
Tell HN: Crypto Wallets Trust Wallet and Ledger appear to be compromised

28 points | fadys | 5 years ago

I'm really devastated. My nephew just called me and told me all his cryptocurrency is gone -- valued over $40,000. He has spent years earning it and resisting pulling it out, hoping he could eventually use it to pay for his college education.

Here are the facts:

- He has a Ledger Nano S wallet.

- That wallet had 4.77 LTC, 4.48 ETH, and 0.73 BTC.

- The Ledger generated a passphrase containing 24 words. He didn't add the 25th optional word.

- He recorded that passphrase on a piece of paper and hid it.

- No one had or has access to that paper. This is an absolute certainty.

- That passphrase (those words) was NEVER entered anywhere.

- On February 24th at 5:45 AM Eastern Time, the BTC was stolen.

- On the same day, at 6:46 AM and 6:48 AM, the ETH and LTC, respectively, were stolen.

- He also has a Trust Wallet.

- He had $1500 worth of NPXS and $1000 worth of TRX in that wallet.

- On February 24th at 6:48 AM and 6:55 AM both of those were stolen.

- The passphrase for the Trust Wallet is saved as a screenshot on his iPhone.

- His iPhone has not left his possession.

- His iPhone has a 6-digit passcode.

I have the recipient addresses. It looks like the thief has stolen crypto from others as well.

Note: Both wallets were hacked on the same day at around the same time. Both had separate passphrases.

Can someone please shed some light on what can be done, if anything? How were both wallets compromised at the same time?! If nothing can be done to retrieve the crypto, what can be done to prevent this from happening in the future?

Edited to add:

Here's the BTC transaction: https://www.blockchain.com/btc/tx/4b05e788a4338d330f3d8a19c87c520e78db28c356c1e6bc1fd4d7e186c91892

62 comments


lacker|5 years ago

It's possible that those wallets are compromised, but it's quite strange that both of them would be compromised at the same time. It's also strange that someone in possession of a compromise for one of these wallets would use it for merely $40,000.

To me it seems more likely that your nephew is mistaken about some aspect of this story. Perhaps he used some malicious software and subsequently forgot about it. Either way, there is nothing that can be done.

In the future, your nephew would be better off using traditional saving methods rather than self-controlled cryptocurrency. If he can't figure out what he did wrong, it's likely he won't be able to prevent it from happening again.

gruez|5 years ago

>but it's quite strange that both of them would be compromised at the same time. It's also strange that someone in possession of a compromise for one of these wallets would use it for merely $40,000.

Which is why I think this is an inside job (i.e. someone close to him, or as some suggested, himself). If this was a remote hacker, it would require quite a bit of effort: scouting him out as his target, hacking his computer/devices/accounts, discovering his holdings (as opposed to just grabbing the trust wallet and running), preparing the malware/ledger exploit. While it all might be worth it for $40k, there are probably better targets than some kid with only $40k in crypto. It's far more likely that someone he knows or is close to him got access to his iCloud account (through his unlocked phone/computer), and found his stash where he stored his ledger recovery phrase.

jackcodes|5 years ago

So I’ve read through the comments, and I can see that you’re adamant the seed phrase isn’t the attack vector, but I’m going to be listing things down in order of what I see as being a rough probability. Please don’t see any of this as accusatory in any way - it’s more that I keep an eye on OpSec for crypto generally despite not being an expert.

First question; was the amount stored on the ledger stolen during a transaction? If so then he may have been exposed to the same targeted Metamask attack as experienced by an NXM founder https://medium.com/@hugh_karp/nxm-hack-update-72c5c017b48. This wouldn’t explain the BTC and LTC transactions though.

My collection of possibilities:

1. The seed phrase was exposed. Maybe not from your piece of paper, but perhaps it was saved onto a text file, jotted down into notes, captured somewhere else. I realise given the other comments you are likely to disregard this one, I get it, but it still seems to be the most likely from the outside looking in.

2. The computer used to make transactions was hacked, as per the Metamask hack above.

3. Your nephew got into trouble and needed money. I’m not saying he’s lying to you, but he could be trying to save face.

4. A device on his network got hacked and he was subjected to a pretty targeted attack which could have made false transactions on his behalf if he accepted the certificates on his device, maybe. Perhaps a worm on his computer propagated to his iPhone to read the trust key.

5. Both Ledger and Trust are compromised to remote attacks. This would mean someone has found a way to read the seed phrase from Ledger and Trust remotely and then dump the wallet entirely. This would also make him probably the first person in the world to face these vulnerabilities on both apps. Hopefully you can see why 1 & 3 seem more likely than this.

willj|5 years ago

Can you give us more reason as to why you're 100% sure the paper was not accessed? You don't need to tell us where it is/was, but your extreme certainty in that fact seems greater than the certainty I have about almost anything in my life.

