funds from the victim’s accounts

How did we do this?

About a month ago, this user protected their tokens with Harpie.

By approving and protecting their tokens with Harpie, this user gave us permission to intervene if we ever spotted a theft on their wallet.

5/7 pic.twitter.com/33KYDKZeO1
— Harpie (@harpieio) December 20, 2022

However, the security group managed to act fast and move the victim’s funds to a non-custodial address before the hacker could transfer those funds. This contract allowed the victim to recover their lost tokens from a different, uncompromised wallet. The security firm was able to do so by offering a higher gas fee for transferring the victim’s address.

This was only possible because the victim protected their tokens with Harpie, allowing the security firm to intervene whenever a case of possible theft came to their attention. The firm said:

“When we detected the malicious transfer, we moved this user's funds to a noncustodial vault before that transaction could confirm by paying a higher gas fee.”

The on-chain security firm said that they have recovered about $700,000 worth of stolen funds and acts as an on-chain firewall for the community.

While what Harpie did was all about timely intervention and required access to the user’s wallet, there have been several instances where the crypto community has come together to retrieve stolen funds and nonfungible tokens as well. As Cointelegraph reported in May, the Solana community came together to “scam” a scammer in order to get back some stolen NFTs.

With blockchain and distributed ledger technology powering a majority of the cryptocurrencies, the tracking of any form of stolen funds becomes easier. On the other hand, stealing funds is only the first step for exploiters and it might take them years to move a small portion of funds, and there have been instances where they were caught even then.

Another Mysterious Person Signs a 2009 BTC Address, Message Shared by Martin Shkreli Mentions Convicted Felon Paul Le Roux

December 15, 2022 Bitcoin.com

How do crypto hardware wallet firms make money?

December 8, 2022 Coin Telegraph

Bitcoin Wallet

All the companies that are involved in producing hardware crypto wallets have multiple revenue streams, either directly or indirectly.

The hardware wallet industry has emerged as one of the most resilient sectors to the ongoing cryptocurrency winter, with issues like the FTX crash bringing in even more cold wallet sales.

The bear market of 2022 has once again reminded crypto investors of the importance of self-custody and independence from centralized exchanges (CEX).

As a result, some major CEXs like Binance has increased their investment exposure to hard wallet firms, while CEO Changpeng Zhao even suggested that CEXs may no longer be necessary in the future. Should it be the case, the crypto industry of the future will be quite unlike the existing one because the business model of hardware wallets is very different from that of CEXs.

One massive difference is how hardware wallets make money because — unlike CEXs — cold wallets don’t charge any fees for most transactions by design. But selling devices cannot be the sole revenue stream for cold wallet manufacturers due to a number of reasons, including that hardware wallets are durable devices that don’t often need upgrades.

So, how do hardware wallet manufacturers actually make money? Cointelegraph reached out to several cold wallet providers to discuss the issue to better understand their business model.

How long does a hardware wallet last?

There is no clear answer on how long a hardware cryptocurrency wallet is able to last, partly because the world’s first-ever cold wallets are still working properly.

Czech Republic-based hardware wallet firm Trezor was the first company in the world to officially release a cold wallet back in 2014. After eight years, the Trezor One model is still one of the most popular hard wallet devices, with many customers still using their first generation of Trezor devices, Trezor brand ambassador Josef Tetek told Cointelegraph.

“Trezor devices come with a two-year warranty. However, that doesn’t mean the devices break down after two years,” Tetek said, adding:

“At conferences we regularly meet users who still use the first edition from 2013. In general Trezor devices are very durable and the fault rate is minimal.”

The exec emphasized that users can break, lose or damage their devices, but they will keep their Bitcoin (BTC) if they keep their recovery seed backup intact.

According to Ledger, another major cold wallet provider, the lifespan of a cold wallet is “really long,” but is not something that the firm can estimate. “Devices are designed to last. Sometimes issues come up as with every product, but people should be able to bury them,” a spokesperson for the firm told Cointelegraph.

