This is similar to asking why more waiters/waitresses don't use credit card skimmers.

I suspect the answer is similarly that, unsurprisingly, most hosting providers are in the business of providing hosting, as opposed to running a front for criminal activities. And that anyone caught running this criminal activity would likely be fired and prosecuted.

And of course that there is an inverse correlation between the type of person interested in petty theft, and the type of person with the skills required to do this and not get caught.

But it makes sense to retrieve wallets from instances that are going to be permanently deleted (when client stopped paying, etc).

For example it would save 17000 BTC that bitomat.pl exchange lost when upgrading Amazon EC2 instance to add RAM.

Not if you assume that the client should have already backed up data on that instance, and keeping a copy for yourself is illegal.

About as long as it'll take them to start harvesting credit card details from the same clients.

Credit card thefts can be reversed.

If they can't detect which of the admins did it then what are they going to do?

Also, credit card numbers do expire. You could just make a backup copy of somebody's private key and wait a year or two before transferring all their funds to your account, unless they move the money away to a different address themselves.

It's an interesting point. That said, forensics on VPS's / cloud providers is already a big thing. Until now it's mostly been databases, secrets, SSH keys etc. Well-known providers zero their storage... lesser known, not so much.

> Credit card thefts can be reversed.

Yeah, that's the only reason hosting companies don't mass harvest credit card numbers from their customer's websites

If you set up your VPS with a hierarchical deterministic wallet[1] or a passphrase-protected private key[2], your hosting provider will be unable to determine your private key.

[1]: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawi...

[2]: https://github.com/bitcoin/bips/blob/master/bip-0038.mediawi...

There's really no getting around the evil maid attack[1], if someone can attack your hardware directly. There's even evidence that a sufficiently clever attack can persist through formatting and re-installing a drive[2] - note, people have also found exploits in network firmware... remotely exploitable exploits. If you can do it by accident[3], then most likely it can be done with malice aforethought.

Edit: adding a strong pass-phrase /does/ give you a significant level of protection; While it doesn't offer protection from an evil maid type attack (where the attacker trojans your server, then you decrypt your key after said server was compromised) it does offer quite a bit of protection, say, from an attacker who has access to old backups but not your production system. So I think a passphrase on all of your important private keys is a worthwhile thing to have.

I just want to make it clear, once you decrypt that key from within a compromised system? all bets are off.

[1]https://www.schneier.com/blog/archives/2009/10/evil_maid_att...

[2]https://news.ycombinator.com/item?id=6148347 (of course, this specific attack wasn't as scary as it could have been, say if the same sort of thing was remotely accessible)

[3]http://theinvisiblethings.blogspot.com/2010/04/remotely-atta...

Is that still true if the attacker has access to system memory? That's a more difficult attack but still feasible for a malicious VPS admin.