Another possibility no one has mentioned yet: is it possible your nephew is lying? Perhaps he "stole" the cryptocurrency from himself, and went to his relative hoping they might give him pity money to get him back on his feet? Just a wild guess.

fadys|5 years ago

I have the transfer-to addresses. The thief has done this multiple times...for 7.5 BTC too, in one instance. He's not lying and has never been known to lie.

I'm sure in the same way you can be sure that if you were tasked with doing the same thing, you'll feel 100% confident that no one would be able to access that paper. And even if they did, they wouldn't know what they were looking at.

doggosphere|5 years ago

Simplest explanation is the most likely.

Both wallets were accessed at the same time, indicating seed words for both wallets were exposed.

Regardless of what your nephew remembers, or believes about how he handled his seeds, someone got access to that data.

One culprit could be cloud hosting like iCloud, google docs, dropbox, etc.

gruez|5 years ago

> Simplest explanation is the most likely.

Not to mention, there are probably ledger wallets holding much more than that. Think bitcoin whales or HODLers from 2012. If they really had a 0day they certainly wouldn't be wasting it on some kid with only $40k in crypto holdings. If they did, it would be part of some sort of coordinated attack that everyone would be reporting.

fadys|5 years ago

I cannot stress this enough. The seed words on paper were never exposed.

iCloud could explain his Trust Wallet, but not his Ledger wallet (with the seed words on paper, hidden and literally not seeing the light of day for years).

helpfulanon|4 years ago

My teenage nephew got RAT malware that someone used to record him watching porn. Then they used that to blackmail him, saying that they would report him to the FBI for watching porn as a minor or something. I believe they were looking for crypto as a payout.

My brother (his dad) caught wind of it and had some fun messing with the attacker. But for a moment my nephew was in some serious deep shit that he would have sneaked around to buy and send crypto to get out of.

So that's a scenario that could have happened, and would explain why he wouldn't want to tell the truth.

Alternatively - Ledger got hacked and a list of customers for the Nano S was stolen. So someone could use that for a targeted phishing attack. Perhaps the above would be a similar strategy.

Edit: Aha! There are indeed warnings of active phishing attacks from Ledger: https://www.reddit.com/r/ledgerwallet/comments/ck6o44/be_car...

Your nephew got phished, and is leaving that bit of the story out.

627467|5 years ago

"appear compromised" should be reserved for when multiple unrelated instances occur with no direct relation.

While you describe plenty of recent facts, from the "he has spent years earning it" I take it the wallets were set up years ago and honestly, I would not trust even myself on operational security of a single device/passphrase that I may regularly use.

Are you really sure that a given iPhone has never "left his possession"? Was it locked in a safe the entire time?

fadys|5 years ago

It's a wallet on his phone and a hardware wallet. Both were wiped clean at about the same time.

sillysaurusx|5 years ago

I went through a similar loss ($11k in Mt Gox). At the time, it felt like I'd lost everything.

It took years for me to really get over it. I'd like to spare your nephew from that, if possible.

The next week is going to be really rough for them. Just be there, and reassure them that things are going to turn out fine. Even if it seems like a massive deal right now -- possibly the biggest problem they've ever run into -- it's an illusion.

The fact is, determining how the money was stolen won't get the money back, just like determining why Mt Gox collapsed didn't get mine back. But I could've been much happier if I'd just accepted it and moved on.

In their case, this theft might be easier to stomach than an exchange collapse, because at least they won't live with uncertainty about whether the money is coming back. It's gone.

Try to remind them that as much as it sucks, they still have their health and their sense of humor. Both are priceless.

(Or perhaps just listen to them. Sometimes saying anything isn't really necessary.)

fadys|5 years ago

I want to make it clear that the Ledger passphrase, on paper, and hidden, was not ever accessed. And, even if it was, which it wasn't, his Trust Wallet on his iPhone was also compromised.

How can someone guess both passphrases, from separate wallets, in separate locations with different words? It's literally impossible.

Whatever technology is used to generate the passphrases in each of those wallets must be compromised.

Nothing else can explain it.

lazide|5 years ago

Was his ledger manipulated or compromised in some way before using it? Was the seed already pregenerated? Was the paper actually compromised, or some other system got the data?

There are plenty of other ways.

You keep saying it is impossible the paper was accessed, but that doesn’t mean it wasn’t- or the information got compromised another way.

Did he print it out from a common machine?

_fzslm|5 years ago

To everyone saying it's someone the nephew knew that stole the crypto, it can't be, right? Because OP confirmed the thief's address had transactions from other addresses, so this seems like a remote adversary.

I'm very sorry to hear he lost $40k, especially because he was saving it for college... I can't even imagine that much money being a student, so I just hope you guys can find some way to work this out... I guess.

