Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I'm curious - if someone was able to develop a new type of computing (or phishing) to get the private keys and simply took them, would that be stealing? Do people who own Bitcoin have any legal right to the coins? What if the person who "stole" them claimed they mined it themselves. How could you disprove this?


Solo-mined coins are recognizable as outputs of special coinbase transactions. Pool-mined coins tend to have a very short history as pool payout from recent coinbases. So any mining claim to coins with a longer history are obviously false.


IANAL but I would be surprised if any jurisdiction didn’t find that was the case.

Difficulty in proving something happened doesn’t suddenly make it legal.

As the thief, you could only plausibly claim you mined it if you stole it from someone who did (as otherwise there would be a history of UTXOs). Depending on the history of the coins in question, it could be used as evidence.

Ie if one of the last prior UTXO was associated the gov airdropping it to Alice, 65yo non-techie, still having those keys on her iPhone, and then maybe sending some to her nephew and spending it on a webshop order shipped to her home address, and then Bob, 35yo CS Phd with addiction problems... I’d say that’s more evidence than what’s needed to put someone in jail in many places. But I think as with many things legal it’d depend a lot on the circumstances in the individual case.

People have been found guilty of defrauding people of cryptocurrency. It’s not that exotic.

This made me thinking, if you want to “insure” yourself for such a potential future situation, construct a hash of an arbitrary secret, sign it with your private key, and publish it on-chain. If you’d end up as the victim in that scenario, you could present the preimage, thereby presenting proof you had control of the keys at that point in time, as opposed to gaining access to them recently.

I wonder if the Lightning wallet they’re using has enough information for its internal database to already have that, considering how Lightning channels and payments work.


What if the person 'stealing' the bitcoin didn't 'hack' or 'phish' the private key, but instead guessed it?

There's been documented cases of coins being sent to wallets generated with empty-string seed phrases, or people using seed phrases that are easily guessable.

If I guess your private key/seed phrase, I've not accessed any network or equipment I don't have authorisation to access, I've not tricked or defrauded anyone, what crime have I actually committed?

Certainly stealing bitcoin this way would be morally wrong, but I don't see what crime you could charge me with.


IANAL but in the United States that would still be wire fraud because you interact with a network to move the bitcoin into a wallet you would control. You can disprove the other actions by looking at Bitcoin's distributed ledger but for certain transactions if they liquidate the coins it can be a great deal of work to figure out where the money went.


How would you distinguish this "bad" behavior from the good? It seems inherently intractable without centralization.


How is it any different than determining if a credit card charge was fraudulent? Either way, someone "figured out a way" to extract funds.


Credit cards are centralized and it's trivial because of that.


I went to a presentation where Capital one has an anomaly detection system for credit card fraud that could process a transaction below 1ms or even lower than that. They had a system with around a Terabyte of memory using a streaming data system (I think it was spark).

This is a nontrivial system that has false positives and negatives.


False positives or negatives don't really matter with credit card systems because you have recourse from the perspective of the end-user. Obviously Capital One incurs costs around such things and so they have complicated infrastructure developed, sure.

However from the end user perspective:

If you have a credit card and a fraudulent charge appears you call the credit card, they freeze the transaction, contact the vendor who may or may not be able to corroborate the legitimacy of the charge, and it's done.

The alternative would be using cash, where it is not possible at all. So in comparison to the alternative, I do believe it's "trivial." That being said I regret using that word, I should've used "straightforward", instead.


The merchant is also an end user, and they lose the money.


How is it trivial to determine if a charge was fraudulent? Fraudulent charges are made in the exact same way as genuine ones.


Depends on the nature of it - if the locale is different for example you can immediately reverse it and ask the vendor the fraudulent charge came from for details regarding the transaction and cross reference with the details about the owner of the card.

However if you were using stolen cash it wouldn't really be possible. In this scenario the stolen private key and corresponding bitcoin is like stealing the cash. There's not really anyway to determine anything.


Maybe fraudulent wire transfers would be a better analogy, but I don't think this is fundamentally different than traditional banking. You determine if a charge was fraudulent by whether or not you authorized it.


If you stole the private key how would you be able to determine who the original authorized user is?

More simply: how can you distinguish someone who ceded their Bitcoin voluntarily to someone else vs someone who had it stolen from them with no centralized entities involved?


My point is that you distinguish it in the exact same way as you distinguish a charge from a cloned credit card, or a bank transfer with a stolen password, or cash swiped out of a wallet.

In all cases, the fraudulent money is used in exactly the same way as genuine use.

If you figure out a bitcoin private key, that doesn't give you any more right to the money than figuring out a way to guess someone's bank password. And remediation would be the same.


You're not really answering the question. It's fundamentally easier to do it with cloned credit cards, or banks because they are centralized entities dealing with individuals with verified identities.

Even if you had someone's bank password, what will you do with the money? Transfer it to another bank? If so the wire will be reversed. Why? Because you can call someone and tell them to do so and an investigation will be done, but you will be presumed to be innocent first.

So again, with Bitcoin, with no centralized entities involved, how can you distinguish between someone ceding their bitcoin to someone else vs. it being stolen from them?


If you wire money to a fraudulent account, it's gone forever. Unless you can track down the fraudsters for criminal charges.


This isn't true though. Look up SWIFT Recall. Again, we're talking about Bitcoin here, not wire fraud.


I don't think this discussion is going anywhere, but you most certainly can irrevocably lose money with wire fraud. Even many debit cards are not covered from fraud.

And we are comparing Bitcoin and wire fraud.


OK so you basically don't have any response on how to distinguish Bitcoin being given to someone vs being stolen without centralized entities being involved, got it. I won't be responding to you anymore since you have nothing to add.


Yes, exactly like you can't distinguish wiring money to someone intentionally vs wire fraud.


How do you think they traced Ross Ulbricht? You do actual detective work to figure out who did the transactions and then you can work backwards to who the coins belong to.

Same with MT.Gox the stolen bitcoin is being given to the people who had the original accounts.

Bitcoin is largely anonymous not because of its encryption but basically security to obscurity because that since every transaction is on one central ledger.


With Ross, he didn't steal private keys, did he? And with Mt.Gox it was only possible due to it involving a centralized entity, which is my point to begin with.


Yes but Ross had really poor operational security. He reused identities across stack overflow. If you want to prove that someone had a private key stolen and had poor operational security what this hypothetical person could do is as follows.

1. Takes the private key of the person in question.

2. Immediately sends an email to a fence or just sends the BTC to an exchange.

3. Takes the money.

In a court case you could claim the following:

The user that got their private keys stolen has record of a file containing a private key that they own which is older than the other user and has done at least one purchase with it.

If the person who stole your private key has transactions that aren't older than the original owner that's how you could argue the case.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: