Well, if the police was asking for the private keys that protected my million-euro stash of drug money... I would have 'lost' them too. In that vein, I wonder if they keep an eye on the wallets, and for how long.
If I were in their position, I would sign up for one of those services that alert you when coins move. I run one [1].
I'd then set the alert to go to coldcases@police.ie saying "new evidence on case number xxxx". That way even if the current staff retire, it'll be followed up on.
It is plausible to run a service on a $5 VPS. Pay $120 ahead of time and you have it for two years. I don't know why you think it would be so fragile. It wouldn't be difficult to run locally either.
Pretty hard to own a VPS which has no external ports open, even if the software on it is years out of date. In fact, updating software is probably a bigger security risk than not doing so, because you never know when someone manages to package a malicious bit of code into a common debian package.
Also, if it did get owned, I'd just have to spend a few hours rebuilding it - no bitcoin wallets or anything to steal on there.
Fair point about updates being a mixed bag. But “no ports open” doesn’t always mean safe. Maybe someone can pass some evil bits inside transaction metadata? (Disclaimer: no idea what I’m talking about w/r/t transactions, or how much parsing you’re doing)
Sound like FUD, what reason do you have to think a VPS set up correctly would have such a high probability of being exploited? What numbers do you have that show this is common?
(Also, again, someone could easily run something locally)
I'd then set the alert to go to coldcases@police.ie saying "new evidence on case number xxxx". That way even if the current staff retire, it'll be followed up on.
[1]: https://serverthiefbait.com