Bitcoin Q&A: Multi-signature and distributed storage


“When a wallet is hacked, is all that they’re taking the private keys, which they can store somewhere else… and use the value associated with it?” “Is there no way to follow the money at all? Is there a way those stolen bitcoin could be laundered?”

That’s a good question, Carol. Let’s see how that works… As soon as someone accesses your private keys, they have the private keys and you have the private keys. Now it is a race for who will take the money first. An attacker who has accessed your private keys will not leave the money on addresses controlled by those keys. Those private keys are still also controlled by you. Either you or the attacker can now spend that money. If you find out that your keys have been stolen, [and the attacker hasn’t moved the money yet], the best thing you can do is move that money as quickly as possible… to addresses controlled by keys that haven’t been stolen. Then you are still the only owner of that money. The attacker is trying to do the same thing. They will try to move that money as quickly as possible to addresses they control alone. There is this very short period of time when two parties control the keys to a set of addresses; whichever party can move those funds to new addresses they control effectively takes those funds. The first thing an attacker will do, as soon as they gain control of your private keys, is called a sweep. They will do a transaction [which moves] everything from those private keys and addresses… to new addresses that they control.

Is there no way to follow the money at all? Sure. You can follow the money [on the blockchain]. But how far can you really follow the money? You can follow the money from that first sweep transaction. You see [the money] going to another address, but you don’t know who owns that address. A few minutes later, you see [the money] leaving that address to ten other addresses. A few more minutes later, from each of those ten addresses, the money leaves to twenty new addresses. Now you [must] track two hundred addresses total. A few more minutes later, all the money moves again. Now you [must] track two thousand addresses. Some of those [transactions] end up at an exchange… or some other place where the money can be exchanged for another cryptocurrency. Maybe they are involved in an atomic swap or sent to LocalBitcoins to be sold for cash. You are no longer able to track or follow that money.

To answer your question, is there a way these stolen bitcoin could be laundered? Oh, yes. Keep in mind that the bitcoin stolen from Mt. Gox didn’t disappear; it simply got transferred again and again until it could no longer be tracked with any degree of certainty. It’s still out there. You may have used [some of it] this morning to buy a cup of coffee. You wouldn’t know that money had originally been held in a Mt. Gox wallet. It cycled back [into the economy]. Think of it like cash. If a bank robber steals cash, they [may] then go to a hundred gas stations to spend it. That cash [will] be taken by the cashier, given [later to someone else] in change for the pack of gum. Once you have it, you [will] take it to the next shop and spend it. Before long, it’s still in the economy, but no longer owned by the same person, and it’s [practically] impossible to track.

“If an exchange or wallet is hacked, is it possible to track and identify the hacker?”

Possible? Yes. Likely? No. Even though you can track transactions on the blockchain, see that they’ve moved from address to address, you don’t know who that address belongs to. Addresses in Bitcoin are not [inherently] tied to IP addresses or anything showing the identity of the user. Even if you track them to an address, usually a few minutes later they move the coins to another address, then ten more addresses; they split up and join back together. Very soon, you completely lose track. Some companies have done rather extensive analytics. They have tried to track various stolen coins, including… the coins that left Mt. Gox [in 2014] and various other thefts from exchanges. Even though those coins are in circulation, it is hard to tell if they’ve been laundered, sold, distributed to users, or if they’re still being held by the hacker in multiple different addresses. You can track to a certain extent, but you can’t identify any of the addresses [easily].

“What are some suggestions for keeping your bitcoin private keys safe from developers/coders you hire?”

That is an interesting question. Ideally, you would have [the private keys] on hardware wallets. One good trick, almost essential, to use in a corporate environment is multi-signature [addresses and wallets]. You should be using multi-signature with hardware wallets, where different people in the organization… have a key as part of a multi-signature scheme, for example a 2-of-3 or 3-of-5 signing scheme. The purpose is not just to protect it from the developers and coders you hire, but also to prevent the CEO from running away with all of the company’s money. You should never have one person able to take all the money and run away. The best way to do that is through separation of duties, the use of on-chain multi-signature transactions, [with keys] stored and [signatures] signed on hardware wallets. There are a number of [wallets] that can do [these operations]. Probably the two easiest wallets to use… are Copay or Electrum, which support multi-signature and the Ledger and Trezor hardware wallets.

Mark asks, “Multi-sig Trezor wallets with Electrum.” “Is setting up multi-sig wallets in Electrum secure? Is it something worthwhile to do, or is it better to… stick with a single Trezor and use a passphrase, storing a copy of your recovery seed at a secure location?” “The single Trezor is much more convenient, but I have been wondering how safe it is.” “If someone manages to steal it, even if I added a passphrase, is it possible or likely that a thief with… technological know-how would be able to figure out my passphrase and brute-force it?”

All right, great. There are a couple of different questions there. Let’s untangle them. I’ll start from the end: Is it possible a thief [could] brute-force your passphrase by stealing your hardware wallet? There are [three] different aspects here. One is whether they can steal your hardware wallet. The other one is whether they can steal your seed. Then the question is whether they can brute-force the passphrase or not.

The hardware wallet is actually more secure than the seed, because most hardware wallets store seeds in… a chip that is either a Secure Element or that is isolated from the user interface with some mechanisms… that enforce PIN control, [which] is designed to be difficult, if not impossible, to brute-force. As anyone who has forgotten the PIN on their hardware wallet soon discovered, the delay [to try another entry] doubles every time you enter the PIN incorrectly. You get into some very serious delays within just a dozen [failed] attempts. It reminds me of the old anecdote or story about a peasant and a king who place a bet. The peasant asks only for a single grain of rice on the first square of the chessboard, and then to double the amount of rice in every subsequent square of the chessboard until it is full. The King agrees and then loses his kingdom, because by the final square of the chessboard, the debt is [eighteen quintillion] grains of rice. Doubling delays on a PIN accumulate much faster than you expect and can very quickly become a terrifying experience. [Someone] I know in this space wrote an article… about their experience trying to brute-force the PIN on a Trezor and discovering, to their great consternation, that they couldn’t do it. Anyhow, that’s a longer story.

If someone steals your physical device, but you have both the PIN and a passphrase, it is very difficult to brute-force that… unless there is some vulnerability in the [firmware], as was the case with the friend I was telling you about. Those vulnerabilities have been addressed with subsequent firmware [updates]. If you have upgraded your device, it is now more secure than it was before. It is very difficult to brute-force that. You should always make sure you have a [way] to recover your funds… if your device is stolen, and [you should still] always know where your devices are. If one of your hardware wallets is stolen, immediately move the funds away from that seed.

You [need to] be more careful with the seed than with the hardware wallets. The seed has no PIN to protect it. If you can’t [access] the seed in the hardware wallet, brute-forcing the passphrase is a lot harder to do. You [must] keep asking the hardware wallet to try different passphrases. The passphrase itself is protected by a stretching algorithm. Unfortunately, because these hardware wallet devices are fairly low in power and processing capabilities, the BIP-39 specification requires only two thousand rounds of repetition on the stretching algorithm. That is not ideal. If you have a very short passphrase and your seed is compromised, it is possible for someone with sufficient resources — by putting together a GPU farm of machines — to brute-force a passphrase [of less than eight or ten characters] in a reasonable amount of time. You [must] keep your seed secure. You [must] use a passphrase with sufficient [characters and] entropy, to make it difficult, even with two thousand rounds of repetition, to brute-force it. For example, I would use eight to ten words that are not from the limited seed dictionary, but perhaps a much broader dictionary, for the English language or your own language. Eight to ten words gives you sufficient entropy. Even with two thousand rounds of repetition with [a GPU farm], it is very hard to brute-force that. Presumably you have the means to notice [when] the seed has been compromised or the hardware wallet has been stolen, to give you time to move your funds. That is my advice.

To the second part of this question… I will repeat it so that it is easier to understand. Mark asks, “Is setting up multi-sig wallets in Electrum secure?” “Is it something worthwhile to do, or is it better to stick with a single Trezor and use a passphrase… along with storing one copy of your recovery seed at a secure location?”

It really depends on your threat model and what you are trying to protect against. One of the reasons you would want to use a multi-sig system instead is to protect yourself against coercion. If somebody else has one of the signing keys and is required to participate [in a transaction], it is a lot harder for someone to force you to sign away your funds through violence or physical intimidation. One of the advantages of separation of controls is removing control from yourself, in order to protect you… against coercion attacks like that. If that is part of your threat model, then a multi-sig solution might be something you should consider.

Another reason you might do that: if you are concerned about the security of any single hardware wallet. You might want to diversify [the devices you use]. Let’s pick some brands: a Ledger, a Trezor, a KeepKey, or a Bitbox. You use three devices to create a three-way multi-sig; or you use a Trezor and a Ledger, and keep a backup seed with a passphrase. You make a multi-sig from these three sets of keys. Now you have hardware wallets with passphrases and PINs for two of the signing components, and the backup stored securely. In a 2-of-3 multi-sig, that is a very secure setup. Even if there is a compromising vulnerability in one of the hardware wallets, you could argue that… by layering your defenses in that way, you have a superior solution. The question then is: is it worth the complexity, the effort, the additional risk [of accidental loss]? Is that worth it, in your particular threat model? You [must] evaluate based on your own circumstances. For some people, it is [worth it]. For other people, it is not.

I have used Electrum as a multi-sig wallet, with some or all of the keys being on hardware wallets. It works and is a very convenient solution. Some multi-sig wallets, other brands that I used in the past, are not very well supported anymore. I don’t use [them] anymore for a variety of reasons. Electrum has been quite reliable and getting better.

In the next few months, you will see some changes to this infrastructure [for hardware wallets]. One of the big changes is due to the Google Chrome browser deprecating part of its infrastructure that… supports extensions and plugins. As a result, hardware wallet [developers] are now building various forms of bridges… using either the WebUSB protocol for browsers, or a native operating system plugin. The infrastructure and implementation of hardware wallets in Electrum… and other interfaces will change in the near future. Perhaps it will be better and more streamlined; perhaps it will be a bit buggy. It will be a first implementation of this new interface standard. We will see [what happens]. But please do expect there to be some changes soon in how that is implemented for hardware wallets, because of this change in the Google Chrome policy.
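The passphrase stretching discussed in the answer above, as an added example that is not part of the original Q&A: BIP-39 derives the wallet seed with PBKDF2-HMAC-SHA512 over the mnemonic, salted with the string "mnemonic" plus the passphrase, for 2048 rounds, so each passphrase guess by someone who already holds the seed words costs exactly one such derivation. The reference mnemonic is the published BIP-39 test vector; the broad-dictionary size and the attacker's derivation rate are assumptions used only to compare the passphrase choices the answer recommends.

```python
import hashlib
import math
import unicodedata

# BIP-39 key stretching: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic,
# salted with "mnemonic" + passphrase, for 2048 rounds (the spec's fixed count).
BIP39_ROUNDS = 2048
SEED_WORDLIST_SIZE = 2048  # each BIP-39 seed word carries log2(2048) = 11 bits

# Reference mnemonic from the BIP-39 test vectors (all-zero entropy); it is
# used here only to show that the passphrase changes the derived seed.
REFERENCE_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP-39 seed. This is the computation a hardware
    wallet runs on every passphrase entry, and the one a brute-forcer who
    holds the seed words must repeat once per guess."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, BIP39_ROUNDS, dklen=64)


def passphrase_entropy_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of num_words words drawn uniformly at random
    from a dictionary of dictionary_size words."""
    return num_words * math.log2(dictionary_size)


def expected_years_to_crack(entropy_bits: float, seeds_per_second: float) -> float:
    """Expected time to hit the passphrase when the attacker holds the seed
    words and can evaluate seeds_per_second full 2048-round derivations
    (an assumed attacker rate, not a measured one)."""
    expected_guesses = 2.0 ** (entropy_bits - 1)  # half the space on average
    return expected_guesses / seeds_per_second / (365 * 24 * 3600)


def compare_passphrase_choices(seeds_per_second: float = 1e9) -> dict:
    """Compare the strategies discussed: 8 seed-list words versus 8 and 10
    words from a broad dictionary (assumed 100,000 words). Returns
    {name: (entropy bits, expected years at the assumed rate)}."""
    broad_dictionary = 100_000
    choices = {
        "8 seed-list words": passphrase_entropy_bits(8, SEED_WORDLIST_SIZE),
        "8 broad-dictionary words": passphrase_entropy_bits(8, broad_dictionary),
        "10 broad-dictionary words": passphrase_entropy_bits(10, broad_dictionary),
    }
    return {name: (round(bits, 1), expected_years_to_crack(bits, seeds_per_second))
            for name, bits in choices.items()}
```

Even the weakest choice here (8 words from the 2048-word seed list, 88 bits) is far beyond the short passphrases the answer warns about; the 2048-round count bounds the attacker's per-guess cost, so entropy is what carries the defence.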
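The threshold reasoning behind the 2-of-3 recommendation above, and its trade-off against accidental loss, as an added example that is not part of the original Q&A: a small model in which each key is safe, lost, stolen or leaked, and the m-of-n rule decides whether the owner, the attacker, both (the sweep race described at the start of the answer) or nobody can spend. The key states and scenarios are constructed for illustration.

```python
from enum import Enum
from typing import Dict, Sequence


class KeyState(Enum):
    SAFE = "safe"      # only the owner can use this key
    LOST = "lost"      # nobody can: device destroyed, backup misplaced
    STOLEN = "stolen"  # attacker holds it and the owner no longer does
    LEAKED = "leaked"  # both hold it: copied seed, compromised device


def threshold_outcome(m: int, keys: Sequence[KeyState]) -> str:
    """Who can produce m signatures out of the n keys in `keys`?"""
    owner = sum(k in (KeyState.SAFE, KeyState.LEAKED) for k in keys)
    attacker = sum(k in (KeyState.STOLEN, KeyState.LEAKED) for k in keys)
    if owner >= m and attacker >= m:
        return "race"      # both can sweep: move funds to fresh keys now
    if owner >= m:
        return "safe"      # attacker is below threshold, owner still spends
    if attacker >= m:
        return "stolen"    # owner cannot outrun a sweep
    return "frozen"        # nobody reaches m: accidental loss


def compare_setups() -> Dict[str, str]:
    """Constructed scenarios matching the situations discussed in the answer."""
    S, L, T, K = KeyState.SAFE, KeyState.LOST, KeyState.STOLEN, KeyState.LEAKED
    return {
        # single seed on one device whose seed has been copied by an attacker
        "1-of-1, seed leaked": threshold_outcome(1, [K]),
        # 2-of-3 with one device affected by a firmware vulnerability
        "2-of-3, one key leaked": threshold_outcome(2, [S, S, K]),
        # 2-of-3 with one device stolen, modelled as if the PIN did not hold
        "2-of-3, one key stolen": threshold_outcome(2, [S, S, T]),
        # 2-of-3 where one device is stolen and the backup seed is misplaced
        "2-of-3, one stolen and one lost": threshold_outcome(2, [S, T, L]),
        # 2-of-3 where two keys are lost: the accidental-loss cost of multi-sig
        "2-of-3, two keys lost": threshold_outcome(2, [S, L, L]),
        # 2-of-3 where two devices leaked their seeds: attacker reaches threshold
        "2-of-3, two keys leaked": threshold_outcome(2, [S, K, K]),
    }
```

The model makes the answer's point concrete: a single compromised component turns a single-signature wallet into a race, leaves a 2-of-3 wallet safe, but two mislaid components freeze the 2-of-3 funds, which is the extra loss risk to weigh against the threat model.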

35 thoughts on “Bitcoin Q&A: Multi-signature and distributed storage”

  1. For high-profile thefts there are companies like Chainalysis or Elliptic, and more, that are specialized in reconciling wallet addresses to IP addresses. This is how the IRS knows who owns what, for example.

  2. Many thanks for your content as usual.

    About tracking stolen crypto: once the cryptos are moved to an exchange wallet, why can't the person be identified? There is an identity behind it (KYC is required) and I guess in case of theft some agency can enforce the disclosure of the identity… What do I miss here?

    Thanks

  3. I would be lost in the crypto desert dying of thirst without this dude. Thanks Andreas; one of my favorite videos of you is when you schooled The Canadian Banking Committee. I recommend this vid for everyone, still relevant in many ways it seems: https://www.youtube.com/watch?v=xUNGFZDO8mM

  4. Something about the music at the end gives me a bittersweet aching feeling, somewhat like nostalgia. Except it's a premonitory sort, as if I can already feel how someday I'll look back at now and long for the relative youth or innocence or simple life that I'm currently experiencing.

  5. Trezor uses a doubling delay and Ledger uses a wipe after X failed attempts for protecting the PIN from brute-force attacks. Both are effective methods for PIN protection.

  6. "As soon as an attacker gains control of your private keys, the first thing they will do is do a sweep."

    I disagree.

    An attacker that has access to your private keys may also have access to the private keys of many other people, accessed by the same unknown exploit or vulnerability that affects the victim(s).

    If the attacker sweeps one wallet from one victim, or even several victims, the likelihood of the security vulnerability that led to the compromised keys becoming known increases. Once the vulnerability becomes known, people will react and destroy the attacker's chance of stealing the funds.

    If I'm malwaring many different victims via a specific attack vector, it is in my interest as an attacker to wait before sweeping. If I sweep 1-2-3-4 victims, other potential victims will get wise and adjust. As an attacker, I would rather wait until the attack has allowed me access to a larger number of victims' wallets, THEN sweep.

    We will see this one day. A major exploit that some attacker sat on for months, or years, quietly accumulating private keys…and then one day…BAM…time to sweep.

    The future fucking scares me.

  7. Is this the reason why Ledger made a desktop wallet, to move away from Chrome? What about MetaMask-like wallets?
