Hacking the most valuable crypto wallets in San Francisco
“Where is the largest concentration of wealth in San Francisco?”
“The Federal Reserve on Market Street?”
“No, they just shred old notes,” Leo whispered with his back to the brick wall of the courtyard. People whispered amongst the usual Friday afternoon of drinks and flirtations. The sun shone a golden light upon the courtyard, the Transamerica Tower and a painted mural stood gazing down from a pink sky above.
Virgo placed his hand on his stubble, “The US Mint on lower height?” he guessed. A small infinity tattoo revealed itself on his hand.
Leo shook his head, sipping a glass of French Sancerre. “What am I supposed to do with a few kilos of gold?” His Israeli accent snuck through his near perfect English.
The two sat before a fountain, Leo’s iPhone X lay on the small table before them, blasting white noise. A lady dressed in Beijing 798’s finest attire chanced a seductive glance towards Leo. She smirked, whispering I hate you.
“The vaults beneath Deutsche Bank on California Street? They’re always laundering something or the other,” Virgo whispered to Leo. He laughed. The head of a lion behind them smiled, shooting water from its mouth into the fountain.
“No, no think real liquidity,” The two sat in the courtyard of The Battery Club, one of San Francisco’s posh scenes. Amongst the insanity, absurdity, and decadence of San Francisco, The Battery Club stood at its center. People from all walks of life seduced, drank, and made business. Billion dollar deals were sealed with a handshake, visions of the future echoed across these walls.
“Let me think…” Leo and Virgo sat outside in the courtyard, rumours echoed that the entire building was bugged.
“Think James Bond Attack,” Leo whispered, crypto-OPSEC slang for physically accessing a computer with valuable data on it.
Virgo began to laugh, “You aren’t saying… Coinbase?”
“You’re on the money, but their volumes are pitiful. Something less… regulated.”
Virgo Laughed, “The Loch Ness Exchange?”
Leo smiled, taking a sip of wine.
A helicopter thwacked above.
“Keep it down,” Leo pulled a beat up, black iPad Mini from his suit jacket and began reading, “The Loch Ness exchange, the largest source for Bitcoin liquidity on this side of planet Earth- In particular their Dark Pool.” Leo swiped to a floor plan of their office on Market Street.
“What we’re after,” Leo continued, “is not the exchange, but their dark pool and custodial service. At the current exchange rate that’s over ███ billion dollars in mostly bitcoin.
Leo opened Microsoft excel in his beat up iPad, showing a bank statement for the Loch Ness’ private custodial service.
Virgo appeared extremely skeptical, “How did you get this? These numbers are well over █ billion dollars a week!” He ran his fingers through his dark hair.
Leo shrugged, “SWIFT- is a pile of trash written on PL-One from the 1970s. Zero days go for a few Bitcoins on Tor.”
“The world’s richest and most powerful men,” Leo continued, “Entrust their money with Loch Ness, stored on HSMs [hardware security modules] on Market Street. But take a look at this,” Leo scrolled down the spreadsheet, showing a handful of transactions valued in the billions of dollars. “Looks like Loch Ness is in way over their heads.”
Virgo ran his finger down the edge of the iPad, and looked up. “Deposit: 1.29 Billion Euros. They’re running insane OTC,” [Over The Counter trades make up the highest volume crypto trades and are wildly unregulated.] “I didn’t know they had this sort of volume.”
“Yeah. From what I can understand, it looks like the IRS doesn’t know either. This isn’t their official bank statement.” Leo looked over his shoulder, “An acquaintance of mine traced this to a BVI.” He highlighted a row on Excel.
Virgo ran his fingers through his hair in astonishment.
“It gets better!” Leo laughed, “It looks like the Venezuelan central bank is diversifying. These deposits are associated directly with officials in South America.” He looked Virgo in the eye and powered off the iPad. “That’s billions of dollars in crypto that no one can ever report stolen,”
Somehow Israelis always had a way of explaining things.
