How using PGP led to me losing $60.
Before I get called out, let me fully disclose that the title is a perfect example of clickbait, and in no way am I actually blaming a widely used technology or Keybase, due to my own lack of responsibility and lack of caution. With that being said, let's get straight into the story.
As I'm changing up my threat model, I wrote this post because I really want people to learn from my mistakes that I, quite literally, paid for (the hard way). I also want to give myself a chance to explain how that happened to me, since this is a matter of public record.
Stellar and Keybase
Keybase is a useful application that seems to be built around the concept of making certain technologies that would otherwise seem too advanced for the average user, such as PGP cryptography, much more accessible and easy to use. It generally came off as a weird combination of a social media platform and Slack, with a few extra nifty features, such as the ability to create encrypted Git repositories and access encrypted storage that's bound to your cryptographic identity.
Keybase works on top of a clever system that is built around signature chains, which means that once I've set up my keys, I have to add a device, and then use that device in order to add another device, or an offline paper key (a series of English words that magically let you back in).
You can probably see where this is going already.
Anyway, one of its more recently added features is native support for Stellar Lumens (XLM), a somewhat unique cryptocurrency that essentially allows you to make cross-currency payments. It is reminiscent of the concept behind Libra, but it's actually tangible, smooth, and relatively easy to understand.
The Giveaway
In September 2019, I was met with a sketchy-looking notification in my notifications. I received a message from a user called spacedrop, which said that I had apparently received approximately 30 USD in some sort of a weird cryptocurrency called Stellar, as long as I obtained a Stellar wallet through the Keybase app. It looked too good to be true, but after doing enough research on the topic, that giveaway was, surprisingly enough, completely legit.
So, I did what basically any other person in my position would. I took the free money. I was reasonably happy that this actually went well, and I actually did mess with the currency a bit. I mean, if someone gave you free money, of course you'd feel pleasant as well.
The Downfall
As I mentioned earlier, Keybase is based on a bilinear system where everything is traceable back to your cryptographic identity. For instance, you'd use your private key in order to add a device, such as, say, your laptop. And in order to add more devices, you'd use your laptop, which has been verified by your private key. Adding devices with your laptop would mean that the other devices you own would also be verified, since your laptop is now bound to your cryptographic identity.
You can see what my "graph" looked like before I reset my account here.
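To make the device-chain mechanism described above concrete (the keys provision a first device, that device signs in further devices or a paper key, and every later device is trusted only because a previously trusted one vouched for it), here is a toy signature chain in Go. It is an added illustration written for this post, not Keybase's code or its actual chain format: link layout, action names and the `CanProvision` helper are my own simplifications, and Ed25519 over a SHA-256 hash chain stands in for whatever the real service does. The point it demonstrates is the one the rest of the story turns on: a verifier only trusts signers that are already in the chain, so once every trusted private key (every device, plus any paper key) is gone, no valid "add device" link can ever be produced again.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models one provisioned device (or a paper key): a keypair whose
// private half lives only on that device. Wiping the device loses priv.
type Device struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice(name string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, Pub: pub, priv: priv}, nil
}

// Link is one signed statement in the chain (toy layout, assumed here).
type Link struct {
	Seq     int
	Prev    [32]byte          // hash of the previous link (zero for the first)
	Action  string            // "eldest", "add" or "revoke"
	Signer  ed25519.PublicKey // must already be trusted unless Action is "eldest"
	Subject ed25519.PublicKey // key being added or revoked
	Name    string
	Sig     []byte
}

// payload is the byte string that gets signed; it deliberately excludes Sig.
func (l *Link) payload() []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, "%d|%x|%s|%x|%x|%s", l.Seq, l.Prev[:], l.Action, l.Signer, l.Subject, l.Name)
	return b.Bytes()
}

// hash covers payload and signature so a later link commits to both.
func (l *Link) hash() [32]byte { return sha256.Sum256(append(l.payload(), l.Sig...)) }

type Chain struct{ Links []*Link }

func (c *Chain) sign(signer *Device, action string, subject *Device) {
	l := &Link{Seq: len(c.Links) + 1, Action: action, Signer: signer.Pub, Subject: subject.Pub, Name: subject.Name}
	if n := len(c.Links); n > 0 {
		l.Prev = c.Links[n-1].hash()
	}
	l.Sig = ed25519.Sign(signer.priv, l.payload())
	c.Links = append(c.Links, l)
}

func (c *Chain) Eldest(d *Device)             { c.sign(d, "eldest", d) }
func (c *Chain) AddDevice(by, newDev *Device)  { c.sign(by, "add", newDev) }
func (c *Chain) Revoke(by, old *Device)        { c.sign(by, "revoke", old) }

// Verify replays the chain from the first link and returns the currently
// trusted device keys (hex public key -> name). Any link signed by a key that
// was not trusted at that point, or that breaks the hash chain, is rejected.
func (c *Chain) Verify() (map[string]string, error) {
	trusted := map[string]string{}
	var prev [32]byte
	for i, l := range c.Links {
		if l.Seq != i+1 || l.Prev != prev {
			return nil, fmt.Errorf("link %d: broken hash chain", l.Seq)
		}
		if !ed25519.Verify(l.Signer, l.payload(), l.Sig) {
			return nil, fmt.Errorf("link %d: bad signature", l.Seq)
		}
		signer := fmt.Sprintf("%x", l.Signer)
		switch l.Action {
		case "eldest":
			if i != 0 || !bytes.Equal(l.Signer, l.Subject) {
				return nil, errors.New("eldest link must be first and self-signed")
			}
		case "add", "revoke":
			if _, ok := trusted[signer]; !ok {
				return nil, fmt.Errorf("link %d: signer is not a trusted device", l.Seq)
			}
		default:
			return nil, fmt.Errorf("link %d: unknown action %q", l.Seq, l.Action)
		}
		subject := fmt.Sprintf("%x", l.Subject)
		if l.Action == "revoke" {
			delete(trusted, subject)
		} else {
			trusted[subject] = l.Name
		}
		prev = l.hash()
	}
	return trusted, nil
}

// CanProvision reports whether any private key you still hold belongs to a
// trusted device, i.e. whether a new device could still be signed in.
func CanProvision(trusted map[string]string, held []*Device) bool {
	for _, d := range held {
		if _, ok := trusted[fmt.Sprintf("%x", d.Pub)]; ok {
			return true
		}
	}
	return false
}

func main() {
	eldest, _ := NewDevice("eldest-key")
	laptop, _ := NewDevice("laptop")
	phone, _ := NewDevice("phone")
	paper, _ := NewDevice("paper-key")
	var c Chain
	c.Eldest(eldest)
	c.AddDevice(eldest, laptop)
	c.AddDevice(laptop, phone)
	c.AddDevice(laptop, paper)
	trusted, err := c.Verify()
	if err != nil {
		panic(err)
	}
	// Constructed scenario: every device is wiped; only what you kept on paper survives.
	fmt.Println("recoverable with paper key only:", CanProvision(trusted, []*Device{paper}))
	fmt.Println("recoverable with nothing left:  ", CanProvision(trusted, nil))
}
```

The verifier never consults a server or a password: the only thing that can extend the chain is a signature from a key it already trusts, which is exactly why an offline paper key is a recovery path and an unrelated key (or a fresh install) is not.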
Now the problem is that Keybase was seen as a secondary service to me, hence the reason why I didn't particularly regularly use it. I mess around with operating systems a lot, both on my phones and my computers, so, considering that I already store my private keys externally, I thought that losing access didn't mean too much to me, hence the reason why I never paid any proper attention. I periodically performed resets, either because I had actually lost access, or because I deemed that my account was too cluttered.
Loss of Access
I eventually turned out to be wrong.
My mistake here is that I didn't immediately change my behavior and kept treating Keybase as a secondary account that I didn't care too much about, despite the fact that it now held some sort of a financial capital.
The thought of backing up my private keys only crossed my mind once, but it was deemed as unnecessary, particularly because I already had 4 devices that would allow me to access my account at any given moment. I saw that recovery method as a hassle, as well as an unnecessary security risk.
I mean, I couldn't even find the notebook where I jotted down all of this stuff anyways. 3 days later, after a mishap during an Arch Linux re-installation, I also wiped and partitioned on top of my HDD drive. So there goes 2 out of the 4 "devices" that I had associated with my Keybase account.
That hard drive contained a Windows installation with a few archives, as well as recent picture backups taken from my phone, which was also reformatted and sent in for repairs. So there goes the third one as well, which included family pictures and a trip abroad that essentially changed me.
After realising how my lack of caution eventually came back at me, I didn't panic. Instead, I found an old Android phone that I had, which also had Keybase installed. It was my last beacon of hope. But well, actually, that's what I thought initially; in reality, I had also reflashed that phone back in September 2019, having completely forgotten that I had installed Keybase on that phone, just in case everything went south.
The day was November the 16th. I remembered that another "drop" of cryptocurrency, worth approximately $30 at the time, had taken place the day before, so I naturally tried to access my account again, until I realised that I couldn't.
While I was under distress, I sent a desperate e-mail to Max Krohn, the co-founder of Keybase, asking whether there was a way for me to recover the cryptocurrency, despite the fact that I lost access to all of my devices.
I never got a response, obviously, and you can probably already assume why, since I went to great lengths to explain how Keybase essentially works, which was something that I didn't previously know about in depth.
In other words, it is essentially impossible to recover the funds now.
Here's the abandoned wallet of shame, just in case you're curious about it.