My NNS has been stolen,Please help me

I reached out to dfinity, and the guy told me to use my seedphrase to restore my account. Tried and it didn’t work. I have the anchor id and the 24 seedphrase written on a paper.

1 Like

When I was searching to solve this I came across a few people with the same problem, but didn’t see if the solved their issues.

Dfinity’s technical staff analyzed the historical block information and knew that my account was stolen. I wonder if this is an external function that allows all people to query their history records. So you can see what’s going on to cause the mnemonic failure.

Is there the possibility of user defined security options such as “send me an email when account is accessed”, or “limit the location of the access device”? They could go some way to make it harder for other people to steal an account

1 Like

Also some time delay when you want to change mnemonic would be nice

Come here and tell it : Internet Identity Lack Of Security - #99 by wpb

Come here and speak : Internet Identity Lack Of Security - #99 by wpb

I am not an expert at all.

All I know about the case is from this thread.
I am so sorry for you, and I really hope you get back your fund.

I am just still curious about one thing and I really hope you clear it up. A skeptical view about the case would be the possibility that the staked ICPs were sold, and removal of the seller access was the buyer guarantee. I hope that this hypothesis helps you with preparing the proposal as voters would not be experts.

I will be grateful if you or any expert here help to refute this skeptical view.

1 Like

Thank you, your point is very good, someone put forward a similar point, so I will publish the evidence I have when I launch the proposal, assuming the ICP pledge is sold, then the buyer can post his evidence. The rest is up to the voters of the community to decide whom they should trust. And assuming the buyer doesn’t know I made the proposal, the buyer can make his proposal in the same way.

2 Likes

Another option is to lock the account down for three or six months, during which no one can access the account, giving the community enough time to determine whether the account has been stolen or sold

1 Like

Thank you. This really make sense. Good luck

1 Like

Hi @xiaobing ,

Here’s the memo that summarized what happened. Apologize for the long wait and appreciate your patience.

Executive Summary

This memo follows up to the original post titled “My NNS has been stolen, Please help me” , that first appeared on Oct 14, 2021 at DFINITY’s official forum by user @xiaobing (hereafter referred to as “OP”) . It’s gathered 99 replies with 1.6K views involving 17 forum users as of Dec 14, 2021, and has caused a lot of anxiety and question marks from the IC community regarding the security measures of the NNS. OP is now planning to submit an NNS proposal to regain access to the neuron he used to own, which has staked 32,000 ICPs for 8 years. This planned proposal, if successfully submitted by OP and adopted by the community, will be the first of its kind for the IC ecosystem, setting up a precedent where the owner of a stolen account tries to recover through decentralized governance. It is drawing a lot of interest and attention from the community. This memo shares the efforts by the DFINITY team to help OP gather facts and the investigation findings from the DFINITY engineering team. It aims to shed some light on the possible causes of this incident. In short, the result from DFINITY’s investigation suggested that:

  1. This was not caused by any bug in the Internet Computer/ Network Nervous System
  2. OP’s computer was most likely hacked and the hacker very likely had physical access to his laptop and Yubi-key

1/ The Stake

OP lost access to his Internet Identity (“II”) account 171674, which has staked 32,000 ICPs in one single neuron for 8 years on the NNS (as of Oct 2021 this was valued at roughly $1.5M). Based on third party explorer ic.rocks and the principle ID OP still keeps, the ICPs are still intact in this neuron - so regardless who now takes control of this neuron, the ICPs locked up in the neuron have not and will not move in the next 7+ years. OP has currently no access to the neuron and it’s not clear who is the current owner.

2/ The History

OP registered this II account in July. He bought 2 Yubikeys, directly from yubico.com. Yubikey is not available in China, so OP had the Yubikeys shipped to Hong Kong and asked a friend to bring them into China. Both Yubikeys are of the same model (likely to be 5C Nano) that can be directly plugged into a laptop.

OP used 3 methods to access this II account including 2 Yubikeys and 1 seed phrase. He used a digital camera (not a cell phone) to take a photo of the seed phrase and hand-wrote it down on a piece of paper. This piece of paper was locked up in a safe.

OP accessed this II account on 4 machines (2 Windows and 2 Macs). There were two known users who had access to this II account, OP and the manager he worked for (hereafter referred to as “BOSS”). BOSS is the owner of the company, which has a portfolio of crypto tokens and employs a small team of engineers. It’s beyond the capability of DFINITY to differentiate which specific action was carried out by OP vs BOSS. This memo would assume by default OP was the one that executed all activities mentioned, though in reality OP and BOSS might be the owner of different actions.

On a Friday in August (hereafter referred to as “Incident Day”), all of a sudden OP’s Yubikey no longer worked. OP tried the other Yubikey and the seed phrase. None of them worked. His last successful login was about 2-3 days prior to the Incident Day, on one of the Macs. OP went to DFINITY’s official forum and created the original post on Oct 14.

Initially the NNS could still recognize the II account 171674 and prompted him to use the Yubikey/seed phrase. At some point later, OP found that the error message on NNS had changed. NNS could no longer recognize this II account and would just say “Unknown Identity Anchor” without even prompting him for inserting Yubikey. It seems that whoever is now controlling this neuron has removed all the 4 devices that OP used and also changed the seed phrase.

3/ The Investigation

@Fulco , Support Specialist from DFINITY, tried to help out OP on the forum and maintained a continuous dialogue to help him find recovery solutions. Fulco even created a custom-made script to help him verify the account details. Many other engineers and leaders in DFINITY’s R&D team have been involved behind the scene that led to the eventual conclusion of the investigation.

