February 27, 2024 • 43 mins
Imagine discovering that the very foundations of your financial security have been compromised by one of the most infamous crypto-heists in history. That's the chilling tale we unravel from the 2016 Bitfinex breach, with a staggering $4.5 billion at stake. We join forces with cybersecurity experts and dive into the cutting-edge blockchain forensics that led to the recent arrests, providing a glimmer of hope in the dark abyss of stolen digital assets. As your guide, I share invaluable strategies for fortifying your cryptocurrency investments—think cold wallets and micro-transactions—not just to protect your wealth, but to ensure its rightful transfer to your heirs.
But the perils lurking in the crypto-verse don't end with exchange hacks. Have you ever had the feeling that something's too good to be true? We dissect the 'pig butchering' scams that prey on investors through sophisticated social engineering, and I'll recount a personal brush with these cunning con artists. The episode becomes a stark warning about the craftiness of digital predators, while also equipping you with the armory of knowledge needed to build a fortress around your digital assets—multi-signature wallets, encrypted physical backups, and all.
As we round off our journey, we scrutinize the influence that glitters from the world of crypto influencers, where not all that shines is gold. We question the hype, dissect the endorsements, and underline the importance of due diligence. I emphasize the unique strengths of Bitcoin and the trustless technologies that underpin it, urging listeners to embrace self-reliance in the wake of rampant cyber threats. So, if you're ready to navigate the complex currents of cryptocurrency and cybersecurity, this episode is your beacon in the storm,
This is Encrypted Ambition—a podcast about the builders rewriting the rules. Join Petronella Technology Group as we decode the ideas, challenges, and momentum behind tomorrow’s business, technology, and leadership breakthroughs.
That’s a wrap on this episode of Encrypted Ambition. Subscribe wherever you listen, and if today’s guest inspired you—leave us a review or share the show with someone in your circle.
To learn more about how we support innovators with AI, cybersecurity, and compliance, head to PetronellaTech.com.
Thanks for listening—and remember, the future favors the bold.
NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.
Support the Show
Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:
- YouTube PetronellaTech
- YouTube Craig Petronella
- Podcasts
- Compliance Armor
- Blockchain Security
- Call 877-468-2721 or visit https:/
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Blake (00:02):
Hey everybody, welcome to another episode here of
Cybersecurity with CraigPetronella.
Obviously, I have my boss andfriend, craig Petronella.
We're going to try a new formathere.
I think Me and Craig have beentalking a lot about breaches and
how things happened.
Obviously, here at theCybersecurity Company, we focus
more on a defensive approach.
(00:23):
What we think we're going totry doing here in these next
follow-up episodes is we aregoing to be analyzing breaches,
things that have happenedrecently, looking at them under
a microscope and seeing howobviously hindsight is 2020.
But what could have beenimplemented to prevent things
like that.
(00:43):
Hopefully you guys will havesome great takeaways from that
and hopefully you guys willlearn.
Today, craig thought it'd be agreat idea to talk about the
Bitfinex, which is a huge, huge,huge security breach.
I think they took at the timeit was $71 million in crypto,
(01:03):
but now that is worth $4.5billion because this happened a
while ago.
Craig, give us a littleexecutive summary of what
happened with Bitfinex and whythis is important to cover.
Craig (01:18):
Sure.
So Bitfinex was a popularcryptocurrency exchange where
people would buy, sell, tradeBitcoin and other
cryptocurrencies.
Back in 2016, they suffered ahack of approximately 120,000
Bitcoins stolen.
We wanted to bring you up tospeed of what happened with that
(01:39):
hack because obviously 2016 isa long time ago.
We're in 2024 now, so why arewe talking about this now?
Back last year, around August of2023, special Agent IRS, as
well as a team effort with theFBI because the blockchain and
distributed ledger technology isall public record they were
(02:02):
able to analyze and trace thecrypto that was stolen and they
basically traced it down to acouple in New York Heather
Morgan and how do you say thename?
Eila Lichentine, something likethat.
So they traced it down to thoseof the folks that stole it.
Like Blake said, it was about$4.5 billion worth roughly on
(02:26):
August 3rd of 2023.
With Bitcoin's recent rise ofabout $57K per coin, I'm sure
that's a lot more now.
The point is that we wanted tokind of take a different
perspective on giving you guysmore insights from a crypto and
cybersecurity forensic lens,opposed to just kind of giving
(02:46):
you highlights in news, becausewe were talking and basically
concluded that you guys areprobably getting the news
already.
We like to give our take on thenews, but I thought, and Blake
thought, it would be interestingto kind of see if we dove a
little bit deeper into thedepths of how we would view from
a forensic lens and from acybersecurity and, in this case,
(03:08):
a crypto lens around.
What happened, who suffered,what is our take on it?
What could you do as a consumerto protect yourself?
All that fun stuff.
So, basically, these guys gotcaught because, like I said, all
the crypto trading is onblockchain, which you can't
(03:29):
fudge or fake.
It's all immutable and anybodythat uses cryptocurrency for
cybercrime basically, your daysare numbered, because they will
find out where the breadcrumbslead to.
And oftentimes, like withBitfinex, they actually didn't
(03:52):
require what's called KYC orknow your customer.
So, at the beginning of whenthe cryptocurrency exchange was
very active, they didn't reallyknow a lot about the people
using the exchange, which, forobvious regulatory and
compliance reasons, is a big redflag, because if the exchange
(04:13):
was being used for illicitactivities, if you don't know
who your customers are, that's aproblem, right?
So how could you prove thatthere wasn't funding of
terrorist organizations orsanctioned countries or all
sorts of bad stuff, right?
So, circling back to thisparticular topic here,
everything was traced back tothis couple.
(04:35):
They're put in prison, Ibelieve, and the government
seized most of the Bitcoin thatwas stolen and the people that
were on this exchange thatsuffered the hack and left
crypto on the exchange.
They suffered losses.
So they're trying to much likewhat happened with the FTX
(04:56):
exchange.
The regulatory authorities aretrying to work together to
basically make the people wholeagain.
Well, giving our take on this,first of all, the cardinal rule
is you shouldn't really storeyour crypto on an exchange.
If you're trading crypto on anexchange, you should avoid
storing your crypto there,wherever or whenever possible.
(05:19):
And again, none of this is anykind of financial advice.
We're just giving you ourcybersecurity perspective on
best practices and security.
But any questions, blake?
So far, I mean.
Blake (05:33):
Something that I think is really important is, obviously,
we know what happened, but wedon't know why it happened, and
so, for some of you out there,bitfinex failed to distribute
their security tokens, so theyhad put two security tokens out
of a total of three on the samedevice, so only took that hacker
(05:55):
or this couple gaining accessto one device which, in lead,
compromising millions andmillions of dollars.
I think it's pretty importantthat maybe we should hammer home
on how you can properly storeyour security keys I mean, we
talked about cold wallets beforein the past Maybe any other
(06:17):
steps that you might take todistribute the security tokens
or the past phrases, thesecurity keys for said wallets.
Craig (06:30):
Sure.
So obviously, what Blake'stalking about is called a cold
wallet, basically acryptocurrency wallet that is
not connected to the internet.
There are differentmanufacturers makes models, etc.
We're not going to endorse anyspecific company or, you know,
we're not making commissions orany kind of thing like that.
(06:50):
By recommendation, you know,providing a recommendation to
you, I'll kind of give you myperspective and my take on it
and you can kind of take it forwhat it's worth.
So the majority of crypto usersthat trade crypto, they're
probably not the mosttechnically savvy and if that is
(07:11):
the listener, my best advicewould probably be to use
something like what's called atangent wallet.
I don't know if Blake, ifyou've ever seen them.
They look like kind of like ametal credit card.
I don't even know if they'remetal, they might be plastic,
but they kind of look that way.
They're kind of the 1.0 versionwas black with white graphics
(07:33):
on it, and I think the 2.0version has all black.
Anyway, it's an NFC, nearfrequency type of card that you
tap, like to the back of yourphone to authenticate
transactions.
Okay, now there has beenspeculation and some concern
about this particular tangentwallet and company.
(07:53):
Because here's the deal, folkswhen you are putting your money
on, or crypto on, a cold wallet,you do have to have some kind
of trust with that vendor.
Right?
And I don't know about you,blake, but you may have heard
about the recent stories withledger ledgers another you know
make a manufacturer of a cryptowallet.
(08:13):
The problem with ledgerrecently has been with their
communication around.
They were trying to I thinkthey were trying to do something
good by giving users that useledger devices a way to recover
their seed phrase if they wereto use it.
So they they launched this likerecovery service, but it
(08:35):
spooked a lot of people becauseof the way they went about
communicating the launch andbasically they lost a lot of
trust in the community becausepeople thought that, hey, if
they can recover wallets forpeople for a fee, they must have
access to my private key, andthat spooked a lot of people,
including myself.
So again, going back to tandem,tangums are super easy, super
(09:00):
inexpensive solution.
I think you can get like athree pack of them for less than
a hundred bucks, which is cheapin the crypto world.
