The Risks OF HODL-ing

Lamborghini Urus
Alexander Migl, CC BY-SA 4.0

Traditionally, the big risk in HODL-ing cryptocurrencies has been their volatility. Fortunately, now the US goverenment is all-in on cryptocurrencies, this risk is greatly reduced. Progress moon-wards is virtually guaranteed, so it is reasonable to invest a small part of your portfolio into Lamborghinis. HODL-ers can rest easy while the rest of the coins in their wallets appreciate because they are protected by strong cryptography (at least until the advent of a sufficiently powerful quantum computer). But progress moon-wards exacerbates some other risks to HODL-ers, as I explain below the fold.

There is no need to wait while the semiconductor industry develops quantum computers in order to defeat the cryptography protecting the HODL-ers wallets. Several effective techniques are already available. North Korea's recent record-breaking $1.5B heist illustrates that deploying malware via a Software Supply Chain Attack is capable of compromising even industrial-strength multi-signature wallets.

The North Korean's haul was big, but slightly smaller heists are routine. For example, Molly White reports that on 27^th April 2025 $330 million in Bitcoin apparently stolen; laundering spikes Monero price by over 40%:

3,250 BTC (~$330 million) were apparently stolen from a bitcoin holder and then quickly moved through multiple exchanges and swapped for the Monero privacycoin. Such a massive swap into Monero was apparently enough to cause the Monero price to spike from around $230 to as high as around $330, before retracting somewhat.

Another remarkably effective technique is social engineering. A group of scammers used it last August 18^th, posing as members of Google's and Gemini's security teams to social-engineer "an early investor in cryptocurrency" into downloading malware. He lost more than 4,100BTC, then "worth" about $230M. Mitch Moxley has a fascinating, detailed account of what happened over the next month in They Stole a Quarter-Billion in Crypto and Got Caught Within a Month. The scammers immediately started laundering the loot through a series of mixers and sketchy exchanges. These transactions attracted attention from a famed cryptocurrency sleuth:

Minutes after the D.C. resident’s funds were liquidated, ZachXBT was walking through the airport on his way to catch a flight when he received an alert on his phone about an unusual transaction. Crypto investigators use tools to monitor the global flows of various coins and set alerts for, say, any transaction over $100,000 that goes through certain exchanges that charge a premium for having few security safeguards. The initial alert that day was for a mid-six-figure transaction, followed by higher amounts, all the way up to $2 million. After he cleared airport security, ZachXBT sat down, opened his laptop and began tracing transactions back to a Bitcoin wallet with roughly $240 million in crypto. Some of the Bitcoin in the wallet dated back to 2012. “At that point it didn’t make sense,” he told me. “Why is a person who held their Bitcoin for this long using a sketchy service that typically sees a lot of illicit funds flow through it?”

He added the wallets associated with the transactions to his tracking and boarded the plane. Once he connected to in-flight internet, more alerts arrived. Throughout the day, the Bitcoin traced to the wallet was being liquidated through more than 15 different high-fee cryptocurrency services.

It turned out that one of the group of scammers couldn't resist showing off:

The source sent ZachXBT several screen-share recordings, which he said were taken when one of the scammers livestreamed the heist for a group of his friends. The videos, which totaled an hour and a half, included the call with the victim. One clip featured the scammers’ live reaction when they realized they’d successfully stolen $243 million worth of the D.C. resident’s Bitcoin. A voice can be heard yelling: “Oh, my god! Oh, my god! $243 million! Yes! Oh, my god! Oh, my god! Bro!”

In private chats they used screen names like Swag, $$$ and Meech, but they made a crucial mistake. One of them flashed his Windows home screen, which revealed his real name in the start icon pop-up at the bottom of the screen: Veer Chetal, an 18-year-old from Danbury

Chetal lived in Danbury, CT. His father Sushil Chetal was a vice-president at Morgan Stanley. He was an incoming freshman at Rutgers. In his senior year he had developed a lavish lifestyle:

Classmates remember Chetal as shy and a fan of cars. “He just kind of kept to himself,” says Marco Dias, who became friends with Chetal junior year. According to another classmate named Nick Paris, this was true of Chetal until one day in the middle of his senior year, when he showed up at school driving a Corvette. “He just parked in the lot. It was 7:30 a.m., and everyone was like, What?” Paris says. Soon Chetal rolled up in a BMW, and then a Lamborghini Urus. He started wearing Louis Vuitton shirts and Gucci shoes, and on Senior Skip Day, while Paris and many of his classmates went to a nearby mall, Chetal took some friends, including Dias, to New York to party on a yacht he had rented, where they took photos holding wads of cash.

On 25^th August, a week after the $230M heist, Chetal's parents were house-hunting in Danbury in the Lamborghini Urus he had driven to school when:

the Lamborghini was suddenly rammed from behind by a white Honda Civic. At the same time, a white Ram ProMaster work van cut in front, trapping the Chetals. According to a criminal complaint filed after the incident, a group of six men dressed in black and wearing masks emerged from their vehicles and forced the Chetals from their car, dragging them toward the van’s open side door.

When Sushil resisted, the assailants hit him with a baseball bat and threatened to kill him. The men bound the couple’s arms and legs with duct tape. They forced Radhika to lie face down and told her not to look at them, even as she struggled to breathe, pleading that she had asthma. They wrapped Sushil’s face with duct tape and hit him several more times with the bat as the van peeled off.

XKCD #538

Years ago, Randall Munroe explained a much simpler but only slightly less effective technique for defeating strong cryptography in XKCD #538. In 2021's Can We Mitigate Cryptocurrencies' Externalities? I referred to Jamison Lopp's list of people applying XKCD's technique entitled Known Physical Bitcoin Attacks, which started in 2014 and is still going strong. Already this year Lopp documents 21 attacks, or more than one a week. Among last year's entries we find the kidnapping of Veer Chetal's parents.

