Crypto investor charged with kidnapping and torturing (nytimes.com)
94 points by jonas21 17 days ago | hide | past | favorite | 82 comments




As someone who has worked for and/or audited most major crypto custody companies, I am sad to report every single one takes shortcuts that give single individuals acting alone the power to move billions of dollars in value. They also never review third party dependencies. They blindly merge any code dependabot tells them to merge from internet randos and give it control of the funds.

This level of negligence should be illegal, but it isn't. Negligence is the default in crypto custody. There are no useful security regulations in this space.

Even the ones that think they have a good split custody solution or claim to use HSMs always let an IT manager have remote access to all workstations involved or a release engineer build the software that is used shifting the centralized power and risk to them.

Kidnappings and torture are becoming common as people realize this:

https://github.com/jlopp/physical-bitcoin-attacks

If you directly or indirectly control secret keys of any significant financial value on your own, you are endangering yourself and your family.

Even if you only maintain an open source library used by crypto custodians that do not review the code you write, someone has good reason to coerce you into sneaking in malicious code.

To engineers working at custodians: Make your employers manage keys with a quorum of geographically distributed individuals with HSMs, immutable time delayed access controls, and a software supply chain that is full source bootstrapped, reviewed, compiled deterministically, and signed by multiple people so no single person can manipulate the flow.

My team and I open sourced a lot of tooling to do this safely. Please use it, or use it for reference to ensure your internal tooling meets the same bar.

https://trove.distrust.co
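The quorum and time-delay controls recommended in the comment above, sketched as an added Python example (this is illustration written for this thread, not Trove's code or any custodian's). It models M-of-N approval by distinct operators, a fixed delay between submission and execution, and approvals that are bound to the exact request so a later edit to the amount or destination invalidates them. Operator names, the HMAC-based approval tags standing in for HSM-held signing keys, and the quorum and delay values are all constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed per-operator secrets, standing in for keys that would live in each
# person's HSM in a real deployment (assumption for illustration).
OPERATOR_KEYS = {
    "alice@eu": b"alice-hsm-key",
    "bob@us": b"bob-hsm-key",
    "carol@apac": b"carol-hsm-key",
}
QUORUM = 2                 # M of N distinct approvals required
DELAY_SECONDS = 24 * 3600  # fixed delay before an approved transfer may execute


def canonical(request: dict) -> bytes:
    """Deterministic encoding so every approver tags exactly the same bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def approve(operator: str, request: dict) -> str:
    """An operator's approval: an HMAC tag over the canonical request (stand-in for a signature)."""
    return hmac.new(OPERATOR_KEYS[operator], canonical(request), hashlib.sha256).hexdigest()


@dataclass
class TransferRequest:
    request: dict                                   # e.g. {"to": ..., "amount": ..., "submitted_at": ...}
    approvals: dict = field(default_factory=dict)   # operator -> tag

    def add_approval(self, operator: str, tag: str) -> bool:
        """Accept an approval only from a known operator who has not already approved and whose tag verifies."""
        if operator not in OPERATOR_KEYS or operator in self.approvals:
            return False
        if not hmac.compare_digest(approve(operator, self.request), tag):
            return False
        self.approvals[operator] = tag
        return True

    def valid_approvers(self) -> list:
        """Re-verify every stored approval against the request as it stands now."""
        return [op for op, tag in self.approvals.items()
                if hmac.compare_digest(approve(op, self.request), tag)]

    def may_execute(self, now: int) -> tuple:
        """Execution needs a quorum of distinct valid approvers AND an elapsed delay."""
        valid = self.valid_approvers()
        if len(valid) < QUORUM:
            return False, f"quorum not met ({len(valid)}/{QUORUM})"
        if now < self.request["submitted_at"] + DELAY_SECONDS:
            return False, "time delay not elapsed"
        return True, "ok"


if __name__ == "__main__":
    req = TransferRequest({"to": "destination-placeholder", "amount": 5, "submitted_at": 1_000})
    req.add_approval("alice@eu", approve("alice@eu", req.request))
    req.add_approval("bob@us", approve("bob@us", req.request))
    print(req.may_execute(1_000 + DELAY_SECONDS))   # (True, 'ok')
```

The delay is what turns a quorum from a speed bump into a control: the other operators get a window in which a request they did not expect is visible before any funds move. Re-verifying approvals at execution time, rather than trusting a counter, is what stops a single person from collecting approvals for a small transfer and then editing it.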


But don't you see, dear kidnapper, you've made such folly for my systems do not allow me any access to grant your one desire. I'm worthless to you! In fact I'm only a liability now!


Publicizing the existence of one's countermeasures is an interesting problem. You'd want a believable way to communicate the fact that torturing/extorting the principal buys the opposition nothing (believable being the key part). It would have to become common knowledge in the criminal underworld to have real utility.


Exactly why from the start we knew Trove -had- to be open source with open documentation to practice Kerckhoffs's principle.

Combine with remotely attestable enclaves running open source deterministic code and your adversaries can easily verify attacking any one person will be unsuccessful.


The most telling or disturbing thing I learned from a recent article posted here about the Crypto-related kidnappings was how criminals found some of their victims’ addresses and personal information in marketing data that companies kept on their customers.


The recent Coinbase leak is mostly stored KYC data AFAIK, so even if the company isn’t using it for marketing, they’re probably being forced to store data that they’re not responsible enough to protect.


Yup - KYC is of course going to have identifying info on customers.



Technology isn't even a cool field anymore, the major innovations (crypto, blockchain, AI) have such a film of sliminess around them. You have to ignore or be ignorant of the fact that they're going to be used for scams and bullshit more than for good.


> the major innovations

You mean the overhyped extremely niche technologies?


The idea that a technology that challenges Google search, and digital money are ‘niche’ is… odd.


AI is not niche. Blockchain ledgers are because centralized ledgers are cheaper, faster, and controllable by law; which is what most people want if they spend a few seconds thinking about it.


This is the typical HN 2015 crypto knowledge. It was accurate a decade ago but isn’t any more.

- Centralised ledgers are multiple orders of magnitude more expensive (2.5% to 6%; a typical blue and white square checkout is 3.5%) versus something like $0.000025 on the most active blockchain.

- At their best (2-3 second confirmation) as fast as current gen blockchain networks and an order of magnitude slower than next generation (150 milliseconds block time so expected subsecond confirmations).

- Tokens have techniques like permanent delegate for OFAC compliance.

This isn’t meant to be a personal attack, it’s just that this view of crypto is akin to saying that ‘AI is customer service chatbots that don’t work’ - correct ten years ago but not anymore.

Axiom, YC W25 is the fastest growing company in YC history hitting 100 million in revenue in five months.


You're comparing different things to try to prove something that is obviously wrong to anyone who spends a few seconds thinking about it.

> Centralised ledgers are multiple orders of magnitude more expensive (2.5% to 6%, a typical blue and white square checkout is 3.5%) versus something like $0.000025 on the most active blockchain)

I was comparing the cost of recording the transaction. Think for 2 seconds. Obviously, a centralized ledger is going to be cheaper. You are comparing the cost of completing a transaction on one side with the cost of completing a transaction plus fraud mitigation, chargebacks, etc. on the other.

> At their best (2-3 second confirmation) as fast as current gen blockchain networks and an order of magnitude slower than next generation (150 milliseconds block time so expected subsecond confirmations).

Same mistake. Think for two seconds. Obviously, the speed of recording a transaction on a centralized ledger is going to be faster.

Whatever you build on a blockchain ledger you can build faster and cheaper on a centralized ledger.

People fooled by crypto grifters don't have enough economics education to understand "ceteris paribus" let alone everything that comes after in an introductory course.


I’d like to start by saying “think for two seconds” is not a respectful way to communicate.

Do I need fraud mitigation and insurance to buy a coffee or groceries?

Regardless of the capabilities of centralised networks when you last bought something using a Visa card was it hundreds of milliseconds or was it two or three seconds to confirm?

> People fooled by crypto grifters don't have enough economics education

That’s a very broad statement about a lot of people highly regarded in traditional finance.


> I’d like to start by saying “think for two seconds” is not a respectful way to communicate.

I'm assuming the readers here have enough technological sophistication to understand the problem in two seconds. This is not the case among general YouTube audiences being fooled by crypto grifters.

> Do I need fraud mitigation and insurance to buy a coffee or groceries?

Do you want to be on the hook for somebody else buying coffee and groceries on your dime? Most people don't. Thus, fraud mitigation.

> That’s a very broad statement about a lot of people highly regarded in traditional finance.

That's assuming that those "highly regarded" people are fooled by crypto grifters instead of profiting off the fools.


Do you think not engaging with the actual content of the poster and purposefully misinterpreting them disingenuously is a respectful way to communicate?


> Do you think not engaging with the actual content of the poster and purposefully misinterpreting them disingenuously

No. But nobody did that.


AI is slimy? Please elaborate.


When the weakest link between the criminal and the cryptocurrency is a single person (the holder himself in this instance), that person alone would need to withstand all attacks and “rubber hose cryptanalysis”.


The most effective protection is a combination of discretion, strong security practices, and advanced wallet configurations like multisig and passphrase protection.

You could store passphrases in a hardware wallet in a bank vault in a small European country.


> You could store passphrases in a hardware wallet in a bank vault in a small European country.

A little bit of irony here having to store your crypto related stuff at a bank to keep it safe.


Not all bank vaults are in banks, here's the basement of a prog rock musician and his wife's house (a former bank(?)) .. https://www.youtube.com/watch?v=CM6iqwcyC1A

Physical security for digital credentials is the main point here, that doesn't always imply a regular bank, many modern banks lack the bank vaults of yore in any case.

Tangentially, avoid showing up unannounced at your grandparents' house: https://www.youtube.com/watch?v=oZZmFG07OVs


Yes, ironic. But, of course, nothing in this attack has anything to do with blockchain or crypto per se. They could have been torturing someone for the password with access to the bank's old school accounts or safe deposit box.


And in the "socialist" Big Government over-regulated hellscape of Europe no less.

I would have thought one of those libertarian seasteads or enclaves would be axiomatically the best place for such things?


That won’t stop you from being tortured. You need to make sure nobody knows you have cryptocurrency


Hard to do when they’re potentially getting info from exchanges.


> Inside the home, the police found Polaroid pictures showing the man bound and being assaulted

Because of course. These people live in a world where nothing can touch them, least of all the law, so why wouldn’t you literally make your own evidence of your crime and leave it lying around.


I wonder how much of the Impossible Project's (Now Polaroid B.V.) sales are from crypto-kidnappers!? https://www.polaroid.com/en_us/film


To send to the man's employer/friends/family for ransom if the crypto thing didn't work out?


If you are already paying rent on a $30k/m apartment, does it really have to?


This is so crazy, this happened not far from my place and we saw a lot of cops around, even crazier some people broke into my building 3 days after the kidnapping looking for a "john", even crazieeeer I had coffee with this john (the kidnapper) in 2019 in SF. He seemed a bit odd but overall nice, kind of like a blackhat that had found a job on the other side (he was doing security for a crypto project called grin).

Most likely this is not your typical kidnapping, I would bet that they knew each other and that there's something else at play. Also the apartment he was staying at is $75k/month rent, that's insane...


This is part of why I designed Tarsnap to keep data as secure as possible, even from me. If someone stores their crypto keys -- or world domination^W optimization plans -- on Tarsnap, I don't want to get kidnapped and tortured by anyone trying to steal that data.


If torturing and kidnap are on the table, how does this help? They can torture you to give them the keys just like a password.


He can’t give the attackers the customer keys or any other data. But yes, as another poster says downthread, the attackers may not actually understand that.


You might want to study asymmetric cryptography.


No, you'd better hope that the kidnappers have studied cryptography. If they think they can extract something, they'll go ahead anyway.


Why don't they bother traditional bank managers then?

One time long ago someone did try to get money by forcing a bank owner to open a vault, and it didn't work, and since then everyone knows it's fruitless.

It just needs to actually be fruitless. It sounds like for crypto custodians, it's not fruitless and they know that.


What if they force you to change the way your software works so the data is no longer encrypted unknown to the user?


Please describe exactly the software change you imagine would produce this result, and describe how it gets from the attackers head onto the machines where it needs to run.

In other words I think you have handwaved and imagined 2 different required things which probably simply don't exist. Or at least, may exist but could easily not exist.

There may be no such thing as a software change that will give a back door to the data. It depends how the system is designed, which I do not know.

And there may be no such thing as a way to get such a software change onto customers' machines without passing through review by multiple other people. Even if one, as owner of a business, has the power to change the review policy itself, it's still physically impossible to do that without everyone else knowing it happened.

tarsnap would have to be a sole developer, sole proprietor business (or a multi-employee business run as badly as crypto custodians apparently all are) for that to even be physically possible. Which maybe it is, but it's not the impression I've formed of that company over the many years. Not a customer, and I know nothing of either the software or the company's internal workings.


Who can access it?


the person who uploaded it only (or whomever they shared keys with)


Okay, so kidnap them, right?


yes and? you get the data of only one tarsnap user.

The comment you were responding to was from the tarsnap creator where he was saying he doesn't have access to those keys so cannot be coerced to give them (and thus has no way to decrypt the data of all the clients).
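The design that the tarsnap comment and this reply describe (the service stores only data the uploader encrypted, so the operator has nothing to hand over) as an added Python example. This is written for this thread and is not tarsnap's code; it uses only the standard library, so the cipher is an illustrative HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag rather than the vetted AEAD a real client would use, and the user name, passphrase and stored bytes are constructed. The point it demonstrates is the key-separation property: the operator's side holds salts and ciphertext only, and the only thing a coerced operator could produce does not contain, and cannot be decrypted into, the user's data.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN, SALT_LEN = 16, 32, 16


def derive_keys(passphrase: bytes, salt: bytes) -> tuple:
    """Derive an encryption key and a MAC key from the user's passphrase; this runs only on the client."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative counter-mode keystream built from HMAC-SHA256 (assumption for a
    # stdlib-only demo; production code would use an AEAD such as AES-GCM).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key or tampering fails here."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class StorageService:
    """The operator's side: it keeps salts and ciphertext, never passphrases or keys."""

    def __init__(self):
        self.store = {}

    def put(self, user: str, salt: bytes, blob: bytes) -> None:
        self.store[user] = (salt, blob)

    def get(self, user: str) -> tuple:
        return self.store[user]


class Client:
    """The user's side: the passphrase never leaves this object."""

    def __init__(self, passphrase: str):
        self._passphrase = passphrase.encode()

    def upload(self, service: StorageService, user: str, data: bytes) -> None:
        salt = os.urandom(SALT_LEN)
        enc_key, mac_key = derive_keys(self._passphrase, salt)
        service.put(user, salt, encrypt(enc_key, mac_key, data))

    def download(self, service: StorageService, user: str) -> bytes:
        salt, blob = service.get(user)
        enc_key, mac_key = derive_keys(self._passphrase, salt)
        return decrypt(enc_key, mac_key, blob)


def operator_sees_plaintext(service: StorageService, user: str, plaintext: bytes) -> bool:
    """Everything a coerced operator could hand over for this user: does it contain the plaintext?"""
    salt, blob = service.get(user)
    return plaintext in salt + blob


if __name__ == "__main__":
    svc = StorageService()
    secret = b"constructed-key-material"          # constructed sample data
    Client("correct horse").upload(svc, "user1", secret)
    print(Client("correct horse").download(svc, "user1") == secret)   # True
    print(operator_sees_plaintext(svc, "user1", secret))              # False
```

Note what this does and does not buy: it removes the operator as a useful target for a single user's data, because only the uploader's passphrase can derive the keys, but it does nothing for the uploader, who remains the one person who can decrypt. That is the distinction the later replies in this thread are arguing about.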


And the point is, the main creator isn’t the target in any of these situations anyway. The end user is. So what’s the point of the statement?


You really think the kind of people who do such things will read your website and just give up? "Aw shucks, he's using e2e encryption, no point trying anything"?


You misunderstood the comment. He can not access the data. You need to find the person who uploaded it, despite him hosting said data.


I think you misunderstood the comment. Or maybe I did.

My understanding: the rubber-hose cryptanalysis, even if unsuccessful, will result in some major damage done. A determined attacker might try to apply it regardless of any online statements, on the off chance that the statements are wrong.


You understand correctly. I suspect that in the experience of such attackers, it's not even an "off chance". They're probably up against exaggerated claims of security more often than truly well-founded ones.


And you really think that people who routinely use torture to extract information, and for whom claims that "I don't know it!" is basically the standard obstacle to overcome, will just believe him without even trying, because it's "math" and therefore true?

The reality is, in the xkcd rubber-hose cryptanalysis scenario, being actually unable to give up the information is a MUCH WORSE situation to be in than having a key to give up before they permanently maim/kill you. It might be better for a third party who benefits from the information remaining secret, but not for the person unable to divulge it.

But thinking you're safe because the attackers will read, understand, and believe your claims of uncompromisable cryptographic security is dangerously naive.


Ah okay, I get what you mean now. I thought your comment was suggesting he actually can access the information.

I still believe, which might indeed be naive, that this is the best way. It results in a failed mission, lowering the risks for others, and if applied for all these services (again naive), in a general understanding.


Stay safe out there.

Personal and physical security for founders, operators, and investors

[0] https://a16zcrypto.com/posts/article/personal-physical-secur...


Pretty rich coming from a16z, someone who famously rug pulled Solana investors.

Maybe there should be a version for investors to stay safe from a16z also


What’s the back story behind this?


There was an article in the Atlantic about this (https://www.theatlantic.com/ideas/archive/2025/05/extreme-pe...) mentioning crypto founders and whales who go to quite extraordinary lengths to keep their home addresses and other information private.


This is said to happen in Russia all the time, except the police never intervene and the bodies are just incinerated once the keys are tortured out.


Related ongoing thread:

Wrench Attacks: Physical attacks targeting cryptocurrency users (2024) [pdf] - https://news.ycombinator.com/item?id=44087183 - May 2025 (50 comments)


Great job score one for crypto holders who plan on not revealing their key under torture.



This story is unreal.



Had Satoshi known the impact his innovation would have had on the world, all said and done, I bet he would have chosen to keep it under covers.


The problem is not the crypto; that kind of thing can easily happen to anyone who is known to be rich.

The real problem is that developed countries that used to be safe enough are becoming as unsafe as Mexico.


People have been kidnapping other people to force them to give up their valuables for millennia. It's far from a new or unique thing in this context.


True, but crypto is easier to launder. I feel safer with my money at a brokerage or a bank.


Normal banks can also recall transactions.


To some extent. Wire fraud happens pretty often, and after a day or so the money's usually unrecoverable after going through several foreign countries. Home real estate and B2B transactions have been particular targets.


You can leave your crypto at a bank


This comment must be parody. Certainly you can't be serious. On the off chance that you are, obviously, I must state: crimes happen as a result of incentive structures. If there were a huge aftermarket for stolen iPhones, iPhone thefts would increase (something that Apple obviously realizes and combats).

Because of crypto, the incentive to kidnap people with crypto wealth has surfaced as a real problem. These are kidnappings that, obviously, wouldn't exist if the crypto hadn't existed at all.

My larger point is; although crypto has made some people quite wealthy, it's mostly disenfranchised a larger part of the broader society. It's essentially been a wealth transfer from stupid people to opportunistic people. Has wealth been created? I'd argue that although some has been generated, it's a pittance in comparison to the amount of press crypto gets, and the amount of wealth that has been unfairly distributed from the stupid to the opportunistic.


Not parody. Although all these breathless stories pretending this is unprecedented sure are.

>These are kidnappings that, obviously, wouldn't exist if the crypto hadn't existed at all.

And would Frank Sinatra, Jr. never have been kidnapped if money didn't exist?

>It's essentially been a wealth transfer from stupid people to opportunistic people.

This is not entirely wrong. But it also describes the stock market. We allow the stock market because of its obvious usefulness. The same is true for a non-centralized currency like bitcoin in a fractured world where nation-states keep going rogue and breaking down.


> Inside the home, the police found Polaroid pictures showing the man bound and being assaulted, the law enforcement official said.

... Why on earth would you document this?

> Two butlers who worked at the home were also present and agreed on Friday to be interviewed by the police, the official said.

... Why on earth would you do this in a place where you weren't the only person present?! (Also, butlers, wtf?)

I suppose, much like the crypto people are slowly rediscovering why the modern financial system is as it is, maybe they're also figuring out how to do crimes by trial and error.


There's a lot of really rich crypto people in NYC that are up to no good.


>Man known as 'crypto king of Kentucky' arrested for alleged kidnap, torture of man in New York City

Source: https://www.wlwt.com/article/john-woeltz-arrested-for-kidnap...


"Brute force attack"?


Of course there's an XKCD about this: https://xkcd.com/538/


Man Charged with Kidnapping and Torturing Crypto Investor for Weeks

considering that the crypto investor was a man and assuming that the man acquired the wallet he was tortured for by investing in crypto.


This would have been a much more accurate phrasing.


Bring back the penny. A bag of them can be used to stop an attacker.


> Bring back the penny. A bag of them can be used to stop an attacker.

You'll just have to use a sock fulla nickels now I guess ... :shrug:


If the title read 'human charged with kidnapping and torturing a man' instead, does that mean all humans are bad? I fail to see the linkage here.


The whole point of the kidnapping and torture was to steal bitcoin cryptocurrency.

Of course it's material to the story. It'd be completely artificial to pretend otherwise.



