A longtime Bitcoin investor and his father discovered last week that in September they were robbed of ~25 BTC ($919,000), which the family had held in a personal wallet since 2012.
The online Bitcoin community is now coming to their aid, with the victim proposing a 23 BTC bounty to anyone who can recover the funds.
Insecure Private Keys
In a video from X user @RMessit (aka Rick) on Saturday, the victim said that his Bitcoin wallet’s private key was kept in a self-hosted password manager called KeePass.
The KeePass vault could only be unlocked via another password, which was known only to the two men. However, this password contained only 30 bits of entropy, far fewer and far less secure than the 256 bits of a standard Bitcoin private key itself.
Though still unsure of how his private keys were accessed, Rick suspects someone may have keylogged their device and watched them enter their KeePass password. He confirmed that the device on which the private key was kept was internet-connected.
“Particularly gut-wrenching that I’m writing this from our first father/son pilgrimage to El Salvador,” Rick added. El Salvador became the first nation to make Bitcoin legal tender in 2021, and has launched various initiatives to spur public adoption of BTC as a transactional currency.
Rick encouraged Bitcoin users to buy a standard hardware wallet to “keep their sats in cold storage.” Modern hardware wallets let Bitcoin users securely store and send coins without exposing their private keys to the internet, thus protecting them from online hackers.
Hardware wallets were not available in 2012, nor were seed phrases, the human-readable lists of 12 to 24 words that store private key data in a form a person can memorize.
Tracking Down the Coins
Fellow Bitcoiners are already making progress in tracking down the thief. One user, @coinableS, noticed that the hacker has been re-using his Bitcoin addresses and that his attempts to mix his coins
Author: Andrew Throuvalas