How a Web Wallet Outperformed Hardware Security

After we published the article “AML Terrorism” (if you haven’t read it yet, do so; you won’t regret it), a user contacted the support team at rabbit.io with a question about how to mark cryptocurrency as stolen in AML systems.

When we asked what had happened, our correspondent shared a very sad story about being robbed. I won’t recount all the details, but I want to share one non-trivial lesson from it: in extreme situations, a cryptocurrency storage method that seems the least reliable might actually protect your cryptocurrency better than other, supposedly more reliable methods.

What Happened

The person who contacted us was a social activist. For his projects, he collected donations in cryptocurrencies.

He handled this cryptocurrency very wisely, distributing it among several wallets.

  • What was needed for current expenses was kept in a hot wallet and managed through a smartphone application.
  • If there were excess funds, they were sent to a cold wallet. Accessing such cryptocurrency required a special device (Ledger, Keystone, Tangem, or something similar).

For donations, he provided addresses managed by a web wallet. The private keys for these addresses were not stored on his devices — they remained on the web wallet provider’s server.

The criminals knew that this particular person had cryptocurrency and forced him to hand it over using violence and threats.

They managed to get everything except what was stored in the web wallet.

How the Web Wallet Funds Survived

The robbers knew he owned cryptocurrency and came prepared. They knew exactly what to look for:

  • Cold wallets (hardware key cards)
  • Hot wallets (smartphone apps)

They found these and coerced him into revealing access codes. The web wallet, however, went unnoticed.

Theoretically, they could have discovered it. They had his smartphone and could have checked the browser history to find the web wallet’s website, then forced him to disclose the password. But this proved too complicated for them.

Or perhaps it simply didn’t occur to them that someone who invested $100 in a hardware wallet for security would also store crypto on a third-party server.

What Conclusions Can We Draw?

  1. Perception vs. Reality: Everyone considers a hardware wallet to be the most reliable storage method, while an online wallet that stores keys on someone else’s server is considered the least reliable. But it turns out that your own device can be taken from you by force, while someone else’s server isn’t so easy to find.
  2. Visibility Matters: Some believe that a hardware wallet is also reliable because not everyone will realize that a particular flash drive or card is a key to cryptocurrency. But criminals who know what they’re looking for will easily identify it. The web wallet, by contrast, couldn’t be recognized even by sophisticated robbers.
  3. Privacy First: This story highlights the dangers of publicizing crypto holdings. If everyone knows you have cryptocurrency, some of those people might be criminals who want to take it from you. By the time you mark your cryptocurrency as stolen, it may have passed through dozens of owners, harming innocent people.

So, avoid drawing unwanted attention. And for secure crypto swaps, use rabbit.io — we don’t need your personal data.