If you want something verytechnical and high end or
extreme, they have a product, adifferent brand, called engrave.
There's an engrave and agraphene model which a graphene
(09:21):
is is a metal plate that youstore and punch your seed phrase
onto.
God forbid if you had a fire orsomething that destroyed your,
your crypto seed phrase.
If you don't have thatsomewhere else as a backup, then
you're dead.
You're, you know you're goingto lose your money.
So there's different.
You don't have to buy anengrave just to get that
(09:42):
technology.
You can certainly go on Amazon.
They sell plates that you canbuy to store your seed phrase.
So obviously you never want tostore your seed phrase and you
don't ever want to take apicture of it.
You never want to store itonline anywhere.
Don't put it anywhere digitaland whenever you're writing the
seed phrase down, make sure youdo it in a very private area
with no cameras and nothingthat's near you to you know, to
(10:05):
prevent any kind of compromise.
So tandem is probably the youknow the the best recommendation
for your everyday average user.
Right, I can say at this moment, ledger I have concerns about
uh.
Treasure is a another popularone.
There's some limitations.
(10:26):
If I had to kind of give mytake on it, I would probably
choose a treasure based on theclimate, um over a ledger at
this very moment.
Um, that's just my opinion.
I have a treasure.
I have multiple wallets.
Part of what I do is I vet andtest all different security
products and tools.
Um, I had some issues with thetreasure model T with the touch
(10:48):
screen.
It was kind of finicky to me,in my opinion.
Um, the tandem I've used.
I like it.
I did have valid concerns withtandem because, um, the first
version of tandem, you don'tknow your seed phrase.
They generate it.
They claim to generate itencrypted when you open the box,
(11:09):
like when you do it, but you'restill trusting the company with
this right, so you're trustingthat the app developers.
There's nothing happeningbehind the scenes.
You know you're trusting.
You have this trust in not onlythe software but the vendor,
and you're just taking riskswith pretty much every company
that you choose.
So you just have to kind ofchoose carefully.
(11:29):
So, in my opinion, opposed tojust choosing one vendor, I
choose all of them.
I choose many different onesand kind of spread things around
this way.
If one of them were like, let'ssay, ledger gets, you know,
hacked or something and maybesomebody exploited their
recovery service and then all ofa sudden, everybody loses their
crypto that has a ledger wallet.
(11:50):
Well, at least I don't have allmy eggs in one basket.
So that's my best advice foryou guys listening, you know,
don't choose one making model,kind of distribute your your,
and I recommend the same withbanks too.
I mean with with normal money.
You shouldn't have all yourmoney with one bank.
You should have multiple bankaccounts for FDIC insurance and
all that fun stuff.
But the end grave is probablythe most secure that I've heard.
(12:14):
It is an air guy wallet thathas a built in camera, that that
uses the QR, qr codefunctionality, so that one.
But again, it is cool, it has anice screen, it's a hardened,
embedded device.
But again, you're stilltrusting end grave.
Like you, like the averageperson's not going to know the
(12:35):
code that's happening behind thescenes, right?
So you're still trusting thevendor and all these scenarios.
So anyway, the summary here isstory or crypto on some type of
cold wallet, maybe one of theones that I mentioned.
I do not recommend a software ora hot wallet that like what was
the?
You remember the one that thepopular one that people would
(12:58):
download, electrum.
I don't know if you guys heard,but Electrum is a software
wallet and I've doneinvestigations where I actually
found a bug in the software thatcaused unspendable tokens.
So what that means is, when youopen or set up a brand new
(13:19):
wallet, the first thing, as abest practice, you're always
supposed to do, is send amicrotransaction out and in to
make sure the functionality ofthe wallet works Well.
A lot of newbies and new users,and sometimes seasoned users,
they skip that step.
They don't do that.
They just buy crypto and thenthey store it.
Well, in this case, with thisparticular software, there is a
(13:40):
bug and it caused what's calledan unspendable wallet.
So all the coins that peoplewere storing they're unspendable
.
You can't move them out of thewallet, so they're locked up
forever.
So that is a really badeye-opening experience.
Blake (13:56):
So obviously we know a lot of people out there have
crypto, but not a lot of peopleknow how to protect it.
So if you could give obviouslywe talked about cold wallets and
storing the past phrases If youcould give top five, maybe
takeaways, to our listeners,here's things you need to make
sure you've put in layers wealways talk about cybersecurity
(14:18):
and layers like the onion If youcould give them five different
things that they could use totake away.
Obviously we know about using asecure platform.
Stay away from shady cryptoexchanges.
Take your crypto off theexchange, bring it into the cold
(14:39):
wallet.
Obviously, don't use one, two,three, four, five as your
password, of course, enabling2FA, but beyond that, what else
would you recommend?
Craig (14:53):
Well, at first you have to check your rules and
regulations of your countryright.
So in certain countries, likein our country in America, you
have to use a KYC enabledexchange and you have to go
through that process of provingyour identity and working with
the exchange.
And when you move your currencyfrom your bank to your account,
(15:16):
like Blake said, you definitelywant to have best practices
with security, so try to use avery long, complex password that
is unique to that platform.
Don't reuse that passwordanywhere else.
Ideally, use a password managerthat's encrypted.
Use multi-factor authentication, but do not use SMS for the
(15:38):
tokens.
Use like Google Authenticatoror Microsoft Authenticator.
Those apps are much, much moresecure.
When buying the cryptocurrencyof your choice on the exchange,
they typically have a waitingperiod.
I forget what it is.
I think it depends on the levelof KYC that you do, but I think
(16:00):
it also depends on how muchmoney might be in your account.
There's some restrictions thereand there's a waiting period
before, like you can't just gobuy Bitcoin and then move it
immediately off.
They make you wait a period oftime, and I can't remember
exactly if it's two weeks orsomething, maybe a little longer
.
It may depend on your KYCdetails, but once the time
(16:22):
period is done I know a popularexchange like Coinbase, for
example they have what's calleda vault function.
I have tested and used the vault.
In my opinion, I don't like thevault.
I think it's a good and it maybe a good step for some people,
but basically, what it does isit locks up your crypto in a
secure area called a vault,where you have to do not just
(16:46):
multi-factor, like to yourGoogle authenticator, but then
you have to have a second factorto your email, and then you
have to have another emailaddress that's not your main
email.
You have to do another tokenthere, and then you have to wait
24 or 48 hours before and youhave to re-authenticate all that
stuff again, and then you canget your crypto out.
(17:09):
So I mean, in my opinion, acold wallet is much better.
It gives you more control.
I could see certain instanceswhere maybe somebody might like
the vault function, but that'sjust my opinion on that.
So, anyway, after you gothrough all those steps, you
move your crypto to a coldwallet, like one of the ones
(17:29):
that we recommended, and then,when you do that, though, you
have to really study the processaround how to properly transfer
that, because if you make amistake when you're moving it
from Coinbase, for example, toTangem, if you type something
wrong or you've got malware onyour device and they kind of
(17:52):
middle man attack and intercept,you're subject to losing that
transfer and there's nobody thatcan help you.
So you have to be reallycareful about your privacy and
where you do this and triplecheck everything and always do
micro transactions first.
I mean, it's not going to hurtto do like a.001 or small, like
(18:12):
$20 or $30 of a transfer andthen make sure the wallet works
and then transfer more.
There's a cool function that Iknow Coinbase has that it'll
actually remember.
So if you have a cold wallet,it'll say, oh, you sent this
wallet before.
So there's some kind of checksthere that are handy, I think.
(18:33):
I think also it's good to havemultiple exchange accounts so
that if there was an issue Iknow that in the past, in 2021,
when things got crazy, therewere some issues with exchanges
getting overloaded and thingslike that.
So you never want to be stuckin a position where you just
can't either sell or get out ifyou want to sell or transfer and
you're stuck.
(18:53):
So you always want to havemultiple options.
So again, like I said before,multiple exchanges are good,
making sure you leverage, likeBlake said, the layers.
You want to have good antivirussoftware.
You want to have good what'scalled EDR or more modern
antivirus that has heuristicaland AI based scanning tools.
We have some different layersin our stack that we recommend.
(19:15):
You want to have XDR, ideallyon your network to make sure
that there's nothing youbasically have to do like a lot
of prerequisite layeredcybersecurity to kind of get
yourself up to security standardbefore you should attempt any
of this stuff, because if youskip all that it's kind of like
(19:36):
flying blind and then if you'rein trouble then you've got a big
problem.
So it's better to have a lot ofthese layers in place as
foundational.
Blake (19:44):
Something that I don't hear a lot of people talk about.
What I think definitely shouldbe talked about more is,
obviously, I mean, there arecomputer cafes.
People still do rely oncomputer cafes for accessing the
internet sometimes.
You know, obviously you're notgonna, you know I wouldn't
access your bank account or any,you know, secure financial
information from said cafes.
(20:06):
You know, obviously, publicWi-Fi also is the same.
So if you bring your laptop toa library, you know obviously
Avoid accessing your bankaccount and your, you know, your
cryptocurrency or your, yourcrypto exchange through that.
