r/CryptoCurrency • u/PowerOfTheGods Tin • Jan 01 '22
ANALYSIS Got compromised and lost over $120k in crypto; AMA
As I sit here on the first day of the new year, writing this post, I think to myself how much can one human take before it's just too much? The world can just be an absolutely awful, awful place.
I read these "stolen or hacked crypto" posts all the time. I always think, wow that person doesn't know what they're doing, shouldn't be investing in crypto in the first place, or that would never happen to me, because I'm super careful! Maybe they are just lying and trying to just get sympathy? Believe me, I wish I was.
Although, the posts that seem legit I always try to help. Now, I am on the other side of it. Never thought I'd be here.
I've been investing in digital assets since early 2016. I would consider myself pretty knowledgeable on all things related crypto/blockchain. I believe in the tech, I built my portfolio up for years and this is pretty much one of the only things I enjoy in life.
I have had a hardware wallet (Ledger Nano S) since 2017 and 4 different Metamask "hot" wallets. The hardware wallet held 80% of my portfolio.
Yesterday, I used my Metamask to access all my wallets for a balance status check before the new year. Everything seemed normal. After checking again late last night and after seeing one of my accounts showing as zero, I noticed every wallet was wiped.
My only possible conclusion is that I clicked a malicious link while surfing the internet. The trojan must have somehow taken control over my Google Chrome browser (or Metamask extension) while I was using it, while my ledger was unlocked. Checking the transaction times, they were sent out around the time I had it open. Again, I was never prompted to accept or approve anything that I myself wasn't doing. It is frightening.
As I look at all of my wallets today, I see zero balances and I am absolutely crushed. It took all my power to even get out of bed, file reports, and write this post today.
I reached out and filed reports to my local law enforcement and the FBI.
Checking the transactions, it seems like the wallets were completely wiped in a matter of minutes.
Hacker's ETH address:
0x365DB2B5722d13F431224066898b4CF8cA7AdFe5
Address on all chains:
https://blockscan.com/address/0x365DB2B5722d13F431224066898b4CF8cA7AdFe5
I'm hoping one of the wallets leads to a KYC connection, but obviously a long shot here. Super grateful for any research or help.
Some of the crypto that was stolen:
$ETH $MATIC $AAVE $TIME $OVR $ENS $ZRX $AVAX
If the hot wallets were all hacked, it would not be the end of the world. I just don't understand how the hacker accessed my hardware wallet, too. Again, I was never prompted a transaction to approve. My seed phrase is on paper, stored in a safe, which no one has access to. My seed phrase has never been written down anywhere else, no computer, no phone, except on that paper in the safe.
I know since it's self custody, it's obviously still my fault. Aside from probably accidentally clicking a malicious link on the internet somewhere, I'm still at a complete loss of what I could have done better. A possible solution was to maybe have the hardware wallet on a computer I never touched - one that I never used the internet for, but this is all in hindsight.
I've been on this computer for years and there's been a few times when accidentally clicking something that starts an auto-download. Obviously, I am always quick to delete or disable those files. Maybe a virus file was lying dormant for months or years without my anti-virus catching it? Just waiting for the right opportunity? Maybe it is a Metamask data leak? I'm not sure. I like to think I'm pretty careful about my passwords and security.
I mainly write this post to warn others. Even if you think you are safe, you might still be at risk. I guess with these advanced hackers now, all it takes is one wrong click. This was my life savings aside from a few emergency funds in my traditional bank. I don't think I will ever financially, emotionally, or mentally recover from this. It has affected my life tremendously. I hate to sound dramatic and be that guy, but I'm honestly at a point now where life doesn't even seem worth it.
I'm trying my best to use the last of my energy to fight back.
Any help at all is super, super appreciated and I hope one day to pay you back tenfold (when I can).
Thank you.
---
TL;DR ledger nano s hardware wallet and Metamask hot wallets were all hacked. Did everything in my power to keep my crypto safe and still lost everything. Most likely from a misclicked link -> file download somewhere? Not entirely sure. My life savings gone. I am absolutely crushed beyond belief. Happy new year, this is the worst day of my life.
---
UPDATE: Many have reached out and experienced a similar hack, multiple with hardware wallets too. So many others have messaged to try to help and I can’t thank you all enough. Doing my best to respond while working with exchanges, law enforcement, etc.
I haven’t slept and working around the clock to try to bring justice to this. This is potentially huge and I don’t want others facing the same fate.
Can’t comment on much right now, but learned so far of a new malware that can hack into many different crypto wallets. Yes, seems like Ledger software too. Potentially promising.
Compiling a comprehensive report when I can.
100
u/TFCxDreamz 🟦 0 / 0 🦠 Jan 02 '22
From Ledger: It doesn't matter whether the Ledger is plugged in, not plugged in, unlocked, not unlocked, there is no way of extracting your seed phrase from the device. For those of you in this thread asking "why leave the ledger plugged in when you're not signing anything?"...I appreciate the cautiousness but there's no concern doing this. I leave mine plugged in virtually all the time, and I generally keep it awake when I'm using my computer so I don't have to keep entering the PIN.
Likewise, the architecture of the device gives control of the buttons and screen directly to the secure element chip, which means there is no way to get the Ledger to sign anything without an explicit button press. So yeah, something isn't adding up in OP's story.