According to some hardware wallet providers, card-based cold wallets can last for dozens of years or never expire at all.

Recent: Into the storm: The murky world of cryptocurrency mixers

Andrey Kurennykh, CEO at the SBI-backed cold wallet firm Tangem, suggested that their card-like hardware wallet has the same lifespan as the underlying Samsung S3D350A secure element. “Samsung claims that they have a lifespan of more than 25 years. Since there are no other hardware components in Tangem wallets, we consider this to be the lifespan of the whole device,” Kurennykh said in an interview with Cointelegraph.

Adam Lowe, creator of another cold wallet company Arculus, also told Cointelegraph that the company’s card-like cold storage device “never expires.”

As hardware wallets might never require a user to upgrade the device, how do cold wallet firms keep running operations, given that such companies have to spend significant resources to provide long-time support for their customers?

Increasing demand for hardware wallets

Many hardware wallet providers have been forced to expand their support staff in order to meet increasing demand for cold wallet devices.

“We have significantly scaled up our support team, which has been important to us considering recent events in the crypto industry and the increase in people moving to self-custody,” the Ledger spokesperson said.

“We’re seeing a large influx of people new to crypto from different channels and geographies, and we're strengthening support proportionally,” Tangem’s Kurennykh noted.

A number of wallets have also introduced new support solutions including self-help tools and chat bots, allowing them to more easily handle frequently recurring requests like implementing an e-commerce API. “This helps to handle unexpected surges in inquiries such as that experienced in the recent FTX collapse,” Trezor’s Tetek said, adding that the firm has also been actively adding videos on solving the most common issues and difficulties.

Cold wallets’ multiple revenue streams

All the companies that are involved in manufacturing hardware crypto wallets have multiple revenue streams, either directly or indirectly, according to comments from industry executives.

“Ledger isn’t just a hardware company, we’re a software company as well with Ledger Live,” a representative said, adding that its revenue comes from not only selling Ledger devices but also through services on Ledger Live.

The firm also offers its own nonfungible token platform known as Ledger Market, business-to-business (B2B) products tool called Ledger Enterprise and others, the spokesperson noted.

Ledger has also been actively expanding its devices, launching a total of seven different cold wallets since 2014. Ledger’s latest wallet, developed in collaboration with iPod Classic creator Tony Fadell, is priced at $279, which is $200 higher than the cost of the previous Ledger wallet.

Rival firm Trezor doesn’t offer any financial services and doesn’t levy any fees on using its Trezor Suite app, Tetek said. At the same time, its sister firm, Invity, enables Trezor users to buy and sell Bitcoin (BTC) and other crypto currencies directly from the Trezor Suite, he said, stressing that the firm is a separate business from Trezor.

According to Tangem’s Kurennykh, the firm has several revenue streams, with as much as 70% of the company’s revenue coming from hardware wallet sales. About 20% of revenues come from third-party services fees like on-ramp and off-ramp exchanges, while 10% is generated through white-label wallet sales, Kurennykh said. The company is also working on its own non-custodial payment solution, which is expected to make another additional revenue stream.

Ruben Merre, co-founder and CEO at Binance-backed crypto wallet Ngrave, also told Cointelegraph that the firm’s revenue is mostly generated from product sales. However, there are areas for additional revenue streams, including a transaction fee for a fiat-crypto onramp. “The user can then buy crypto directly from the hardware wallet app [...] The hardware wallet manufacturer may charge a transaction fee for this process,” Merre said.

Additionally, a number of cold wallets also participate in affiliate or promotion programs in cooperation with crypto services and exchanges.

There’s no public hard wallet company yet

As none of the existing hardware wallet companies are public, there is no readily available data on the revenues coming from their business. All the hardware wallet firms interviewed by Cointelegraph declined to provide any figures related to their financial information, citing their status as a private company.