And something that I don'treally hear a lot of people talk
about is, obviously we a lot ofthink about.
You know, obviously, people whoare considering, who are
(20:28):
keeping crypto or preservingcrypto for the long period of
time, like we're, we're, we'rebullish and we're holding right
most of us, um, but you knowsomething that we I've never
really heard you I talk about isyou know, let's just say, for
example, something happens toyou.
You know, um, you know,obviously, handing.
You know making sure thatwealth gets transferred, you
(20:49):
know, to your children or yourfamily, yeah, so those are good.
Craig (20:52):
So touch on both of those real quick before you you go on
more depth.
So the first one the reason whyyou don't want to do crypto
trading or bank bank accountwork in a cafe or an airport or
a busy area is because hackershave been known to Transmit fake
(21:14):
cell towers and fake Wi-Finetworks that mimic what you
think is real.
So, like, let's say, you're atStarbucks and Starbucks has a
Starbucks guest network, hackersare known to Put their like,
set up their own network thatbroadcast the same name and Get
you to join their networkInstead of the real Starbucks
(21:37):
network, and the reason whythat's bad is, once you join
their network, they can then runpenetration tools and hacker
sniffing tools to then sniff outyour Transmissions and your
communications.
So this is why you want to useencryption, like keystroke
encryption and VPNs, and ideallynot connect to One of those
(21:59):
networks.
You want to connect to aprivate network, like your cell
phone provider or a business VPNor something that you know you
can control, because in theevent that a hacker is still on
the network, that makes it muchharder for them to penetrate
through those layers.
Right, so that that's why youdon't want to do those things
unless you have those additionalsafeguards and layers in place,
(22:20):
and then it's still risky, butyou're.
But the more layers you have on, then the less likely you are
to get hacked and the more thehacker has to work harder to get
to you.
So you know, your mileage mayvary, but the point is the more
layers you have in place, thebetter protection that you have.
And then, moving on to theother point around Crypto and
(22:42):
your family and your spouse, isabsolutely valid points.
The nice thing about tandem andother cold wallet solutions is I
don't know if you know this,but let's say you have a ledger
device, a cold wallet, and youyou can actually take a
different brand Cold wallet andclone that ledger device.
(23:05):
Did you know that?
I didn't?
So you can take a ledger that,let's say, has a 12 or 24 word
seed phrase, which is a bit 39standard seed phrase.
Right, you can take that, wall,those 12 words and I can buy
the new tangent 2.0 does supportseed phrases.
I can restore a wallet toTangent so I can have a ledger
(23:26):
on my left side and a tandem onmy right side, and there are the
exact same wallet, but justyou're using two different
manufacturers to communicatewith that wallet.
Does that make sense?
Yeah, yeah.
So in that context you can thenclone like two or three of them
and then give them the familymembers and then give them the
Pin or whatever.
So then in the event that youget hit by a bus God forbid
(23:49):
something happens they cancontrol your funds.
Obviously, you have to trustthem because you don't want
something to happen that Whileyou're live, you know.
But my point is that that's alayer of redundancy that you can
choose.
With tangium you can buy thethree packs.
You could have three differentbackups and you can distribute
(24:09):
those in different places, solike family member, another part
of the country, whatever, andyou can do that.
They have what's calledmulti-sig wallets where with a
multi-sig wallet, you actuallyit's kind of like two keys to
open the lock, so both sideshave to have to submit.
There's a.
Have you ever heard of Shamir?
I haven't.
(24:30):
No, shamir is a is a type ofmulti-sig.
So if you, if you look that up,it's, I forget it's a.
It's longer than your typical.
It's longer than your typical Cphrase.
Blake (24:51):
Okay, here it is yeah.
Craig (24:57):
Here we go.
So Trezor has a model thatsupports the Shamir.
So basically you need to havehow many.
It's called two of three and,okay, 20 words.
That's what I was looking for.
So Shamir backup uses 20 wordshares with 128 bits in strength
, and then you could also do a33-word share.
(25:19):
So basically, in this context,you have multiple seed phrases
and you have to put themtogether to be able to control
the said wallet.
So that's another option forfamily members, or you could do
like a two of three.
So this way, like two peoplewould have to be able to be
controlled, in control to beable to make a transfer.
(25:41):
So that's an option, obviously,at its bare-bone minimum, you
could put that seed phrase inyour will or somewhere safe and
secure.
Again, you have to reallyprotect that thing, because you
don't want to even put that withlike a law firm, because if the
law firm gets hacked, then yourwallet's going to get drained.
(26:02):
So just be real careful.
The graphing plates that wetalked about they have some
encryption options as well,where you can get multiple
plates that have to be stackedtogether to get to your seed
phrase.
So if you give one plate likeif I give one plate to Blake and
I have a two.
I have the second plate.
He can't do anything with thatfirst plate without my plate,
(26:25):
right?
Blake (26:26):
So that's another option.
I like that.
That's a great option.
Craig (26:30):
Yeah, so that's my favorite, my opinion.
But yeah, those are all waysthat you know.
There's another thing that'sgoing on which gives a good
segue into this topic.
Have you ever heard of pigbutchering?
Blake (26:43):
Well, I think we talked about it briefly, but you
probably need to refresh my mindbecause you know I'm running at
110% right now.
Craig (26:50):
Yeah, so it's a weird name.
Pig butchering is a nasty scamthat's going around where you
get a text message.
typically it starts with and itsays something like hey, and
then you write back and you'relike I remember or whatever you
know, and so the person tries tosocial engineer you and trick
(27:13):
you into roping you into thisconversation and relationship,
and then the hacker persuadesyou to move off a text to
something like telegram orsignal and then get to know you
more there and then introduceyou to a oftentimes a
cryptocurrency investmentopportunity of a lifetime, where
(27:37):
they paint this story aroundgetting you access to insider
information, where you can getaccess to coins that the public
doesn't know about and you canmake all this money.
Well, long story short, afterthey rope you in, then they show
you and invite you, they getyou to buy crypto on a popular
exchange and then move yourcrypto into the system, and then
(28:00):
they get you to what you thinkis put on an app on your phone,
but it's actually not an app.
It's actually a maliciouswebsite that looks just like an
app.
And then they fund it and thenin a couple of days, you see all
these returns.
You think you see all thesereturns and how much money you
made, and they persuade you intothinking that you're making all
this money.
And then you try to cash outand then they're like oh no, you
(28:23):
can't cash out, you have to pay10% of whatever your balance
shows.
So let's say you put in like$10,000 and fictitiously, you
know, grows to a million dollarsand you want to cash out.
Then they say, well, you needto pay 10% of a million dollars
to get you money, and so theykeep bleeding you dry of all
this money and then the wholething is a scam and it's all
(28:45):
called pig butchering.
It's all over the news.
Some people have lost tens ofthousands, some people have lost
hundreds and some people havelost millions of dollars to
these scams and it's really sadhow a lot of people get tricked
into this stuff, but it's anasty thing going around.
Blake (29:01):
I wanted to touch on that because this you refresh my
mind and I told you about myexperiences with this, and so
there's certain ways that atleast it happened to me I didn't
never get butchered, right, Iknew what I was doing, but I
essentially was stringing themalong to see this scam unravel
and a lot of people.
(29:21):
What they'll do is they'll goon Facebook and they'll create a
copy of your friend, right, andit'll be like you know, craig
Petronella, my Facebook friend,and then he'll do the same
picture and the same bio andthen he'll go in and add the
same friends and then they'll belike oh, you know, how have you
been?
All of a sudden, they'restriking out this conversation
(29:43):
with you.
Oh, how have you been?
Like, I've been doing thisreally well, you know.
Then they'll lead you into thecrypto investment opportunity,
or the other one, in my case,was somebody just randomly added
me I've never seen them beforeand it so happened to be just,
you know, just a random usernameor the random picture.
(30:04):
And, yeah, you know, they wantedme to go into cash app by
Bitcoin, which I did.
And then they're like oh,register for this exchange and
this exchange was.
It was like based off some typeof Singapore exchange or
something or some type of crypto.
I'd never heard of them.
But yeah, I mean, you logged in, you had the opportunity, you
(30:25):
can go there and click fund youraccount.
Whenever you fund your account,you have to reach out to support
.
Support will generate a walletfor you and then, of course, you
fund that wallet and then, andthen, yeah, you know, obviously,
like Craig said, I never gotinto the part where I'm not, I'm
not going to fund this wallet.
Of course, I just wanted to seethe wallet address.
That was where it ended for me.
(30:47):
But, yeah, you fund the wallet.
You know, like Craig said, theyshow prompt, they fake returns.
You know, oh, your $1,000 isnow 10,000, 20,000.
Oh, let me take out 5,000 or,even worse, add more.
Oh man, oh, my God, I made$10,000.
Like, let me add another 5,000.
Yeah, so that's what they do.
Craig (31:08):
First they get you to add more, to double down, double
down, keep in growing it, sothey milk you dry on adding more
.
And then when you're ready tocash out, they're like, yeah,
yeah, go ahead and cash out.
Then you get hit with the oh,you got to pay 10% of the
balance to get you at the end.