“Oh no. Hell no! I know that look. No way, not since what happened in Mumbai.”
Leo smiled “I already have a guy in Malta,” and shrugged, “Besides, we made it out just fine!”
“I spent three days in a Goan prison!”
“You made some good friends,”
Virgo stopped him, “Besides, even if we can get our hands on the HSM, there’s no way we can crack it! Unless ARM SecurCore has a hardware backdoor,” He threw his hands up in the air, “Or we can get our hands on a…”
“…A quantum computer?” Leo had that smile again across his face.
The offline iPad glowed with the (very difficult to find) datasheet of the hardware security module (HSM).
“The SafeNet ProtectServer HSM running an ST31 type ARM SecurCore®.” Aires looked up, “You’ve gotta be kidding me.” She pursed her lips, sitting at a long table overlooking the city of San Francisco. Leo had rented the Battery’s rooftop suite. A hot tub bubbled to their left, the midday sun was shaded by canvas umbrellas.
Virgo had a Samsung laptop open running Tails, “It’s definitely doable. A few Russian and Israeli chip labs can disable that shield.”
The security module inside the specially designed server managed billions of dollars in Loch Ness cryptocurrency. The physical silicon lay protected by a nanometer mesh. If cut through to probe the chip, the device would self destruct. It was a fort knox, scaled down to the nanometer scale, with added explosive tripwires.
Aires wasn’t smiling. She knew where this was heading.
“But… we don’t need to probe the silicon,” Virgo continued, “If we can get a-”
Aires sighed, “That’s not how quantum computers work! Just because I build quantum computers for the largest tech company on Earth doesn’t mean we can go around breaking into secure elements!”
Leo exhaled briskly, raising his brow, “What about that contract with that Other Government Agency?” Leo asked, referring to the CIA’s project █████, a joint signals intelligence program with DARPA, the NSA, and a major Silicon Valley tech company.
Aires eyes jumped about her surroundings and she shifted her legs. A police siren sounded out on the streets below.
“Just hear me out,” Virgo switched tabs on his Tails machine, reading aloud, “Here’s a blog post from the manufacturer…
‘The scenario where the hackers manages to magically extract [Virgo wiggled his hands in the air] the master seed from the HSM is extremely unlikely… Most exploits have been limited to abuse or misunderstand…. blah blah blah …Of course, one can always say that nothing is unhackable, and this would be true; but the difficulty to achieve such a feat is a few orders of magnitude higher than “just” taking control of a full IT architecture.’”
Virgo continued, looking up to Aires, “They said it there- nothing is unhackable! We just need someone with technology ‘a few orders of magnitude’ better than what’s available commercially.”
Leo interrupted before Aires could take in the words, his older voice bringing strength to the situation, “The HSM we have in question here has over ███ Billion dollars in crypto. They haven’t declared it to the IRS, it’s dirty money, and I can get it mixed by the best. Your cut is one third.”
Aires looked up to the Transamerica Tower looming above. She smiled, then took a deep breath, “What makes you even think this is possible?”
“Wikileaks! Stolen datasheets! Gut feelings.” Virgo blurted out.
Leo coughed, silencing Virgo, “Trusted sources who have seen internal code, and others who deeply understand their banking patterns,” He paused for effect, “We can’t do this without you.”
Aires took another deep breath and quickly exhaled, “Regardless of the key scheme… God- people have freak accidents after this sort of talk!” She looked around, “This is single handedly what’s going to win World War Three. We’re not talking about sweeping a few bitcoin wallets, we’re talking about winning global, thermo- fu**ing nuclear war!” She looked at Virgo, Leo, then sighed “If its ARM based, and you can get me serial, I can break the chip in less than 60 seconds.”
Leo smiled. “Sixty seconds? You’ve never let us down before.” He held out his hand, and Aries grasped, shaking firmly.
While bitcoin’s SHA256 and ether’s SHA3 encryption scheme would take a few hours to crack, someone would notice a quantum computer gone for that time. However, the ST31 chipset signed transactions with a much weaker “NSA approved” cryptographic scheme. This key, once extracted, could further “leak” the master seed by modifying a fuse bit on the chipset. With that master seed, billions of dollars of crypto were free for the taking.