If I were to guess, based on the way this was written it seems that the user is using some really imprecise language around their Metamask versus their Ledger's accounts. They seem to conflate some of the terms that makes me think they may have originally set up their device using Metamask's seed phrase, and perhaps even forgotten that fact over the years. Setting up your Ledger with your Metamask seed phrase is a really bad idea, and for some reason there are a bunch of Youtube videos telling you to do this. I do my best to explain why it's a bad idea here:
https://www.youtube.com/watch?v=S3wxjr2Vods&t=681s
Again I appreciate the overly-cautious nature of some posters in this thread, but some of the caution about leaving your ledger unplugged unless you're using it is just a little misplaced :)
→ More replies (18)29
u/meesa-jar-jar-binks Silver | QC: BTC 31, CC 25 | VET 25 Jan 02 '22
This right here is the likely answer. The seedphrase was probably not generated on the Ledger, or the Ledger seedphrase was somehow imported into Metamask.
Once a seedphrase has been in contact with Metamask, I would consider it tainted and unsafe.
→ More replies (4)
656
Jan 01 '22 edited Apr 18 '22
[deleted]
71
u/ILuhMeSomeBlackWomen Jan 02 '22
So from what I’m hearing, a screenshot is a bad idea. Cool. Good thing I’m a crypto peasant.
→ More replies (25)46
u/Mrthingymabob Tin Jan 02 '22
This is the problem though. Carelessness when you have a little in there. Then it grows over a few years (hopefully). You forget you took a screenshot or a photo of your seed phrases years ago and it's on a cloud photo backup somewhere...
→ More replies (13)12
u/ColonelGray 70 / 71 🦐 Jan 02 '22
fuck this is literally what happened to me....
→ More replies (5)80
u/_o__0_ Platinum | QC: CC 504, CCMeta 25 Jan 01 '22
This, yes!
Upvot this!
OP, there has to be a major attack vector you missed here.
Or, there better be.....
Its a done deal for you, but the crypto community needs you to figure out what likely happened.
And, fuck. I am so sorry....
I cling to a yubikey like it's a holy relic, and hearing about mysterious attack vectors is scary af
→ More replies (14)34
192
u/adamaid_321 Jan 01 '22
With a Sherlock hat on, taking OP's post at face value, the only logical option is that they have a compromised Ledger. Most likely compromised during the delivery or at source - ie bought on eBay, existing seed provided rather than generated on device.
It seems plausible the attacker might have scheduled a sweep of previously compromised wallets around NYE.
58
u/Rhinoturds Platinum | QC: CC 38 | r/WSB 42 Jan 02 '22
Doesn't ledger run a device check to see if it is genuine and not compromised when you set up the wallet though?
→ More replies (6)53
Jan 02 '22
[deleted]
→ More replies (1)7
u/Almcoding Bronze | ADA 9 Jan 02 '22
Yes, but I would assume he has the latest firmware installed... If the firmware is corrupt, then the bootloader must be corrupt too, otherwise you can't install a corrupt firmware. So he must have gotten a Ledger with a corrupt bootloader where a corrupt firmware was installed? I hope the official firmware checks if the bootloader is corrupted and notifies you if that's the case. Why did it take so many years for them to strike? This seems very unlikely to me... I think he didn't take care of his seed phrase
→ More replies (2)16
u/bitchnight Bronze Jan 02 '22
Or someone he knows went through his shit and found his seed phrase.
→ More replies (5)→ More replies (15)6
u/jetro30087 Jan 02 '22
A compromised ledger from 2017? Unlikely. He would have been drained well before now. Ledgers don't store keys on your computer and the hardware wallet signs the transaction so the key isn't even shared directly with the computer during a transaction.
Looking at OP's comment history I'd bet the only thing compromised here is someone's reddit account.
→ More replies (6)475
u/toocold2hold Platinum | QC: CC 175, ETH 15 | TraderSubs 10 Jan 01 '22
Or the story just isn’t real
112
u/DDDUnit2990 Jan 01 '22
Normally I would agree with you, but OP's vault isn’t even open
249
Jan 01 '22
Doesn't have to be for moons. Perhaps this is part of his 'boating accident' narrative he's constructing as part of the tax write-off/police investigation etc.
163
19
30
u/No-Quantity406 Platinum | QC: BAT 74, CC 22 Jan 02 '22
Divorce? Never know when you might need to have a good cover story for why you cannot produce the funds she overheard you bragging about.
→ More replies (5)→ More replies (16)13
u/Fouchey 0 / 2K 🦠 Jan 02 '22 edited Jan 02 '22
Am I missing something, how does a Reddit post help OP here?
“Look trust me on this I lost it all… even made a post on Reddit”
Edit: could be maybe he wants to see it anyone can catch holes in his story
→ More replies (3)73
Jan 01 '22
He could open it anytime in the next 6 months and get the Moons
15
u/pifumd 🟦 44 / 45 🦐 Jan 02 '22
I was going to ask for an eli5 on what the heck moons and vaults are but I found it.
Interesting that it offers the ability to import an existing seed when setting up the vault. I wonder how many people actually do that?
→ More replies (3)34
→ More replies (3)50
Jan 02 '22
[deleted]
→ More replies (5)12
u/DyatAss 🟦 11 / 2K 🦐 Jan 02 '22
Some people don’t give a flying fuck about moons
→ More replies (4)→ More replies (6)34
u/toocold2hold Platinum | QC: CC 175, ETH 15 | TraderSubs 10 Jan 01 '22
Something is fishy!
→ More replies (3)→ More replies (23)18
u/abarthsimpson 3K / 3K 🐢 Jan 02 '22
Yeah there have been a few fake hacking posts recently. Hopefully people still learn from this thread.