And then that's usually whereit stops.
And that's usually at thatpoint where people are like, oh,
(31:30):
I think I've been scammed, butthey've already lost all the
money that they put it in thefront end.
And then here's the thing likeif you hire a company like ours,
we can trace it to where thejourney goes, okay, but then you
have to open you know a casewith law enforcement and open a
police and that's fine.
You should do that if you'vebeen subject to a scam like this
(31:50):
.
But sadly law enforcement is sooverwhelmed that, unless it's
like a huge amount of money,oftentimes the cases will go
cold and they won't.
You know they'll get stuck andit's expensive and a lot of work
to do the tracing part, but notonly that, but to actually get
law enforcement to take theseguys.
(32:11):
So the reason why theseransomware groups and cyber
crime gangs and the.
You know, when the money getsso high, where it's like
millions or billions of dollars,that's when IRS, special agents
, fbi, because they want to takethem down, because the money is
so much, that's where they putso much effort towards it and
(32:32):
they take them down.
So it's not that it'softentimes, especially with
blockchain technology and howit's all on the ledger, it's not
that it can't be traced, it'sthat it's so much work for those
little.
It's sad to say, but the littleamount, like the $10,000 scam,
it's just so much work.
It often is just, you know, toomuch for law enforcement.
Blake (32:55):
Yeah, I hate to be the bearer of bad news here on this,
but If it's too good to be true, then it is.
I mean, that's just rule numberone.
If you're a family member, ifyou're a grandma who's 67 years
old, somehow becomes a cryptotrading specialist.
Oh, I made $20 million trading.
(33:17):
You know what I mean.
Like, come on, guys, like I,hope.
Craig (33:20):
Here's the other thing that I thought of, too, when I
was talking about wallets.
You definitely want to usemultiple wallets If you're going
to mess with crypto and eitherhold it or whatever, and you
never want to connect like yourwallet that you have like a lot
of savings in to like a Web3website.
(33:41):
Like if you get involved withwhat's called distributed DApps
and decentralized finance andthese Web3.0 websites, you can
certainly go down those rabbitholes and that's up to you to
kind of investigate but getsomething like a Tangem or a
Trezor or one of these walletsthat we talked about and put
just a really small amount ofcrypto to mess with that stuff.
(34:03):
Like never connect like yourlife savings wallet to that.
Because there was an issue Ican't remember Was it.
Did you see the one where theyconnected to a Web3, they
connected their main wallet to aWeb3 website.
Oh, it was a Drainer script.
Did you see that?
(34:23):
That was like a few months agonow.
There was a Drainer script.
I want to say it was with Ledger.
Let me confirm that before wesay that, live here.
Blake (34:32):
Yeah, I have a Ledger and yeah, I don't keep a lot of
crypto.
Yeah, it was Ledger, sorry.
And yeah, I mean it's all up toyou, right, like everything,
investment is risk-based.
There's never a guarantee likemoney making, money printing,
(34:54):
investment.
So for me, right now, there'sjust a lot of validity and
crypto and this is just mystance, so I don't have the
means to be following itregularly, of course.
I mean, I'm here incybersecurity so I follow
breaches and attacks and clientsand things like that.
So for me, right now, I havevery little crypto assets and I
(35:19):
have it in my nano.
I think I have some NFTs whichare probably worthless now.
Back in the day, this thingused to be hot, but yeah, so
that's just my perspective.
And you said something thatreally struck and resonated with
me was having some of my lifesavings in crypto.
That, to me, just made mecringe a little bit, because I
(35:44):
personally don't think and again, this is not investment or
financial advice I don't thinkyou should put your life savings
into anything, distribute it,and even from an investment
perspective, I am one of thoseguys that use a lot of ETFs just
because, again, I don't havetime to manage it.
So essentially, you are payingthat small nominal fee for
(36:07):
somebody who's way more talentedand way more skilled than me to
manage that, and I mean itdoesn't have as much validity.
And you've seen cryptos go 50%overnight or 100% or 200% or
1,000% overnight, going fromthese little altcoins to these
behemoths right, and that's notrealistic.
(36:28):
That happens in a really smallpercentage of crypto coins.
And something I've noticed alot is especially when you start
to get the influencerperspective, like a lot of
influencers when they're talkingabout crypto, like those are
cryptocurrencies you probablyneed to stay away from you know?
Craig (36:49):
Yeah, so I think what you're talking about is a lot of
the like.
Blake (36:53):
back in the day, it was ICOs and it was new coins and
get your airdrop and One coin orthe more popular one now that a
lot of people is Monero, whicha lot of people are talking
about, a lot of influencers, andI mean look at Ethereum, max,
right, you know that's anotherone that Kim Kardashian was
(37:14):
promoting.
Jake Paul, they used it forthese boxing matches, these
YouTube boxing matches, to buytickets or whatever, and that
thing went down.
I mean anything that aninfluencer is talking about,
like, obviously, put yourmagnifying lenses on, you know
your high prescription glassesand do your own homework.
(37:36):
You know, just don't buy itbecause somebody else says it's
a great token or an altcoin orthey're making money doing it.
You know, you need to be very,very, very cautious of that,
because the last thing thatsomebody would do is, if they're
making a shit ton of moneydoing it is, you know, promote
it, right.
That doesn't seem to be thesmart thing to do, like, hey, if
(37:59):
I've got a money printer here,the last thing I'm gonna do is,
you know, in my garage, I'mgonna leave my garage door open
with my money printer, soeverybody knows I'm printing
money.
You know what I mean.
Craig (38:08):
So Well, I think, I mean, I think that's good advice and
again, not financial advice orany direction or these are
strictly our opinions but Ithink that, at least from my
opinion, in my perspective, Ithink Bitcoin, specifically with
the fixed supply of 21 millionand with all the people that
have been hacked or you heardabout the guy that was diving
(38:31):
through the trash and dumpstersthat lost his.
Oh yeah, there was a guy thatlost thousands of bitcoins.
He had them on his computerhard drive.
Blake (38:39):
Oh yeah the dump.
Yeah, yeah the dump.
He recycled his computer, yeah,yeah.
Craig (38:44):
Anyway, there's tons and tons of people.
That's just the people thathave come forward.
There's tons of people likethat.
The point is that Bitcoin isthe only cryptocurrency that has
that fixed finite supply.
It's truly decentralized.
There's no person, nation stateor any central authority
control, and that's what makesBitcoin so unique and different.
(39:07):
And in the world we live in wetalked about in cyber and
compliance, about trustlesstechnologies and how you can't
really rely on one vendor to dosomething.
Or I mean, look at the solarwinds hack, Look at Microsoft
was hacked a few days agoMicrosoft Azure.
It was like the worst hack inMicrosoft's history.
We trust these vendors that weall are in our ecosystem.
(39:31):
We have to rely on thesecompanies in some way, shape or
form.
But, as a listener, assume thatthey've been hacked and try to
put layers on your own stuff andtry to embrace trustless
technology to protect yourselfand monitor on your own, Because
if they haven't been hackedalready, they probably will be
(39:52):
in the future and you wannamitigate your damages as much as
possible.
But, specifically, going back toBitcoin, Bitcoin's the one that
has that truly unique finitesupply and with the ETFs that
all came out, were launched theETFs with the big companies like
BlackRock and Fidelity, thepeople.
These companies have billionsor trillions of dollars, as
(40:14):
people like Blake mentioned.
He likes ETFs.
That gives the average personan easy on ramp to buying
Bitcoin.
It's not the same as holdingyour own Bitcoin in a cold
wallet.
However, it does give youexposure to it and it's
traditional exposure, like youmight have a 401K or you might
have stocks or a brokerageaccount, and you can easily buy
(40:36):
and invest just like you wouldany other stock.
So that's a huge, huge thingthat we've never had before and
that's why I think Bitcoinspecifically is the one that's
so unique and different andthat's why it's got all the
headlines.
Blake (40:51):
Yeah, yeah.
I think we're kind of wrappingit up here.
I think we have a lot of greattakeaways on this episode.
Of course, in the future we'regonna do similar.
We're gonna try and do more ofa frequency here, up our
frequency and provide as muchvalue as we possibly can.
Craig (41:09):
Obviously, we're also gonna have some more guest
speakers too.
Yeah, we're gonna introducesome more guests that are
pioneers in their area ofexpertise.
Just one last thing I will sayon the Bitcoin stuff.
Just again, do not use yourphone number for SMS text pins.
We talked about this onepisodes and in our trainings
(41:30):
around SIM swap attacks.
A lot of people have lost tensof thousands, hundreds of
thousands of dollars from SIMswap attacks because they had
their tokens going to SMS.
So then the hackers take overtheir phone, they social
engineer the carrier and thenthey get your tokens and then
they drain the wallet.
So the takeaway here is, ifyou're gonna dabble and mess
with crypto, make sure you doyour own research, get your own
(41:53):
education around that and makeyour own strategies and use a
cold wallet.
And I'll let Blake take it fromhere.
Blake (42:01):
Yeah, yeah, I mean, those are all great takeaways.
