It is currently 2021, and cryptocurrencies have scored an all-time high in terms of price, more than doubling the previous event that happened in 2017. For the record, a Bitcoin (BTC) went for over 51,000 EUR. Even large companies like Tesla are buying large volumes.
So during this time, I was wondering if cryptocurrency theft is also on the rise, because of the increased returns of performing these illegal actions. After all, it makes sense to try and obtain something by any means, especially when it became extremely more valuable than before.
In order to perform a non-statistical and non-representative experiment that could not prove this hypothesis right or wrong (i.e. I did it because it seemed like it was fun, and I wanted to see what would happen), I “lost” a few Bitcoin wallets on the Internet, and tried to observe what would happen. Would people notice? Would they contact me? Take the money and run?
A wallet in the cryptocurrency context is a collection of some cryptographic keys that are able to control the spending of coins for their relevant addresses. In order to send money from a Bitcoin account, you need to know this secret key that is mathematically tied to the account number, and anyone who knows this key can then perform transactions on the account’s behalf.
This is usually represented in the most popular cryptocurrencies as a “seed phrase” that looks something like this:
airport lawn pulse laundry lawn project great subway rule zoo embark canyon
or, to make scanning it from a mobile device or computer easier, a QR code:
Of course, it can also take the form of a computer file, that is typically password protected.
If this leaks in a format that is not password protected (like the word seed or the QR code above), or the password can be guessed, then anyone can use this account like it is their own, and can perform actions like transferring all the balance to a different one.
In order to run this experiment, I created 10 brand new wallets, and I stored their QR code on my computer. Creating new wallets is free and extremely fast, as it’s essentially just a random number.
I then transferred to each wallet the equivalent of $10 in Bitcoin, essentially adding to the account balance. Now they all have a non-zero balance that can easily be converted to a little bit of fiat currency (USD, EUR, CHF, etc.).
The next step involves the dissemination of the QR codes. Essentially I have 10 pictures, and I want to spread them to as many different audiences as possible, to increase the amount of people that will “find” my “lost wallet”. Ideally it should also be different groups, to hopefully gain more data.
I have a Twitter account so I figured that this would be a good place to start. I sent out a tweet with no text, just a single QR code there, and no more information. My hope is that people will simply scan it and then get an idea of what’s going on.
In order to increase the probabilities of someone discovering this, I also sent out another tweet, around 12 hours later, that also included a hint:
T___ i_ a b______ p______ k__.
With some luck, someone could figure out that this means This is a bitcoin private key.
and act upon it.
A different type of audience can be found on my LinkedIn network, so I made a post there as well. The caption there was a simple question mark, without giving out any hints.
I am also a member of DevStaff, a tech community in Crete with 1,400 members, 411 of which are members of our Slack group.
I posted the QR code on the #random
channel, which usually has all the
members, but is not a top priority one like for example #general
.
I use the Signal instant messaging app heavily and I usually chat with a lot of people on a regular basis using it. For this reason, I thought it would be appropriate to change my profile picture there to that of a QR code. I don’t know how frequently these changes propagate, but I hope it was quick enough.
As any website on the Internet, I receive a large number of daily requests by
bots that try to find “interesting” parts of my website, and upon finding them,
proceed to try and hack them. Most people block these types of requests, but I
thought I should (temporarily) reward them, by responding to the most popular
ones (like wp-login.php
or phpmyadmin
) with the QR code of a wallet that
contains money in it.
The rest of the QR codes went to various online forums in the likes of Reddit that allow semi-random pictures and posts without violating their guidelines.
From the platforms that provide analytics (e.g. Twitter, LinkedIn, etc.), the amount of people that have “seen” (for whatever definition of seen these sources may have) is in the high thousands within a period of 24 hours. They have received less than ten reactions, mostly the thinking face “🤔” emoji. Around ten people contacted me privately and spent time on trying to figure out what these mysterious QR codes that I posted may be, but none -to my knowledge- found more than one of them. There were no “shares” (e.g. retweets) of any of them, in any medium.
The results were something that I certainly did not expect. After a period of 24 hours, not a single wallet had the cryptocurrency transferred to a different account. I was able to retrieve 100% of it (minus the transaction fees of course) and despite knowing of people that spent the time to figure it out, the money was all there.
I posted my Bitcoin private keys to the Internet, tried to get it in front of as many people as possible within 24 hours, and nothing was taken.
To be clear, it is NOT recommended to post your private keys online, and just because nobody took my funds does not mean they won’t take yours, but I was very surprised to see that I was able to reclaim all of it, even after 24 hours.
I am giving the Internet one more, final chance.. ;)