Aires knew this, in particular the ST31’s vulnerabilities. The US Government spends billions making sure these zero days go undiscovered. Besides, Aires had always found working with Leo an intense thrill. He was classy, intelligent, passionate, afraid of nothing-
“Here’s what we’re going to do,” Leo removed an open bottle of champagne from a chiller, his vintage Rolex Datejust reflecting in the sunlight, “We’ve set up a replica of the Loch Ness Exchange on Treasure Island; Down to the vault and server inside.” He opened up floor plans on his iPad, “I want to go through this a dozen times, each with a different seed…”
Leo and Virgo walked calmly down Market Street at three in the morning. The street had an eerie silence. People were sleeping about on the streets, a few lonely Ubers dove by. The foggy sky obscured buildings, giving the city a wet, suffocating blanket.
Turning into an unmarked office building, Virgo held up an Android phone with only its NFC radio enabled. The rooted smartphone ran an APK found on the deep web for less that .1 BTC. The front door of the building easily unlocked, its outdated security system logging entry of the CEO of Loch Ness.
Both wore matte black hoodies, black baggy jeans (to protect against gait recognition), and black Camelbak H.A.W.G. backpacks. Special shemaghs designed by 8200 covered their faces. The light, transparent fabric protecting against visible and thermal facial recognition (using a technique called visible and IR polarization). It made someone’s face appear as it had been digitally blurred.
The elevator chimed open with a swipe of the phone. Virgo’s pack had a large, matte painted cylinder sticking out. Leo removed a “Ghost Gun” from his shoulder holster, a Polymer 80, Glock 26 with a silencer. He press checked the chamber. Virgo set a timer on his watch.
“Bingo,” Leo said aloud. The elevator chimed opened on the 8th floor and Leo jumped out, strobing his flashlight, “POLICE! ON THE GROUND! SFPD! GET ON THE GROUND!” He screamed in a deep accent at the security guard armed with an AR-15. The rifle immediately clattered to the ground.
Before the security guard could realize his mistake Leo threw him to the floor, and zip-tied his hands. Virgo removed an Epi-Pen like device covered in Chinese writing (also purchased on the deep web), and stuck it into the guards neck. “Relax you’re going to be alright. We’re not here to hurt you. Hodl on and everything will be okay.”
The guard slumped over from the tranquilizer. Virgo checked his timer, “eight minutes.”
Leo walked up to the door leading to the office. Bulletproof glass lined the wall revealing an empty office. The biometric door lock was too secure to bother cracking, Leo slapped a Russian made breaching charge to the door (also bought online) and unspooled det-cord.
Already wearing yellow tinted safety goggles beneath their shemaghs, Virgo dragged the passed out security guard to a safe distance, covering his face and ears.
“CLEAR!” Leo yelled. A small explosion rocked through the hallway. The lock on the door disintegrated. Leo slammed against the deadbolt with his thick frame and the door screeched open, his pistol drawn.
They had the office memorized.
“Six minutes.” They sprinted towards the safe. Disabling modern day security alarms is nearly impossible, therefore it was assumed whatever alarms had been in place were already tripped. It was now a race against the average SFPD response time.
Virgo hoped the alarm wouldn’t wipe the HSMs. Fortunately, most crypto engineers believed code was god- in particular their code.
Who would be stupid enough to try and James Bond an HSM? Given the utmost paranoia of the Loch Ness Exchange, servers were stored in a physical time locked vault at the rear of the office.
The two paused before the magnificent vault door. They bowed politely before the beast, and Leo removed three custom shaped explosive charges.
Virgo measured and marked placement with a tape measure, drilling several small holes. Explosives were placed at cefully measured points against the vault. Leo ran det-cord to each of the explosives, lining up steel cover places. Virgo drilled self tapping bolts into the holes while Leo checked the connections individually.