Hopefully you had your notepadto you while you were listening,
guys, or you might be driving.
Yeah, we're gonna save somemore great, great information
for our next podcast.
Obviously, I'm Blake Gray.
This is Craig Petronella.
We both work, obviously, atPetronella Cybersecurity and
Digital Forensics.
You can reach us onlinePetronellaTechcom.
(42:22):
I'm here, craig's here.
We're both here to helpanything that you guys need with
.
You know, obviously, don't bescared to reach out.
I happily talked to a lot ofcustomers.
I know Craig does as well.
We are here for you.
We don't feel like you're doingthis by yourself.
If there's anything at all youneed, don't be ashamed to reach
out.
And until next time, we'll seeyou on the next one.
Craig (42:44):
Thanks guys.
Hey everybody, welcome to another episode here of
Cybersecurity with CraigPetronella.
Obviously, I have my boss andfriend, craig Petronella.
We're going to try a new formathere.
I think Me and Craig have beentalking a lot about breaches and
how things happened.
Obviously, here at theCybersecurity Company, we focus
more on a defensive approach.
(00:23):
What we think we're going totry doing here in these next
follow-up episodes is we aregoing to be analyzing breaches,
things that have happenedrecently, looking at them under
a microscope and seeing howobviously hindsight is 2020.
But what could have beenimplemented to prevent things
like that.
(00:43):
Hopefully you guys will havesome great takeaways from that
and hopefully you guys willlearn.
Today, craig thought it'd be agreat idea to talk about the
Bitfinex, which is a huge, huge,huge security breach.
I think they took at the timeit was $71 million in crypto,
(01:03):
but now that is worth $4.5billion because this happened a
while ago.
Craig, give us a littleexecutive summary of what
happened with Bitfinex and whythis is important to cover.
Craig (01:18):
Sure.
So Bitfinex was a popularcryptocurrency exchange where
people would buy, sell, tradeBitcoin and other
cryptocurrencies.
Back in 2016, they suffered ahack of approximately 120,000
Bitcoins stolen.
We wanted to bring you up tospeed of what happened with that
(01:39):
hack because obviously 2016 isa long time ago.
We're in 2024 now, so why arewe talking about this now?
Back last year, around August of2023, special Agent IRS, as
well as a team effort with theFBI because the blockchain and
distributed ledger technology isall public record they were
(02:02):
able to analyze and trace thecrypto that was stolen and they
basically traced it down to acouple in New York Heather
Morgan and how do you say thename?
Eila Lichentine, something likethat.
So they traced it down to thoseof the folks that stole it.
Like Blake said, it was about$4.5 billion worth roughly on
(02:26):
August 3rd of 2023.
With Bitcoin's recent rise ofabout $57K per coin, I'm sure
that's a lot more now.
The point is that we wanted tokind of take a different
perspective on giving you guysmore insights from a crypto and
cybersecurity forensic lens,opposed to just kind of giving
(02:46):
you highlights in news, becausewe were talking and basically
concluded that you guys areprobably getting the news
already.
We like to give our take on thenews, but I thought, and Blake
thought, it would be interestingto kind of see if we dove a
little bit deeper into thedepths of how we would view from
a forensic lens and from acybersecurity and, in this case,
(03:08):
a crypto lens around.
What happened, who suffered,what is our take on it?
What could you do as a consumerto protect yourself?
All that fun stuff.
So, basically, these guys gotcaught because, like I said, all
the crypto trading is onblockchain, which you can't
(03:29):
fudge or fake.
It's all immutable and anybodythat uses cryptocurrency for
cybercrime basically, your daysare numbered, because they will
find out where the breadcrumbslead to.
And oftentimes, like withBitfinex, they actually didn't
(03:52):
require what's called KYC orknow your customer.
So, at the beginning of whenthe cryptocurrency exchange was
very active, they didn't reallyknow a lot about the people
using the exchange, which, forobvious regulatory and
compliance reasons, is a big redflag, because if the exchange
(04:13):
was being used for illicitactivities, if you don't know
who your customers are, that's aproblem, right?
So how could you prove thatthere wasn't funding of
terrorist organizations orsanctioned countries or all
sorts of bad stuff, right?
So, circling back to thisparticular topic here,
everything was traced back tothis couple.
(04:35):
They're put in prison, Ibelieve, and the government
seized most of the Bitcoin thatwas stolen and the people that
were on this exchange thatsuffered the hack and left
crypto on the exchange.
They suffered losses.
So they're trying to much likewhat happened with the FTX
(04:56):
exchange.
The regulatory authorities aretrying to work together to
basically make the people wholeagain.
Well, giving our take on this,first of all, the cardinal rule
is you shouldn't really storeyour crypto on an exchange.
If you're trading crypto on anexchange, you should avoid
storing your crypto there,wherever or whenever possible.
(05:19):
And again, none of this is anykind of financial advice.
We're just giving you ourcybersecurity perspective on
best practices and security.
But any questions, blake?
So far, I mean.
Blake (05:33):
Something that I think is really important is, obviously,
we know what happened, but wedon't know why it happened, and
so, for some of you out there,bitfinex failed to distribute
their security tokens, so theyhad put two security tokens out
of a total of three on the samedevice, so only took that hacker
(05:55):
or this couple gaining accessto one device which, in lead,
compromising millions andmillions of dollars.
I think it's pretty importantthat maybe we should hammer home
on how you can properly storeyour security keys I mean, we
talked about cold wallets beforein the past Maybe any other
(06:17):
steps that you might take todistribute the security tokens
or the past phrases, thesecurity keys for said wallets.
Craig (06:30):
Sure.
So obviously, what Blake'stalking about is called a cold
wallet, basically acryptocurrency wallet that is
not connected to the internet.
There are differentmanufacturers makes models, etc.
We're not going to endorse anyspecific company or, you know,
we're not making commissions orany kind of thing like that.
(06:50):
By recommendation, you know,providing a recommendation to
you, I'll kind of give you myperspective and my take on it
and you can kind of take it forwhat it's worth.
So the majority of crypto usersthat trade crypto, they're
probably not the mosttechnically savvy and if that is
(07:11):
the listener, my best advicewould probably be to use
something like what's called atangent wallet.
I don't know if Blake, ifyou've ever seen them.
They look like kind of like ametal credit card.
I don't even know if they'remetal, they might be plastic,
but they kind of look that way.
They're kind of the 1.0 versionwas black with white graphics
(07:33):
on it, and I think the 2.0version has all black.
Anyway, it's an NFC, nearfrequency type of card that you
tap, like to the back of yourphone to authenticate
transactions.
Okay, now there has beenspeculation and some concern
about this particular tangentwallet and company.
(07:53):
Because here's the deal, folkswhen you are putting your money
on, or crypto on, a cold wallet,you do have to have some kind
of trust with that vendor.
Right?
And I don't know about you,blake, but you may have heard
about the recent stories withledger ledgers another you know
make a manufacturer of a cryptowallet.
(08:13):
The problem with ledgerrecently has been with their
communication around.
They were trying to I thinkthey were trying to do something
good by giving users that useledger devices a way to recover
their seed phrase if they wereto use it.
So they they launched this likerecovery service, but it
(08:35):
spooked a lot of people becauseof the way they went about
communicating the launch andbasically they lost a lot of
trust in the community becausepeople thought that, hey, if
they can recover wallets forpeople for a fee, they must have
access to my private key, andthat spooked a lot of people,
including myself.
So again, going back to tandem,tangums are super easy, super
(09:00):
inexpensive solution.
I think you can get like athree pack of them for less than
a hundred bucks, which is cheapin the crypto world.
If you want something verytechnical and high end or
extreme, they have a product, adifferent brand, called engrave.
There's an engrave and agraphene model which a graphene
(09:21):
is is a metal plate that youstore and punch your seed phrase
onto.
God forbid if you had a fire orsomething that destroyed your,
your crypto seed phrase.
If you don't have thatsomewhere else as a backup, then
you're dead.
You're, you know you're goingto lose your money.
So there's different.
You don't have to buy anengrave just to get that
(09:42):
technology.
You can certainly go on Amazon.
They sell plates that you canbuy to store your seed phrase.
So obviously you never want tostore your seed phrase and you
don't ever want to take apicture of it.
You never want to store itonline anywhere.
Don't put it anywhere digitaland whenever you're writing the
seed phrase down, make sure youdo it in a very private area
with no cameras and nothingthat's near you to you know, to
(10:05):
prevent any kind of compromise.
So tandem is probably the youknow the the best recommendation
for your everyday average user.
Right, I can say at this moment, ledger I have concerns about
uh.
Treasure is a another popularone.
There's some limitations.
(10:26):
If I had to kind of give mytake on it, I would probably
choose a treasure based on theclimate, um over a ledger at
this very moment.
Um, that's just my opinion.
I have a treasure.
I have multiple wallets.
Part of what I do is I vet andtest all different security
products and tools.
Um, I had some issues with thetreasure model T with the touch
(10:48):
screen.
It was kind of finicky to me,in my opinion.
Um, the tandem I've used.
I like it.
