Recovering lost coins: The rise of crypto bounty hunting
Losing the password to your wallet can cost you millions, but options for recovery exist
- Losing a crypto fortune
- Rise of the crypto bounty hunter
- Don't get stung twice
- Recovering from theft
- Prevention is the best cure
- When life happens
- Final thoughts
Losing a crypto fortune
Cryptocurrency’s short history is peppered with horror stories of people losing huge sums of bitcoin and other digital assets, whether by human error, scams, or computer malfunction. Take Gabriel Abed. In 2011, Abed’s work laptop was formatted by an IT colleague, wiping the private keys to 800 BTC stored in his wallet.
Abed’s wallet would have been worth more than $3.1m today. Luckily for him, this was only a fraction of the BTC he had stashed in various digital locations. The setback did not prevent him from purchasing a 100-acre plot of Barbados oceanfront property, worth $25m, in 2021.
Stefan Thomas was not so lucky. A victim of simple forgetfulness, the German-born programmer holds the private keys to 7,002 BTC, worth more than $274m, on an IronKey USB stick. There is only one problem: as of today, he has two password attempts left before the IronKey, by design, permanently deletes all information stored on the flash drive, taking any chance of accessing those 7,002 BTC with it. A good advertisement for IronKey’s security functions. A depressing situation for Thomas.
As unfortunate as these situations are, lost and stolen crypto is far from an uncommon story. Some estimates suggest up to 20% of all bitcoins have been lost to date. That is more than $164bn, approximately the GDP of Portugal, effectively wiped from circulation.
But how many of these trapped coins can be recovered? Can a crypto bounty hunter help to recover them? How does a bitcoin bounty hunt work? We sat down with some experts to discover how they go about recovering lost coins.
Note: Currency.com is not affiliated with any entity mentioned in this article. You should conduct your own research on any company that you are considering employing. Make sure to keep your expectations in check: There are zero guarantees when it comes to bounty hunting for cryptocurrency. Any organisation promising 100% success rates is potentially a scam.
Rise of the crypto bounty hunter
Chris and Charlie Brooks, the father-and-son crypto bounty hunting duo at Crypto Asset Recovery, are two of a growing number of “ethical hackers” applying their skills to crypto asset recovery. Using a complex process involving hashing algorithms and targeted brute force attacks, their programmes can cycle through millions, sometimes even trillions, of password combinations in an attempt to find the right one.
Chris established Crypto Asset Recovery by himself in 2017, but scalability problems forced him to shut it down only one year later. Enter Charlie, who suggested rebooting the company in 2021. “We moved all our servers off AWS [Amazon Web Services] and moved everything in-house. In the last year we've been working pretty much full time on it since,” Charlie said.
The Brookses’ work process is not just a technical one. Their service relies on a ballpark guess of what the password might be. This involves “a huge trust element”, according to Chris. “We have our highest crack percentages when people will actually go to their password manager, export all their passwords, remove any random ones and then send those passwords to us.” Developing a rapport and getting to know their customer is the key to success, even down to what their favourite football team (or family member) is.
That trust is a two-way street. Naturally, not all of the Brookses’ bitcoin bounty hunt customers are legit. If the duo suspect malicious intent, or if they think they are dealing with a stolen wallet, the case will be severed. Additionally, the bounty might be a massive anticlimax. Chris recalled one instance regarding a supposed wallet containing 12 bitcoins, worth more than $700,000 at the time. “We found the password to it. We're jumping up and down and we get the guy on the phone and crack the wallet... and it had $2.78 inside.”
Such are the pitfalls of working on a no-win-no-fee basis. On the bright side, a successful bitcoin bounty hunt can pay off big time. “Our biggest recovery was $270,000,” said Charlie. “We were really excited about that!”
Don't get stung twice
While the market for crypto asset recovery services is growing, not all offerings are genuine. “Every time we get a major article published, we will have four or five businesses crop up that advertise with the [SEO] phrase ‘crypto asset recovery’ and are complete scams,” Chris said. Red flags to consider include large up-front payment requirements and claims of 100% success rates.
Josh Chinn, co-founder of the Manchester, England-based firm Wealth Recovery Solicitors, which recently moved into crypto recovery, said: “Make sure when looking into trying to recover your money you don't get stung twice. Make sure they are a regulated entity, they know what they are talking about, there is a real person there and if you are a UK resident, that it is a UK company you are dealing with.”
Recovering from theft
The Brooks gang might achieve a cited 30% success rate, but when it comes to lost crypto resulting from hacks and other criminal behaviour, things can get more complicated. Chris Brooks said: “If someone has been scammed out of their funds, there's just nothing that we or any other private company can do. We can help them liaise with the police and that kind of stuff but it really becomes a law enforcement issue in terms of actual recovery.”