Metal plates acted as an explosive lense, focusing the force onto specific mechanics within the vault. The same physics behind a nuclear warhead were going to open the vault before them.
A much larger explosion destroyed the face of the vault (And a few office Retina Displays), revealing wires and mechanical sub assemblies. Virgo clicked on a Surefire flashlight, reviewing a mess of contorted metal with his Mechanix gloves. He pulled a broken rod, listened for the click, and nodded.
Leo pocketed the detonator, and reached his hands into a hole blown open by one of the charges.
Virgo did the same. “Three, Two, One,” His whispered. Something within the door shifted. Virgo removed a drill, with a long flexible bit, and attached it deep within the door. He clicked the trigger, and the whirring of the motor sounded out.
Something began stirring within the vault. The giant metal pegs locking the door into place began to move. Virgo checked his watch, taking a deep breath.
The door clicked,
“Two minutes. Go!”
“Go!” Leo pulled the vault door open, while Virgo put away his tools, replacing the bit on his drill. An alarm sounded out, the sound of a buzzer or constant claxon. That wasn’t part of the plan.
Before them lay a magnificent server rack centered amongst the vault. Its dark interior glowed with colored LEDs. A Cisco router and a load balancer snaked ethernet cables into a dozen solid state drives. A few servers flashed brightly colored LEDs. Center frame, the hardware security modules stared demonically back. The two could barely hold back a gasp.
Death metal began playing in the background.
Virgo removed the black cylinder from his bag, twisting a valve. He aimed it at the number three HSM, a plume of nitrogen erupted on the device. The modified ThermoFisher liquid nitrogen flask sprayed the -196° C liquid across the module. After counting to eight he switched off the power to the server rack, continuously spraying the HSM with liquid nitrogen.
Leo simultaneously unscrewed the HSM, pulling it from the rack, and removed its top panel with another spray of liquid nitrogen. The whole PBC was potted (meaning covered in plastic). The ST31 security chip that held the private keys were controlled (and wiped upon tampering) by a small microcontroller. Virgo placed a special stencil over the HSM’s computer board and drilled three holes. One for the microcontroller, one for the backup power capacitor, and the third for a timing crystal.
The holes essentially disabled the circuits that would run consistency checks upon power failure, and wipe the HSM’s ST31 chip. Virgo placed the unit into a specially designed waterproof bag, and attached it to his backpack. He sprayed another blast of liquid nitrogen into the bag, further cooling the HSM.
The floor of the vault lay covered in nitrogen clouds leaking from Virgo’s backpack. “Fundez are safuh.”
“Sixty seconds,” Virgo sounded out. The two rushed for the exit. Leo saluted the office, throwing a small smoke grenade into the room. He pulled the fire alarm. Orange smoke filled the office.
“Loch Ness, it has been a pleasure.” Sprinklers were triggered, flooding the office with water.
The two turned right, careful not to slip as water cascaded down their Cordura garments. They headed for the emergency exit, barreling down the stairs. Virgo kept spraying the HSM, keeping it cold, careful to maintain its “power failure” state within the chip.
The stairwell was dry, Leo peered down the empty space between the flights as they bounded down the steps.
The ground floor fire door banged open. Four heavily armed private military contractors sprinted into the opening. Leo and Virgo hid against the walls as the men below spread out.
Loch Ness was not screwing around with their security.
“Right clear,” One of the men yelled.
Another, “Left Clear!”
“Engage! Top Left! Two men! Two stories up!” They yelled.
Leo was pretty sure the men were supposed to tell them to put their hands up or something. Instead, three fully automatic M4A1 rifles began raining brass into the stairwell below.
Lead sparked against the metal hand railings. Leo removed the silencer from his pistol, firing above the heads of the men below. He was NOT killing anyone tonight. He threw another smoke grenade into the stairwell below, “Get ready to jump!” Orange smoke was filling the stairwell.