I did have valid concerns withtandem because, um, the first
version of tandem, you don'tknow your seed phrase.
They generate it.
They claim to generate itencrypted when you open the box,
(11:09):
like when you do it, but you'restill trusting the company with
this right, so you're trustingthat the app developers.
There's nothing happeningbehind the scenes.
You know you're trusting.
You have this trust in not onlythe software but the vendor,
and you're just taking riskswith pretty much every company
that you choose.
So you just have to kind ofchoose carefully.
(11:29):
So, in my opinion, opposed tojust choosing one vendor, I
choose all of them.
I choose many different onesand kind of spread things around
this way.
If one of them were like, let'ssay, ledger gets, you know,
hacked or something and maybesomebody exploited their
recovery service and then all ofa sudden, everybody loses their
crypto that has a ledger wallet.
(11:50):
Well, at least I don't have allmy eggs in one basket.
So that's my best advice foryou guys listening, you know,
don't choose one making model,kind of distribute your your,
and I recommend the same withbanks too.
I mean with with normal money.
You shouldn't have all yourmoney with one bank.
You should have multiple bankaccounts for FDIC insurance and
all that fun stuff.
But the end grave is probablythe most secure that I've heard.
(12:14):
It is an air guy wallet thathas a built in camera, that that
uses the QR, qr codefunctionality, so that one.
But again, it is cool, it has anice screen, it's a hardened,
embedded device.
But again, you're stilltrusting end grave.
Like you, like the averageperson's not going to know the
(12:35):
code that's happening behind thescenes, right?
So you're still trusting thevendor and all these scenarios.
So anyway, the summary here isstory or crypto on some type of
cold wallet, maybe one of theones that I mentioned.
I do not recommend a software ora hot wallet that like what was
the?
You remember the one that thepopular one that people would
(12:58):
download, electrum.
I don't know if you guys heard,but Electrum is a software
wallet and I've doneinvestigations where I actually
found a bug in the software thatcaused unspendable tokens.
So what that means is, when youopen or set up a brand new
(13:19):
wallet, the first thing, as abest practice, you're always
supposed to do, is send amicrotransaction out and in to
make sure the functionality ofthe wallet works Well.
A lot of newbies and new users,and sometimes seasoned users,
they skip that step.
They don't do that.
They just buy crypto and thenthey store it.
Well, in this case, with thisparticular software, there is a
(13:40):
bug and it caused what's calledan unspendable wallet.
So all the coins that peoplewere storing they're unspendable
.
You can't move them out of thewallet, so they're locked up
forever.
So that is a really badeye-opening experience.
Blake (13:56):
So obviously we know a lot of people out there have
crypto, but not a lot of peopleknow how to protect it.
So if you could give obviouslywe talked about cold wallets and
storing the past phrases If youcould give top five, maybe
takeaways, to our listeners,here's things you need to make
sure you've put in layers wealways talk about cybersecurity
(14:18):
and layers like the onion If youcould give them five different
things that they could use totake away.
Obviously we know about using asecure platform.
Stay away from shady cryptoexchanges.
Take your crypto off theexchange, bring it into the cold
(14:39):
wallet.
Obviously, don't use one, two,three, four, five as your
password, of course, enabling2FA, but beyond that, what else
would you recommend?
Craig (14:53):
Well, at first you have to check your rules and
regulations of your countryright.
So in certain countries, likein our country in America, you
have to use a KYC enabledexchange and you have to go
through that process of provingyour identity and working with
the exchange.
And when you move your currencyfrom your bank to your account,
(15:16):
like Blake said, you definitelywant to have best practices
with security, so try to use avery long, complex password that
is unique to that platform.
Don't reuse that passwordanywhere else.
Ideally, use a password managerthat's encrypted.
Use multi-factor authentication, but do not use SMS for the
(15:38):
tokens.
Use like Google Authenticatoror Microsoft Authenticator.
Those apps are much, much moresecure.
When buying the cryptocurrencyof your choice on the exchange,
they typically have a waitingperiod.
I forget what it is.
I think it depends on the levelof KYC that you do, but I think
(16:00):
it also depends on how muchmoney might be in your account.
There's some restrictions thereand there's a waiting period
before, like you can't just gobuy Bitcoin and then move it
immediately off.
They make you wait a period oftime, and I can't remember
exactly if it's two weeks orsomething, maybe a little longer
.
It may depend on your KYCdetails, but once the time
(16:22):
period is done I know a popularexchange like Coinbase, for
example they have what's calleda vault function.
I have tested and used the vault.
In my opinion, I don't like thevault.
I think it's a good and it maybe a good step for some people,
but basically, what it does isit locks up your crypto in a
secure area called a vault,where you have to do not just
(16:46):
multi-factor, like to yourGoogle authenticator, but then
you have to have a second factorto your email, and then you
have to have another emailaddress that's not your main
email.
You have to do another tokenthere, and then you have to wait
24 or 48 hours before and youhave to re-authenticate all that
stuff again, and then you canget your crypto out.
(17:09):
So I mean, in my opinion, acold wallet is much better.
It gives you more control.
I could see certain instanceswhere maybe somebody might like
the vault function, but that'sjust my opinion on that.
So, anyway, after you gothrough all those steps, you
move your crypto to a coldwallet, like one of the ones
(17:29):
that we recommended, and then,when you do that, though, you
have to really study the processaround how to properly transfer
that, because if you make amistake when you're moving it
from Coinbase, for example, toTangem, if you type something
wrong or you've got malware onyour device and they kind of
(17:52):
middle man attack and intercept,you're subject to losing that
transfer and there's nobody thatcan help you.
So you have to be reallycareful about your privacy and
where you do this and triplecheck everything and always do
micro transactions first.
I mean, it's not going to hurtto do like a.001 or small, like
(18:12):
$20 or $30 of a transfer andthen make sure the wallet works
and then transfer more.
There's a cool function that Iknow Coinbase has that it'll
actually remember.
So if you have a cold wallet,it'll say, oh, you sent this
wallet before.
So there's some kind of checksthere that are handy, I think.
(18:33):
I think also it's good to havemultiple exchange accounts so
that if there was an issue Iknow that in the past, in 2021,
when things got crazy, therewere some issues with exchanges
getting overloaded and thingslike that.
So you never want to be stuckin a position where you just
can't either sell or get out ifyou want to sell or transfer and
you're stuck.
(18:53):
So you always want to havemultiple options.
So again, like I said before,multiple exchanges are good,
making sure you leverage, likeBlake said, the layers.
You want to have good antivirussoftware.
You want to have good what'scalled EDR or more modern
antivirus that has heuristicaland AI based scanning tools.
We have some different layersin our stack that we recommend.
(19:15):
You want to have XDR, ideallyon your network to make sure
that there's nothing youbasically have to do like a lot
of prerequisite layeredcybersecurity to kind of get
yourself up to security standardbefore you should attempt any
of this stuff, because if youskip all that it's kind of like
(19:36):
flying blind and then if you'rein trouble then you've got a big
problem.
So it's better to have a lot ofthese layers in place as
foundational.
Blake (19:44):
Something that I don't hear a lot of people talk about.
What I think definitely shouldbe talked about more is,
obviously, I mean, there arecomputer cafes.
People still do rely oncomputer cafes for accessing the
internet sometimes.
You know, obviously you're notgonna, you know I wouldn't
access your bank account or any,you know, secure financial
information from said cafes.
(20:06):
You know, obviously, publicWi-Fi also is the same.
So if you bring your laptop toa library, you know obviously
Avoid accessing your bankaccount and your, you know, your
cryptocurrency or your, yourcrypto exchange through that.
And something that I don'treally hear a lot of people talk
about is, obviously we a lot ofthink about.
You know, obviously, people whoare considering, who are
(20:28):
keeping crypto or preservingcrypto for the long period of
time, like we're, we're, we'rebullish and we're holding right
most of us, um, but you knowsomething that we I've never
really heard you I talk about isyou know, let's just say, for
example, something happens toyou.
You know, um, you know,obviously, handing.
You know making sure thatwealth gets transferred, you
(20:49):
know, to your children or yourfamily, yeah, so those are good.
Craig (20:52):
So touch on both of those real quick before you you go on
more depth.
So the first one the reason whyyou don't want to do crypto
trading or bank bank accountwork in a cafe or an airport or
a busy area is because hackershave been known to Transmit fake
(21:14):
cell towers and fake Wi-Finetworks that mimic what you
think is real.
So, like, let's say, you're atStarbucks and Starbucks has a
Starbucks guest network, hackersare known to Put their like,
set up their own network thatbroadcast the same name and Get
you to join their networkInstead of the real Starbucks
(21:37):
network, and the reason whythat's bad is, once you join
their network, they can then runpenetration tools and hacker
sniffing tools to then sniff outyour Transmissions and your
communications.
So this is why you want to useencryption, like keystroke
encryption and VPNs, and ideallynot connect to One of those
(21:59):
networks.
You want to connect to aprivate network, like your cell
phone provider or a business VPNor something that you know you
can control, because in theevent that a hacker is still on
the network, that makes it muchharder for them to penetrate
through those layers.