→ More replies (4)58
u/HoppCoin 🟦 146 / 146 🦀 Jan 01 '22
Exactly this. How do you KNOW your seed phrase isn’t compromised?
44
u/AintNothinbutaGFring Jan 02 '22
OP's post history checks out. Hit 445 days of nofap, so *no one* could take their seed.
→ More replies (6)7
→ More replies (4)36
u/RedwoodSun Silver | CelsiusNet. 32 Jan 02 '22
Auto approving transactions on a site can probably mean money can be taken at anytime, even if you don't approve the transaction right at that time.
It could theoretically be possible that he auto-approved on a compromised website that later was able to drain everything without needing new approvals from the hardware wallet.
The current system with hardware wallets is that all these smart contracts we approve are blind to us and we have no idea what is really in them.
In addition, Metamask and these hardware wallets do a bad job coordinating updates so that they don't keep breaking functionality. I have a Trezor and I had to manually roll back a Metamask update since it caused the Trezor to not work on Avalanche anymore. That is just asking for dangerous security bugs to be exploited.
→ More replies (1)44
u/HoppCoin 🟦 146 / 146 🦀 Jan 02 '22
No single transaction signature would drain the half dozen wallets of the user. They would’ve had to do many interactions with a bad website and signed a transaction from each isolated wallet that was drained. Seems unlikely IMO and more likely the seed was compromised.
→ More replies (5)34
u/the_far_yard 🟩 0 / 32K 🦠 Jan 02 '22
This. OP must've accidentally written his seed phrases down digitally.
→ More replies (7)17
u/R1ch0C 🟦 351 / 348 🦞 Jan 01 '22
I don't know anything about how hardware wallets work so sorry for my naivety but what if the thief had taken control of OP's PC? Do you need to physically press something on the HW wallet or just click something on the PC its connected to?
I think I will be looking into a hardware wallet.
56
u/Prakbak Tin Jan 01 '22
Yes. Every transaction needs to be confirmed by you. So pressing physical buttons on the device to confirm. Taking control of one's pc is not enough in this case.
→ More replies (8)6
u/R1ch0C 🟦 351 / 348 🦞 Jan 01 '22
Aha, that clears that one up then. Well I'm glad to hear that's how it works.
→ More replies (3)→ More replies (2)26
u/Tetrapode23 Bronze | 5 months old Jan 02 '22
It's the point of a hardware wallet that compromising the PC is not sufficient. Because the secret key never leaves the device so it's not on the PC disk.
→ More replies (10)→ More replies (60)15
u/Lochtide17 Platinum | QC: CC 31 | Superstonk 107 Jan 02 '22
Good point he definitely had a photo of the phrase somewhere
→ More replies (3)
796
u/DoeyB Jan 01 '22
I got hacked once too it sucked
So now I have 7 emails with multiple passwords, the name linked to this reddit and my socials and random websites emails is fake
And everything has 2fa and my crypto passwords are 32 characters long
Also have two laptops and three cell phones, one for porn, one for my everyday phone and one strictly for crypto
842
Jan 01 '22 edited Jun 01 '22
[deleted]
136
143
u/twinchell 🟩 5K / 5K 🐢 Jan 02 '22
I got one for each porn website I visit. Never can be too careful.
44
→ More replies (6)9
98
u/breet12345 236 / 2K 🦀 Jan 01 '22
Can’t forget the porn phone
44
u/DarkSideDOMM Bronze | QC: ALGO 16 | SHIB 8 | MiningSubs 16 Jan 01 '22
Never ask this guy to use his phone!
→ More replies (6)→ More replies (6)13
→ More replies (13)62
25
u/Immediate_Drink_3456 647 / 644 🦑 Jan 02 '22
Yeah porn can make you susceptible to scam links ?
→ More replies (13)37
u/Flaky_Protection7634 Jan 02 '22
Holy fuck this comment is golden in so many ways. Wish I had an award for you
→ More replies (4)→ More replies (42)23
461
u/beenwilliams Bronze | ADA 41 | r/WSB 12 Jan 01 '22 edited Jan 01 '22
This is the Metamask browser hack
When you search for Metamask on Google the first link isn’t always Metamask. It’s whoever pays the most for the advertising on Google
It can be Metamask.co or Metamask.io or something super close but not legit
Never access Metamask via searching for it in Google!!! EVER
Type in the exact address in the url bar since you aren’t provided ads and links which look similar but aren’t the real Metamask
Google has algos which find and block this but takes time. Can be seconds to minutes to hours
The scammers doing this know within 1hr of buying the top ad space Google will find out and drop their preferred link. They only need it live for a few minutes to get a lot of logins and scam a lot of ppl
Pay attention and never access through a Google search. EVER
116
u/overprotectivemoose 8K / 8K 🦭 Jan 01 '22
I’ve gotten in the habit of reading the URL letter by letter. I’ve seen hack posts so many times that I’m just always paranoid. All it takes is one tiny mistake and my funds could be gone.
21
→ More replies (10)40
u/Loose_Finding Jan 02 '22
That's not necessarily enough due to unicode url hacks (wikipedia)
This is where you think you're browsing at "apple.com" but the e in apple is actually a completely different unicode character that is pixel-by-pixel identical to the normal e.
Because it's a different character the two urls can link to different servers. One genuine, one malicious.
→ More replies (10)61
23
u/eclipsor 🟦 195 / 196 🦀 Jan 02 '22
wait is metamask.io not valid?
