
Let's play hypotheticals.

If you were the attacker and you now have the ETH in your wallet, how do you cash out without anyone identifying you and maximising your profits?

Also has the attacker broken a law by exploiting a bug in the contract?




Change to BTC, use mixers to mix coins. Take a flight to Asia for few months/half a year. Open a bank account in some less regulated jurisdiction (some tax haven) - better yet open several bank accounts like these. Travel around and keep using localbitcoins to change BTC for cash.

Keep sending cash to bank accounts you have opened by depositing cash in person. Use round robin to distribute money across multiple of your hidden bank accounts so suspiciously large volumes of incoming money doesn't get noticed.

Keep moving around, mixing coins and using localbitcoins to get cash and deposit. Also diversify outside of cash to not raise suspicion of the banks by depositing every day / regularly.

Buy physical gold from pawn shops. Then you can turn gold into cash in banks and deposit it to your account like that. You can also use cash to buy prepaid travel debit cards with like 5k on them at a time from post offices or so. Use that for daily expenses.

That might work. If you are not a US citizen but let's say citizen of China that makes it easier to pull off.

Of course, getting that money back to US to your home bank account would be near impossible (without some way to launder the money).

But you could live off your hidden bank account in tax haven. Just don't flash your millions too publicly so people don't get suspicious. Be humble and pretend to live regular life.

Also you could try to launder the money via setting up some fake ICO project and investing your mixed coins into your own ICO, then cash out your custom tokens on exchanges. Just make sure to do this from some unregulated tax haven and it should work (most of these ICOs create their businesses in dodgy tax havens for this reason).

This is how I'd imagine these scammers are doing it.


> If you were the attacker and you now have the ETH in your wallet, how do you cash out without anyone identifying you and maximising your profits?

Exchange to BTC, mix it, exchange to USD.

> Also has the attacker broken a law by exploiting a bug in the contract?

There are no laws. Only contracts.


This won't work in the US. It's very hard to get USD out of Bitcoin. And then the IRS will want to know where you are suddenly getting a huge amount of money from.

You could use localbitcoins to offload one coin at a time on an as-needed basis. That'd be pretty sweet, and the IRS won't be able to know anything strange is happening if you avoid depositing your USD into a bank. But paying rent in all-cash is rather sketchy. I wonder if drug dealers deal with similar problems.

I don't know how plausible this is, but the localbitcoins route might also open you up to being kidnapped. You'd need some pretty decent opsec to avoid revealing that you have a massive amount of BTC you're trying to offload.


Why is it very hard? Can't one simply use Coinbase?

> And then the IRS will want to know where you are suddenly getting a huge amount of money from.

In my experience, the IRS is largely unconcerned with where you are getting money from. They just want you to declare it, and pay taxes on it.

If you treat Bitcoin as ordinary income and pay taxes on it at the highest available rate, the IRS will largely be satisfied. If you treat Bitcoin as a long term investment and attempt to only pay capital gains tax.... well then the IRS will become curious enough to ask for 'proof of origin'.


You're saying you could declare "I now have $30 million in assets" on your IRS forms and it wouldn't trip any alarms?

I mean, I don't personally know which alarms would be tripped, or what effect that would have. But that just seems so unlikely.

It'd be fascinating if this were true, though, so any info would be appreciated.

Re: coinbase, it'd be foolish to use them because they have a history of disabling accounts for any reason they feel like. A friend of mine had their account disabled, so I know firsthand this is true. Also it's unlikely they'd send you such a large amount of money unless you were a business in good standing or had a long history with them. (I'm just guessing, though.)


> You're saying you could declare "I now have $30 million in assets" on your IRS forms and it wouldn't trip any alarms?

Technically, it's illegal for the IRS to do so without third parties coming to them or suspicions of terrorism. In practice, they probably rat people out to LE agencies regularly.


Tax forms don't have a place to declare assets, iirc, only income.


Right, so I guess I was asking: If you cash out everything as quickly as possible, no one from the government will ask where your millions came from?