Right, so that that's why youdon't want to do those things
unless you have those additionalsafeguards and layers in place,
(22:20):
and then it's still risky, butyou're.
But the more layers you have on, then the less likely you are
to get hacked and the more thehacker has to work harder to get
to you.
So you know, your mileage mayvary, but the point is the more
layers you have in place, thebetter protection that you have.
And then, moving on to theother point around Crypto and
(22:42):
your family and your spouse, isabsolutely valid points.
The nice thing about tandem andother cold wallet solutions is I
don't know if you know this,but let's say you have a ledger
device, a cold wallet, and youyou can actually take a
different brand Cold wallet andclone that ledger device.
(23:05):
Did you know that?
I didn't?
So you can take a ledger that,let's say, has a 12 or 24 word
seed phrase, which is a bit 39standard seed phrase.
Right, you can take that, wall,those 12 words and I can buy
the new tangent 2.0 does supportseed phrases.
I can restore a wallet toTangent so I can have a ledger
(23:26):
on my left side and a tandem onmy right side, and there are the
exact same wallet, but justyou're using two different
manufacturers to communicatewith that wallet.
Does that make sense?
Yeah, yeah.
So in that context you can thenclone like two or three of them
and then give them the familymembers and then give them the
Pin or whatever.
So then in the event that youget hit by a bus God forbid
(23:49):
something happens they cancontrol your funds.
Obviously, you have to trustthem because you don't want
something to happen that Whileyou're live, you know.
But my point is that that's alayer of redundancy that you can
choose.
With tangium you can buy thethree packs.
You could have three differentbackups and you can distribute
(24:09):
those in different places, solike family member, another part
of the country, whatever, andyou can do that.
They have what's calledmulti-sig wallets where with a
multi-sig wallet, you actuallyit's kind of like two keys to
open the lock, so both sideshave to have to submit.
There's a.
Have you ever heard of Shamir?
I haven't.
(24:30):
No, shamir is a is a type ofmulti-sig.
So if you, if you look that up,it's, I forget it's a.
It's longer than your typical.
It's longer than your typical Cphrase.
Blake (24:51):
Okay, here it is yeah.
Craig (24:57):
Here we go.
So Trezor has a model thatsupports the Shamir.
So basically you need to havehow many.
It's called two of three and,okay, 20 words.
That's what I was looking for.
So Shamir backup uses 20 wordshares with 128 bits in strength
, and then you could also do a33-word share.
(25:19):
So basically, in this context,you have multiple seed phrases
and you have to put themtogether to be able to control
the said wallet.
So that's another option forfamily members, or you could do
like a two of three.
So this way, like two peoplewould have to be able to be
controlled, in control to beable to make a transfer.
(25:41):
So that's an option, obviously,at its bare-bone minimum, you
could put that seed phrase inyour will or somewhere safe and
secure.
Again, you have to reallyprotect that thing, because you
don't want to even put that withlike a law firm, because if the
law firm gets hacked, then yourwallet's going to get drained.
(26:02):
So just be real careful.
The graphing plates that wetalked about they have some
encryption options as well,where you can get multiple
plates that have to be stackedtogether to get to your seed
phrase.
So if you give one plate likeif I give one plate to Blake and
I have a two.
I have the second plate.
He can't do anything with thatfirst plate without my plate,
(26:25):
right?
Blake (26:26):
So that's another option.
I like that.
That's a great option.
Craig (26:30):
Yeah, so that's my favorite, my opinion.
But yeah, those are all waysthat you know.
There's another thing that'sgoing on which gives a good
segue into this topic.
Have you ever heard of pigbutchering?
Blake (26:43):
Well, I think we talked about it briefly, but you
probably need to refresh my mindbecause you know I'm running at
110% right now.
Craig (26:50):
Yeah, so it's a weird name.
Pig butchering is a nasty scamthat's going around where you
get a text message.
typically it starts with and itsays something like hey, and
then you write back and you'relike I remember or whatever you
know, and so the person tries tosocial engineer you and trick
(27:13):
you into roping you into thisconversation and relationship,
and then the hacker persuadesyou to move off a text to
something like telegram orsignal and then get to know you
more there and then introduceyou to a oftentimes a
cryptocurrency investmentopportunity of a lifetime, where
(27:37):
they paint this story aroundgetting you access to insider
information, where you can getaccess to coins that the public
doesn't know about and you canmake all this money.
Well, long story short, afterthey rope you in, then they show
you and invite you, they getyou to buy crypto on a popular
exchange and then move yourcrypto into the system, and then
(28:00):
they get you to what you thinkis put on an app on your phone,
but it's actually not an app.
It's actually a maliciouswebsite that looks just like an
app.
And then they fund it and thenin a couple of days, you see all
these returns.
You think you see all thesereturns and how much money you
made, and they persuade you intothinking that you're making all
this money.
And then you try to cash outand then they're like oh no, you
(28:23):
can't cash out, you have to pay10% of whatever your balance
shows.
So let's say you put in like$10,000 and fictitiously, you
know, grows to a million dollarsand you want to cash out.
Then they say, well, you needto pay 10% of a million dollars
to get you money, and so theykeep bleeding you dry of all
this money and then the wholething is a scam and it's all
(28:45):
called pig butchering.
It's all over the news.
Some people have lost tens ofthousands, some people have lost
hundreds and some people havelost millions of dollars to
these scams and it's really sadhow a lot of people get tricked
into this stuff, but it's anasty thing going around.
Blake (29:01):
I wanted to touch on that because this you refresh my
mind and I told you about myexperiences with this, and so
there's certain ways that atleast it happened to me I didn't
never get butchered, right, Iknew what I was doing, but I
essentially was stringing themalong to see this scam unravel
and a lot of people.
(29:21):
What they'll do is they'll goon Facebook and they'll create a
copy of your friend, right, andit'll be like you know, craig
Petronella, my Facebook friend,and then he'll do the same
picture and the same bio andthen he'll go in and add the
same friends and then they'll belike oh, you know, how have you
been?
All of a sudden, they'restriking out this conversation
(29:43):
with you.
Oh, how have you been?
Like, I've been doing thisreally well, you know.
Then they'll lead you into thecrypto investment opportunity,
or the other one, in my case,was somebody just randomly added
me I've never seen them beforeand it so happened to be just,
you know, just a random usernameor the random picture.
(30:04):
And, yeah, you know, they wantedme to go into cash app by
Bitcoin, which I did.
And then they're like oh,register for this exchange and
this exchange was.
It was like based off some typeof Singapore exchange or
something or some type of crypto.
I'd never heard of them.
But yeah, I mean, you logged in, you had the opportunity, you
(30:25):
can go there and click fund youraccount.
Whenever you fund your account,you have to reach out to support
.
Support will generate a walletfor you and then, of course, you
fund that wallet and then, andthen, yeah, you know, obviously,
like Craig said, I never gotinto the part where I'm not, I'm
not going to fund this wallet.
Of course, I just wanted to seethe wallet address.
That was where it ended for me.
(30:47):
But, yeah, you fund the wallet.
You know, like Craig said, theyshow prompt, they fake returns.
You know, oh, your $1,000 isnow 10,000, 20,000.
Oh, let me take out 5,000 or,even worse, add more.
Oh man, oh, my God, I made$10,000.
Like, let me add another 5,000.
Yeah, so that's what they do.
Craig (31:08):
First they get you to add more, to double down, double
down, keep in growing it, sothey milk you dry on adding more
.
And then when you're ready tocash out, they're like, yeah,
yeah, go ahead and cash out.
Then you get hit with the oh,you got to pay 10% of the
balance to get you at the end.
And then that's usually whereit stops.
And that's usually at thatpoint where people are like, oh,
(31:30):
I think I've been scammed, butthey've already lost all the
money that they put it in thefront end.
And then here's the thing likeif you hire a company like ours,
we can trace it to where thejourney goes, okay, but then you
have to open you know a casewith law enforcement and open a
police and that's fine.
You should do that if you'vebeen subject to a scam like this
(31:50):
.
But sadly law enforcement is sooverwhelmed that, unless it's
like a huge amount of money,oftentimes the cases will go
cold and they won't.
You know they'll get stuck andit's expensive and a lot of work
to do the tracing part, but notonly that, but to actually get
law enforcement to take theseguys.
(32:11):
So the reason why theseransomware groups and cyber
crime gangs and the.
You know, when the money getsso high, where it's like
millions or billions of dollars,that's when IRS, special agents
, fbi, because they want to takethem down, because the money is
so much, that's where they putso much effort towards it and
(32:32):
they take them down.
So it's not that it'softentimes, especially with
blockchain technology and howit's all on the ledger, it's not
that it can't be traced, it'sthat it's so much work for those
little.
It's sad to say, but the littleamount, like the $10,000 scam,
it's just so much work.
It often is just, you know, toomuch for law enforcement.
Blake (32:55):
Yeah, I hate to be the bearer of bad news here on this,
but If it's too good to be true, then it is.
I mean, that's just rule numberone.
If you're a family member, ifyou're a grandma who's 67 years
old, somehow becomes a cryptotrading specialist.