That is when recovery becomes difficult. Speaking with Currency.com, Liam O’Farrell*, a senior PR consultant in the financial services sector, discussed his continuing struggle with the British Virgin Islands-registered crypto exchange HitBTC, after a hack resulted in the loss of, among other digital assets, eight bitcoins, hundreds of Chainlink tokens and thousands of Cardano tokens. The bitcoins alone were worth over $300,000.
O’Farrell believes that HitBTC is aware of the hacker’s wallet address, but is refusing to hand over the information. According to Liam, HitBTC has so far refused to cooperate with the Metropolitan Police after numerous official requests from the Central Specialist Crime unit. Requests dating back to September 2021 have been confidentially shared with Currency.com.
A response to O’Farrell's initial request stated: “We have taken all the required measures in relation to this incident. Unfortunately, due to security reasons, we are not at liberty to disclose any information in this conversation with you, but we encourage you to contact the local police department to initiate an official investigation as soon as possible. We are ready to fully cooperate with them and pass on to them all the information we have at our disposal upon their official request.” However, subsequent and repeated police filings have gone unanswered.
O’Farrell’s battle to recover years of savings continues, while the lack of accountability and response from HitBTC is “adding salt to the wound of a brutal moment”. HitBTC has been approached for its side of the story.
Prevention is the best cure
While a fascinating pursuit, no one should have to go through a costly crypto bounty hunting exercise in the first place. Chris Brooks said: “If you’re just getting into crypto, you should move slowly. I always recommend that people start with a custodial exchange like Kraken, Binance or Coinbase, ideally one that’s based in the country you live in. Then, at least, the local police have jurisdiction.”
Even though writing down and keeping your seed phrase somewhere safe is a no-brainer, you should not just stop there. Many crypto bounty hunting jobs arise after a client disposes of documents containing their seed phrase, often when moving house. “I recommend people buy a $30 safe off Amazon,” Chris suggested. “When you move apartments in a year, everyone in your family knows that the things in that safe are important, as opposed to the stack of papers on your desk.”
If writing your seed phrase on a piece of paper sounds too amateur, how about etching it into a slab of steel? That is one recommendation touted by Ruud Feltkamp, chief executive officer of the crypto trading bot Cryptohopper, who also suggested locking it away in a safe at home or even a guarded safe at a bank. These measures might sound excessive, but the UK company CryptoSteel has been offering this service from as far back as 2013.
When life happens
Sadly, it is not uncommon for large amounts of cryptocurrency to be lost when a death occurs. Such was the case of Romanian bitcoin maximalist Mircea Popescu, who reportedly drowned off the coast of Costa Rica in 2021, leaving his estimated $2bn bitcoin wealth in permanent limbo.
The case of Popescu is not an isolated incident. Without the infrastructure of a central bank or any meaningful legal recourse, vast swathes of cryptocurrencies are destined to exist solely as a line of text on a blockchain scanner, out of reach of family members and beneficiaries.
Some experts believe that this could have some pretty big implications. Jawad Nayyar, co-founder of DAO PropTech, said: "Should this trend continue, the amount of bitcoin lost will outpace the issuance rate of bitcoin, creating a heavy supply shock causing the price of bitcoin to surge."
If this is an issue keeping you up at night, there are steps that can be taken. Of course, sharing passwords and seed phrases with a trusted significant other is a possibility. There are also inheritance devices such as the Kirobo Liquid Vault, which distributes stored crypto among predetermined wallets if a timer fails to be manually reset. Though in all fairness, this is far from a foolproof technology.
Final thoughts
Bounty hunting in crypto is a growing niche, particularly in times of substantial price growth, when users tend to recall those 10 bitcoins they bought back in 2013. While a bitcoin bounty hunter can help, there will never be a guaranteed method of password recovery (and anyone claiming a 100% success rate should probably be avoided). Users need to be aware of the huge implications involved in losing their keys.
Just like any valuable asset, you should take reasonable precautions at the early stages of your investment journey to protect your stash. Unfortunately, while password recovery options exist, crypto bounty hunters are less useful when it comes to criminal actions. At least for the moment.
So perhaps accountability at the service-provider level also needs improving. Reflecting on his ongoing ordeal, O’Farrell said: “I think this industry just needs to act together and monitor these public addresses that are clearly owned by hackers. Losing my crypto was a horrible lesson but there’s a lack of urgency from HitBTC to respond to the police when they are making enquiries, and there's a lack of transparency about the process… you can understand my frustration.”
*name changed per request of anonymity