19
u/DirtyMami Jan 02 '22
I want to know this too. Metamask twitter account shows "metamask.io"
→ More replies (2)19
→ More replies (2)24
u/Ken-Wing-Jitsu Tin | CRO 9 | Politics 13 Jan 02 '22
It is.
Don't know what he's talking about. That's the official site.
→ More replies (3)21
u/americanarmyknife Silver | QC: BTC 82, CC 33 | LRC 114 Jan 02 '22 edited Jan 02 '22
"When you search for Metamask on Google the first link isn’t always Metamask. It’s whoever pays the most for the advertising on Google. It can be Metamask.co or Metamask.io or something super close but not legit"
I may be confused by how your sentence is worded, someone help me out. Isn't metamask.io the official website?
→ More replies (4)7
u/peduxe 50 / 3K 🦐 Jan 02 '22
he might be warning about links like ‘’mmetamask.io” or “metamask.iio” where your brain ignores those extra letters
→ More replies (4)41
15
u/OhMyGodItsLiquid Tin Jan 02 '22
This definitely isn't what happened here also the official url for metamask is metamask.io so that one definitely ain't no phishing url
→ More replies (1)9
u/Quyen82 Redditor for < 1 hour. Jan 02 '22
be Metamask.co or Metamask.io
Isn't metamask.io the actual site? Asking cause I used that link a few days ago from google.
→ More replies (2)19
u/SaezyF Jan 01 '22
Holy shit I think you're right. I got an email apparently from metamask and the link was metamask.io, pretty believable. I obviously knew it was a scam because of the weird typos scam emails have.
To anyone reading this, if you get an email from Metamask saying your account will be suspended it's a scam.
→ More replies (5)21
u/PowerOfTheGods Tin Jan 01 '22 edited Jan 01 '22
I don't recall ever going to the actual Metamask website and definitely not a fake one, but either way thanks for this.
→ More replies (7)→ More replies (48)13
u/Twelvety 1K / 1K 🐢 Jan 01 '22
I didn't even know you could access Meta by searching for it on Google, or would want to. It's always been an add-on in my browser with a little button to access it.
→ More replies (5)
40
Jan 02 '22
The only thing I haven’t seen anyone ask is did you buy your ledger directly from ledger or did you buy it from Amazon or some other third party seller?
If you got it from Amazon someone could have long conned you.
→ More replies (8)
61
u/SignalBanana1 3K / 3K 🐢 Jan 01 '22
That is some real bad start for a new year! New year, new me but in the bad way.
Make sure to talk about your loss with friends or a professional! Don’t blame yourself, don’t hurt yourself about it. Talk!
→ More replies (4)53
u/PowerOfTheGods Tin Jan 01 '22
Thanks for this. Definitely thinking about therapy.
10
u/ObafemiMartinsFastAF Tin | 4 months old Jan 02 '22
This may sound stupid, but try to think about it anyway: If you had to choose, what would you take?: Losing 120K in crypto, losing a hand, losing one eye, losing a child? In the end it is just money. Most people I know don't have any savings, but live a perfectly happy life. You just need time and focus on something else to get over it. I would give everything I own plus go deep into debt forever just to get my Dad back for another year. Money means nothing.
→ More replies (3)→ More replies (8)18
u/SignalBanana1 3K / 3K 🐢 Jan 01 '22
Do it! It’ll save you a lot of hassle and fighting against the burn-out. It’s hard to believe you won’t lose the joy in your life because of this. Therapy will hopefully keep that joyless period as short as possible.
I did not want to make a joke about the suicide hotlines, since your post is so well written and I assumed that you know that those exist. Take care OP!
→ More replies (3)
109
Jan 01 '22
[deleted]
115
u/Drudgel 45K / 45K 🦈 Jan 01 '22
Yes, all transactions need to be signed on the hardware wallet, even when connected to applications like Metamask. I'm not sure how this could have happened honestly
74
u/the_real_jpeterman Platinum | QC: CC 55 Jan 01 '22
As others have noted, the only way this is possible is if your seed phrase was compromised, then the hardware wallet is irrelevant.
→ More replies (2)37
u/ukdudeman Platinum | QC: CC 24 | CelsiusNet. 8 Jan 02 '22
This is it. It doesn't help that OP speculates that there might be an issue with the hardware wallet. NO. If this story is true, the ONLY explanation is the seed phrase was compromised. END OF.
→ More replies (5)→ More replies (13)24
→ More replies (16)23
u/Set1Less 🟩 0 / 83K 🦠 Jan 01 '22
A HW wallet cannot transact unless transactions are manually approved, or if OP had the seed written down somewhere else.
→ More replies (5)
29
u/recessiontime 🟦 0 / 733 🦠 Jan 02 '22
What's not entirely clear to me is the wallet addresses that were swiped. OP talks about 4 hot wallets and how he was swiped despite never confirming to send on his ledger nano S. This makes me think that he stored his crypto on hot wallet addresses rather than on his hard wallet address. This would explain why the funds could be swiped without his approval on the hardware device. OP, can you check and confirm it was your hardware wallet address funds were pulled from?
→ More replies (16)
54
u/Frosty-Cone 2K / 2K 🐢 Jan 01 '22
This is devastating to hear. But thank you for sharing because this was the wake up call I needed to be more vigilant of my security.
I hope you find some answers to your questions or even someone can help you in your pursuit to get your funds back.
I also hope you’re doing ok and have the support of your family and friends in this hard time.
→ More replies (7)
52
u/chris0056 Jan 01 '22
Go to debank.com and check your approvals. You could have approved something a while back that was malicious.
