Getting your Bitcoin stolen at the club, a cautionary tale
We’ve all heard countless tales of people losing their crypto. Whether that be via an exchange breach, loss of keys or malware; but few have had their crypto stolen from them physically, especially in a public setting.
This article is a cautionary tale about a good friend of mine (let’s call him Bob), who had his crypto stolen (and bank cards drained) on a night out on the town in London. With this article I hope to draw more attention to this attack and remind everyone that even banks can fail to make you whole.
Some context
I am a crypto enthusiast and software engineer in the field. Bob works a non tech job and I helped him purchase and store the bitcoin that he held on his phone.
Since he had only purchased a few thousand dollars worth of Bitcoin, I figured that an iOS crypto wallet would be secure enough for his needs. We made sure to secure his seed phrase with pen and paper, and I never anticipated an attack in person like this, instead I believed it far more likely that he would lose his seed phrase.
What happened
Bob went on a holiday with his friends to Europe. One of the places on his list was London (a surprisingly risky city) and he went out for drinks with his mates.
While at the club, he was scouted out by a group of criminals. Bob had had a few drinks and was noticeably intoxicated. Despite having FaceId enabled, he remembers keying in his pin code.
Bob and his mates were later approached by these group of criminals when they left the club. They seemed like friendly lads who enjoyed a bit of banter. While walking, they encouraged them to have some nangs with them (nitrous oxide). Initially reluctant, Bob and his mates agreed to have some, figuring they were decent enough blokes.
As soon as they were dazed by the nangs, Bob immediately noticed that something was amiss and he began to feel suspicious. While under the influence, he noticed the group suddenly walk off at a frisk pace. Checking his pocket, he noticed that his iPhone had gone missing…
Bob initially thought that he had only lost his iPhone, but he was quickly disabused of this notion. Checking his accounts on another device, he released that his credit card had been maxed out and his passwords changed.
All the Bitcoin and other coins held in his mobile wallet had also disappeared and while he never revealed this ownership to the thieves, they knew where to look. The thieves also changed his binance password, but thankfully he did not have any crypto in there.
While the attackers did not have the means to unlock his FaceId, they were able to successfully snoop on him keying in his passcode.
Bob was quick to inform the police and his bank, but neither party was particularly useful. I will delve deeper in this below…
What the UK police did to help Bob
…
The battle with the bank
What is particularly interesting about this unfortunate event is what happened afterwards with Bob’s bank.
Bob’s credit card had been completely drained via Apple Pay to illegitimate merchants and the thieves were only able to stop spending the funds once the card had been completely maxed out.
The bank was unable to recognise these transactions as suspicious, despite the fact that such banks routinely block their users legitimate transactions on the suspicion that they were not authorised.
Bob immediately informed the bank of what had happened and had to wait many hours on hold to get through to a representative.
Despite all this, the bank on numerous occasions sent emails to Bob stating that his case was rejected, on the count that the transactions were authorised by him, as they had come from his unlocked device.
Frustrated, Bob lodged numerous complaints and eventually got hold of a manager from the bank. This manager tried to pressure him into receiving a fraction of the stolen funds back in “good faith”.
It was not until Bob engaged the services of a tribunal that the bank agreed to give back the majority (but not all) of the funds. The bank also threatened to withdraw their “good faith” offer upon escalation of the case with the tribunal.
We in the crypto world have always known that transactions are irreversible and once it’s gone, it’s gone. Traditional financial services, like banks, were always viewed as a place where you could get recourse and be made whole. This story has shown that even the banks are not as reliable or honest as we have been led to believe.
What you should take from this article
It is my hope that this article has informed you about some of the offline risks that you take with crypto. While it is more likely that you will lose your seed phrase or be subject to an online attack, you must ensure that you are also secure in the offline world.
While my friend only lost a few thousand dollars worth of crypto, it is a worrying tale, one that should alert us to the fact that we really ought to keep the majority of our crypto holdings off devices that are connected to the internet and/or frequently on our person.
Some tips to keep you safe
- Only store small amounts of crypto on your mobile device
- Limit the amount of funds available on your credit cards
- Never let strangers near your devices, even if they are locked
- Don’t assume that you will only lose your phone if it is stolen, that’s the best case scenario
- Look up the reputation of your bank
- Some banks allow you to lock up your credit card, but that lock might not apply to Apple/Google pay
So what do you think about this situation? Leave your comments below…