Virgo removed a military flashbang, making his way down another flight of stairs. He pulled the tab, throwing the charge into the stairwell below. The device burst in a bright flash, then popped, mimicking automatic gunfire. The men below ran for cover.
“Go!” Leo yelled jumping into the basement below. He disappeared amidst a haze of orange smoke and bursts of gunfire.
Virgo followed, landing hard on his side. Leo pulled him up, escaping to the basement door. A steel door ‘s lock was quickly bumped open, as Leo and Virgo squeezed into the steam tunnels.
The two panted against the locked, steel fire door, looking at each other and grinning. They leapt forward, squeezing through the passageways before them.
The Loch Ness building connected to San Francisco’s PG&E steam tunnels from the basement. Blue tinted LED lights lit from a ceiling riddled with pipes and fibre optic cables. A plume of clouds followed Virgo as liquid nitrogen leaked from his pack.
Leo could hear sirens on the street above. The tunnel followed Market Street, with access from any one of the grated manhole covers above. Anyone on Market Street could look down and see this hidden world below.
Counting each manholes above, Leo stopped at a ladder marked in pink tape, and began climbing. Pushing open the grate, climbing up to the corner of Market and Gough St.
Zuni Cafe lay silent, covered in mist as Leo he helped Virgo pull up the backpack containing the HSM. Sweat beaded down Leo’s face amongst the crisp, humid air. A grey ceiling of clouds rolled above as Virgo climbed out. Orange sodium vapour lamps of a pre-nuclear civilization lit the sky a daring yellow.
It was a rush that could compare to nothing, not sex, not cocaine, not even killing someone. The manhole cover was replaced, and a fire truck shot down Market Street. Its tires slid on the wet roads as it sped towards the Loch Ness building.
A deep breath.
The grey Ford cargo van waited a few meters away. Leo climbed in the driver’s seat, cranking the ignition, Virgo hoped in the back. The van pulled a u-turn on the wet roads, hauling ass towards Height street.
Only minutes remained before the root key stored within the HSM would be recreated somewhere else, swept, and become useless.
Virgo plugged in a multi-SIM gateway, opening up his Tails machine. He initiated a specially encrypted VoIP. “Aires, copy?”
“Aires standing by. I see your port now.”
The HSM was placed on a table in the back of the van. They had already done this half a dozen times in training.
A large box sat in the rear of the van, reading “Epilog Laser”. Virgo carefully placed the HSM into a jig within the laser cutter, defining datums. A 3D model of the PCB structure was loaded onto a small industrial computer. Leo slid the van into a parking space in The Castro. The van blacked out, and he joined Virgo in the back.
The laser cutter began away etching away the HSM’s PCB potting.
A precision rework soldering iron chimed on, heating up next to the laptop on the table. Plastic potting covering the HSM electronics board was removed as the precision infrared laser vaporized the HSM’s protective coating. Virgo removed the device from the machine. Another squirt of liquid nitrogen kept the HSM colder than the dark side of the moon.
Virgo blew away the bits of dust, a complex maze had been etched into the circuit board potting. He clicked on a fan, “Probing the crystal now, standby.”
Aires replied in almost a whisper, “Roger that.”
Virgo placed a magnifying glass over the HSM. The ST31’s “heart” was a tiny quartz oscillating crystal. It set the pace at which the microprocessor would run. With a careful movement on the rework soldering iron, he melted away the remaining solder around the quartz crystal, replacing it with a custom designed module.
He flicked on a very expensive signal generator, and set a the clock speed for the chip.
“Crystal running, getting feedback from the chip,” Virgo said aloud, wiping his brow. With another spurt from the liquid nitrogen, he continued to melt away solder from a spot around the ST31 chipset. This was the most delicate part of the operation. Leo aimed a small tube of liquid nitrogen at the chip, while Virgo melted solder just millimetres away.
The chip uses a serial interface, which communicates with other parts of the electronics. Virgo carefully cleaned away a few via from the PCB, soldering tiny wires to the board. The final wires connected to ground and power pins of the chip. The tiny wires from the HSM connected to a Segger debugging kit, plugged into to Virgo’s computer.