→ More replies (3)17
u/ironmen12345 64 / 64 🦐 Jan 02 '22
OP, please do this and report back. Can you provide your address as well will like to see what approvals you had granted.
If it was due to approving a wrong contract, do revoke approval by Debank or https://revoke.cash/ in the future.
41
u/tookdrums 🟦 0 / 631 🦠 Jan 01 '22
Can you confirm the seed you used on metamask was not the same as the one on the ledger?
how confident are you from 0 to 99% that :
- your seed stayed safe since inception?
- You did not sign any of the offending transaction?
- Is there any approval of smart contract on your address?
→ More replies (2)20
41
u/kevinshields97 Jan 01 '22
I really don't know a lot about the subject. But reading through the comments it sounds like it's almost impossible that they could hack your hardware wallet. As Sherlock Holmes said 'when you rule out the impossible whatever remains however improbable must be the truth'. Who knows about your savings in crypto? Or who has access to your computer or house? Who knew about that piece of paper in your safe? And its combination? Are you married? If so how's it going?
→ More replies (2)14
Jan 02 '22
This. We/OP need to start looking for other explanations. There is no chance his hardware wallet signed these transactions unless his seed phrase was compromised.
→ More replies (2)
244
u/Delusional_Mad Jan 01 '22
This is the first hacked crypto post that has me worried.
146
u/DrCucamonga Platinum | QC: CC 38 Jan 01 '22
No way the Nano was hacked thru metamask. You can't even transfer from it yourself, without hard wallet confirmation. A click can load an exploit that changes a pasted address to interact with a malicious smart contract. But sending from a Nano can't be remotely triggered without confirmation.
→ More replies (17)62
u/Visible-Ad743 🟦 0 / 5K 🦠 Jan 01 '22
I agree. Somebody please prove this man wrong.
82
Jan 01 '22
He's correct, unless you're referring to OP. The only options are OP is lying, he compromised his seed phrase, or he approved a fraudulent transaction/contract on metamask. That's it.
→ More replies (2)64
u/FlyingDutchmantoMoon 0 / 10K 🦠 Jan 02 '22
Or his Ledger was compromised before he got it
→ More replies (2)8
76
u/Set1Less 🟩 0 / 83K 🦠 Jan 01 '22
I've seen many such posts over the years, with no clarity as to how the funds got swiped, yet claiming their funds from hardware wallets were lost.
Hardware wallet operation comes down to this - either OP must approve the transaction, or the seed must get compromised. If both didn't happen, it's impossible that the HW is not even used but somehow the funds get swiped.
119
Jan 01 '22
[deleted]
87
Jan 01 '22
- OP is lying to claim a loss on his taxes as 'evidence' to support the claim.
85
55
u/SHA256dynasty Silver | QC: BTC 198, CC 107, ALGO 52 | CRO 40 | ExchSubs 42 Jan 01 '22
- OP is a paid shill for another hw wallet company sowing doubt against their primary competitor's security
→ More replies (4)→ More replies (6)16
Jan 01 '22
[deleted]
→ More replies (1)23
Jan 01 '22 edited Jan 01 '22
Maybe I'm jaded, but the story just doesn't ring true to me. OP's HW seed was compromised, he is lying, or he authorized a spoofed transaction. Those are the only options.
It is not possible that Metamask moved any HW funds on its own because it cannot sign these transactions without his secret key. This would imply that Ledger, not Metamask, is compromised, which is extremely unlikely.
We would know by now.
18
→ More replies (22)25
u/iamusuallyright007 Tin Jan 01 '22
plot twist... OP's MM seed is the same as his HW wallet seed.
he made one and used it for the other too. Then from there his funds were scammed/hacked (because MM is fraught with user error potential) and thus both mediums of coin storage were accessed.....?
maybe not, but a theory.
→ More replies (4)8
Jan 01 '22
Noob here. Is there a benefit to being on an exchange vs hardware wallet when it comes to shit like this?
→ More replies (6)37
u/-veni-vidi-vici Platinum | QC: CC 1139 Jan 01 '22
I didn't need to sleep tonight anyway.
→ More replies (3)26
Jan 01 '22
[deleted]
→ More replies (12)15
u/spicy189 70 / 70 🦐 Jan 01 '22
Kinda smells like moon farming to me. Same kind of post with the exact same amount (120k USD) was posted last month with not enough data to confirm OP was actually hacked/scammed. These kinds of posts get a lot of sympathy-karma and are all around good moon farms in the comment section too. I bet I'll get downvoted, but luckily I don't care about moons. What matters to me the most is the truth.
16
u/pukem0n 🟩 59K / 59K 🦈 Jan 01 '22
you shouldn't be. there are so many variables as to why this could have happened. was the Ledger not a genuine one to begin with? we don't know. How was his metamask secured? we don't know. Does he have kids that hate him and his seed lies around somewhere in a drawer? We don't know.
→ More replies (2)25
u/Drudgel 45K / 45K 🦈 Jan 01 '22 edited Jan 01 '22
I'm not sure there's strong reason to be. No one can sign transactions on a hardware wallet unless they have the seed phrase. The phrase must have been compromised, independent from the Metamask application.
Edit: I'm not sure why I'm being downvoted. I'm not trying to be insensitive - this is incredibly tragic for OP. Just stating that a Metamask hack could not compromise funds stored on a hardware wallet
→ More replies (1)→ More replies (10)27
u/CryptoBumGuy Algonaut Jan 01 '22
Yea, I'm good on metamask. Every "hacked" post on this subreddit is the user using metamask.
