Man Sues Parents of Teens Who Hijacked Nearly $1M in Bitcoin

Now adults, the then-teens apparently used clipboard hijacking malware to steal Bitcoin.

When Colorado resident Andrew Schober downloaded the Electrum Atom Bitcoin wallet from Reddit, he also picked up a piece of clipboard hijacking malware that eventually redirected his 16.4552 Bitcoin to a wallet controlled by two teenagers living in the U.K.

At today’s price, 16.4552 Bitcoin would be worth ~$773,000.

After spending years and around $10,000 on experts to track down the threat actors, according to a new lawsuit filing (PDF) uploaded by Krebs On Security, Schober identified the culprits as Benedict Thompson and Oliver Read, now adults who are studying computer science. But because they were juveniles at the time of the alleged theft, Schober is suing their parents for the nearly $1 million he lost in the heist.
Infosec Insiders Newsletter

“The deployment of the Malware on Mr. Schober’s computer and the subsequent theft of Mr. Schober’s cryptocurrency was devastating for Mr. Schober,” the lawsuit said. “He did not eat or sleep for days afterward and has been in a severe state of distress for the past three years.”

The filing explained that the value of the cryptocurrency wallet accounted for around 95 percent of Schober’s net wealth.

“Mr. Schober brings this action to hold Defendants accountable for their violations of federal and state law, and to seek recovery for the grave financial and personal harm he suffered,” the suit added.

Schober tried to settle things out of court, his attorneys said, presenting a letter he sent to the attorney for the Thompsons and Oliver and Paul Read.

Screenshot of letter without PII. Source: Krebs on Security.

“It seems your son has been using malware to steal money from people online,” the letter from Schober said, adding that he had evidence of the duo’s guilt, including GitHub records and repositories for Electrum Atom malware; something called Electrum Gold; and forensic analysis of the malware and Botcoin wallet, which, the letter added, “shows multiple thefts.”

The Electrum Atom wallet is a fork of the well-known Electrum Bitcoin wallet.

The defendants argue that the statute of limitations has expired and that the lawsuit should be dismissed, according to their response to the lawsuit (PDF via Krebs). No one seems to deny that the two teens stole the Bitcoin.

“Mr. Schober learned of his injury and its cause less than three years before he filed his Complaint, a fact that discovery will prove and — more importantly — which the Complaint does not contradict,” the response said. “As such, dismissal at the pleading stage would be inappropriate, and the defendants’ motions to dismiss should be denied.”

Electrum Atom Malware

Schober downloaded a malicious version of Electrum cryptocurrency wallet that, according to the lawsuit, was posted on Reddit by one of the teen threat actors who promised that their wallet would allow access to “Bitcoin Atom” cryptocurrency. Instead, when Schober copied and pasted a cryptocurrency wallet address, the malware replaced it with an alternate address that the legal filing said was controlled by Thomson and Read.

“The Malware is particularly intrusive because, once the Malware is installed on the hard drive of the victim’s computer, the Malware cannot be deleted from the victim’s computer by uninstalling the program in which it was hidden,” the filing explained. “This is because the Malware embeds itself in the Java library on a victim’s computer, regardless of the location where the downloaded file is initially saved and conceals its existence using an encryption technique that obfuscates the Malware’s XOR strings.”

In this instance, the malware’s function was used on the copy-paste data for a crypto wallet, but in the future it could be turned against anything else put on the computer’s clipboard, like passwords, the suit said.

Cryptocurrency Security & Privacy

Just this week, crypto-interoperability platform Proxy Logon was able to retrieve more than $610 million stolen after its systems were breached. The crypto was returned after the company tracked down the attacker, pleaded for the money back and even offered them a job as the company’s chief security officer.

And as volatile crypto markets continue to produce value, threat actors will continue their schemes to empty users’ wallets. They will also be forced to work around blockchain ledgers, which leave a clear-cut trail to stolen funds.

“Crypto assets, like bitcoin, post transactions to a public blockchain. Anybody can follow the transaction as it hops from digital wallet to digital wallet by using free and commercial blockchain explorer tools for the specific blockchain,” Coalfire’s Karl Steinkamp told Threatpost. “Tracking of crypto assets varies by crypto asset and its native features, which may include privacy enhancing features, which some altcoins (Zcash, Monero, etc.) have implemented.”

Those privacy features are luring attackers to cryptocurrencies like Monero precisely because they are hard to track, according to Netenrich’s John Bambenek.

Besides favoring more private platforms, Steinkamp predicts that attackers will also start to mix and develop tools around blockchain’s protections.

“This will [necessarily] require industry white hats to dramatically improve their cybersecurity tools and processes to account for a more nimble bad actor,” Steinkamp said.

Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles