Monday, September 16, 2024

Digital Napalm

We love the smell of napalm in the GM.


Exclusive Interview: CipherBlade’s Richard Sanders

CipherBlade’s Richard Sanders, recently seen in Coinbase, has a lot of wisdom to drop about everything from basic security precautions for noobs, BlockFi, the Hugh Karp Metamask hack, why he started CipherBlade and more.

 


 

The Cryptory: OK. First question:  What’s the best way to dodge taxes when liquidating crypto gains? Really kidding.. sorta..maybe..kinda…

Richard Sanders: I get asked this at least once a week unironically and have had people try to hire me for it….

The Cryptory:  It’s been said that people go into this crypto thing not even knowing what a private key is.  I’m sure your clients are pretty significant financially due to the nature of your work.  Do you really find this to be the case, even in top tier clients?  

Richard Sanders:  That is absolutely correct, and that’s a major issue. Andreas (Antonopoulos) identified this too: most people don’t care about the tech, they want “coin go up” and are better placed buying ETFs. I don’t think this has anything to do with net worth, though. There are plenty of people that threw darts and got lucky, then lost that money because of failing to take the 60 seconds to set up Google Authenticator or fell for an obvious scam that could’ve been identified given baseline diligence/research, etc. And to be clear, from there, those folks really have one of two choices: own their mistake and consider it a valuable lesson, or blame everyone but themselves. I see people that blame (telco provider, exchange, you name it) and those people are hopeless.

“Be your own bank” isn’t a meme, and if people can’t embrace that, this is not the place for them. People lose funds because they are greedy, lazy, or both. It is NOT impossibly difficult to self-custody. This has been demonstrated time and time again, and not just by me. I don’t care if someone has $1,000 or $1,000,000,000 — if the baseline security measures described, for example here,  are not understood by them, that is 100% a them problem, because the information is out there, they’re choosing not to read it and leverage it. It is a choice. Decisions are made at every turn. Wallets say “write this seed phrase down and do not store it online” during setup — often multiple times. Such warnings are not included for the lulz. People CHOOSE to ignore these warnings. If anyone is investing (time or money — BOTH apply) in cryptocurrencies, they need to invest time into learning about the tech and how to secure their investment. If somebody spends hours on end shitposting about “when moon when lambo” or better yet researching/asking “what is the next 100x coin” but can’t be bothered to learn what a private key is or to download Google Authenticator, that is 100% a them problem. You can’t browse Reddit, Twitter, or most anywhere else crypto is discussed without having some article or guide about security be something you scroll past. The knowledge is there. These people know it is there. They choose not to read it/heed it. The horse has been led to water. This isn’t a net worth issue, it’s a shit priorities issue. 

On the clients front, we service quite a few different types, so it’d depend who you’re talking about, but even for our investigative cases (where people lose funds because of not securing credentials), at least those people are reasonable enough to self-reflect and look inward; they wouldn’t be our clients if they were blaming everyone else. If you’re not talking about our investigative clients, it depends what service. Obviously, exchange clients know what private keys are. So ‘top tier’ to me would suggest you might mean inner-industry clients and that would be an “of course they know that.” If you mean legal clients, huge variance. I’ve had cases where, as an example, the Judge had never even heard of Bitcoin. I work with attorneys, on the other extreme, that do know what a change address is. Massive variance.

The Cryptory:  We’ve all heard the term “Not your keys, not your Bitcoin.” But then you have platforms like Nexo and BlockFi who are lenders that give interest and claim to be secure. Do you think they are?  Are you a staunch cold walleter?  

Richard Sanders:  I wouldn’t entrust anyone with my cryptocurrency unless there was a damn good reason, so no. It’s sensible to keep not more than a small portion of your stack with those companies. There is no such thing as risk-free interest, and it doesn’t take a security guy like me to explain why that is; it can be explained financially. From the security/solvency lens, though: have BlockFi/Nexo been audited? Guess who else wasn’t audited? Cred. (Side note, people shit themselves over the Ledger -data breach- ; know what people don’t seem to care about? BlockFi employees getting SIM-swapped. Just because funds weren’t stolen doesn’t mean data wasn’t. I’m highly skeptical that BlockFi was honest about this.)

The people shilling things like BlockFi, at an absolute minimum, have financial interest via ref links, and for some particular people have financial interest in the company itself. It is not honest endorsements (they have a motive, and it’s not just to be “helpful” to people/their followers), it’s not looking out for people’s best interests sincerely, it is to line their pockets. It’s predatory. I’m not suggesting that BlockFi is insolvent like, say, HitBTC (nowhere even close to in the same galaxy), but for these people to suggest this is “risk-free” is dishonest. In fact, they can be 100% solvent and verify that but I’d still not entrust someone with my crypto for some interest, the tradeoff is just not worth it. People need to learn to be okay with just holding and not growing a stack. These people are the same ones that want to daytrade, focus all efforts on finding the next 100x, and would save themselves a lot of stress (and in more cases than not, money) by just letting it be. Celsius was at least audited (albeit for one area, and that audit could be entirely irrelevant the day after it was done), so it probably says everything you need to know when certain people shill BlockFi over an at least partially-audited platform. (But these people have made a living off of “moon lambo” talk on Twitter, 10/10 “careers” btw.)

If people keep more than a slice of their stack in those platforms, to me, that says their risk appetite describes their motives: they’re in this for coingoup and getrichquick, so it’s probably not even worth trying to explain to them why it’s risky… a lot of these people won’t listen until SHTF. It’s impossible to save everyone from themselves… take it from someone that tries.

Mr. Sanders is a US Army veteran at the vanguard of leading the war against child porn on the cryptoturf.  See the Coinbase article about Huobi and OKX here.  

The Cryptory:  There is so much information and opinion out there regarding security measures and it’s really overwhelming. Since you are a trusted expert I think it’s important to ask if you were telling an utter noob / coingoup guy waking up about wallets and security, what links would you send them to?

Richard Sanders:  The SIM Swapping Bible covers everything they’d need. Seriously, it does. <$200 and <5 hours at MOST of money and time can prevent any retail hack I’ve seen. Ever. 100%.

Put more simply: they need to follow the darn instructions. I set up another Trezor yesterday. There are so many freaking warnings about “write this down” “don’t store it online” “don’t give it to anyone ever”. MyEtherWallet makes you click through… I lost count of how many warnings on this. I appreciate there is a lot to digest for a newcomer, so if a company is putting something right in front of your face, repeatedly, making you check “I agree”, bolded, red text, saying it multiple times… to state the obvious, it’s not their fault if you don’t follow those instructions. You can lead a horse to water, you can put the horse’s face in front of the water multiple times, but you can’t force hydration, so if they want to die due to price-obsessed thirst traps, that’s on them.

The Cryptory:  What was your Eureka point when you realized you really needed to create CipherBlade?

Richard Sanders:  CipherBlade was born because it was plain to me that investigating digital asset theft was something law enforcement was lacking in, and as a believer in blockchain tech (and a believer in the future increased adoption), someone had to innovate. And holy moly, I was more right than I ever thought I’d be, because we get a multiplier more of requests than we can service. In these stages of industry growth, someone needs to be a first-mover and establisher of best practices. Someone needs to prove “this IS doable.” Someone needs to prove “this is impossible” wrong. We do that every day. The recent Cubits turnover (a case where Mr. Sanders’ testimony helped get his clients back a large portion of Bitcoin that was stolen from them) is one of many examples of exactly that.

The Cryptory: Has the court decided the outcome of that case yet?

Richard Sanders:  The court has decided.  They got their money.  Can’t say how much but it’s nothing to sneeze at and it establishes that bringing in crème de la crème investigators yields results.

The Cryptory:  It looks like the crooks were really stupid!  They ripped off an exchange just to leave it on another exchange?

Richard Sanders:  It’s a bit more complicated than that. Some of the folks that had funds seized at exchanges (the account holders specifically) were “unaware” (debatable) it was hack proceeds (not to say they were not jackasses, because why on earth would any reasonable person find it not suspicious that some rando asked them to deposit funds, trade, w/d and keep 10% for no reason?).

The Cryptory: I’m sure you know about Hugh Karp of Nexus getting hacked for 24 million dollars.  Metamask is so commonly used, so I guess it shouldn’t be shocking that someone was able to compromise its security.  What do you think is the most secure wallet out there?

Richard Sanders:  Well see, that’s the exact point. Metamask itself was not compromised, so to say their wallet is not secure on this is factually off-base. The recent wave of issues (malicious extension via Google adverts) is a -rare- situation where I will say there is some fault in some company. That fault is not with Metamask, but with Google, and a known issue that they have fallen short on (Youtube “giveaway” videos being promoted). Metamask has their shit together. Google does not. When a company the size of Google can’t be assed to bring on ONE person with even 10% of my knowledge to squash this, it tells you all you need to know about their priorities. They are pocketing ad revenue. YOLO.

As for the Nexus guy, here is what isn’t emphasized.

If you’re going to transact such a large amount of money… do a test transfer.  This is especially true if you’ve recently changed anything (updated a browser/extension/changed device/farted/etc).  (Karp’s) situation is not in the galaxy of stupid I usually review, but was still avoidable, and still not Metamask’s fault. I’ve no doubt Karp is a smart dude, and people make mistakes, but when you’re handling this amount of money, you gotta really dot your i’s and cross your t’s.

The Cryptory: Also, if you’re able to share, what was the craziest case you ever worked on?

Richard Sanders:  I can’t talk about the craziest ones. And there are plenty of cringe-meme cases that are already well published. Check out Oyster Pearl/Bruno Block. Our industry is a “is this real life” meme with (as a current example) NFTs. Investigations are often no different. 

Learn more about CipherBlade and everything they do at their site.  And be sure to check out The Sim Swap Bible.

CipherBlade is looking to hire blockchain experts to meet demand for their services.  Learn more about the positions here.  