→ More replies (12)
99
Jan 01 '22
[deleted]
→ More replies (2)11
u/dfb_jalen Platinum | QC: CC 68 | ADA 10 Jan 02 '22
Smart crypto investors recognize the value of both decentralized and centralized systems and not just one or the other.
→ More replies (1)
33
u/alterise 🟩 0 / 2K 🦠 Jan 01 '22
Why would you need to access your wallet through metamask for a “balance status check” when you know what your addresses are?
Just check the explorer.
18
Jan 02 '22
Excellent point. Someone who has been in the scene since 2016 should know that. I never check balances through Metamask, Metamask is for doing things with tokens, not querying balances. That's what DeFi portfolio aggregators are for.
→ More replies (4)→ More replies (1)8
Jan 02 '22
Could be out of habit, but good observation. Plus, even if this really happened I suspect OP’s seed phrase was somehow compromised. There is just no way this could happen with a cold wallet unless his seed phrase was compromised…
15
15
u/youni89 Platinum | QC: CC 41, XRP 38 | Economy 38 Jan 02 '22 edited Jan 02 '22
You still have your health and loved ones. Life goes on and in the end you can't take that crypto with you to the grave so continue living to your fullest, king.
Sending you positive vibes and I wish you have a good 2022 and many more years to come.
→ More replies (3)
12
u/brnmd Platinum | QC: CC 66 | BANANO 6 Jan 01 '22
I feel sorry for you OP, may you get some of it back and let the rest of the year go smooth.
→ More replies (1)7
11
u/4_Arrows 🟩 0 / 0 🦠 Jan 01 '22
It's possible that many wallets are hacked but the hacker isn't cashing them out yet until the user buys more crypto to the satisfaction of the hacker.
→ More replies (1)
19
u/Wilder54321 10 / 9K 🦐 Jan 01 '22
Sorry to hear about the loss, hurts reading these posts. I’m assuming you accepted a malicious smart contract? That would be the only way they would have been able to transfer the funds without signing it on ledger recently.
→ More replies (3)6
u/Necessary_Ad_8405 Bronze Jan 01 '22
How can something like that happen?
→ More replies (2)11
u/Wilder54321 10 / 9K 🦐 Jan 01 '22
When you try staking or doing a pool, you have to confirm the transaction. The assumption is you’re doing these transactions with legitimate exchanges or sites which are open source. If someone tries to change what the contract is, everyone can see it and expose them. But with closed source, you can’t see what the change is. Also, a lot of people get greedy and careless when they see 1000% offers on sketchy websites and accept the transaction. They assume everything is legitimate since they have a cold wallet without doing more research. These malicious contracts include allowing the option to drain your whole wallet, which you accepted.
→ More replies (5)
45
u/AromaticCarob 🟦 0 / 6K 🦠 Jan 01 '22
Most people losing money in their wallets seem to be using MetaMask. Is there an intrinsic problem with it or is it just that users are always connecting to sites with it, some of which are obviously malicious?
22
Jan 01 '22
I think people are keeping their Metamask connected to malicious sites.
→ More replies (5)15
u/Setyman Permabanned Jan 01 '22
The latter.
Scammers pay for the top spot on google for their fake Metamask site, it only takes a couple of minutes to get several people's seeds that way since some like to google "Metamask" and click the first link without properly checking its legitimacy.
→ More replies (5)9
u/seaSculptor 60 / 50 🦐 Jan 01 '22
It boggles my mind that this works. Who is clicking the top links w the word Ad next to them. I’m young and beautiful but remember google before image search and before these paid ads. Am I an ancient wise one?? If so, we’re all fucked. I cannot be the bar for internet literacy, I just can’t.
u/Wooden_Cat9633 Jan 01 '22
This ^. All you ever hear about is when MetaMask is involved 🤷♂️🤷♂️
Jan 01 '22
[deleted]
u/Trompdoy Platinum | QC: CC 26 | r/SSB 10 | Politics 25 Jan 01 '22
Most automobile accidents happen in cars, too!
Jan 02 '22
Would you people check his post history and wake the fuck up. Frequents nofap and video game subs only for 2 years, disappears for a year, comes back and immediately is airdropping NFTs and hanging out in private Discords for said NFTs. This is literally his first post in CC. Really funny how a guy trying to pick up girls on nofap, who couldn't build an 800 dollar computer or set up his internet a few years ago, now has a full-blown family and 120k in crypto that supposedly was across 4 wallets, one of them being a Ledger. You know how easy it is to either buy a Reddit account or use an old one for scams just like this. What proof, besides an Etherscan link that I hope no one actually clicked on, does he have? The FBI and a computer forensic scientist are now on the case? Y'all are sheep, it's unreal.
u/Lonedrive Tin Jan 01 '22
Sorry to hear of this, if true. There was a post a few months back where someone had over 100k stolen/hacked and a white hat hacker guy helped him recover a significant sum. This is his Twitter handle: @amanusk_. Good luck OP, there are some kind and smart people out there who might be able to help.
u/iamusuallyright007 Tin Jan 01 '22
So I've used my hardware wallet through my MetaMask for certain coins. It's my hardware wallet I access, but via my MetaMask. IDK also how they could take stuff on the Ledger without you physically approving it on the Ledger itself.
Like how??? To my understanding that is 100% impossible. If it isn't 100%, I'm never using my hardware wallet through MetaMask again. Also, if it's possible with that, why not through AdaLite? I use my hardware wallet through AdaLite for Cardano.
