Andrew Schober invested 95 percent of his net wealth in the digital tokens, which he hoped he could sell later to buy a home and support his family.
But then disaster struck.
Schober downloaded an app called “Electrum Atom” after clicking a link on Reddit, mistakenly thinking it was a bitcoin wallet. Instead, it was malware that allowed hackers to steal 16.4552 bitcoin when he tried moving some of his tokens.
At the time, they were worth nearly $200,000. Today, they would be worth over $750,000.
Schober vowed to track down the culprits. After years of private investigations costing more than $10,000, Schober thinks he has found the thieves, and he’s suing their parents to get his bitcoin back. Krebs on Security first reported on the lawsuit.
The lawsuit alleges that two men in the UK, both minors at the time, now attending university for computer science used the supposed wallet app to deliver malware that inserted itself into a computer’s Java libraries.
The malware then proceeded to monitor Schober’s activity, waiting for him to copy a bitcoin address. When Schober went to paste it, the malware swapped the copied to the hackers’ own address.
The clever twist is that when Schober went to paste an address, the malware would swap it out for one that looked similar, there were 195,000 addresses embedded in its code
Schober hired experts to trace the flow of cryptocurrency from his addresses to accounts controlled by the hackers.
The blockchain analysis presented in the lawsuit suggests that the hackers tried to launder the bitcoin into Monero, a privacy-focused cryptocurrency.
At the time of the theft, the alleged perpetrators were both minors, so as Schober learned their identities, he sent their parents notes informing them of what he knew.
“It seems your son has been using malware to steal money from people online,” he wrote. Schober appealed to the parents, asking them to “make this right, without involving law enforcement.”
He said he would drop the matter if the stolen bitcoin was returned in full, and he listed an address and gave them a deadline. He sent one note in 2018 and another in 2019. He never heard back from either of the young men’s parents.
That silence led him earlier this year to file a lawsuit against the young men and their parents, claiming that the adults “knew or should have known” that their children were engaged in “illegal computer abuse(s) and/or cryptocurrency theft(s).”