Honestly this seems like a success story.
He recovered his funds and the attacker failed to steal, despite a successful social engineering campaign. It's true he lost the node of course, but with a sizeable amount on it, the funds are more important.
However, Vultr (AFAIR one of the cheaper hosting providers) proved themselves incompetent here. A good recommendation to never use them for anything that even slightly matters.
reply
For the record, their node had 3,238,406,111 satoshi:
Or in other words 32 BTC / almost a million USD at today's rate:
Smart people always tell me they are not into bitcoin because they are afraid of ECDSA, SHA256; a software developer friend is even afraid of "primes" (lol).
The truth is that many big, important systems can be easily broken with a few social tricks.
reply
What do you mean by "afraid"? Afraid to understand it, or afraid of the fact that it exists and is being used?
reply
Afraid ECDSA and particularly the curve used is already cracked by the NSA or has backdoors. Afraid that SHA is not mathematically "proven" to be cryptographically safe.
etc. etc. etc. Basically even though they are engineers, little time has been invested to understand the cryptographic functions used so they default to MSM and FUD. I can't say I understand them fully, by no means, but I try to learn a bit more about them every day.
reply
'Not your hardware not your node'
reply
The victim has an excellent point: why didn't Vultr simply send an email to at least notify that the account is being reported as compromised?
The same solution could be used to avoid SIM swaps. Send an email/text notifying the owner that another party claims to be locked out of the account. Give 48 hours to respond.
reply
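The notify-and-hold recovery flow proposed in the comment above, as an added example that is not part of the thread and not Vultr's code. It models two flows side by side: the weak one, where answering security questions alone hands the account over at once, and the held one, where a request first notifies the contacts already on file, then waits out a 48-hour hold during which the owner can deny it. Account names, addresses, IPs and the clock are constructed for the example.

```python
"""Account-recovery desk with an owner-notification hold (added example).

instant_recovery(): security-question answers are the only gate (weak flow).
held_recovery():    answers open a request; the owner is notified out of band
                    and the request is granted only after HOLD passes with no
                    denial. The requester never chooses where the notice goes.
All identifiers and timestamps below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

HOLD = timedelta(hours=48)


@dataclass
class RecoveryRequest:
    account: str
    requester_ip: str
    opened_at: datetime
    status: str = "pending"            # pending | granted | denied
    notifications: list = field(default_factory=list)


class RecoveryDesk:
    def __init__(self, contacts: dict):
        # account -> contacts (email/SMS) that were on file BEFORE the request;
        # a recovery request must never be able to add or replace these.
        self.contacts = contacts
        self.requests: dict = {}

    def instant_recovery(self, account: str, answers_ok: bool) -> bool:
        """Weak flow: correct answers grant the account immediately."""
        return answers_ok

    def open_request(self, account: str, requester_ip: str,
                     now: datetime) -> RecoveryRequest:
        """Record a lockout claim and notify every contact on file."""
        req = RecoveryRequest(account, requester_ip, now)
        for contact in self.contacts.get(account, []):
            req.notifications.append((
                contact,
                f"Recovery requested for {account} from {requester_ip}; "
                f"reply DENY within 48h to block it."))
        self.requests[account] = req
        return req

    def owner_denies(self, account: str) -> None:
        """Owner objection: blocks the request at any time before it is granted."""
        req = self.requests.get(account)
        if req is not None and req.status == "pending":
            req.status = "denied"

    def held_recovery(self, account: str, answers_ok: bool,
                      now: datetime) -> bool:
        """Grant only if answers are right, a request exists, the owner has not
        denied it, and the hold has fully elapsed."""
        req = self.requests.get(account)
        if not answers_ok or req is None or req.status != "pending":
            return False
        if now < req.opened_at + HOLD:
            return False                # still in hold; owner may yet object
        req.status = "granted"
        return True


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    desk = RecoveryDesk({"alice": ["alice@example.invalid"]})
    req = desk.open_request("alice", "198.51.100.7", t0)
    print("notified:", req.notifications[0][0])
    print("granted after 1h? ", desk.held_recovery("alice", True, t0 + timedelta(hours=1)))
    desk.owner_denies("alice")
    print("granted after 49h?", desk.held_recovery("alice", True, t0 + timedelta(hours=49)))
```

The design point is that the notification channel comes from the account's existing records, not from anything the requester supplies, and that silence during the hold is the only thing that lets the request through; a denial from the real owner wins regardless of how well the security questions were answered.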
Thanks for this, @k00b! A terrible reminder of just how important it is to remain aware of where and with whom you are storing your Bitcoin/Lightning data.
reply
Couldn't he have disabled username/password login and only accessed via SSH? Doesn't that solve the problem?
reply
No, the attacker used social engineering (getting info about the guy) to answer Vultr's security questions. This gave him access not to one container / server but to the guy's entire Vultr web panel. From there you can get into any box; even where you've disabled root login etc., there are recovery consoles.
reply
Seems that way.
reply
What does it mean in this context that "the wallet was locked"? Couldn't the attacker have used the admin.macaroon to transfer funds?
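A toy model of the two separate gates the question touches on, added here as an example that is not from the thread and not lnd's code: a macaroon authorizes an RPC call, while signing still needs the wallet's keys, which an encrypted-at-rest wallet only holds in memory after it has been unlocked with the wallet password. The macaroon construction (an HMAC chain over caveats), the seed encryption scheme, the root key, password and seed are all simplified stand-ins constructed for the example; real lnd macaroons and wallet encryption differ in detail.

```python
"""Authorization vs. key availability (added example, not lnd's code).

mint_macaroon / verify_macaroon: a simplified macaroon, an HMAC chain keyed
by a root key and extended over each caveat, so a holder can't add caveats
(or permissions) without the root key.
seal_seed / open_seed: the wallet seed encrypted under a password-derived
key with an HMAC tag (encrypt-then-MAC, toy stream cipher from SHA-256).
Node: send_coins() requires BOTH a valid admin macaroon AND an unlocked wallet.
"""
import hashlib
import hmac
import os


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


# ---- macaroon-style bearer token ------------------------------------------
def mint_macaroon(root_key: bytes, identifier: bytes, caveats: list) -> dict:
    sig = _hmac(root_key, identifier)
    for caveat in caveats:              # each caveat re-keys the chain
        sig = _hmac(sig, caveat.encode())
    return {"id": identifier, "caveats": list(caveats), "sig": sig}


def verify_macaroon(root_key: bytes, mac: dict, required_caveat: str) -> bool:
    sig = _hmac(root_key, mac["id"])
    for caveat in mac["caveats"]:
        sig = _hmac(sig, caveat.encode())
    return hmac.compare_digest(sig, mac["sig"]) and required_caveat in mac["caveats"]


# ---- wallet seed sealed under the wallet password ---------------------------
def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _derive(password: str, salt: bytes) -> tuple:
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, 64)
    return key[:32], key[32:]           # (encryption key, MAC key)


def seal_seed(password: str, seed: bytes) -> dict:
    salt = os.urandom(16)
    enc_key, mac_key = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(seed, _keystream(enc_key, len(seed))))
    return {"salt": salt, "ct": ct, "tag": _hmac(mac_key, salt + ct)}


def open_seed(password: str, blob: dict):
    """Return the seed, or None if the password is wrong / blob tampered."""
    enc_key, mac_key = _derive(password, blob["salt"])
    if not hmac.compare_digest(blob["tag"], _hmac(mac_key, blob["salt"] + blob["ct"])):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(enc_key, len(blob["ct"]))))


# ---- node: both gates must pass -----------------------------------------------
class Node:
    ADMIN = "perm=onchain:write"        # constructed caveat naming the admin permission

    def __init__(self, sealed_seed: dict, macaroon_root_key: bytes):
        self.sealed = sealed_seed
        self.root_key = macaroon_root_key
        self.seed = None                # keys are not in memory until unlock()

    def unlock(self, password: str) -> bool:
        seed = open_seed(password, self.sealed)
        if seed is None:
            return False
        self.seed = seed
        return True

    def send_coins(self, macaroon: dict, tx: str) -> str:
        if not verify_macaroon(self.root_key, macaroon, self.ADMIN):
            return "rejected: bad macaroon"      # authorization gate
        if self.seed is None:
            return "rejected: wallet locked"     # key-availability gate
        # stand-in for signing with the wallet's private key
        return "signed:" + _hmac(self.seed, tx.encode()).hex()[:16]


if __name__ == "__main__":
    root, password, seed = b"root-key", "correct horse", bytes(range(32))
    node = Node(seal_seed(password, seed), root)
    admin = mint_macaroon(root, b"admin", [Node.ADMIN])
    print(node.send_coins(admin, "tx1"))         # rejected: wallet locked
    node.unlock(password)
    print(node.send_coins(admin, "tx1"))         # signed:...
```

The point the model makes is that the admin macaroon alone does not move funds while the wallet is locked: the seed sits on disk encrypted under the wallet password, so a bearer of the macaroon still needs that password. The lock only protects a node that is stopped or not yet unlocked; once the operator unlocks it, the keys live in the process's memory on that host, which is why the "not your hardware, not your node" point above still matters.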