The Coinmine One is a box that mines crypto at home

For $799 you can start mining cryptocurrencies in your home, a feat that previously either required a massive box costing thousands of dollars or, if you didn’t actually want to make any money, a Raspberry Pi. The Coinmine One, created by Farbood Nivi, soundly hits the sweet spot between actual mining and experimentation.

The box is about as big as a gaming console and runs a custom OS called MineOS. The system lets you pick a cryptocurrency to mine – Monero, for example, as the system isn’t very good with mature, ASIC-dependent currencies like BTC – and then runs it on the built-in CPU and GPU. The machine contains an Intel Celeron J Series processor and an AMD Radeon RX570 graphics card for mining. It also has a 1 TB drive to hold the massive blockchains required to manage these currencies.

The box mines Ethereum at 29 Mh/s and Monero at 800 h/s – acceptable numbers for an entry level miner like this one. You can upgrade it to support new coins, allowing you to get in on the ground floor of whatever weird thing crypto folks create tomorrow.

I saw the Coinmine in Brooklyn and it looks nice. It’s a cleverly-made piece of consumer tech that brings the mystery of crypto mining to the average user. Nivi doesn’t see this as a profit-making machine. Instead, it is a tool to help crypto experimenters try to mine new currencies and run a full node on the network. That doesn’t mean you can’t get a Lambo with this thing, but expect the Lambo to take a long, long time.

The device ships next month to hungry miners world-wide. It’s a fascinating move for the average user to experience the thrills and spills of the recent crypto bust.

States will vote on these energy and environment issues in midterm elections


In the United States, mid-term elections are set to take place on Tuesday November 6. Although much of the limelight is on Congressional races and gubernatorial races, US citizens also have the chance to vote on some important initiatives, measures, and amendments that are specific to their state. These state rules can often have a more direct impact on the lives of Americans than their representatives in Congress do, but because proposals tend to be long and nuanced, they also can attract a lot less attention.

Energy and environment topics are among the most contentious of 2018’s ballots, especially in western states where fossil fuel interests are facing a public that’s increasingly concerned with climate change. Here’s a look at seven proposed rules on US state ballots that could influence state economies and environments in serious ways.

Alaska, Ballot Measure 1

Salmon Habitat Protections and Permits Initiative


Lithium giants feud over competition, brine in Chile’s Atacama Desert


Two of the world’s biggest lithium producers, Albemarle Corporation and Sociedad Quimica y Minera de Chile (otherwise known as SQM), are tangled in two disputes: the first over water rights in Chile’s Atacama desert, and the second over ownership of SQM.

Both Albemarle and SQM have significant operations in the Atacama desert, where some of the world’s best lithium resources exist. As electric vehicles with lithium-ion batteries become more popular, lithium resources are becoming more valuable. That has created some conflict in an industry that has long remained relatively quiet.

Who’s drinking whose milkshake?

This week, Reuters reported that both Albemarle and SQM have accused each other of overdrawing brine from the Atacama’s underground aquifers. Both companies have operations in the Atacama’s Salar, and their operations are just three miles apart from each other. The brine water that has been accumulating for millennia under the Atacama is lithium-rich, and companies pump it out and send the brine to evaporation ponds where heat extracts the water and leaves the reactive alkali metal behind.


African experiments with drone technologies could leapfrog decades of infrastructure neglect

A drone revolution is coming to sub-Saharan Africa.

Countries across the continent are experimenting with this 21st century technology as a way to leapfrog decades of neglect of 20th century infrastructure.

Over the last two years, San Francisco-based startup Zipline launched a national UAV delivery program in East Africa; South Africa passed commercial drone legislation to train and license pilots; and Malawi even opened a Drone Test Corridor to African and global partners.

In Rwanda, the country’s government became one of the first adopters of performance-based regulations for all drones earlier this year. The country’s progressive UAV programs drew special attention from the White House and two U.S. Secretaries of Transportation.

Some experts believe Africa’s drone space could contribute to UAV development in the U.S. and elsewhere around the globe.

“The fact that [global drone] companies can operate in Africa and showcase amazing use cases…is a big benefit,” said Lisa Ellsman, co-executive director of the Commercial Drone Alliance.

Test in Africa

It’s clear that the UAV programs in Malawi and Rwanda are getting attention from international drone companies.

Opened in 2017, Malawi’s Drone Test Corridor has been accepting global applications. The program is managed by the country’s Civil Aviation Authority in partnership with UNICEF.

The primary purpose is to test UAVs for humanitarian purposes, but the program “was designed to provide a controlled platform for… governments…and other partners…to explore how UAVs can help deliver services,” according to Michael Scheibenreif, UNICEF’s drone lead in Malawi.

That decision to include the private sector opened the launch pads for commercial drones. Swedish firm GLOBEHE has tested using the corridor and reps from Chinese e-commerce company JD have toured the site. Other companies to test in Malawi’s corridor include Belgian UAV air traffic systems company Unifly and U.S. delivery drone manufacturer Vayu, according to Scheibenreif.

Though the government of Rwanda is most visible for its Zipline partnership, it is shaping a national testing program for multiple drone actors.

“We don’t want to limit ourselves with just one operator,” said Claudette Irere, Director General of the Ministry of Information Technology and Communications (MiTEC).

“When we started with Zipline it was more of a pilot to see if this could work,” she said. “As we’ve gotten more interest and have grown the program…this gives us an opportunity to open up to other drone operators, and give space to our local UAV operators.”

Irere said Rwanda has been approached by 16 drone operators, “some of them big names”—but could not reveal them due to temporary NDAs. She also highlighted Charis UAS, a Rwandan drone company, that’s used the country’s test program, and is now operating commercially in and outside of Rwanda.

UAV Policy

Africa’s commercial drone history is largely compressed to a handful of projects and countries within the last 5-7 years. Several governments have jumped out ahead on UAV policy.

In 2016, South Africa passed drone legislation regulating the sector under the country’s Civil Aviation Authority. The guidelines set training requirements for commercial drone pilots to receive Remote Pilot Licenses (RPLs) for Remotely Piloted Aircraft Systems. At the end of 2017 South Africa had registered 686 RPLs and 663 drone aircraft systems, according to a recent State of Drone Report.

Over the last year and a half Kenya, Ghana, and Tanzania have issued or updated drone regulatory guidelines and announced future UAV initiatives.

In 2018, Rwanda extended its leadership role on drone policy when it adopted performance-based regulations for all drones—claiming to be the first country in the world to do so.

So what does this mean?

“In performance-based regulation the government states this is our safety threshold and you companies tell us the combination of technologies and operational mitigations you’re going to use to meet it,” said Timothy Reuter, Civil Drones Project Head at the World Economic Forum.

Lisa Ellsman shared a similar interpretation.

“Rather than the government saying ‘you have to use this kind of technology to stop your drone,’ they would say, ‘your drone needs to be able to stop in so many seconds,’” she said.

This gives the drone operators flexibility to build drones around performance targets, vs. “prescriptively requiring a certain type of technology,” according to Ellsman.

Rwanda is still working out the implementation of its performance-based regulations, according to MiTEC’s Claudette Irere. They’ve entered a partnership with the World Economic Forum to further build out best practices. Rwanda will also soon release an online portal for global drone operators to apply to test there.

As for Rwanda being first to release performance-based regulations, that’s disputable. “Many States around the world have been developing and implementing performance-based regulations for unmanned aircraft,” said Leslie Cary, Program Manager for the International Civil Aviation Authority’s Remotely Piloted Aircraft System. “ICAO has not monitored all of these States to determine which was first,” she added.

Other governments have done bits and pieces of Rwanda’s drone policy, according to Timothy Reuter, the head of the civil drones project at the World Economic Forum. “But as currently written in Rwanda, it’s the broadest implementation of performance based regulations in the world.”

Commercial Use Cases

As the UAV programs across Africa mature, there are a handful of strong examples and several projects to watch, with Zipline the most robust and visible drone use case in Sub-Saharan Africa.

While the startup’s primary focus is delivery of critical medical supplies, execs repeatedly underscore that Zipline is a for-profit venture backed by $41 million in VC.

The San Francisco-based robotics company — that also manufactures its own UAVs — was one of the earliest drone partners of the government of Rwanda.


The alliance also brought UPS and the UPS Foundation into the mix, which back Zipline with financial and logistical support.

After several test rounds, Zipline went live with the program in October, becoming the world’s first national drone delivery program at scale.

“We’ve since completed over 6000 deliveries and logged 500,000 flight kilometers,” Zipline co-founder Keenan Wyrobek told TechCrunch. “We’re planning to go live in Tanzania soon and talking to some other African countries.”

In May Zipline was accepted into the U.S. Department of Transportation’s Unmanned Aircraft Systems Integration Pilot Program (UAS IPP). Out of 149 applicants, the Africa-focused startup was one of 10 selected to participate in a drone pilot in the U.S. – to operate beyond-visual-line-of-sight medical delivery services in North Carolina.

In a non-delivery commercial use case, South Africa’s Rocketmine has built out a UAV survey business in 5 countries. The company looks to book $2 million in revenue in 2018 for its “aerial data solutions” services in mining, agriculture, forestry, and civil engineering.

“We have over 50 aircraft now, compared to 15 a couple years ago,” Rocketmine CEO Christopher Clark told TechCrunch. “We operate in South Africa, Namibia, Ghana, Ivory Coast, and moved into Mexico.”

Rocketmine doesn’t plan to enter delivery services, but is looking to expand into the surveillance and security market. “After the survey market that’s probably the biggest request we get from our customers,” said Clark.

More African use cases are likely to come from the Lake Victoria Challenge — a mission specific drone operator challenge set in Tanzania’s Mwanza testing corridor. WeRobotics has also opened FlyingLabs in Kenya, Tanzania, and Benin. And the government of Zambia is reportedly working with Sony’s Aerosense on a drone delivery pilot program.

Africa and Global UAV

With Europe, Asia, and the U.S. rapidly developing drone regulations and testing (or already operating) delivery programs (see JD.com in China), Africa may not take the sole position as the leader in global UAV development. But pilot projects in the particularly challenging environments these geographies (and economies) represent will shape the development of the drone industry.

The continent’s test programs — and Rwanda’s performance-based drone regulations in particular — could advance beyond visual line of sight UAV technology at a quicker pace. This could set the stage for faster development of automated drone fleets for remote internet access, commercial and medical delivery, and even give Africa a lead in testing flying autonomous taxis.

“With drones, Africa is willing to take more bold steps more quickly because the benefits are there and the countries have been willing to move in a more agile manner around regulation,” said the WEF’s Reuter.

“There’s an opportunity for Africa to maintain its leadership in this space,” he said. “But the countries need to be willing to take calculated risk to enable technology companies to deploy their solutions there.”

Reuter also underscored the potential for “drone companies that originate in Africa increasingly developing services.”

There’s a case to be made this is already happening with Zipline. Though founded in California, the startup honed its UAVs and delivery model in Rwanda.

“We’re absolutely leveraging our experience built in Africa as we now test through the UAS IPP program to deliver in the U.S.,” said Zipline co-founder Keenan Wyrobek.

Cryptocurrency mining attacks using leaked NSA hacking tools are still highly active a year later

It’s been over a year since highly classified exploits built by the National Security Agency were stolen and published online.

One of the tools, dubbed EternalBlue, can covertly break into almost any unpatched Windows machine around the world. It didn’t take long for hackers to start using the exploits to run ransomware on thousands of computers, grinding hospitals and businesses to a halt. Two separate attacks in as many months used WannaCry and NotPetya ransomware, which spread like wildfire. Once a single computer in a network was infected, the malware would also target other devices on the same network. The recovery was slow and cost companies hundreds of millions in damages.

Yet, more than a year since Microsoft released patches that closed the SMB vulnerability EternalBlue exploits, almost a million computers and networks are still unpatched and vulnerable to attack.

Although WannaCry infections have slowed, hackers are still using the publicly accessible NSA exploits to infect computers to mine cryptocurrency.

Nobody knows that better than one major Fortune 500 multinational, which was hit by a massive WannaMine cryptocurrency mining infection just days ago.

“Our customer is a very large corporation with multiple offices around the world,” said Amit Serper, who heads the security research team at Boston-based Cybereason.

“Once their first machine was hit the malware propagated to more than 1,000 machines in a day,” he said, without naming the company.

Cryptomining attacks have been around for a while. It’s more common for hackers to inject cryptocurrency mining code into vulnerable websites, but the payoffs are low. Some news sites are now installing their own mining code as an alternative to running ads.

But WannaMine works differently, Cybereason said in its post-mortem of the infection. By using those leaked NSA exploits to gain a single foothold in a network, the malware tries to infect any computer within that network. It’s persistent, so the malware can survive a reboot. After it’s implanted, the malware uses the computer’s processor to mine cryptocurrency. On dozens, hundreds, or even thousands of computers, the malware can mine cryptocurrency far faster and more efficiently. Though it’s a drain on energy and computer resources, it can often go unnoticed.

After the malware spreads within the network, it modifies the power management settings to prevent the infected computer from going to sleep. Not only that, the malware tries to detect other cryptomining scripts running on the computer and terminates them — likely to squeeze every bit of energy out of the processor, maximizing its mining effort.

At least 300,000 computers or networks are still vulnerable to the NSA’s EternalBlue hacking tools.

Based on up-to-date statistics from Shodan, a search engine for open ports and databases, at least 919,000 servers are still vulnerable to EternalBlue, with some 300,000 machines in the US alone. And that’s just the tip of the iceberg — that figure can represent either individual vulnerable computers or a vulnerable network server capable of infecting hundreds or thousands more machines.

Cybereason said companies are still severely impacted because their systems aren’t protected.

“There’s no reason why these exploits should remain unpatched,” the blog post said. “Organizations need to install security patches and update machines.”

If not ransomware yesterday, it’s cryptomining malware today. Given how versatile the EternalBlue exploit is, tomorrow it could be something far worse — like data theft or destruction.

In other words: if you haven’t patched already, what are you waiting for?

Toronto miner unearths boulder that contains 9,000 ounces of gold in Australia, worth about $15 million

Rare is the story of a modern mining company that unexpectedly strikes a mother lode of gold.

But Toronto-based junior mining company Royal Nickel Corp. announced Sunday night that its employees in Australia at the Beta Hunt mine — which the company has been trying to sell since April — removed a golden boulder like few others in the world: Within a single cube of earth that measured roughly three meters wide, three meters long, and three meters deep, they found 9,000 ounces of gold including two large lumps — all told worth around $14 or $15 million at current prices. That’s equivalent to roughly 40 per cent of RNC’s $35 million market capitalization as of last week.

“It was a nickel mine for years and years,” said Mark Selby, chief executive of RNC. “But we bought it because there were a bunch of gold deposits sitting beneath it.”

Royal Nickel stock surged 83 per cent to $0.16 on the Toronto Stock Exchange on Monday.

To put the latest find into perspective, the Beta Hunt mine normally produces ore that contains around two to four grams of gold per ton, considered a standard amount. But the latest find contained 2,000 grams of gold per ton, according to Selby.

Miners broke off one 95-kilogram stone that contained an estimated 2,440 ounces of gold, according to the company. Selby said it was so pure it did not need to be processed and was sent directly to the Perth Mint.

According to the World Gold Council, the “largest ever true gold nugget” weighed slightly more than 2,300 ounces. RNC’s specimen contains some quartz, however, so it may not count as an apples-to-apples comparison.

Trevor Turnbull, a mining analyst with Scotia Capital, said that while it’s not a pure gold nugget, its sheer size makes it unique and potentially very valuable.

“They’ll probably sell it as a museum piece and they’ll make a fair bit of money,” said Turnbull.


He said the real question, unanswerable without more information, is whether the gold comes from a vein that will quickly “pinch out or whether it stays wide.”

RNC purchased the Beta Hunt mine in 2016 for a mix of cash and its own shares worth around $12.5 million.

Located in Western Australia, about 600 kilometres from Perth, it had been a nickel mine since the 1970s. RNC has been trying to sell it since April so it can focus on raising $1 billion to build its planned Dumont nickel mine in Quebec.

Selby, who lives in Toronto, said he heard the news when he woke up in the middle of the night last Monday to use the bathroom.

“I flip my phone on and find out,” he said. “I didn’t go back to bed. You don’t find 2,000-ounce hunks of gold very often, so it’s good to be lucky.”

The Australian news channel ABC reported that the miners were working underground, at around 500 meters below surface, in the Kambalda district.

Henry Dole, the miner credited with finding the gold, said “Never in my life have I seen anything like this. There were chunks of gold in the face, on the ground, truly unique I reckon,” according to the ABC news report.

• Email: gfriedman@postmedia.com | Twitter:

The collapse of ETH is inevitable

Here’s a prediction. ETH — the asset, not the Ethereum Network itself — will go to zero.

Those who already think that ETH will not see real adoption — thanks to a failure to scale, to adopt more secure contract authoring practices, or to out-compete its competitors — don’t need to be convinced that a price collapse would follow as a consequence.

But if one believes that Ethereum will succeed beyond anyone’s wildest dreams as a platform, running a substantial share of the world’s commerce securely, then the proposition that ETH (as a currency) will go to zero will take a bit more convincing.

So here’s how Ethereum ends up succeeding wildly but ETH becomes worthless. Ethereum’s value proposition, as given by ethereum.org, is as follows:

Build unstoppable applications

Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third-party interference.

These apps run on a custom built blockchain, an enormously powerful shared global infrastructure that can move value around and represent the ownership of property.

This enables developers to create markets, store registries of debts or promises, move funds in accordance with instructions given long in the past (like a will or a futures contract) and many other things that have not been invented yet, all without a middleman or counterparty risk.

If Ethereum succeeds on its value proposition it will therefore mitigate external risk factors for decentralized applications.


No Future for ‘Gas’

There’s no value proposition for ETH in the official description. Perhaps this omission is because ETH’s value seems so obvious to the Ethereum Foundation that it is hardly worth mentioning: $ETH fees (dubbed ‘Gas’) are how you pay for all this.

If the concept of gas isn’t immediately obvious, let’s expand the metaphor: The Ethereum network is like a shared car. When a contract wants to be driven by the shared car, the car uses up fuel, which you have to pay the driver for. How much gas money you owe depends on how far you had to be driven, and how much trash you left in the car.

Gas is a nice metaphor, but the metaphor is insufficient as an argument to support non-zero $ETH prices. Gasoline actually burns inside an internal combustion engine; an internal combustion engine will not work without a combustible fuel. $ETH as Gas is a metaphor for how gasoline is consumed; there is no hard requirement for Gas in an Ethereum contract.


Buying the “BuzzwordCoin”

Suppose we’re building a new decentralized application, BuzzwordCoin. By default, following a standard ERC-20 Token template, every transaction on BuzzwordCoin will pay gas in $ETH. Requiring every BuzzwordCoin transaction to also depend on ETH for fees creates substantial risk, third party dependency, and artificial downwards pressure on the price of the underlying token (if one must sell BuzzwordCoin for ETH ahead of time to run a BuzzwordCoin transaction, then the sell-pressure will happen before the transaction requires it, and must be a larger sale than necessary to ensure sufficient funds to cover the transaction).

Instead of paying for Gas in ETH, we could make every BuzzwordCoin transaction deposit a small amount of BuzzwordCoin directly to the block’s miner’s address to pay for the contract’s execution. Paying for Gas in a non-ETH asset is sometimes referred to as economic abstraction in the Ethereum community.

The revised BuzzwordCoin contract has no functional dependence on ETH. We’re able to incentivize miners to mine transactions without paying any fees in ETH whatsoever.

If the BuzzwordCoin contract has non-transactional contractual clauses — that is, functionality that should be regularly called by any party, for tasks like computing and updating cached statistics in the contract — we can specify that the miner performing those clauses receives coins from an inflation or shared gas pool. In the shared pool, all fees for users’ transactions in a specific contract are paid to the contract’s wallet. A fee-dispensing contract call performing the non-transactional clauses releases the fee to the miner (this bears some semblance to Child Pays for Parent in the Bitcoin ecosystem).
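A sketch of the BuzzwordCoin design described above (in-token fees paid to the block’s miner, plus a shared pool released by a maintenance call), as an added example that is not code from the article; the contract, its fee constants and the cached statistic are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical BuzzwordCoin: a minimal ERC-20-style token in which every
// transfer pays its application-level fee in BuzzwordCoin rather than in ETH.
// Part of the fee goes straight to the block producer (block.coinbase); the
// rest accumulates in a shared pool that rewards whichever miner performs the
// contract's non-transactional maintenance work.
//
// Caveat: the EVM still charges ETH gas for the enclosing transaction today
// (the "software support" point the article raises); what this contract
// shows is the fee the application itself levies being decoupled from ETH.
contract BuzzwordCoin {
    string public constant name = "BuzzwordCoin";
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    // Illustrative fee constants, not values from the article.
    uint256 public constant MINER_FEE = 2; // paid to block.coinbase per transfer
    uint256 public constant POOL_FEE = 1;  // paid into the shared gas pool per transfer

    uint256 public sharedPool;             // fees waiting for a maintenance call
    uint256 public transfersSinceMaintenance;
    uint256 public cachedTransfersPerBlock; // example "cached statistic"
    uint256 public lastMaintenanceBlock;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event MaintenancePaid(address indexed miner, uint256 reward);

    constructor(uint256 initialSupply) {
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        lastMaintenanceBlock = block.number;
    }

    // Economic abstraction: the sender funds the fee in BuzzwordCoin.
    // The miner is credited in-token in the same transaction it includes.
    function transfer(address to, uint256 amount) external returns (bool) {
        uint256 fee = MINER_FEE + POOL_FEE;
        require(balanceOf[msg.sender] >= amount + fee, "insufficient balance incl. fee");
        balanceOf[msg.sender] -= amount + fee;
        balanceOf[to] += amount;
        balanceOf[block.coinbase] += MINER_FEE; // immediate in-token payment to the miner
        sharedPool += POOL_FEE;                 // deferred reward for maintenance work
        transfersSinceMaintenance += 1;
        emit Transfer(msg.sender, to, amount);
        return true;
    }

    // Non-transactional clause: anyone may call it, but the accumulated pool is
    // released to the block's miner (not the caller), so miners are the rational
    // party to include and execute it. One payout per block keeps the pool from
    // being drained by repeated calls inside a single block.
    function runMaintenance() external {
        require(block.number > lastMaintenanceBlock, "already run this block");
        uint256 blocksElapsed = block.number - lastMaintenanceBlock;
        cachedTransfersPerBlock = transfersSinceMaintenance / blocksElapsed;
        transfersSinceMaintenance = 0;
        lastMaintenanceBlock = block.number;

        uint256 reward = sharedPool;
        sharedPool = 0;
        balanceOf[block.coinbase] += reward;
        emit MaintenancePaid(block.coinbase, reward);
    }
}
```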

Battling the economic abstraction

There are four main counterarguments to economically abstracting Ethereum: the lack of software support for economic abstraction; difficulty in pricing many tokens; the existence of contracts not tied to tokens; and the need for ETH for Proof-of-Stake. While nuanced, all four arguments fall flat.

Software Support: Currently, miners select transactions based on the amount of Gas provided in ETH. As ETH is not a contract (like an ERC-20 token), the code is special-cased for transactions dealing in ETH. However, there are efforts to make Ethereum treat ETH as less of a special case and more like other ERC-20 tokens, and vice-versa. WETH, for instance, wraps ETH in a 1:1 pegged ERC-20 compliant token for trading on decentralized exchanges.

Detractors of economic abstraction (notably, Vitalik Buterin) argue that the added complexity is not worth the ecosystem gains. This argument is absurd. If the software doesn’t support the needs of rational users, then the software should be amended. Furthermore, under the status quo the wallet software required for any given token is made much more complex, as the wallet must manage balances in both ETH and the application’s token.

Market Pricing: To mine on Ethereum with economic abstraction, miners simply need software which allows them to account for discrepancies in their perceived value of active tokens and include transactions rationally on that basis. Such software requires dynamically re-ordering pending transactions based on pricing information, gleaned either through the miner’s own outlook or by monitoring cryptocurrency exchange prices.

Vlad Zamfir argues that the potential need to monitor market information on prices makes economic abstraction difficult.

However, miners requiring pricing information is already the status quo — rational actors need a model of future ETH prices before mining (or staking) to maximize profit against electricity costs, hardware costs, and opportunity costs.

Non-Token Contracts: Not all contracts have coins, or if they do, they may not be widely recognized, valuable, and traded on exchanges. Can such contracts pay fees without ETH?

Users of a tokenless contract can pay fees in whichever tokens they want. For example, a user of TokenlessContract can pay their fees in a 50/50 mix of LemonadeCoin and TeaBucks. To ensure liquidity between users and miners with different assets they would pay or accept fees with, a user can simply issue multiple mutually-exclusive transactions paying with fees in different assets.

Specialized wallet contracts could also negotiate fees with miners directly. A miner could also process transactions paying fees in an asset they do not want if there is an open Decentralized Exchange (DEX) offer to exchange the fee asset for something they prefer — it is possible to create DEX orders for paying fees that allow only a block’s miner to fill a user’s offers, in proportion to the fees that user has paid in that block, preventing the case where a user’s fee-diversifying offers are taken by non-miners.

Proof-of-Stake: Without ETH, a modified version of Proof-of-Stake with a multitude of assets could still decide consensus if each node selects a weight vector for the voting power of all assets (let’s call it HD-PoS, or Heterogeneous Deposit Proof Of Stake). While it is an open research question to show under which conditions HD-PoS would maintain consensus, consensus may be possible if the weight vectors are similar enough.

Proofs of HD-PoS may be possible by assuming a bound on the pairwise Euclidean distance of the weight vectors or the maximum difference between any two prices. If such a consensus algorithm proves impossible, the failure to find such an algorithm points to a more general vulnerability in Ethereum PoS.

Assuming a future where ETH’s main utility is governance voting, why wouldn’t all the other valuable applications on Ethereum have a say in the consensus process? Rolling back actions in a valuable token contract by burning ETH stake could be a lucrative business; if HD-PoS is used such attacks are impossible.


ETH’s ethereal value

If all the applications and their transactions can run without ETH, there’s no reason for ETH to be valuable unless the miners enforce some sort of racket to require users to pay in ETH. But if miners are uncoordinated, mutually disinterested, and rational, they would prefer to be paid in assets of their own choosing rather than in something like ETH. Furthermore, risk-averse users would want to minimize their exposure to volatile assets they don’t have to use. Lastly, token developers benefit because pricing in their native asset should serve to reduce sell-pressure. Thus, in a stateless ecosystem, replacing ETH is a Pareto Improvement (i.e., all parties are better off). The only party disadvantaged is existing ETH holders.

• The author holds Stellar and Bitcoin, but has relatively little holdings in other cryptocurrencies. He has previously done a Virtual Lapel Pin Sale (like an ICO) for his cause, “Fuck Nazis”, on top of Ethereum which faced both government censorship and censorship from the Ethereum community.

What happens when hackers steal your SIM? You learn to keep your crypto offline

A year ago I felt a panic that still reverberates in me today. Hackers swapped my T-Mobile SIM card without my approval and methodically shut down access to most of my accounts and began reaching out to my Facebook friends asking to borrow crypto. Their social engineering tactics, to be clear, were laughable but they could have been catastrophic if my friends were less savvy.

Flash forward a year and the same thing happened to me again – my LTE coverage winked out at about 9pm and it appeared that my phone was disconnected from the network. Panicked, I rushed to my computer to try to salvage everything I could before more damage occurred. It was a false alarm but my pulse went up and I broke out in a cold sweat. I had dealt with this once before and didn’t want to deal with it again.

Sadly, I probably will. And you will, too. The SIM card swap hack is still alive and well and points to one and only one solution: keeping your crypto (and almost your entire life) offline.

Trust No Carrier

Stories about massive SIM-based hacks are all over. Most recently a crypto PR rep and investor, Michael Terpin, lost $24 million to hackers who swapped his AT&T SIM. Terpin is suing the carrier for $224 million. This move, which could set a frightening precedent for carriers, accuses AT&T of “fraud and gross negligence.”

From Krebs:

Terpin alleges that on January 7, 2018, someone requested an unauthorized SIM swap on his AT&T account, causing his phone to go dead and sending all incoming texts and phone calls to a device the attackers controlled. Armed with that access, the intruders were able to reset credentials tied to his cryptocurrency accounts and siphon nearly $24 million worth of digital currencies.

While we can wonder in disbelief at a crypto investor who keeps his cash in an online wallet secured by text message, how many other services do we use that depend on emails or text messages, two vectors easily hackable by SIM spoofing attacks? How many of us would be resistant to the techniques that nabbed Terpin?

Another crypto owner, Namek Zu’bi, lost access to his Coinbase account after hackers swapped his SIM, logged into his account, and changed his email while attempting direct debits to his bank account.

“When the hackers took over my account they attempted direct debits into the account. But because I blocked my bank accounts before they could it seems there are bank chargebacks on that account. So Coinbase is essentially telling me sorry you can’t recover your account and we can’t help you but if you do want to use the account you owe $3K in bank chargebacks,” he said.

Now Zu’bi is facing a different issue: Coinbase is accusing him of being $3,000 in arrears and will not give him access to his account because he cannot reply from the hacker’s email.

“I tried to work with the Coinbase hotline, which is supposed to help with this, but they were clueless even after I told them that the hacker changed the email address on my original account and then created a new account with my email address. Since then I’ve been waiting for a ‘specialist’ to email me (it was supposed to be 4 business days; it’s been 8 days) and I’m still locked out of my account because Coinbase support can’t verify me,” he said.

It has been a frustrating ride.

“As an avid supporter and investor in crypto it baffles me how one of the market leaders who just supposedly launched institutional grade custody solutions can barely deal with a basic account take-over fraud,” Zu’bi said.

How do you protect yourself?

I’ve been using Trezor hardware wallets for a while, storing them in safe places outside of my home and maintaining a separate record of the seeds in another location. I have very little crypto but even for a fraction of a few BTC it just makes sense to practice safe storage. Ultimately, if you own crypto you are now your own bank. That you would trust anyone – including a fiat bank – to keep your digital currency safe is deeply delusional. Heck, I barely trust Trezor and they seem like the only solution for safe storage right now.

When I was first hacked I posted recommendations by crypto exchange Kraken. They are still applicable today:

Call your telco and:

  • Set a passcode/PIN on your account
    • Make sure it applies to ALL account changes
    • Make sure it applies to all numbers on the account
    • Ask them what happens if you forget the passcode
      • Ask them what happens if you lose that too
  • Institute a port freeze
  • Institute a SIM lock
  • Add a high-risk flag
  • Close your online web-based management account
  • Block future registration to online management system
  • Hack yo’ self
    • See what information they will leak
    • See what account changes you can make

They also recommend changing your telco email to something wildly inappropriate and using a burner phone or Google Voice number that is completely disconnected from your regular accounts as a sort of blind for your two factor texts and alerts.

Sadly, doing all of these things is quite difficult, and carriers don’t make it any easier. In May a 27-year-old man named Paul Rosenzweig fell victim to a SIM-swapping hack even though he had a SIM lock on his account. A rogue T-Mobile employee bypassed the security, resulting in the loss of a unique three-character Twitter and Snapchat account.

Ultimately nothing is secure. The bottom line is simple: if you’re in crypto, expect to be hacked and expect it to be painful and frustrating. What you do now – setting up real two-factor security, offloading your crypto onto physical hardware, making diligent backups, and protecting your keys – will make things far better for you in the long run. You don’t want to wake up one morning with your phone off and all of your crypto siphoned off into the pocket of a college kid like Joel Ortiz, a hacker who is now facing jail time for “13 counts of identity theft, 13 counts of hacking, and two counts of grand theft.” Sadly, none of the crypto he stole has surfaced since his arrest.