“I see the Segger. Starting quantum script.” Aires exclaimed, “Listening. Core looks stable. Ready when you are.”
Virgo checked the signal generator, and clicked on a digital power supply. An LED flashed on the PCB.
“Got it, probing IART,” Aires whispered, typing rapidly on her computer, “Signals looking good. Take her sub kilohertz.”
“Okay now,” Virgo slowly spun the knob on the signal generator, taking the integrated hardware security module clock speed from nearly 10 Mhz, to a standstill. The chip became frozen in time.
This function disabled the rate limiter, allowing the team to send multiple commands without wiping the chip.
“Sending test transaction now to multifactor…” Aires whispered, “Declined! Extracting public key…”
Meanwhile a quantum computer in Santa Monica ran a “test simulation” attempting to solve for a difficult math problem that one of the test engineers had provided. The quantum computer solved the simple problem in just under seven seconds. No records for the CIA’s project █████ were recorded.
“Key extracted,” Aires said with a monotone. “Probing fuse bit… Got it!”
Virgo wiped his face again,
“Running the attack,” She continued. A keyboard clacked in the background.
Virgo opened the command prompt to receive the private key from Aires.
Leo took a deep breath, then swore. The root key appeared on screen:
“Sweep her clean”
“Thanks Aires” Virgo received the private key, then ran a script. From there, he constructed thousands of bitcoin wallets, performing a “sweeping function”.
The sweeping function signed Bitcoin transactions from the hundreds of derived wallets.
The final act of the theft was perhaps its least elegant.
Virgo sat with his computer open staring at the bland interface of Electrum Wallet. Tails’ ugly blue screen wallpaper filled the van with blue light. Leo peered closer at the list of hundreds of wallets, each loaded with tens of thousands of their very own Bitcoins.
The transactions were now being verified by miners, irrevocable, written forever in time.
Virgo walked along the sandy shores of Anjuna Beach on the dreamy shores of Goa, India. The faint sun was setting, he held a silver iPhone X up to his ear, connected to an encrypted VoIP.
“I hope you’re enjoying Malta, my friend!”
Leo sounded overjoyed on the phone, his Israeli accent hard to ignore now, “Likewise! I believe it’s been years since we first met on the beaches of India.”
Virgo chuckled, “And I’m still missing my home in Koramangala,” A stunning white gowned lady followed him along the beach, playing her feet in the water.
“By the way, you should see the vibrant sunrises here in Malta!”
Virgo stopped in the sands, looking out to the setting sun. Its orange, circular edge wiggled on the horizon, dipping towards sunrise in California.
Adjectives describing the sky defined a successful transfer. Synesthesia defined trouble- predetermined code to initiate an absurdly encrypted chat.
Funds had been converted countless times from Bitcoin into a variety of privacy coins (Mostly Zcash, Loki and Monero) and back again into Bitcoin. This process was repeated hundreds of times, across thousands of accounts. For some reason the ‘coin was converted into Doge’ a few times.
In the end, vibrant sunrises, or colorful clouds- or whatever, meant that over ██ Billion dollars worth of Bitcoin had been deposited into Virgo’s pre determined wallets.
On the same beaches that brought Arab, African, and Chinese, traders stood Virgo, barefoot, staring into the sunset. Hundreds of Thousands of bitcoins flooded his wallets, validated block by block.
The strange thing about growing wealthy is you don’t really feel it. In an instant you’re rich yet you feel entirely the same. Everyone is your best friend, and you don’t know a thing about anyone. Perhaps the wealthiest anyone will ever feel is when they’re completely poor; Completely free from the chains of wealth.
Leo spoke out from the iPhone. His voice sounding distant amongst the waves. Virgo looked back to his lady, in flowing white garbs.
Leo spoke through the encrypted VoIP, “Now what?”
Virgo smiled, looking back to his love, “See you soon, my friend.” Virgo threw his phone into the sea, splashing amongst ripples of the sunset.