My NNS has been stolen,Please help me

Hi @xiaobing ,

Here’s the memo that summarizes what happened. Apologies for the long wait, and thank you for your patience.

Executive Summary

This memo follows up on the original post titled “My NNS has been stolen, Please help me”, which first appeared on Oct 14, 2021 on DFINITY’s official forum by user @xiaobing (hereafter referred to as “OP”). It has gathered 99 replies with 1.6K views involving 17 forum users as of Dec 14, 2021, and has caused a lot of anxiety and question marks from the IC community regarding the security measures of the NNS. OP is now planning to submit an NNS proposal to regain access to the neuron he used to own, which has staked 32,000 ICPs for 8 years. This planned proposal, if successfully submitted by OP and adopted by the community, will be the first of its kind for the IC ecosystem, setting a precedent where the owner of a stolen account tries to recover it through decentralized governance. It is drawing a lot of interest and attention from the community. This memo shares the efforts by the DFINITY team to help OP gather facts and the investigation findings from the DFINITY engineering team. It aims to shed some light on the possible causes of this incident. In short, the result of DFINITY’s investigation suggested that:

  1. This was not caused by any bug in the Internet Computer/ Network Nervous System
  2. OP’s computer was most likely hacked and the hacker very likely had physical access to his laptop and Yubi-key

1/ The Stake

OP lost access to his Internet Identity (“II”) account 171674, which has staked 32,000 ICPs in one single neuron for 8 years on the NNS (as of Oct 2021 this was valued at roughly $1.5M). Based on the third-party explorer ic.rocks and the principal ID OP still keeps, the ICPs are still intact in this neuron - so regardless of who now takes control of this neuron, the ICPs locked up in the neuron have not moved and will not move in the next 7+ years. OP currently has no access to the neuron and it’s not clear who the current owner is.

2/ The History

OP registered this II account in July. He bought 2 Yubikeys, directly from yubico.com. Yubikey is not available in China, so OP had the Yubikeys shipped to Hong Kong and asked a friend to bring them into China. Both Yubikeys are of the same model (likely to be 5C Nano) that can be directly plugged into a laptop.

OP used 3 methods to access this II account including 2 Yubikeys and 1 seed phrase. He used a digital camera (not a cell phone) to take a photo of the seed phrase and hand-wrote it down on a piece of paper. This piece of paper was locked up in a safe.

OP accessed this II account on 4 machines (2 Windows and 2 Macs). There were two known users who had access to this II account, OP and the manager he worked for (hereafter referred to as “BOSS”). BOSS is the owner of the company, which has a portfolio of crypto tokens and employs a small team of engineers. It’s beyond the capability of DFINITY to differentiate which specific action was carried out by OP vs BOSS. This memo assumes by default that OP was the one who executed all activities mentioned, though in reality OP and BOSS might be the owners of different actions.

On a Friday in August (hereafter referred to as “Incident Day”), all of a sudden OP’s Yubikey no longer worked. OP tried the other Yubikey and the seed phrase. None of them worked. His last successful login was about 2-3 days prior to the Incident Day, on one of the Macs. OP went to DFINITY’s official forum and created the original post on Oct 14.

Initially the NNS could still recognize the II account 171674 and prompted him to use the Yubikey/seed phrase. At some point later, OP found that the error message on the NNS had changed. The NNS could no longer recognize this II account and would just say “Unknown Identity Anchor” without even prompting him to insert a Yubikey. It seems that whoever is now controlling this neuron has removed all 4 devices that OP used and has also changed the seed phrase.

3/ The Investigation

@Fulco, Support Specialist from DFINITY, tried to help out OP on the forum and maintained a continuous dialogue to help him find recovery solutions. Fulco even created a custom-made script to help him verify the account details. Many other engineers and leaders in DFINITY’s R&D team have been involved behind the scenes in the work that led to the eventual conclusion of the investigation.

@zire (Herbert) , Director of China Operations for DFINITY, reached out to OP to help. A first phone call between Herbert and OP took place on Oct 20, 2021 where basic facts were gathered and a meeting was arranged in Shanghai for Oct 28, 2021 in DFINITY’s local office. OP and BOSS traveled to Shanghai and attended the meeting with Herbert in person. @PaulLiu , Staff Engineer from DFINITY’s R&D team, dialed in via Zoom from the US.

In this first Zoom call (which involved both OP and BOSS), many scattered details mentioned above were confirmed. Additional details worth noting are: 1) OP and BOSS took comprehensive security measures around their office. They appeared pretty tech savvy in terms of handling crypto assets. 2) There was another incident of losing crypto tokens at the end of 2020 in the same office, for a different coin. Based on the description of OP and BOSS, it appeared that the account was not secure in the first place before being given to them. They were using a hardware wallet, but the wallet short-circuited. On the next day the tokens got moved to a Binance account and they couldn’t get them back. Paul pointed out that it might not have been caused by a hardware malfunction but sounded like hacking by an insider.

Herbert/Paul let OP/BOSS know that DFINITY would escalate this issue internally and try to deploy engineering resources to see if we could recover the II account’s operation histories from block backups. There could be 3 possible outcomes from this analysis:

  • Case A. It shows that their recovery key never matched anything;
  • Case B. It shows that their recovery key matched something in the history but later there wasn’t any operation to remove it and somehow it just ended up like this with no more access for OP;
  • Case C. It shows that their recovery key matched some record in the history, but later it was replaced.

Case A would call OP/BOSS’ credibility into question outright; Case B would suggest a potential bug in the NNS; and Case C would suggest that somebody hacked the account, either knowingly or unknowingly, and this person could be just anyone, as far as DFINITY can tell.

During the following few weeks, DFINITY engineers analyzed the history of transactions on the blockchain to understand all changes related to OP’s identity anchor. The conclusion is:

  • On Jul 12, an initial recovery phrase was added, as was a second web authentication device “Tiger-backup”.
  • Both the initial device and “Tiger-backup” were used frequently until Jul 26.
  • On Jul 26, “Tiger-backup” was used to delete the existing recovery phrase and replace it by a new one.
  • Both the initial device and “Tiger-backup” were used frequently until Aug 14.
  • On Aug 14, the new recovery phrase was used to remove both the initial device and “Tiger-backup”. A new recovery key was also added.
  • Since then, there were three sequences of transactions: 1) the recovery phrase was used to add a new device; 2) the new device was used to log into the NNS frontend dapp; 3) the new device was removed right after. The last transaction occurred on Oct 27.

It could be established that:

  • Someone is still controlling the II account. There is no data that can pinpoint who that person is.
  • The current owner uses the new recovery phrase.
  • The new recovery phrase was added from the device “Tiger-backup”.
  • Case C (from the above) is what happened.

On Nov 11, a second Zoom call was arranged among Herbert, Paul, OP and BOSS. All joined the call remotely from their respective offices.

Paul shared the investigation result from the engineering team and let them know that both Cases A and B were categorically eliminated. Paul also pointed out that it was highly probable that the person had physical access to both the laptop AND the Yubikey. Paul/Herbert also highlighted to OP/BOSS that beyond this point, there was nothing more DFINITY, as a technology contributor to the IC ecosystem, could do to verify who the rightful owner is. Though OP/BOSS would very much want to provide all the paperwork to prove their identities, legitimacy and even transaction history, playing the role of courtroom judge is beyond the scope and responsibility of DFINITY. The NNS is not a court of law and, more importantly, DFINITY is not a judge.

OP/BOSS agreed with the result and suggested that this account might have been stolen by an insider who used to work for the company. OP/BOSS said they would go back to check the video surveillance. In the meanwhile, OP/BOSS still want to submit an NNS proposal to recover their account. If OP/BOSS can gather enough votes in favor of this proposal, technically speaking this is not entirely impossible. Herbert/Paul also pointed out that, while DFINITY would be happy to provide general technical guidance to OP/BOSS, provided the same assistance is available to all other IC users fair and square, it cannot be involved in drafting this proposal per se. The proposal would have to be written and submitted by the ICP holder him/herself, not the DFINITY Foundation.

Thank you for reading this long memo. Appreciate your attention to this matter and all the suggestions so far.

18 Likes
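The three-case analysis in the memo (recovery key never matched / matched and never removed / matched and later replaced) and the reconstructed anchor history can be checked mechanically by replaying a credential-change log. The following is an added Python example, not code from the memo, the forum, or DFINITY; the Event shape is an assumption rather than the Internet Identity canister’s real log format, and the event log and credential labels below are constructed to mirror the timeline the memo reports.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One credential-change or login on an identity anchor (assumed shape, not the real II log)."""
    day: date
    action: str                    # "add", "remove" or "login"
    credential: str                # device or recovery phrase affected (or used, for "login")
    authorized_by: Optional[str]   # credential that signed the change; None only for initial registration


def replay(events: List[Event]) -> Tuple[Set[str], Dict[str, dict]]:
    """Replay a chronological log; return the final active credentials and each credential's history.

    Every change must be signed by a credential that is active at that moment, which is the
    invariant the memo relies on when it says the new recovery phrase was added *from* Tiger-backup.
    """
    active: Set[str] = set()
    history: Dict[str, dict] = {}
    last_day: Optional[date] = None
    for ev in events:
        if last_day is not None and ev.day < last_day:
            raise ValueError(f"log is not chronological at {ev}")
        last_day = ev.day
        if ev.authorized_by is not None and ev.authorized_by not in active:
            raise ValueError(f"{ev.authorized_by!r} was not active on {ev.day}")
        if ev.action == "add":
            if ev.credential in active:
                raise ValueError(f"{ev.credential!r} already active on {ev.day}")
            active.add(ev.credential)
            history[ev.credential] = {"added": ev.day, "added_by": ev.authorized_by,
                                      "removed": None, "removed_by": None}
        elif ev.action == "remove":
            if ev.credential not in active:
                raise ValueError(f"{ev.credential!r} not active on {ev.day}")
            active.remove(ev.credential)
            history[ev.credential]["removed"] = ev.day
            history[ev.credential]["removed_by"] = ev.authorized_by
        elif ev.action == "login":
            if ev.credential not in active:
                raise ValueError(f"login with inactive credential {ev.credential!r} on {ev.day}")
        else:
            raise ValueError(f"unknown action {ev.action!r}")
    return active, history


def classify(events: List[Event], claimant_credentials: List[str]) -> str:
    """Map the memo's three outcomes onto the replayed log.

    "A": none of the claimant's credentials ever appear in the history.
    "B": at least one appears and is still active (the ledger says it should work; a bug would be suspected).
    "C": all that appear were later removed by some other credential (an account takeover).
    """
    active, history = replay(events)
    seen = [c for c in claimant_credentials if c in history]
    if not seen:
        return "A"
    if any(c in active for c in seen):
        return "B"
    return "C"


def takeover_chain(events: List[Event], claimant_credentials: List[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """For each removed claimant credential: (credential that removed it, credential that had added the remover)."""
    _, history = replay(events)
    chain: Dict[str, Tuple[str, Optional[str]]] = {}
    for cred in claimant_credentials:
        rec = history.get(cred)
        if rec is None or rec["removed_by"] is None:
            continue
        remover = rec["removed_by"]
        chain[cred] = (remover, history[remover]["added_by"])
    return chain


# Constructed log mirroring the memo's timeline; labels are hypothetical, not real II device names.
EVENTS = [
    Event(date(2021, 7, 10), "add", "initial-device", None),
    Event(date(2021, 7, 12), "add", "recovery-phrase-1", "initial-device"),
    Event(date(2021, 7, 12), "add", "Tiger-backup", "initial-device"),
    Event(date(2021, 7, 20), "login", "Tiger-backup", "Tiger-backup"),
    Event(date(2021, 7, 26), "remove", "recovery-phrase-1", "Tiger-backup"),
    Event(date(2021, 7, 26), "add", "recovery-phrase-2", "Tiger-backup"),
    Event(date(2021, 8, 2), "login", "initial-device", "initial-device"),
    Event(date(2021, 8, 14), "remove", "initial-device", "recovery-phrase-2"),
    Event(date(2021, 8, 14), "remove", "Tiger-backup", "recovery-phrase-2"),
    Event(date(2021, 8, 14), "add", "recovery-key-3", "recovery-phrase-2"),
    Event(date(2021, 10, 27), "add", "temp-device", "recovery-phrase-2"),
    Event(date(2021, 10, 27), "login", "temp-device", "temp-device"),
    Event(date(2021, 10, 27), "remove", "temp-device", "recovery-phrase-2"),
]
CLAIMANT = ["initial-device", "Tiger-backup", "recovery-phrase-1"]  # what the claimant says they held

if __name__ == "__main__":
    print("case:", classify(EVENTS, CLAIMANT))
    print("still active:", sorted(replay(EVENTS)[0]))
    print("takeover chain:", takeover_chain(EVENTS, CLAIMANT))
```

The takeover chain is the part an investigator wants: it shows that the credential which removed the claimant’s devices was itself added by one of the claimant’s own devices, which is exactly why the memo concludes that whoever did this had access to that device rather than that a bug ate the keys.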

Wow, this is some serious work.

I want to say thank you to @PaulLiu, @zire and to the dfinity team for the gathering of these facts. It shows a great care that the dfinity team has taken on this matter.

@zire Thanks for the write-up and for the specifics. I have one question so far, you mentioned that:

and

How is it possible that the II account 171674 was not able to be recognized by the II-service ? Is it possible to change or delete an identity-anchor?

2 Likes

Thanks again to @zire, @PaulLiu and the folks at Dfinity for working so hard to help me out.

3 Likes

I’m going to publish my evidence here, and sometime in the next few days, I’m going to submit a proposal that says, "Reset the mnemonic of the Internet Identity anchor number 171674, neuron ID 9957861823581357722 back to the beginning".

1 Like

A screenshot of my neurons

No problem @levi . We owe this to @xiaobing and the community to help him find out what happened.

The anchor 171674 can still be recognized by the II-service/NNS. It’s still there, along with the neuron and the ICPs in it. It’s just that the devices owned by @xiaobing can no longer be recognized because the current owner has apparently removed them.

1 Like

This is the neuron in question:
https://dashboard.internetcomputer.org/neuron/9957861823581357722

2 Likes

Thank you for adding that. It was very helpful

1 Like

This is my withdrawal record, the pledge reward generated by the neurons

It would also be helpful if you provide links to the transactions on the explorer.

First of all, I feel empathy for the OP

This sounds like an issue that should be addressed by the local authorities, e.g., the police, instead of the IC community. Is there any evidence of who the thief is? Did the video surveillance catch the face? Did the ICPs belong to OP or OP’s company? Was there any related content in the suspect’s employment contract? There are many legal nuances here and I don’t think the IC community is the appropriate body to make the decision.

If OP’s proposal is passed, what will the community do if more similar cases pop up in the future?

Again, I feel empathy for the OP, but I will vote no. I encourage OP to gather as much evidence as possible and go to the police or find a lawyer.

6 Likes

Thanks for your suggestion. I’ll send it as soon as I’ve sorted it out

1 Like

The proposal is our best hope at this point, but unfortunately there’s no valuable information from the surveillance video, so we can’t identify the suspect

Just collecting some facts.

July 26 seems to be a pivotal date. On July 26, someone (say PARTY A), using “tiger back up”, changed the recovery phrase. That someone, I presume, was NOT OP. (OP to confirm)

The loss of access was not effective on July 26; but on or around August 14. Is that correct?

7.26 Modified the mnemonic, 8.14 deleted the previous login device

Now I fully understand the reason why you lost your account. And I am sorry to see what happened.

Truth be told, I would suggest you and your company must try your best to find the thief first, with the help of the company or maybe the police, rather than asking the community. You must know that in this crypto world, the seed phrase means everything; if you lose it, you don’t have a chance to get it back. If you do, many people may lose faith in this token and it may cause many issues. As per many ICP holders’ opinions (almost everyone I talked with), this kind of thing should not be decided by the IC community.

Spending more time on catching the thief may be a better choice.

8 Likes

This evidence can also be produced by the Binance exchange. If accounts are allowed to be retrieved in this way, the entire secondary market will be in danger. Imagine what would happen if the exchange cooperated with the local government to commit evil.

https://dashboard.internetcomputer.org/transaction/0504ac1ad5e79280337d95e8e687c8b9ab71b6f7c0e61a6fecfd3727754e6c45

https://dashboard.internetcomputer.org/account/799682d240f68e2a40422baeb9baca5108c299cd73d5f0c2313319b1bc5f742d
This is my ICP address