**TL;DR** – I thought LocalCryptos.com (P2P Exchange) locked me out of my account. They ghosted me with zero explanation. Loss of money was avoided thanks to a private key backup. Always back up your private keys. Always use non-custodial exchanges. Eventually I realized I was locked out because of a time-sync problem on my end.
If you’re into Peer-to-Peer exchanges, you may have heard of Australia-based exchange LocalCryptos.com. I’ve been using them for a while now to trade Bitcoin, sometimes for cash, sometimes for bank transfers. Until now I had no complaints about them. In fact, I would’ve readily recommended them to any semi-experienced bitcoiners looking for a spot to securely buy or sell crypto while retaining custody of their funds.
This changed at the end of August 2020. I went to log into LocalCryptos. I enter in my email/password and Google 2FA code. LocalCryptos says my 2FA code is invalid. Huh? Weird. I haven’t changed phones or account passwords, nor reset 2FA or anything like that. The 2FA app isn’t the problem here – I’ve been using the same Google authenticator app for more than a year. But LocalCryptos still isn’t letting me log in.
Now I start to freak out a little. I had several thousand dollars’ worth of BTC stored in LocalCryptos before I was locked out. At this point, I’m starting to worry if:
– I have just been phished
– LocalCryptos’ servers were hacked or their domain was hijacked
– LocalCryptos is scamming me to take my BTC somehow
– Someone hacked my account and changed my 2FA keys or password
If any of the above were true, then my BTC would surely already be stolen. The first thing I realize I should do is check the transaction IDs for my most recent deposits into LocalCryptos. LC is a non-custodial exchange, so if those UTXOs had been spent without my knowledge, then case closed: I was hacked and the money is gone.
But I’m surprised to find that my coins are still sitting there, in the same addresses I left them in.
“LocalCryptos must’ve locked my account” is the only explanation I can come up with. I email their support.
– They ask “What error are you getting?”.
– I send them a screenshot of the login page error which says “Wrong OTP” (for the uninitiated, OTP stands for ‘one-time password’).
– They send me this:
> I have escalated your ticket to a higher department for them to help you.
> Please allow 48 hours for them to respond.
– I’m confused, but placated. I send a simple ‘thank you’ message and sit on my hands.
– 48 hours goes by and nothing happens. My account is still locked and I’ve heard nothing from LocalCryptos.
– I wait a few more days and then I send a reply back – this is 5 days after being told to wait 48 hours – asking if anyone is listening. At the time of writing, I still have not received a reply to that email thread.
– Another 48 hours later (a full week after initially reaching out to them), I hear nothing back, and my account is STILL locked.
– I start a new support ticket referencing the previous one, describing the situation, etc.
– They send me the same copy/paste reply:
> I have escalated your ticket to a higher department for them to help you.
> Please allow 48 hours for them to respond.
– 24 hours later, they send me an automated email saying “Do you still need help? We replied to your ticket 24 hours ago, and we haven’t heard from you. If you still require assistance, let us know by replying to this email.”
– Normally if you ignore those emails, they close your support ticket, so for good measure, I reply back saying yes, please help me, I am locked out of my account.
– At the time of writing I still have yet to hear another word from a real LocalCryptos employee on the matter.
– I had a discussion with their CEO on Telegram several months prior, so I messaged him, hoping to get lucky, but he ghosted me as well.
My theory was that someone filed a bogus report on my LocalCryptos account, or maybe LocalCryptos has some kind of ‘fraud detection system’ that mistakenly flagged my account. In either case, their support team’s policy when that happens seemed to be the old ‘stall-and-ghost-them’ technique.
By the grace of god, the last time I was logged into LocalCryptos, I happened to find the ‘download backup’ button, and downloaded a backup of my LocalCryptos account’s private keys. I used that to derive the private keys for the addresses that my coins were stored on, and successfully swept them to a wallet I control! Phew. So no money was lost, thanks to the power of private key ownership.
A few weeks later, I realized what the problem was. My phone’s clock was no longer properly synchronized. Google Authenticator and other TOTP apps (RFC 6238) derive each code from the shared secret and the current Unix time, divided into 30-second steps, and the server only accepts codes from the current step and a small window of adjacent steps. So a phone clock that is off by more than a minute or so produces codes that are perfectly valid for the wrong time, and the server rejects them as “Wrong OTP”. After re-synchronizing the clock (Google Authenticator has a ‘Time correction for codes’ option in its settings for exactly this), I was able to generate correct 2FA codes and log into my account again! The quick check, if you ever see this: compare your phone’s time against any NTP-synced clock before assuming your account has been tampered with.
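To show concretely why a drifted clock produces a “Wrong OTP”, here is an added example (not code from the post or from LocalCryptos) that implements TOTP from scratch with Python’s standard library and simulates a phone whose clock is ahead or behind the server’s. The secret is the RFC 4226/6238 test-vector secret encoded in base32 as authenticator apps expect; the server time value and the skews are constructed inputs. The acceptance window of ±1 step is an assumption about typical server behaviour, not a statement about LocalCryptos’ actual configuration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6   # code length used by Google Authenticator

# RFC 4226 / RFC 6238 test-vector secret "12345678901234567890", base32-encoded
# the way a QR-code provisioning URI would carry it.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32.upper().replace(" ", ""))
    return hotp(secret, unix_time // step)


def verify_totp(secret_b32: str, code: str, server_time: int,
                window: int = 1, step: int = STEP):
    """Server-side check. Returns the step offset (-window..+window) at which
    the submitted code matched, or None if it matched nowhere in the window."""
    for offset in range(-window, window + 1):
        candidate = totp(secret_b32, server_time + offset * step, step)
        # constant-time comparison, as a real server should use
        if hmac.compare_digest(candidate, code):
            return offset
    return None


def diagnose_skew(secret_b32: str, phone_skew_seconds: int, server_time: int,
                  window: int = 1):
    """Simulate a phone whose clock is off by phone_skew_seconds (positive = ahead)
    generating a code, and report the offset at which the server accepts it."""
    phone_code = totp(secret_b32, server_time + phone_skew_seconds)
    return verify_totp(secret_b32, phone_code, server_time, window)


if __name__ == "__main__":
    server_now = 1_600_000_000  # constructed server timestamp
    for skew in (0, 45, -45, 600):
        result = diagnose_skew(TEST_SECRET_B32, skew, server_now)
        verdict = "accepted" if result is not None else "rejected (Wrong OTP)"
        print(f"phone clock off by {skew:+5d}s -> {verdict}")
```

With the default ±1-step window, a phone that is 45 seconds ahead still lands in the adjacent step and is accepted, while one that is 45 seconds behind (two steps back at this particular timestamp) or ten minutes off is rejected outright, even though the code it generated was the correct one for the time it believed it was.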
So after all this, I’m still inclined to say LocalCryptos isn’t a *bad* exchange, because their exchange was designed with a situation like this in mind. Even if you are locked out without explanation or help, you can still get your money back. Their smart contracts are very reliable and they enable non-custodial peer-to-peer fiat/BTC/LTC/ETH exchanges.
But if you use them, be aware that you’ll get no help from their customer service. My account was perfectly normal, and a little help from a customer service rep would have probably uncovered the time-desync issue in no time. Instead I had to figure it out on my own simply because they were too lazy or incompetent to reply to me.
Heed my story as a warning if you use an exchange: you had better beware of the risk that, even if you are smart, even if you play it safe, even if you use a strong password and 2FA, your account might suddenly become locked and you’ll need to rescue your BTC yourself. That’s what non-custodial exchanges are for!
In case anyone is wondering, here is the tool I used to recover keys from a LocalCryptos backup:
LocalCryptos staff, if you’re reading this, ghosting locked-out customers is NOT OK. Fix your sh***y customer service policies. If you tell someone to wait 48 hours for a reply, then you bloody well better reply in 48 hours, even if it’s to say “Hey, sorry this is taking longer than we thought, but please rest assured we’re working on it. Expect an update within N days”.