At the same time, the executives reiterated that the collapse of the FTX exchange in November has driven massive sales and traffic to hardware wallet platforms.

In November, Ledger doubled its transaction revenue through Ledger Live month-over-month, also recording an all-time-high in number of trades through Ledger Live, the spokesperson said. “We had our best sales month ever in November, with our two best sales days ever on Nov. 13 and Nov. 14, following FTX,” the representative added.

“We can say that we have sold over 1 million devices, and we are experiencing record sales after the recent FTX collapse,” Trezor’s Tetek also noted.

As previously reported by Cointelegraph, the hardware wallet industry had been estimated to grow at a faster pace than exchanges, even before the FTX crash. But despite self-custody being one of the genuine purposes of crypto, investors should still be aware of the risks associated with storing coins by themselves.

Breaking: Ankr confirms exploit, asks for immediate trading halt

December 2, 2022 Coin Telegraph

aBNBc

The decentralized-finance protocol said it is working with exchanges to immediately halt trading of its BNB staking rewards token, aBNBc.

BNB Chain-based decentralized finance (DeFi) protocol Ankr has confirmed it has been hit by a multi-million dollar exploit on Dec. 1.

The attack appeared to be first discovered by on-chain security analyst PeckShield at approximately 12:35 am UTC on Dec. 2.

Within an hour of the attack, Ankr confirmed on Twitter that the aBNB token has been exploited and that they’re working with exchanges to immediately halt trading of the compromised token.

Our aBNB token has been exploited, and we are currently working with exchanges to immediately halt trading.
— Ankr (@ankr) December 2, 2022

The attacker was purportedly able to mint 20 trillion Ankr Reward Bearing Staked BNB (aBNBc), a reward-bearing token for BNB staked on the protocol.

According to a Twitter post from on-chain analysis firm Lookonchain, the exploiter has since used services such as Uniswap, Tornado Cash, and various bridges to swap and obfuscate the funds in order to gain around $5 million worth of USD Coin (USDC).

It also added in a following post that “all underlying assets on Ankr Staking are safe at this time, and all infrastructure services are unaffected.”

Seems that @ankr got hacked an hour ago!

The exploiter minted 20T aBNBc and dumped it on #PancakeSwap.

At present, the exploiter have successfully exchanged more than 5 million $USDC.https://t.co/hF1tgNYw0t pic.twitter.com/XIPjBi6wvs
— Lookonchain (@lookonchain) December 2, 2022

In comments to Cointelegraph about the attack, blockchain security firm Beosin suggested the exploit was likely the result of vulnerabilities in the smart contract code combined with compromised private keys, which may have come from a technical upgrade by the Ankr team about 12 hours ago.

Beosin also noted that the mass minting episode caused the price of aBNBc to fall 99.5% from $303.89 to $1.53 in a matter of hours, according to data from CoinMarketCap.

@ankr has been exploited. $aBNBc has dropped -99.5%.
The hacker minted tons of $aBNBc and made a profit of 5,500 BNB (~$1.6 million)
The deployer changed the implementation contract to the vulnerable contract address before the attack (possibly due to private key compromise). pic.twitter.com/GJheXh0oDp
— Beosin Alert (@BeosinAlert) December 2, 2022

“It is possible that the deployer’s private key was exposed in this upgrade, leading to an attacker using deployer privileges to modify the contract,” a Beosin spokesperson told Cointelegraph.

In a Dec. 2 Twitter post, crypto exchange Binance also confirmed its team is engaged with relevant parties to investigate the matter further, adding that Binance's user funds are not at risk.

We are aware of the attack targeting @ankr's aBNBc token. Our team is engaged with the relevant parties and @BNBCHAIN to investigate further.

This is not an attack against #Binance, and your funds are SAFU on our exchange. This thread will be updated should there be any updates.
— Binance (@binance) December 2, 2022

Cointelegraph contacted Ankr when the exploit was first discovered but did not receive an immediate response.

private keys