BTC and BCH worth 260 million yuan are missing; the giant whale is suspected of using the Blockchain.info service

On February 22, Beijing time, a giant whale named “zhoujianfu” broke the news on the forum that he had just lost 1547 BTC and nearly 60,000 BCH, currently worth nearly 260 million yuan. It is reported that the giant whale's true identity is suspected to be Josh Jones, founder of Bitcoin Builder and one of Mt.Gox's largest creditors.

According to him, the hacker appears to have stolen his cryptocurrency through a SIM card attack.

As of press time, the hackers have split some of the stolen bitcoins into small amounts. According to the monitoring system of Beijing Lianan, these coins have been mixed with small amounts of bitcoin transferred from some exchanges.

The coin's founder Pan Zhibiao also confirmed the incident on Weibo. He also stated:

"Technically speaking, restructuring the double spend is still too late."


The so-called restructured double spend refers to a 51% attack on the blockchain, in which the stolen coins can be retrieved by rewriting the history of the blockchain. However, this method is extremely controversial.

As early as May 19, an incident involving the bitcoin hot wallet of the Binance exchange had also occurred, causing asset losses of about 7,000 BTC. Afterwards, the exchange also hoped to recover the loss through the restructured double spend method. This, however, did not get the consent of Bitcoin miners, because this approach would seriously damage the immutability of the blockchain.

Therefore, pinning hopes on a restructured double spend is actually not realistic.

Victim suspected of using Blockchain.info service

According to the information available, the giant whale controls the private key himself (he performed signature verification), and he claims to have been hit by a SIM card attack. In response, the SlowMist security team analyzed:

"The guess is that a well-known decentralized wallet service was used, and this decentralized wallet actually needs SIM card authentication, which means that there is a user system that can turn on SIM-card-based SMS two-factor authentication. It's Blockchain.info."

Users of the r/btc forum also believe that he likely used the Blockchain.info service; their analysis states:

"He may have used a Blockchain.com wallet because the relevant BCH transaction has 546 Satoshi inputs and outputs."

Another user, "Shadowofashadow", confirmed that the giant whale was also a victim of Mt.Gox. He did use the Blockchain.info wallet and had at most 10,000 BTC in the wallet.


How to prevent SIM card attacks against large cryptocurrency players?

In fact, SIM card attacks are a very common type of attack. The target is usually a celebrity with a valuable social media account or a whale holding a large amount of decentralized assets.

The target of this attack, Josh Jones, belongs to the latter group, and he is a very high-profile one. His signature claims that he is a billionaire.

In June 19, Sean Coonce, BitGo's engineering director, also disclosed that he had suffered a SIM card attack, in which a hacker stole $100,000 worth of cryptocurrency. After reviewing the incident, he suggested:

"1. Use a hardware wallet to protect your cryptocurrency: If you are not transacting at any time, save your cryptocurrency in a hardware wallet, offline wallet or multi-signature wallet, instead of leaving funds idle on the trading platform.

2. Secondary verification based on mobile phone SMS service is not secure enough: whether you want to protect online assets or an online identity, please use some hardware equipment to enhance protection measures. In this way, in order to carry out the attack, the attacker must get your equipment to store cryptocurrencies in real life.

3. Reduce your online traces: Suppress your urge to share personally identifiable information online (for example, your date of birth, address, pictures with geographic information, etc.). In the event of an attack, all such publicly available data is likely to be used as a tool to launch an attack.

4. Google Voice secondary authentication: In some cases, online services do not support hardware-based secondary authentication (they rely on weaker SMS-based secondary authentication). In that case, you had better create a Google Voice phone number (it cannot be transferred via SIM card) and use the Google Voice phone number as your secondary verification tool.

5. Create another email address: Don't bind everything to the same email address. Create another email address for some very important online identities (such as bank accounts, social media accounts, cryptocurrency trading platforms, etc.). This email address must be kept secret. Do not use it for anything else. Use hardware-based secondary authentication to enhance the security of this email address.

6. Offline password manager: Use a password manager to enter passwords. It is best to use an offline password manager, such as Password Store (a software for managing passwords)."