An Adelaide dad’s plan to pay off his mortgage and retire early has backfired after discovering a devastating truth when he looked at his crypto account.
An Adelaide family has been left devastated after they lost $93,000 they were planning to put towards their children’s education and their mortgage in a shocking scam.
Rajendra Yadav, 45, works in the IT industry to support his wife and two kids and decided to invest some of his hard-earned money into cryptocurrency.
In March 2018, he put $14,000 worth of bitcoin into a “cold” wallet, a secure offline way to store savings that don’t connect to any online network and so cannot be hacked.
The money sat there for several years and in October 2021, Mr. Yadav decided to cash out.
By then, the price of bitcoin had soared and his money had ballooned to be worth $93,000.
But when the dad-of-two opened his account, which he had kept offline for years in the belief the money was steadily growing, the balance stood at zero dollars.
“I was shaking, I was in a panic mode,” Mr. Yadav told news.com.au. “I was literally crying inside.
“I couldn’t show that to my sons and my family [so] I walked out of my house at 10 o’clock at night and I was walking alone on the road.”
His worst fears were realized when the wallet provider informed him that a hacker had cleaned out the account in July 2019 – even though this should have been impossible.
Mr. Yadav first heard about bitcoin in 2015 but held off buying any because he wasn’t sure how legitimate it was.
During the 2017 cryptocurrency boom, he jumped on the bandwagon and spent $6000 on an entire bitcoin in September of that year.
He bought the top-ranked digital currency through the Australian crypto exchange BTC Markets but wanted to make his account more secure. By this point, the single bitcoin he owned was worth $14,000.
After more research, the IT expert came across a $119 device from French company Ledger called the Nano S, described as a secure hardware wallet for crypto assets.
He received the wallet in the post in March 2018, buying it from a verified retailer, Coinstop, then transferring his funds over to it.
“The device is kind of a USB drive that you plug into your system. It doesn’t work by itself, we had to download these extensions into the browser and hook it up to the [crypto] exchange,” he said.
“The set-up required a passphrase of 24 words, I had to write those in a leaflet. After putting in those 24 phrases I had to put in a pin as well. Only then would I be able to get into the device.”
He then hid the USB-like contraption in a cupboard along with the leaflet.
What Mr. Yadav didn’t know was just over a year after setting up the device, a cybercriminal gained control and stole his money, by then worth $17,000.
Frantically, in October 2021 when he realized the money was gone, the Adelaide man got in touch with Ledger, the company that invented the secure wallet.
After trying a lot of different things to see if there had been some mistake and if he could restore the money, he finally got the answer he’d been dreading.
“After a lot of email exchanges, I was able to explain the problem to the support team and then they mentioned the wallet was hacked, which made absolutely no sense to me,” Mr. Yadav recalled.
“How could an offline wallet get hacked if it was not brought online in years?”
In conversations with the Ledger support team seen by news.com.au, Mr. Yadav wrote in a desperate message: “This is getting excruciating and depressing to see my saving[s] gone.
“I have started to feel I was better off to have this in [a crypto] exchange than to have it [in] Ledger Nano S.
“My hopes are dying with each passing day. I am not sure if there [is] anything else left to try.”
His money would be worth more than 15 times his initial investment had he cashed out in October last year as planned, were it not for the theft.
“[The money] was a substantial amount and I had big plans,” he said.
“I wanted to put it towards the mortgage and my kids’ school fees. This would help me to retire soon, I would have financial freedom, and I wouldn’t have to work so many days a week.”
Mr. Yadav reported the crime to SA Police in December, who confirmed to news.com.au that an investigation is ongoing.
But when he went into his local station, a police officer dashed his hopes even further when they said the outgoing bitcoin was untraceable.
The transaction is visible on the blockchain but there’s no way of knowing who it belongs to unless it is transferred into a legitimate cryptocurrency exchange.
Mr. Yadav is demanding compensation from Ledger and has been left scratching his head about how the hack occurred in the first place.
The company claims someone must have got their hands on his 24-word passphrase, which would have allowed them to derive the key to his wallet and then hack the account, but he says this is impossible.
He wrote down his password on a leaflet provided by Ledger and put it with his USB-device then hid it in the back of his cupboard, where it remains.
His password was never written down anywhere else, so even if his emails or other accounts were compromised, the hacker never would have laid eyes on his wallet key.
During the month of July 2019, no friends or family were staying at his place.
He has never had a break-in at his home to date.
The police department handling Mr. Yadav’s case said: “There is no information to indicate that the physical wallet has been compromised or accessed in any way.”
In a conversation with news.com.au, Matt Johnson, a chief information security officer at Ledger, acknowledged that what had happened to Mr. Yadav was “traumatic”.
A former Australian Federal Police officer himself, Mr. Johnson said: “Given my background in law enforcement, I get frustrated when I hear about people falling victim to this sort of thing.”
He explained how this kind of thing may have happened.
“The 24 words derive a combination that provides you with your private key. It stores the key in a very secure fashion, keeps it isolated from the internet,” he said.
“Those 24 words are the keys to the kingdom. If somebody else can get those 24 words, they don’t need the pin.
“You want to keep those 24 words safe. You never, ever, ever share them, never put it in a place where it could be discovered or seen.”
In the past, Mr. Johnson said customers had lost all their money after writing down the passphrase in a draft email or putting it in the cloud which was later hacked.
Some cyber criminals immediately know the significance of finding a string of 24 words in someone’s private files.
Mr. Johnson recommended storing your 24 words in a safe or a safety deposit box at a bank and has even heard of cases of people storing their Ledger Nano S key in flameproof material that cannot be burned down.
Unfortunately, Ledger is not budging, adamant that Mr. Yadav’s breach did not come from their end.
“No compensation has ever been given, the hardware wallets work as advertised,” he said.
“We have never seen the successful hack of a Ledger hardware wallet. What we have seen are thefts related to the mismanagement of private keys.”
$750 million worth of crypto stolen globally
A report from crypto data company Chainalysis released in February found that cryptocurrency-based crime soared in 2021.
Over $750 million worth of cryptocurrency was stolen from people last year.
North Korea-affiliated fraudsters were the worst, responsible for $400 million worth of cryptocurrency hacks in those 12 months.
Most of these scammers used legitimate centralized cryptocurrency exchanges to send the stolen funds to, then transferred them to another untraceable account.