
> Despite tracking those transfers, Bednarek has no real idea of who the blockchain bandit might be. "I wouldn’t be surprised if it’s a state actor, like North Korea, but that's all just speculation,"

Given how "easy" the attack actually is, I see no reason to suspect a state actor. This is a genuine question: why don't people start by suspecting some kind of criminal organizations like the mafia instead?




Or more generally, why do so many people attribute particular competence to, uh, state actors?

While he was at the NSA, Edward Snowden complained that it stores more information on Americans than on Russians. He complained that that's illegal, but there's another remarkable facet to it: How good is the NSA at collecting information from Russia, then? I can hardly believe that the NSA tries to collect more data on Americans than on its actual mission, so how good is the NSA at its mission?

There are many other examples, like the German service that's supposed to monitor the Nazis and missed a group that made and sold a DVD about its killings.

It seems so strange to assume higher-than-average competence in organisations like that.


In general, it makes sense to assume that stuff which irrespective of competence would require large amounts of resources, access to intercepts or the ability to flagrantly breach local laws without anyone stepping in might have state involvement, especially if there's an obvious motive for the state to target that person/organization.

Not convinced that guessing private keys of anonymous randoms for a few million in assets of limited fungibility falls into that category. I'm not sure it's a question of competence in this case so much as why would a state be the ones tackling these accounts, when a lone criminal with relevant knowledge of cryptography would have the ability and a lot more motivation to do it?


Why would a criminal leave the coins to sit in the final wallet undisturbed? The article said the wallet only had incoming transactions and never sent any coins anywhere. Surely if you're a criminal organization stealing cryptocurrency you'd want to actually use it.


It's not necessarily the only wallet a criminal has access to, and most people don't draw on their savings account all the time. Can't fathom why a government would want to write algorithms that quietly steal tokens from thousands of random individuals unfortunate enough to have particularly crackable private keys and send them to a particular dormant account either. It's not like there's a lack of other crypto-heist stories out there.


A government has a much more plausible reason to be willing to siphon off and stockpile large amounts of cryptocurrency without using it, just in case they ever do need to have a bunch of coins on hand for something.


A state like North Korea is different than a state like Russia or the US. It's possible that they employ hackers whose mandate is to generate revenue.


The NSA is probably better at domestic surveillance because it's much easier and/or cheaper than foreign surveillance. If people of the same ability level work on both, the domestic results will be better. That doesn't mean the NSA is incompetent.


You're comparing two different things, though.

Collecting data, and further, processing that collected data, is fundamentally different than executing a difficult, targeted attack.

State level actors have massive amounts of resources, which makes them uniquely situated to perform difficult tasks like cracking encryption keys or developing insanely complex exploits.

So - the particular competence people give state actors generally has to do with that level of resources, while the same state actors are accurately attributed the incompetence that comes with large bureaucracies.



That's awesome and reminds me of this sparetime project: http://spritesmods.com/?art=hddhack


The biggest threat to the NSA and its budget proponents is not foreign.

Oh and their mission changed but it's still self contradictory.

https://withoutbullshit.com/blog/nsa-adopts-new-watchwords-m...


"State actor" is security research speak for "I am very happy that you interview me, and I understand your need for a sexy headline."


Why not a 15 year old script kiddie? All you need to coordinate this attack is some anonymous server power that cannot be linked to you, and it's not something that's very hard to come by.


Depends on how weak the keys are. They say some were trivial, but it's possible others still had enough entropy to require a lot of brute forcing. Most 15-year-olds don't have a lot of capital to deploy.


Yeah, but this one, if he exists, does. Crack open a piggy bank, find enough money to buy safecracking tools.


Yeah.... if the first ones were trivial and acted as a proof of concept, that would generate enough money for them to invest in better servers with more distance from the actual person running it.


> why don't people start by suspecting some kind of criminal organizations like the mafia instead?

Same logic as you've just used: it's so easy you don't need to be the mob. What would their edge be anyway? All you need is enough money to rent some cloud servers.


Because they haven't cashed out? If you don't cash out, then the point is something other than just getting the money. The amount seems excessive for someone that is just a researcher, so a state actor that is trying to destabilise the whole system makes a bit of sense.



