I’m very curious to see if this neuron will vote in the proposal. If it votes, we would know that the user has been reading the forum and this thread.
Thank you for working so extensively with Dfinity on this issue and making your case. You do have compelling evidence and this is an issue that any one of us can face. Certainly this proposal will set a precedent and there will be a divided community on how it should be handled. Personally, I don’t know how I would vote yet, but I do have empathy for your situation and I would like to offer some suggestions that I think might give you the best chance of success. It’s totally your decision how to proceed and you are free to ignore these suggestions.
A) There might be risk if you ask for the seed phrase to be reset to the original seed phrase. It doesn’t sound like you can rule out the possibility that someone else knows the original seed phrase. You might be better off creating a new internet identity and asking the NNS to assign neuron ownership to that new principal ID.
B) There is evidence that someone controls the internet identity that owns the neuron. Hence, there is a person on the other side of this story that will be affected if your proposal is successful. A lot of arguments against this proposal will come from the perspective of “how do we know that you didn’t transfer, sell, etc this neuron / internet identity?” These are fair questions, so your proposal should account for how justice can be served if someone else really is the rightful owner of the neuron. This discussion has been going on in the forum and on social media for a while now and nobody has come forward as the other side of the story. Maybe your proposal should involve actions that will force them to come forward if they are the rightful owner.
Your proposal could include the following:
- Change the dissolve state to not dissolving,
- Change the dissolve delay to 8 years,
- Remove all followees from the voting configuration of this neuron,
- Remove the recovery and devices from the internet identity,
- Wait 1 year to give the current owner time to come forward with a claim to the ownership of the frozen neuron,
- If someone comes forward with proof of ownership within 1 year, then add the current devices back to the internet identity, otherwise, transfer the neuron to your new internet identity.
There could be other mechanics for how to accomplish the goal, but the point is to suspend the account in a way that forces the current owner to contact Dfinity for support. If they are the rightful owner, then they will have the same anxiety that you felt when you first lost access and will come forward with evidence of ownership. You have clearly demonstrated original ownership of the neuron. You need to give the current owner an opportunity to defend themselves if they can make a claim of current ownership. Once they have been identified, then you can invite your local legal system to get involved in arbitration of the dispute as well.
I don’t know if this suggestion is technically feasible, but I’m just trying to think creatively about ways that you and others can potentially recover from stolen identities in a way that gives the NNS governing body higher confidence that this recovery process is fair to both sides. I would like to see improvements to the recovery process for internet identity as suggested in other forum topics, but we have to deal with our current system. That system assumes that we carefully protect and restrict access to our devices and recovery mechanisms. Since you are claiming that someone other than yourself gained access to your internet identity without your permission, it seems reasonable that recovery of your account should be hard and time consuming. My hope is that you set a precedent for how we can all regain access to stolen identities.
Sorry to say but 4 laptops with 2 yubikeys and two people with access, doesn’t sound like the safest way to deal with this amount of money. I’m actually quite surprised people would even consider this to be a safe approach.
I’m all for discussing safety mechanisms that could be implemented to deal with issues like this, identity theft is a real problem and everything that can be done, should be done. Things like delay time when deleting devices/seedphrases, or ranking of recovery mechanisms sound like a good approach. (edit: even having to enter the seedphrase to be able to change it, could be an approach worth thinking about)
What about having additional layers of security woven in, something like PrivIC from the hackathon?
Whoever wants that additional layer of security can opt-in. DFINIHack 2021 Demo Day | PrivIC - YouTube
This account generates more than 20 ICPs per day, so we should freeze this account before confirming the ownership. Do not allow anyone to control this account. When the person who controls the account now finds out that he can’t log in, I’m sure if it’s him, he will be as anxious as I am to go around and ask for help, contact Dfinity so that he can know that this proposal exists, so that he can submit his evidence. The rest is up to the community to decide who to trust. So can I make a proposal for a long time, say three months or six months?
Theft in the real world should be dealt with in the real legal system, but what about virtual money? Virtual currency has its particularity, which makes it easier for criminals to commit crimes, but it is difficult to find out the evidence of their crimes. We live in this crypto world, and almost every few days we hear about the theft of funds from a certain project, which is only well-known, and there are countless unknown virtual currency crimes that we don’t know about. If the real world legal system worked, I’m sure there wouldn’t be so much crime.
After the proposal is launched, we can know whether this account has participated in the vote. The account I set is to vote with the foundation, but the foundation will not vote for this proposal, so once there is the voting record of this account, it must be operated by thieves.