Fortunately:

Several witnesses saw the attack and called 911. Some of them, including an off-duty F.B.I. agent who lived nearby and happened to be at the scene, trailed the van and the Honda, relaying the vehicles’ movements to the police. The F.B.I. agent managed to obtain partial license plate numbers.

Danbury police officers soon located the van. A patrol vehicle activated its emergency lights and tried to make a stop, but the driver of the van accelerated, swerving recklessly through traffic.

About a mile from where the chase began, the driver careered off the road and struck a curb. Four suspects fled on foot. The police found one hiding under a bridge and apprehended him after a brief chase. Within a couple of hours, the other three were located hiding in a wooded area nearby. The police, meanwhile, found the shaken Chetals bound in the back of the van.

In this case the "$5 wrench" technique was applied indirectly. It appears that Chetal and his accomplices were part of the Com, a group that started scamming on Minecraft servers:

In an affidavit from an unrelated case, an F.B.I. agent described the Com as “a geographically diverse group of individuals, organized in various subgroups, all of whom coordinate through online communication applications such as Discord and Telegram to engage in various types of criminal activity.”
...
When the price of Bitcoin began to rise rapidly in 2017, Com members made an easy shift from Minecraft fraud to crypto theft.

The kidnappers clearly:

targeted the Chetals to hold them ransom for the money their son had. Independent investigators think that at least one member of the group, Reynaldo (Rey) Diaz, who they say went by the alias Pantic, was a member of the Com; ZachXBT speculates that the thieves might have made themselves targets by sharing stories of their spending with other Com members.

Source

Chetal's accomplices are alleged to include "Malone Lam, a known figure in the Com" and Jeandiel Serrano. They also couldn't resist enjoying the fruits of their labors:

On Sept. 10, after a 23-day party spree in Los Angeles, Lam headed to Miami on a private jet with a group of friends. There, he rented multiple homes, including a 10-bedroom, $7.5 million estate. Within a few days, Lam had filled the driveway with more luxury cars, including multiple Lamborghinis, one with the name “Malone” printed on the side.

ZachXBT and others were easily able to track Lam's activities on social media:

Malone was filmed wearing a white Moncler jacket and what appeared to be diamond rings and diamond-encrusted sunglasses. He stood up on the table and began showering the crowd with hundred-dollar bills. As money rained down, servers paraded in $1,500 bottles of Champagne topped with sparklers and held up signs that read “@Malone.” He spent $569,528 in one evening alone.

According to the authorities Serrano made a mistake:

neglecting to use a VPN when he created an account with TradeOgre, a digital currency exchange, which connected to an I.P. address that was registered to a $47,500-per-month rental home in Encino, Calif. It was leased to Jeandiel Serrano, ... By the time the authorities identified Serrano, he was on vacation in the Maldives with his girlfriend.

On Sept. 18, Serrano flew back from the Maldives to Los Angeles International Airport, where the authorities were waiting for him. He was wearing a $500,000 watch at the time of his arrest. ... Serrano admitted that he owned five cars, two of which were gifts from one of his co-conspirators, given to him with proceeds from a previous fraud. He also confessed to having access to approximately $20 million of the victim’s crypto on his phone and agreed to transfer the funds back to the F.B.I.

Lam and others were arrested when:

Later that day, a team of F.B.I. agents working with the Miami police raided a mansion near Miami Shores. Agents blew open the front metal gate while another group entered by boat via a small saltwater canal in the rear. The sound of flashbangs rang in the neighborhood as the agents entered the home.

In an instance of synchronicity, while I was writing this Nate Anderson was writing We have reached the “severed fingers and abductions” stage of the crypto revolution:

French gendarmes have been busy policing crypto crimes, but these aren't the usual financial schemes, cons, and HODL! shenanigans one usually reads about. No, these crimes involve abductions, (multiple) severed fingers, and (multiple) people rescued from the trunks of cars—once after being doused with gasoline.

This previous weekend was particularly nuts, with an older gentleman snatched from the streets of Paris' 14th arrondissement on May 1 by men in ski masks. ... The abducted man was apparently the father of someone who had made a packet in crypto. The kidnappers demanded a multimillion-euro ransom from the man's son.

According to Le Monde, the abducted father was taken to a house in a Parisian suburb, where one of the father's fingers was cut off in the course of ransom negotiations. Police feared "other mutilations" if they were unable to find the man, but they did locate and raid the house this weekend, arresting five people in their 20s.

Anderson fails to credit Lopp, who has been tracking the problem for more than a decade. He does note the root of the problem:

Or there's the Belgian man who posted online that "his crypto wallet was now worth €1.6 million." His wife was the victim of an attempted abduction within weeks.

HODL-ers need to understand that the speed, immutability and (pseudo) anonymity of cryptocurrency transactions eliminates many of the difficulties in applying the "$5 wrench" technique. Once it is known that you (or your son) hold the key to a cryptocurrency wallet with even a few tens of Bitcoin, you (or your son) become a target for theft. You (or your son) should hope that the threat comes from social engineers like Veer Chetal and his accomplices, in which case your loss will be expensive but painless. But, as Jamison Lopp records, it may well come from people like Rey Diaz.

The solution is "security through obscurity". If you (or your son) rarely transact and maintain a modest lifestyle, lacking Lamborghinis and $569,528 bar bills, it isn't likely that your wallet address will be deemed worth deanonymizing. But what is the point of HODL-ing for HODL-ings sake alone? The temptation to "buy the Lambo" is really hard to resist, and the risk seems remote.