The IRS has this interesting FAQ on their webpage

> https://www.irs.gov/publications/p17/ch12.html#en_US_2016_pu...

Illegal activities. Income from illegal activities, such as money from dealing illegal drugs, must be included in your income on Form 1040, line 21, or on Schedule C or Schedule C-EZ (Form 1040) if from your self-employment activity.


Sure they will ask. And you can say something like "I was an early bitcoin investor". Or "I trade cryptocurrencies".

It is perfectly reasonable to be a crypto trader that never withdraws to USD, and just makes money by transferring between crypto currencies and ICOs or something.

I am sure there are a whole lot of people out there who spent a thousand dollars or so back in 2009, and now they have 10 mill in the bank. It is not like any of that could be tracked.

And then you pay long term capital gains on that money, and you are set.


I guess I'm skeptical of the idea that they won't ask for proof of your trades, which would lead to discovering you were a thief. But I suppose that's highly unlikely.


I suppose but this sub thread was a reaction to someone mentioning that it was hard to get USD out of Bitcoin. It's not about laundering money from illicit transactions.


I think coinbase's withdrawal limits aren't quite high enough for this amount of cash


A bit. They limit to 10,000 per day which would be 300 transactions total for $30 million.

I'd personally call them and get a contract out before funneling this kind of money through their system.

Though that's pretty normal. A regular brick and mortar bank would likely want additional assurances before funneling $30 million into or out of an account that doesn't see that regular volume.


Someone I know tried depositing btc sale proceeds to their wells fargo bank account. The bank promptly froze all their accounts. It eventually worked out I believe but it doesn't seem as easy as 'just sell them.'


If you buy all your food, drinks, and lunch in cash for life. That's pretty good savings.


Given that you don't need to work anymore, there's no issues with just moving out of the US


There are presumably still actual nation-state like laws that apply. Heck, laws still apply to contracts.


Tumbler or transfer to another currency (possibly at a markdown). Specifically for ethereum: https://ethereum.stackexchange.com/questions/2699/is-there-a...


I suspect that when you steal this amount of money, the law is the least of your worries. There are likely people who will hunt these hackers to the ends of the earth for what they've done. For their sake, they better cover their tracks well.


IANAL but if someone leaves their front door open, it's still illegal to walk in and take their possessions. I would imagine this falls under a similar ruling.


In most cases yes, but isn't ethereum all about "the code _is_ the contract"? If you as the owner of a house put an ad in the paper saying "if you can manage to enter my house feel free to take whatever you want", should you complain if someone did exactly that?


Yes because that would still be a crime. Expanding on your analogy - if I declare right now that it's ok to murder me, it's still not ok to come and murder me. Same principle applies to EULAs and Terms of Service, you're not bound to it just because it's in there.

If the hacker was entitled to those funds based on the agreement between the concerned parties (implicit OR explicit in the contract) it would not be theft. But it clearly isn't their Ether and the implicit agreement behind the contract stands.

Basically human ethics, morals and the legal system will always trump code.


> Yes because that would still be a crime. Expanding on your analogy - if I declare right now that it's ok to murder me, it's still not ok to come and murder me.

The comparison to murder doesn't work because you can't consent to murder, but you can consent to theft.

It's not clear to me whether that situation would be taken as consent, but unless you know something I don't, it probably shouldn't be clear to you either.


How do you consent to theft?


By giving something to someone.

I mean, legally, what happens is not "consenting to theft". Unlike say assault, which you can consent to, and legally speaking an assault actually happens but consent makes it okay; but with theft, if you consent what happens is not legally theft. (IANAL, but this is my recollection from law A-levels.)

But that distinction is irrelevant here. The point is that there's basically no way for someone to deliberately kill someone and have it not be a crime. But there are ways for someone to take someone else's stuff and have it not be a crime, and one way is if the owner consents.


and in this case the owner didn't consent, regardless of the contract's contents


Under US law, I think that's probably true, but a) it's not what I was talking about, and b) I don't think you should be as confident as you seem to be.


The analogy is if you accidentally leave the door of your house unlocked, it doesn't make it legal for someone to walk in and steal your piano.


This comment fails to address the point of the comment it is replying to... you simply repeated the original point, but the person you responded to worked within that analogy and then modified it to try to address the statements by Ethereum.


Right, I am saying the analogy I responded to is flawed. Ethereum doesn't invite people to violate the intended use of the contract. It's like claiming that if a corporation got hacked due to lax security, then those hacking are in the clear because that corporation invited them in


I don't know if that analogy holds in the context of ethereum which is marketed as "code as law". I think it could be reasonably argued that this individual was fairly participating within the terms of the contract.


True but there are lots of cases of people exploiting real world contracts (eg. Insurance) to their own benefit. I imagine this is probably a new frontier as far as laws go.


Exchange as much as possible via Shapeshift (accessed via Tor) and other exchanges that don't care about KYC to Zcash, Monero, and BTC. BTC is not anonymous but it's unlikely that BTC transactions are blocked and it will allow to convert to other currencies later on. Once you got Zcash and Monero you can anonymously convert to BTC and cash out via Coinbase. Make sure to only move small amounts at a time, so that the exchange can't block all of your funds.


There are mixers where you can get close to not being traced and then can move through monero and then to bitcoin.


Monero is the ONLY cryptocurrency where full privacy is enforced by default. No mixers, no opt-in mode, no super-nodes, no tumblers, it's all obfuscated by default. I'm very bullish on Monero long-term.


What I don't like about monero, and why I think it'll ultimately lose to another anon product, is that the transaction history is written to the blockchain, albeit in obfuscated form. But there is no proof on the bounds of what a sophisticated blockchain analysis can uncover given enough information. Roughly speaking, it's conceivable that given enough transaction information downstream from a transaction of interest might reveal a "most likely" pairing of an address with a transaction. Or perhaps a global analysis of the monero blockchain along with traditional blockchain analysis could reveal a most likely pairing of all transactions with addresses. The point is that without such a proof I'm not sure how much people will trust it compared to a protocol with such a proof (say zcash). Your exposure to future analysis is essentially indefinite.


What I don't like about Zcash is that privacy is optional and address balances are public. This means that a blockchain analysis company could correlate what is public (all the other transactions and all the address balances) to deduce who the sender, receiver, and amounts were in private transactions.


What you said is essentially meaningless though. "I don't like a blockchain-based currency because the record of transactions is permanent." Well...yeah, that's the whole point of blockchains. The strength in Monero's case is that everything is so obfuscated (and amounts + addresses are encrypted) that it's the best option out there. It doesn't have to be perfect, it just has to be better than its competitors.

e.g. Facebook isn't perfect, but it sure obliterated MySpace.


Not meaningless as the links between sender and receiver can be eliminated completely depending on the protocol in place. The record of a transaction has to be on chain, but not necessarily who participated in it, or the nature of their participation.

It's true that a system doesn't have to be perfect to win, but I don't see how monero has the edge on any dimension. It's not necessarily the most secure, it's not the furthest along in development, not the most user friendly, not the fastest mover, etc. The overall bullishness people have for monero is because it's supposedly better in terms of privacy than its rivals. But this is dubious without the right kinds of proofs when the competition does have proofs.


That was essentially the case for an earlier version of Monero (before some updates and RingCT).

https://news.ycombinator.com/item?id=14129613


The only? There is Zec. And then there is the possibility of forking monero into your own cryptocurrency name.


Zec is the company that runs zcash. Zcash does not have full privacy and is not enforced by default.


Trade ETH with some other cryptocurrency that is anonymous (Zcash?). Then trade that into BTC. Then cash out.


While Zcash allows for keeping the sender, receiver, and amount private, making that optional and having the ability to analyze address balances will allow for blockchain analysis to potentially figure out the sender, receiver, and amount by correlating all public transactions and address balances. A better cryptocurrency would be Monero which forces all transactions to be private and keeps all address balances private, preventing a blockchain analysis company or government agency from figuring out transaction details.


You move to somewhere in the third world with lax banking regulations.