Oh, I made $20 million trading.
(33:17):
You know what I mean.
Like, come on, guys, like I,hope.
Craig (33:20):
Here's the other thing that I thought of, too, when I
was talking about wallets.
You definitely want to usemultiple wallets If you're going
to mess with crypto and eitherhold it or whatever, and you
never want to connect like yourwallet that you have like a lot
of savings in to like a Web3website.
(33:41):
Like if you get involved withwhat's called distributed DApps
and decentralized finance andthese Web3.0 websites, you can
certainly go down those rabbitholes and that's up to you to
kind of investigate but getsomething like a Tangem or a
Trezor or one of these walletsthat we talked about and put
just a really small amount ofcrypto to mess with that stuff.
(34:03):
Like never connect like yourlife savings wallet to that.
Because there was an issue Ican't remember Was it.
Did you see the one where theyconnected to a Web3, they
connected their main wallet to aWeb3 website.
Oh, it was a Drainer script.
Did you see that?
(34:23):
That was like a few months agonow.
There was a Drainer script.
I want to say it was with Ledger.
Let me confirm that before wesay that, live here.
Blake (34:32):
Yeah, I have a Ledger and yeah, I don't keep a lot of
crypto.
Yeah, it was Ledger, sorry.
And yeah, I mean it's all up toyou, right, like everything,
investment is risk-based.
There's never a guarantee likemoney making, money printing,
(34:54):
investment.
So for me, right now, there'sjust a lot of validity and
crypto and this is just mystance, so I don't have the
means to be following itregularly, of course.
I mean, I'm here incybersecurity so I follow
breaches and attacks and clientsand things like that.
So for me, right now, I havevery little crypto assets and I
(35:19):
have it in my nano.
I think I have some NFTs whichare probably worthless now.
Back in the day, this thingused to be hot, but yeah, so
that's just my perspective.
And you said something thatreally struck and resonated with
me was having some of my lifesavings in crypto.
That, to me, just made mecringe a little bit, because I
(35:44):
personally don't think and again, this is not investment or
financial advice I don't thinkyou should put your life savings
into anything, distribute it,and even from an investment
perspective, I am one of thoseguys that use a lot of ETFs just
because, again, I don't havetime to manage it.
So essentially, you are payingthat small nominal fee for
(36:07):
somebody who's way more talentedand way more skilled than me to
manage that, and I mean itdoesn't have as much validity.
And you've seen cryptos go 50%overnight or 100% or 200% or
1,000% overnight, going fromthese little altcoins to these
behemoths right, and that's notrealistic.
(36:28):
That happens in a really smallpercentage of crypto coins.
And something I've noticed alot is especially when you start
to get the influencerperspective, like a lot of
influencers when they're talkingabout crypto, like those are
cryptocurrencies you probablyneed to stay away from you know?
Craig (36:49):
Yeah, so I think what you're talking about is a lot of
the like.
Blake (36:53):
back in the day, it was ICOs and it was new coins and
get your airdrop and One coin orthe more popular one now that a
lot of people is Monero, whicha lot of people are talking
about, a lot of influencers, andI mean look at Ethereum, max,
right, you know that's anotherone that Kim Kardashian was
(37:14):
promoting.
Jake Paul, they used it forthese boxing matches, these
YouTube boxing matches, to buytickets or whatever, and that
thing went down.
I mean anything that aninfluencer is talking about,
like, obviously, put yourmagnifying lenses on, you know
your high prescription glassesand do your own homework.
(37:36):
You know, just don't buy itbecause somebody else says it's
a great token or an altcoin orthey're making money doing it.
You know, you need to be very,very, very cautious of that,
because the last thing thatsomebody would do is, if they're
making a shit ton of moneydoing it is, you know, promote
it, right.
That doesn't seem to be thesmart thing to do, like, hey, if
(37:59):
I've got a money printer here,the last thing I'm gonna do is,
you know, in my garage, I'mgonna leave my garage door open
with my money printer, soeverybody knows I'm printing
money.
You know what I mean.
Craig (38:08):
So Well, I think, I mean, I think that's good advice and
again, not financial advice orany direction or these are
strictly our opinions but Ithink that, at least from my
opinion, in my perspective, Ithink Bitcoin, specifically with
the fixed supply of 21 millionand with all the people that
have been hacked or you heardabout the guy that was diving
(38:31):
through the trash and dumpstersthat lost his.
Oh yeah, there was a guy thatlost thousands of bitcoins.
He had them on his computerhard drive.
Blake (38:39):
Oh yeah the dump.
Yeah, yeah the dump.
He recycled his computer, yeah,yeah.
Craig (38:44):
Anyway, there's tons and tons of people.
That's just the people thathave come forward.
There's tons of people likethat.
The point is that Bitcoin isthe only cryptocurrency that has
that fixed finite supply.
It's truly decentralized.
There's no person, nation stateor any central authority
control, and that's what makesBitcoin so unique and different.
(39:07):
And in the world we live in wetalked about in cyber and
compliance, about trustlesstechnologies and how you can't
really rely on one vendor to dosomething.
Or I mean, look at the solarwinds hack, Look at Microsoft
was hacked a few days agoMicrosoft Azure.
It was like the worst hack inMicrosoft's history.
We trust these vendors that weall are in our ecosystem.
(39:31):
We have to rely on thesecompanies in some way, shape or
form.
But, as a listener, assume thatthey've been hacked and try to
put layers on your own stuff andtry to embrace trustless
technology to protect yourselfand monitor on your own, Because
if they haven't been hackedalready, they probably will be
(39:52):
in the future and you wannamitigate your damages as much as
possible.
But, specifically, going back toBitcoin, Bitcoin's the one that
has that truly unique finitesupply and with the ETFs that
all came out, were launched theETFs with the big companies like
BlackRock and Fidelity, thepeople.
These companies have billionsor trillions of dollars, as
(40:14):
people like Blake mentioned.
He likes ETFs.
That gives the average personan easy on ramp to buying
Bitcoin.
It's not the same as holdingyour own Bitcoin in a cold
wallet.
However, it does give youexposure to it and it's
traditional exposure, like youmight have a 401K or you might
have stocks or a brokerageaccount, and you can easily buy
(40:36):
and invest just like you wouldany other stock.
So that's a huge, huge thingthat we've never had before and
that's why I think Bitcoinspecifically is the one that's
so unique and different andthat's why it's got all the
headlines.
Blake (40:51):
Yeah, yeah.
I think we're kind of wrappingit up here.
I think we have a lot of greattakeaways on this episode.
Of course, in the future we'regonna do similar.
We're gonna try and do more ofa frequency here, up our
frequency and provide as muchvalue as we possibly can.
Craig (41:09):
Obviously, we're also gonna have some more guest
speakers too.
Yeah, we're gonna introducesome more guests that are
pioneers in their area ofexpertise.
Just one last thing I will sayon the Bitcoin stuff.
Just again, do not use yourphone number for SMS text pins.
We talked about this onepisodes and in our trainings
(41:30):
around SIM swap attacks.
A lot of people have lost tensof thousands, hundreds of
thousands of dollars from SIMswap attacks because they had
their tokens going to SMS.
So then the hackers take overtheir phone, they social
engineer the carrier and thenthey get your tokens and then
they drain the wallet.
So the takeaway here is, ifyou're gonna dabble and mess
with crypto, make sure you doyour own research, get your own
(41:53):
education around that and makeyour own strategies and use a
cold wallet.
And I'll let Blake take it fromhere.
Blake (42:01):
Yeah, yeah, I mean, those are all great takeaways.
Hopefully you had your notepadto you while you were listening,
guys, or you might be driving.
Yeah, we're gonna save somemore great, great information
for our next podcast.
Obviously, I'm Blake Gray.
This is Craig Petronella.
We both work, obviously, atPetronella Cybersecurity and
Digital Forensics.
You can reach us onlinePetronellaTechcom.
(42:22):
I'm here, craig's here.
We're both here to helpanything that you guys need with
.
You know, obviously, don't bescared to reach out.
I happily talked to a lot ofcustomers.
I know Craig does as well.
We are here for you.
We don't feel like you're doingthis by yourself.
If there's anything at all youneed, don't be ashamed to reach
out.
And until next time, we'll seeyou on the next one.
Craig (42:44):
Thanks guys.
Popular Podcasts
Are You A Charlotte?
In 1997, actress Kristin Davis’ life was forever changed when she took on the role of Charlotte York in Sex and the City. As we watched Carrie, Samantha, Miranda and Charlotte navigate relationships in NYC, the show helped push once unacceptable conversation topics out of the shadows and altered the narrative around women and sex. We all saw ourselves in them as they searched for fulfillment in life, sex and friendships. Now, Kristin Davis wants to connect with you, the fans, and share untold stories and all the behind the scenes. Together, with Kristin and special guests, what will begin with Sex and the City will evolve into talks about themes that are still so relevant today. "Are you a Charlotte?" is much more than just rewatching this beloved show, it brings the past and the present together as we talk with heart, humor and of course some optimism.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.