@zire (Herbert) , Director of China Operations for DFINITY, reached out to OP to help. A first phone call between Herbert and OP took place on Oct 20, 2021 where basic facts were gathered and a meeting was arranged in Shanghai for Oct 28, 2021 in DFINITY’s local office. OP and BOSS traveled to Shanghai and attended the meeting with Herbert in person. @PaulLiu , Staff Engineer from DFINITY’s R&D team, dialed in via Zoom from the US.

In this first Zoom call (that involved both OP and BOSS), many scattered details mentioned above were confirmed. Additional details worth noting are: 1) OP and BOSS took comprehensive security measures around their office. They appeared pretty tech savvy in terms of handling crypto assets. 2) There was another incident of losing crypto tokens at the end of 2020 in the same office, for a different coin. Based on the description of OP and BOSS, it appeared that the account was not secure in the first place before being given to them. They were using a hardware wallet, but the wallet short-cuited. On the next day the tokens got moved to a Binance account and they couldn’t get it back. Paul pointed out that it might not be caused by a hardware malfunction but sounded like hacking by an insider.

Herbert/Paul let OP/BOSS know that DFINITY would escalate this issue internally and try to deploy engineering resources to see if we could recover the II account’s operation histories from block backups. There could be 3 possible outcomes from this analysis:

  • Case A. It shows that their recovery key never matched anything;
  • Case B. It shows that their recovery key matched something in the history but later there wasn’t any operation to remove it and somehow it just ended up like this with no more access for OP;
  • Case C. It shows that their recovery key matched some record in the history, but later it was replaced.

Case A would call OP/BOSS’ credibility into question out right; Case B would suggest a potential bug in the NNS; and Case C would suggest that, somebody hacked the account, either knowingly or unknowingly, and this person could be just anyone, as far as DFINITY can tell.

During the following few weeks, DFINITY engineers analyzed the history of transactions on the blockchain to understand all changes related to OP’s identity anchor. The conclusion is:

  • On Jul 12, an initial recovery phrase was added, as was a second web authentication device “Tiger-backup”.
  • Both the initial device and “Tiger-backup” were used frequently until Jul 26.
  • On Jul 26, “Tiger-backup” was used to delete the existing recovery phrase and replace it by a new one.
  • Both the initial device and “Tiger-backup” were used frequently until Aug 14.
  • On Aug 14, the new recovery phrase was used to remove both the initial device and “Tiger-backup”. A new recovery key was also added.
  • Since then, there were three sequences of transactions: 1) the recovery phrase was used to add a new device; 2) the new device was used to log into the NNS frontend dapp; 3) the new device was removed right after. The last transaction occurred on Oct 27.

It could be established that:

  • Someone is still controlling the II account. There is no data that can pinpoint who that person is.
  • The current owner uses the new recovery phrase.
  • The new recovery phrase was added from the device “Tiger-backup”
  • Case C (from the above) is what happened

On Nov 11, a second Zoom call was arranged among Herbert, Paul, OP and BOSS. All joined the call remotely from their respective offices.

Paul shared the investigation result from the engineering team and let them know that both Case A and B were categorically eliminated. Paul also pointed out that it was highly probable that the person would have physical access to both the laptop AND the Yubikey. Paul/Herbert also highlighted to OP/BOSS that beyond this point, there was nothing more DFINITY, as a technology contributor to the IC ecosystem, could further do to verify who is the rightful owner. Though OP/BOSS would very much want to provide all the paperwork to prove their identities, legitimacy and even transaction history, playing the role of courtroom judge is beyond the scope and responsibility of DFINITY. The NNS is not a court of law and more importantly, DFINITY is not a judge.

OP/BOSS agreed with the result and suggested that this account might be stolen by an insider who used to work for the company. OP/BOSS said they would go back to check the video surveillance. In the meanwhile, OP/BOSS still want to submit an NNS proposal to recover their account. If OP/BOSS can gather enough votes in favor of this proposal, technically speaking this is not entirely impossible. Herbert/Paul also pointed out that, while DFINITY would be happy to provide general technical guidance to OP/BOSS, if the same assistance will be provided to all other IC users fair and square, it cannot be involved in drafting this proposal per se. The proposal would have to be written and submitted by the ICP holder him/herself, not the DFINITY Foundation.

Thank you for reading this long memo. Appreciate your attention to this matter and all the suggestions so far.

18 Likes

Wow, this is some serious work.

I want to say thank you to @PaulLiu, @zire and to the dfinity team for the gathering of these facts. It shows a great care that the dfinity team has taken on this matter.

@zire Thanks for the write-up and for the specifics. I have one question so far, you mentioned that:

and

How is it possible that the II account 171674 was not able to be recognized by the II-service ? Is it possible to change or delete an identity-anchor?

2 Likes

Thanks again to @zire, @PaulLiu and the folks at Dfinity for working so hard to help me out.

3 Likes

I’m going to publish my evidence here, and sometime in the next few days, I’m going to propose a proposal that says, "Reset the mnemonic of the Internet identity anchor number 171674, neuron ID 9957861823581357722 back to the beginning

1 Like

A screenshot of my neurons

No problem @levi . We owe this to @xiaobing and the community to help him find out what happened.

The anchor 171674 can still be recognized by the II-service/NNS. It’s still there, along with the neuron and the ICPs in it. It’s just that the devices owned by @xiaobing can no longer be recognized because the current owner has apparently removed them.

1 Like

This is the neuron in question:
https://dashboard.internetcomputer.org/neuron/9957861823581357722

2 Likes

Thank you for adding that. It was very helpful

1 Like