Based on the analysis of the historical block information, the staff can determine that the mnemonic word is not leaked. Of course, the possibility of leakage is not ruled out. Your proposal is good, and I agree that it is fair to give the person currently in possession of the account the opportunity to submit his evidence. Therefore, I wonder if we can extend the voting time of this proposal, or freeze the login of this account first.
“Virtual money” wasn’t stolen though, your Identity was. It was a yubikey that was physically stolen (borrowed?), it seems. And someone had access to your laptop as well, right? This doesn’t sound like a cyber-crime like the things you mentioned, where people get robbed online. You got robbed from someone physically close to you.
Under the current evidence, the biggest possibility comes from the people around me. I used one of the two Yubikeys to update the mnemonic without noticing, and then deleted the login device, and I lost control. If you have offended please forgive me, I don’t think you in bit jue word, I am stolen 32000 icp and generate revenue, if I yuan had been stolen, so our country’s police can easily help me find by the thief, but theft is a virtual currency, now you tell me how to check, the police should monitor with no useful information we have ever seen. All we know is that Dfinity people analyze historical blocks. That’s all. I don’t know why you’re obsessed with whether this is a cybercrime, but isn’t our first job to stop it?
Sorry but now I’m confused.
Anyway, I really feel sorry for your loss, I just don’t think this is something the NNS should touch however long the pole. If this Pandora’s box is opened, and every action/transaction can be reverted by the NNS by popular vote, we are in for a world of pain, imho.
I’m sorry. This is my only chance right now. NNS because of its pledge property no one can take away the ICP pledge, just let us have the opportunity to discuss the stolen account recovery problem here. I think the Dfinity community should be happy to seek justice if the people they help are actually victims. So let’s talk about how we can make sure we help the real victims. I’m sure you want to help the victim, too, don’t you? @wpb His plan is good. It gives both sides a chance to present evidence.
The login device was removed on August 14, and I contacted the official support on August 18, for which I have been anxious for four months. I’m about to see the light. Please support me, ok? It’s okay if you vote no, and thank you for working on my behalf. I will hold out until I regain control.
As much as I want you to get your money back, for me it is a question of what implications it could have.
I want you to know that I really want you to regain access to your neuron. But this should be achieved through other means. There has to be due-process, and there doesn’t seem to be a way for this right now on the IC.
Dfinity did a good job looking into this issue and investigating to see if there is any flaw in the system.
But, as tough as it sounds, the system is fine and the mishap happened on the human-layer.
Just as a little thought-experiment:
If I put a suitcase full of cash in a vault, and somebody with access to the vault knows the pin, opens the vault and changes the pin. Do I go to the vault manufacturer and ask them to change back my pin to the original one? If I don’t try to get to know who is the bad actor, how do I know I’m not getting robbed again, since assumingly the original pin was compromised in the first place?
I don’t think the NNS is ready to play court for real-world crimes, it arguably should never be.
And again, nothing personal, I understand there might be reasons you feel like going through the legal system wouldn’t serve your case.
Two very, very good points that need more attention on this thread.
No wonder you want to go ahead with the NNS proposal. You want to smoke him out.
IF
you can gather enough support in the IC community prior to the vote AND
DFINITY will sit out of the vote
THEN
THIEF has to detach his vote from DFINITY and cast a No vote to block your proposal
His vote will be visible under the sun as per @Dylan’s post above.
What happens next could be interpreted in a few different ways, but it’s getting a bit too Kobayashi.
I’ve been thinking about these two points as well. “Not your keys, not your crypto” is a common crypto principle, but when it is applied to BTC and ETH it doesn’t affect anyone other than the victim and the thief. With ICP, the theft of certain neurons could affect everyone if the neuron is large enough or if it has significant followers. The thief is only going to be interested in maximizing economic value instead of voting in the long term best interest of the internet computer. It is impossible to trace reward liquidity back to the stolen neuron, so it’s a continuous flow of ICP value for the thief while at the same time they could offer the voting power to the highest bidder on a black market. There could be some serious attack vectors around theft of key internet identities. In my opinion, these are arguments in favor of seriously considering recovery mechanisms in these cases.
Agreed. There are a lot of implications beyond the loss of funds. I suspect this will only get worse with time. Luckily Dfinity has identified recovery methods as a future R&D effort.
@zire I don’t understand, how can this sentence be true then?
Hi everyone, my ICP pledged to NNS has been stolen, and now I’m sponsoring a NNS proposal to reset the mnemonic to its original state. My evidence posted on My NNS has been stolen. Please help me. Bill address is Internet Computer Network Status. I hope anyone who has pledged ICP can help me vote to regain control of my account. Thank you.