A crypto fairy tale

7 min readFeb 15, 2021


You might be thinking, this will be about a token that made me 100x. In 2021, that does sound like a fairy tale doesn’t it? Unfortunately no, I won’t tell you about such a token. I can promise you though, that like every fairy tale, this one walks the borderline of believable and also has a happily ever after, or happily never after in our case. It is also a story about what it means to be able to rely on companies and people, that genuinely care about their customers.

7 years ago I started my own tech company with another partner. There were 5 employees, today there’s 12. Those starting five, which came to be known as “the core team”, had a stake in the company and certain financial privileges that came along with it. We run a good business and earn enough for a comfortable living, strive to maintain an environment of mutual respect and above all, trust, or so we thought.

Some of us invest in crypto. 3 years ago, I invested in CoinMetro. A crypto exchange which was born in the ashes of the great 2018 crypto winter, that saw most assets drop 80%, 90% or even more. They had a big hill to climb, but something told me to stick around, and I did. I was a sucker for cartoonish trains for some reason (a theme on their website at the time). Fast forward to today and we see, it became a flourishing and friendly place, starting to become a giant in the space.

Now, the story thickens. The bread and butter of our company is data processing. Lots of data. We keep about 12 4U NAS storages with about 2 petabytes of space. A decent sized data center. We also have a mobile setup, since we often work out of office, abroad on top of that, and there is no way to simply transfer such volumes of data over the internet, so we carry a bunch of those servers with us.

Middle of January, one of my coworkers calls me and reports performance issues on a rendering field server: “rendering process is extremely slow, I found one weird process in the task manager, Windows reports this particular process is using 100% GPU”.

“what is the name of the process?”, I asked.

“phoeim.exe”, she replies.

I Googled it and came up with nothing. Try it. I had a suspicion what it is, but since Google found zilch, I asked in a few crypto Telegram groups and got my confirmation immediately. It was the executable file of the Phoenix miner, most commonly used to mine ETH.

I was raging. I knew which employee did it, because it was his job to prepare the field server and because he did it once before, only with an ASIC BTC miner. He simply installed it in the company server room, which he was authorized to access. Upon discovery at the time, he received what I would call a yellow card if I borrow from soccer terminology. The sad thing is, it was one of the core members. This had one simple motive I hate the most in people: greed. A new company code, strictly prohibiting any form of unauthorized hardware utilization was also put in place after this incident, but we gave him a second chance.

Back to the point. After this initial discovery of Phoenix miner, I had a bad feeling I was looking into a rabbit hole, and boy, what a rabbit hole it turned out to be. Since this person was a system engineer and a senior member, he had authority to make any required hardware purchases without the consent of other senior members (trust, remember?). Upon analyzing all hardware purchases related invoices of 2020, we came to a shocking conclusion that about 16 graphics cards were bought illegally over a 6 month period of 2020. The cards were mostly Radeons 5700XT and we all know what those are good for. Playing Tetris of course.

We searched the offices to find out where they were actually installed and found nothing new in the server room and nothing out of the ordinary in the offices. Then someone slapped himself on the forehead. NAS servers! True enough, every NAS server had one of those Radeons installed. It was a perfect crime. Putting those cards into workstations and running them at max would be discovered immediately, but all a NAS server does, is serve files, there’s no one directly using it and this persons job was also NAS administration. The servers were working without a problem, except needing a disk swap here or there, so nobody gave a second sniff about it, let alone open one to check what’s inside.

As you can see, our perpetrator was being very imaginative and thorough, but that also turned out to be his downfall. He left his configuration files quite extensively documented with comments like, where is the account which was receiving ETH from the mining pool. Two of those were very interesting as he labeled them “CoinBase” and “CoinMetro”. He was mining directly into a wallet address, generated for him by the exchange API.

In order to conclude the chain of evidence, I needed to link that ETH address to the actual person. If the owner of that particular address was our perpetrator, I would have enough to press him. If he registered there, he had to go through the KYC process. Now, I haven’t used CoinBase in some time due to high fees, but I do use CoinMetro regulary and am fairly active in their community Telegram group as I was also an ICO investor.

Anyone who uses CoinMetro knows how seriously they take customer care and support. Those also know, they can talk directly to the company CEO by leaving a direct message. He responds, always. If CoinMetro support is a fully loaded Bentley, others I have dealt with, are old diesel Volkswagen Golfs with less trim options than a nearby cave.

I sent a private message to the CoinMetro CEO on Telegram, exchange voice messages during his lunch hours at about 6pm and explain my problem. Due to GDPR restrictions, he could not confirm it for me, but he would assure me, if an official inquiry from authorities came to CoinMetro with the specific question: Is this the name of the owner of the following account? They would send an official confirmation immediately and lock up the account if requested, pending potential legal resolve of the dispute. I said I hope that won’t be necessary, since I was aiming for a peaceful resolution. Encouraged and confident the person in question was indeed the owner of those accounts, I decided to play the odds and bluff.

It was time, to confront him. I asked directly, if the software I found on the server was intended for mining and how it got there. He replied that it was, but that it surely must have been auto installed (like a virus)because of some software licence crack he applied, that he downloaded off some Russian site (which is a transgression itself, as we don’t allow pirated software, period). That was a lie, you see, he forgot the he only installed and applied the crack on 1 of those three machines where the miner was found.

After some time, he changed his story 2 times. First, he said he received an email, stating that if he installed the miner and directed proceeds to a specific wallet, he would gain twice as much in return to his own address. My eyes rolled around. There were only two possibilities. Either he thinks I am that dumb, or he is, to believe it. (which he wasn’t). The second version of the story was him claiming, he was only testing mining since the start of the year, for the purposes of providing profit to the company which would cover our electricity bills, and he only didn’t tell us, because he wasn’t sure it would work. He claimed he was only mining from the beginning of the year and intended to inform us as soon as he would have a proof of concept.

At that point, I decided to do a little more digging into his configuration files. I loaded up the addresses into Etherscan to find a shocking discovery. The oldest mining pool incoming transaction was 1100 days old and the last one, only 2 days. This was going on for more than 3 years. The discovery shocked us to the very core, when I presented it to other senior members.

I threw out my next bomb. We wanted to know his rationale for buying and the whereabouts of illegally bought graphics cards. The answer was, that he had issues with graphics cards, that they were failing as soon as he was plugging them into the servers and that he threw them all away. I thought, really? That is your answer? Even if they were failing, someone should remind him that when new hardware fails, you apply for a warranty claim, not throw it away like used baby diapers.

At this point, we’ve heard enough. It was clear the guy we knew and worked with for 15 years, with whom we went to the seaside in summer, or skiing in the winter, with whom we laughed and joked, is not the same person anymore. It all became about a clean severance that ensures the smooth transition and security of our company.

This is when I tried my bluff. I sent a clear message, presenting our evidence and declaring his answers to our questions on the verge of being insulting. I also stated the company would seek an official inquiry into the ownership of ETH accounts found in miner config files on both CoinBase and CoinMetro, should he disagree with our proposal on leaving the company immediately and on our terms, which meant his hefty severance pay was gone, and he is required to offer immediate assistance on pending and future issues till the end of the year. A second yellow card = a red card.

I admit, the devil in me decided to send that email at about 10 pm, knowing quite well the guy would not sleep that night. That’s okay, neither did we for the last 14 days after discovering that iceberg of shit, pardon my french. Next morning, the guy folded, conforming to our terms, but sadly, not showing enough balls to admit what he did, still clinging to his bullshit story.

We now live happily never after.




Tech lover and enthusiast. Love to discuss IT tech and trends, gadgets, sports...