Ian Balina Wallet Hack and a Lesson in Crypto-security: Why Publicizing Your Portfolio Online is a Bad Idea
In an ironic development, Ian Balina – the cryptocurrency and ICO marketer known for his ‘ICO spreadsheet’ – ended a live stream on April 16 after commenters notified him about unusual fund transfers from his ETH wallet. The hack is a perfect example of how important is crypto-security, and how publicizing crypto holdings online is a poor decision indeed.
Hack Occurred During YouTube Live Stream
Speaking to viewers via live stream – which has since been taken down – Balina rang alarm bells when he realized he had to sign-in again to his Google spreadsheet – which he was editing moments ago. Soon enough, the ICO promoter abruptly left the live stream, and tweeted after a while:
Crypto Family, I need you now more than ever. I ended today's live stream b/c I am being hacked. I'm not worried about the money. I learned my lesson. I only care about catching the hacker. Please email any information to [email protected] Thank you all the support. $ETH $BTC
— Ian Balina (@DiaryofaMadeMan) April 16, 2018
However, the development quickly turned from genuine sympathy to suspicion, as Balina deleted his second tweet which stated that his missing coins were about to be sold on crypto exchange KuCoin:
“Hacker has stolen my funds and is about to sell on @kucoincom.Please help in contacting them. $ETH $BTC $KCS.”
Social Media Communities Find Discrepancies
Instantly, Reddit and Twitter communities discussed this discrepancy, with several comments suggesting the hack was an elaborate move by the promoter to avoid taxes; since the fiasco occurred only 24 hours before the tax deadlines set by US Internal Revenue Service (IRS).
Found the hacker – you avoiding taxes. What's the reward?
— Bob Arctor (@Bob__Arctor) April 16, 2018
Bitcoin Foundation founder Charlie Shrem was apprehensive of his claims as well:
So he moved all the tokens and ether into 1 account last week and that’s the account that got hacked ?
— Charlie Shrem (@CharlieShrem) April 16, 2018
Reddit user shanecorry commented that Balina’s tweet about KuCoin was posted when no coins had been moved to KuCoin from the alleged hackers’ wallets:
“I was more of the opinion before that happened that he was just being stupid, holding millions of $ in crypto with poor security but this points more towards the more dodgy behavior that others have suggested.”
However this is no definite proof of the hack, as cyber-thefts are quick with their movements and would never store hacked coins on an exchange – as observed from the addresses – in fact, any hacker with a basic understanding of cryptocurrencies would move the stolen coins for a privacy coin, such as Monero.
Crypto-security is a Serious Matter
Dealing with cryptocurrencies in their present state should be an elaborate, well-informed approach until highly-secure and easy-use-wallets are developed.
To avoid an Ian Balina-like situation, BTCManager notes a list of things to do, and what not to:
DO Use a Cold Wallet
Storing your portfolio almost exclusively on crypto-exchange wallets is not recommended, as the level of exchange security is unknown. Furthermore, hackers attack large organizations; which understandably are valued much higher than an average person’s crypto wallet.
In simple terms, cold wallets are offline wallets and come in both paper and hardware form.
A lot of altcoins – especially the major ones – offer their own wallets and although they are not very user-friendly and intuitive, using a coin’s own dedicated wallet – developed by its own team – is highly recommended.
DO NOT Use Generic Cloud Services
As per claims, Ian Balina’s wallet was hacked due to his email password being stored on Evernote, a free cloud storage platform. However, such services are best used when limited to college project and general reminders and carrying around the key that holds millions of dollars is asking for trouble.
For cryptocurrencies, it is best to stay away from centralized cloud storages, until military-grade decentralized cloud security servers are launched.
DO Implement Two-factor Authentication (2FA)
Without a 2FA, all that hackers need is your username and password, which makes it very simple once the password is gained.
However, with a 2FA enabled, exchange and wallet logins require the input of the six-digit code – which changes every 30 seconds – and is only available on a user’s personal phone. Hence, even if a user’s phone is hacked and remotely controlled – which is very difficult to execute – only a 30-second window exists for hackers to log in.
Also, a secure mail service is ProtonMail — it has two password layers, almost impossible to get hacked. Infinitely more secure than Gmail.
DO NOT Publicize Your Wallet/Portfolio Online
Seriously, this is asking for trouble!
Always remember – owning exchange keys isn’t a measure of security; private keys are. Cryptocurrencies are a tool for you to be your own bank, and being a bank necessarily requires basic security measures.