Data from Chainalysis shows that $14 billion in cryptocurrency was stolen in 2021 — some of it through sophisticated attacks. Here’s one story that’s a pricey reminder to never forget the most basic security rules.
A security analyst in Pinellas Park, Florida (about a 15-minute drive from our office in downtown St. Petersburg) was arrested for stealing well over half a million dollars in cryptocurrency from a client. But unlike many other crypto theft cases, this incident isn’t the result of a complex cyber attack or even a phishing scam. The way this cybercriminal carried out this theft is far simpler to explain and even easier to prevent…
Let’s hash it out.
An Overview of What Occurred and How Nearly $600,000 in Crypto Was Stolen
Aaron Motta, the 27-year-old owner of Motta Management and Mitigation Services (according to his LinkedIn profile), is accused of stealing $575,910.61 in cryptocurrency from a client’s Trezor crypto hardware wallet. FOX 13 reports the victim invited Motta into their home to install a security system. Once there, Motta found the victim’s hardware storage device, which stores cryptocurrency offline, and stole it.
Of course, simply finding the hardware wasn’t the only contributing factor here; what makes matters worse for the victim is that they’d decided to store their account passwords in the home insecurely as well. In this case, the Tampa Bay Times reports that Motta used the password to gain access to the elderly victim’s cryptocurrency on the stolen device. He then transferred the digital currency to multiple wallets he controlled.
According to Pinellas County Sheriff’s Office (PCSO) Who’s In Jail booking records, Motta has been charged with two felonies: 1) grand theft, and 2) offenses against computer users. He’s now out of jail on a $60,000 bond.
Motta’s LinkedIn profile has him listed as a “Certified Ethical Hacker & CyberSec Analyst” who is “striving to be the change [he wishes] to see in the world.” However, looking at PCSO’s arrest records for Motta, it looks like the Georgia native has some questionable decision-making skills.
Suffice it to say, it looks like Motta’s falling a bit short of the mark if his intention is to have a positive influence on the world. This goes to show that you can’t just assume anyone claiming to be an expert is a legitimate expert. Carefully vet anyone you hire, particularly those who will have access to your sensitive data, network and systems.
Victim Made an Easy Target by Storing Crypto Wallet and Account Passwords Insecurely
The title of the article may leave you asking: did the victim really store their passwords on Post-It notes? We don’t know what the victim’s passwords were written on specifically and, frankly, it doesn’t matter. Whether you’re storing your passwords on a sticky note or in a password book, the point we want to make here is that you need to lock up those secrets to keep them safe.
We know that trying to remember a slew of passwords for dozens of accounts is virtually impossible. But storing your passwords insecurely — especially in the same area as your device — is akin to placing all of your valuables in a safe and then taping the safe’s security combination on the door. Sure, your belongings are locked up, but all a criminal has to do is enter the combination you’ve provided to gain access to them.
Before anyone gets upset by thinking we’re attacking the victim: no, we’re not blaming the victim here. Clearly, Motta was at the victim’s home in a professional capacity as a security expert and never should have taken the device in the first place. If anything, he should have educated the homeowner about the security issues. But as we all know, bad guys are going to do what they’re going to do regardless of what’s right or wrong — there’s no need to make their criminal endeavors any easier.
We want our readers to realize that something like this can happen to them as well; this is why you should take steps to protect your accounts. Some of the ways to do this include:
- Using a unique password for every account (never reusing the same password to secure multiple accounts),
- Locking up your data storage and security-related devices, and
- Securing any personally identifiable information, login credentials, and other sensitive information.
Big Takeaway: Lock Up Your Devices and Passwords
We’ve written about password security at length because compromised credentials are a huge problem, and passwords are secrets that every individual and organization needs to take steps to secure. Data from Verizon’s 2021 Data Breach Investigations Report (DBIR) Executive Brief shows that:
- Nearly two-thirds (61%) of data breaches involved credential data in some way, and
- Credentials represented 85% of data compromised in social engineering attacks.
The National Institute of Standards and Technology (NIST) describes passwords as memorized secrets, meaning they are not meant to be shared or stored insecurely. If you store your passwords insecurely anywhere in the physical vicinity of your device, those secrets are at risk of being stolen and used by malicious individuals.
Likewise, using weak passwords or reusing the same password across multiple accounts is another big security issue: once that password is exposed, every account you use it for is at risk of compromise. This is why we often recommend that users either use strong passphrases or avoid passwords altogether by implementing passwordless authentication instead.
Of course, it’s important to note that passwordless authentication doesn’t work for all use cases. In this particular situation, the criminal has physical access to the device and the passwords the victim used to secure their accounts. So, there’s not much that could have been done to prevent this situation from a cryptographic perspective since Motta had access to both the hardware and the victim’s account passwords.
If you decide to use passwords to secure your devices, accounts, cryptocurrency or other things you want to protect, be sure to keep those passwords safe and secure. And when you can use passwordless authentication, be sure to do so with client authentication certificates.