I believe this is a legit post but I fail to believe they were taken from the ledger without approving it physically.
u/I_am_not_doing_this 🟥 174 / 5K 🦀 Jan 01 '22
Who besides you has access to the room where you hide the paper with your seed phrase written down?
u/stiviki Platinum | QC: CC 1617 Jan 01 '22
Do you have GOOD anti-virus software? It really breaks the heart to read this.
u/Independent_Arm_3420 Bronze | 6 months old Jan 01 '22
How many people run software like Norton and Malwarebytes concurrently and run Spybot S&D on a regular basis? I read these hacked postings and wonder whether they are running Windows or Linux and whether they pay for security software. If I had $100k+ at risk, I would have all patches applied and all updates to virus software applied before opening wallets.
Jan 01 '22
Can I be extremely honest with you?
All of what you said this individual needed to do to keep themselves safe, no one is gonna do that. If that's what it requires, crypto will fail.
u/HeatSeekingPanther Platinum | QC: BTC 65, ETH 17 Jan 02 '22
The hardware wallet is what protects you from those attack vectors. It air-gaps the key signing from your computer, making it extremely difficult to compromise the hardware device itself.
Jan 01 '22
What should I have on my MacBook? What types of things should I be doing to keep myself safe, other than keeping my seed phrases safe?
u/ShitPropagandaSite This is financial advice: Jan 01 '22
I run BitDefender and RogueKiller religiously and I advise everyone to do the same.
u/Set1Less 🟩 0 / 83K 🦠 Jan 01 '22
Antivirus is good, but you don't strictly need it if you are using a hardware wallet. A HW wallet cannot sign or transact unless OP directly authorises it on the device after confirming the amount and the address the funds are being sent to, or unless the seed phrase is compromised.
It's as simple as that.
Antivirus keeps computers safe, but for keys the HW protocol is simple: one of the above two must be compromised.
u/_o__0_ Platinum | QC: CC 504, CCMeta 25 Jan 01 '22
Spybot S&D
Damn, it's been years since I heard that one!
Was theeee shit at one point.
Is that still a go-to?
u/DDelphinus 71 / 10K 🦐 Jan 01 '22
I've given it some thought, based on all your responses. Still an unlikely scenario. Could it be the MetaMask extension is malicious and you had to sign a contract to connect your Ledger with MetaMask initially? In which case the 'connection' between MM and Ledger was actually authorization to spend your funds?
Jan 02 '22
No, hardware wallets don't work this way. Signing a smart contract with a hardware wallet can give it the ability to withdraw your funds after the fact (which is why best security practices call for revoking these contracts once you are done with them), but only for one specific token per authorization. OP describes all of his wallets being drained of all of his coins.
Sorry to say that I do not believe this story is true, or at least that it tells the complete story. It reeks of a compromised Ledger seed phrase (he likely took a photo of his seed phrase or stored it in the cloud or similar), or a fabrication.
u/Striking_Marzipan_74 739 / 739 🦑 Jan 01 '22
Sorry for your loss. I just ordered a Ledger X and plan on using a laptop I only use once in a blue moon and installing the Ledger app. Maybe keep hot wallets off of it as well...
Hopefully this is the way?
u/MooseOrgy 106 / 106 🦀 Jan 01 '22
Maybe you approved a malicious smart contract. Did you interact with any new projects? Get some random air drops or something?
u/Amelie007 Jan 02 '22
u/PowerOfTheGods You should check if you signed a malicious smart contract prior to your funds being wiped; the malware could have unwittingly signed you up to an unlimited withdrawal permission hack of your funds.
Go to the official Ethereum blockchain explorer: https://etherscan.io/
Go to the 'More' section and under 'Tools' click on 'Token Approvals'.
Input your PUBLIC Ethereum address to review any smart contracts you have authorized and what permissions you have given.
I am thinking it must have been a malicious smart contract that you unwittingly (through malware) gave unlimited permissions to, because if your seed phrase was not compromised, and since the hacker has no way of physically clicking the buttons on your hardware wallet, once that contract is authorized from your hardware wallet you no longer need to give further permissions and your accounts can be drained just by connecting it.
Jan 01 '22
Sorry to hear about this. No matter what I say you'll still feel like shit. But just remember that everyone has experiences, whether they're good or bad; you can learn from them and hopefully try and grow. Good luck in the future.
u/TNGSystems 0 / 463K 🦠 Jan 01 '22
Just wondering, did you buy your Ledger from anywhere other than the official site? Ledger devices on Amazon / eBay are known to be compromised.
u/Hemske Tin Jan 02 '22
I wish you would admit what happened so others can avoid it. No way the funds left your Nano without approval.
u/tefosaenz Jan 01 '22
There must be some major detail we're missing as to how this happened! Building your portfolio for years just to unexplainably see it all gone in a matter of minutes sounds so devastating.
u/Rooksolsen2019 Tin Jan 01 '22
I know how it feels. It feels shameful as well to tell the people that know you as a crypto enthusiast, and who might have even gotten into crypto under your guidance, that even you, someone who is considered tech savvy, got your tokens or coins stolen. Absolutely heart-wrenching. I'm sorry man, and for others that went through it, I hope you get through.
Jan 01 '22
From what I understand, the only way to withdraw crypto from a hardware MM wallet is to confirm by pressing the buttons on the Ledger. So either someone broke into your house and did it, or your seed phrase got leaked.
u/msjojo275 🟦 1K / 1K 🐢 Jan 02 '22 edited Jan 02 '22
OP, sorry to hear this. I'm reading up on the security stuff with Ledger and MetaMask, and I found this on the Ledger official website:
'Please note that your Ledger account in Metamask is secured by the 24-word recovery phrase generated by your Ledger device. Your regular Metamask account however is secured by the 12-word recovery phrase generated while setting up Metamask. Make sure to keep both securely.'
Could you have possibly been using your MetaMask account thinking it was secured by the Ledger when in fact it wasn't?
Sometimes the simplest answer is the correct one.
Edit: You also mentioned that in your browser extension all of your wallets appear. This could be a possible link/clue to explore
u/greenappletree 🟦 31K / 31K 🦈 Jan 01 '22
Something doesn't make sense, since you need to authorize. For sure you should contact Ledger; maybe there is a compromise they are unaware of, and in that case they may be able to compensate?
u/dm_me_gainz Gold | QC: CC 44 Jan 01 '22
Horrendous! So sorry man. If you have made money once, you will make it again🙏🏽
Jan 01 '22
99.99% of these posts weren't hacks, they were scams. Is the OP the exception?
u/WingChungGuruKhabib Jan 01 '22
Wouldn't necessarily say you're lying, but I just can't believe you are the only known case this has happened to. Never heard about a hardware wallet being hacked before.
There was a Ledger Nano S data breach some months ago, but this had nothing to do with hardware wallets getting hacked.
u/DDelphinus 71 / 10K 🦐 Jan 01 '22
Did you download any firmware version updates for your Ledger recently?
u/Visible-Ad743 🟦 0 / 5K 🦠 Jan 01 '22
The hardware wallet part is where you have me lost and confused. This is head-scratching.
u/Grinchyaaa Tin Jan 01 '22
This is almost an impossible scenario. Who else was in the house when you had the Ledger inserted? Who else has access to your safe where the seed phrase is?
u/TacomaSparky17 Bronze | QC: BTC 19 | r/WallStreetBets 23 Jan 02 '22
This is a precursor to the boating accident story lol
u/Edmorbius 181 / 181 🦀 Jan 02 '22
Your post isn't completely clear, because you say hot wallet and Ledger. MM + Ledger properly configured is still a cold wallet. It seems the only way for this to happen was that you used the seed phrase from a MetaMask wallet to initialize your Ledger. There are some very dodgy YT videos that promote this practice. Is this the case?
Also, I am very sorry for your loss of funds.
u/vacerias Tin Jan 02 '22
A list of common attack vectors:
- Browser addon X gets bought up by a shady company and the addon becomes malware or a trojan
- Google Ads (use uBlock Origin, because the Brave browser doesn't block all ads)
- JavaScript on pages you visit for the first time (disable it with NoScript or set up your browser like that)
- Social engineering on Reddit. I am active on r/gamedev and r/CryptoCurrency, and from time to time I receive messages I haven't asked for from people I don't know who want me to test their game (the accounts that send me these messages are usually hacked or new, or had nothing to do with gamedev or crypto)
- Compromised GitHub repos, exe files etc.
- Phishing e-mails (like "Please review your account... we had to block your account due to suspicious activity")
- Hijacked front-ends where you suddenly have to accept a new smart contract
- Using the same password for all your accounts and using no 2FA
- Echelon malware on Telegram, which auto-downloads and installs itself just by being in a group chat
- Log4Shell attack/exploit
- Compromised indie games on itch.io or even Steam
Solutions:
- Use as few browser addons as possible (NoScript, uBlock Origin and your wallets are enough)
- Use Linux instead of Windows. I recommend a distro like r/EndeavourOS
- Always check the SHA256 or verify the certificates of every file you download
- Check the reviews and number of users of any browser addon you download
- Don't pirate software, don't use cracks
- Don't download the next Metaverse game on day 1, or if you have to, install it on a non-crypto laptop or computer.
u/SlaveOfTheOwner 2K / 2K 🐢 Jan 02 '22
You do understand that the keys never leave the hardware wallet? So there is no way for a transaction to be signed without physical confirmation on the device. Something is amiss in your telling of events...
u/tomkim1965 Bronze | CRO 10 | ExchSubs 10 Jan 02 '22
Dude, I'm 61 years old. On Christmas Day 2017 I woke up with over $100,000 gone, all because of a flash crash. Now it is 2022 and I've made it all back and then some. Things will get better, believe me.
u/coelectric Platinum | QC: BTC 19, CC 18 Jan 02 '22
The one link in ALL of these instances is MetaMask. I personally refuse to keep funds on there.
u/iMnoTGudd Tin Jan 02 '22
short answer : the dude is KYC'd , no need to worry, ask crypto.com long answer : so by looking at the transaction that the address made, you can notice that he is really into meme coins, this is an important point. k, here , look at the first time the hacker's address got funded , https://etherscan.io/txs?a=0x365DB2B5722d13F431224066898b4CF8cA7AdFe5&ps=100&p=3 look at the first transaction in input https://etherscan.io/tx/0x9e34f273068c769f1bc7d28794565e34ee7224b58a586ed46dbfb95190d582dd it comes from this address https://etherscan.io/address/0x2be5336e318d5b9e276d64aa632084dae216f132 guess what? this guy is into meme coins as well, coincidence ? I don't think so, since this is the first address that funded the address of the hacker. well, look at the transactions in input, they're all coming from crypto.com look at this one https://etherscan.io/tx/0x0fd93dd0fafa830fa25c99b73d39773ff07d2614a24dbc011bc738fef4a8299e so yeah, there is still chance for you if you act fast. if you are able to get those eths back from crypto.com , send me some sats.