That said, I don't think Ledger's security is to blame here... it is infinitely more likely that your nephew's computer was infected with something. For example, if he kept his trust wallet passphrase as a screenshot, perhaps that screenshot synced via iCloud to his PC, from which point the attacker was able to pick it up? Or they were able to retrieve his iCloud session cookie?

There are a million times more entry vectors if you consider the PC (or, hell, Mac, or whatever it is) as the infected device. I'd wipe the shit out of it and start fresh, if your nephew intends to do anything else with crypto in the future.

fadys|5 years ago

Your first point is spot-on.

But about the rest...the Ledger wallet's seed words were on paper, never seen by a computer after they were generated.

His Trust Wallet, however, did have his seed words on his phone. But again, it has a 6-digit passcode.

throwawybillion|5 years ago

Only read half the comments, so maybe someone has suggested this, but:

Either the seed or the ledger were compromised (I'm ignoring the trust wallet, that's not the interesting hack).

Either:

1. You're wrong about the paper copy of the seed (that is pretty obviously stored in your family's safe, based on your comments) never seeing the light of day.

2. There was another copy of the seed on some other medium (seems most likely to me, tbh — the trust wallet was also compromised so if there was a photo of the seed paper on the iPhone as well, that would add up neatly)

3. Someone got ahold of the ledger itself and the pin.

4. Your kid plugged in the ledger and got phished into signing a malicious transaction.

5. Someone has magic quantum voodoo powers and used it to steal < 10 BTC instead of stealing thousands.

6. You or your kid are lying.

I've been working in blockchain for 7 years and I definitely could have missed something but those are literally the only possible options that make any sense.

asidiali|5 years ago

Kid transferred the money. Either accidentally lost it with a bad transaction or intentionally cashed out. Now saving face with adults.

menmob|5 years ago

Has to be someone close to him who knew about both. I seriously doubt someone compromised ledger’s security and only stole $40k.

fadys|5 years ago

It's literally no one close to him. Please take that as a fact. The paper with the seed words was written a few years ago. It has been hidden since.

I'm willing to bet we'll be hearing about more people getting their wallets wiped clean.

mianos|5 years ago

Last year there was a leak at Ledger that exposed the name and address of everyone who bought a Ledger wallet direct from Ledger (not distributors). I assume a local criminal or group has broken in and taken a copy of the keywords unknown to you. (They do know where you live.) Obviously they would look for petty cash boxes, in the fridge and in the back of the toilet cistern. Take a photo of the keywords and get out silently with nothing else. You would never know they had been there.

aneemzic|5 years ago

I'm sorry, but if the ledger wallet was actually compromised it would be an extremely sophisticated zero day hack that the hackers would not compromise being exposed over a few hundred thousand.

The fact he saved a screenshot on his iPhone of either passphrase, which is number one do not, shows he wasn't being careful and likely made other mistakes that could have been exploited.

I do feel for your nephew, but it's almost certainly user error and not related to the ledger wallet at all.

asidiali|5 years ago

Follow up questions:

1) How did the conversation come about? Who brought up cryptocurrency in the discussion? Did you ask him how it was going on a random phone call, or did he call you to explicitly alert you to the issue?

2) How old is your nephew?

xiphias2|5 years ago

I don't know what happened, but I also lost a significant amount of BTC a few times in the past and started obtaining from scratch.

My current advised setup is this: 3 different hardware wallets from multiple vendors, generate 2-of-3 multisig. Send some money to the address, try to send back money with any 2 of the 3.

After the address is safe, put the 3 wallets in physical trezors stored with different banks. Also use the same, but very simple passphrase that you 100% don't forget (do

The cost of this setup maybe $500/year, but at $40k it's worth it.

jiehong|5 years ago

If one pass phrase was stored as a screenshot on his iPhone (which is automatically stored on iCloud without much encryption), I have little faith about the certainty of his paper words having never been accessed.

Anyways, either someone had access to his hardware wallet and had a copy of that paper at the time of the theft, or wallets are insecure.

If wallets were that insecure, more complaints and warnings would be found online, and the wallet company would probably lose all its customers. So I say it’s unlikely.

fadys|5 years ago

That's partly why I'm posting this here. There must be something else going on. The paper with the seed words WAS NOT accessed.

rasse|5 years ago

Unless the piece of paper containing the seed is in fact sealed (an opaque tamper-evident bag etc.), we can't know whether or not it was accessed.

randomhodler84|5 years ago

Was the hardware wallet “preseeded”? There is an attack where a malicious reseller sends a unit with the seed previously generated, and a prefilled card of words. When the address is funded, the reseller can reclaim the coins.

The reason I suspect this is the attacker has swept the wallets to the same addr. This could represent a supply chain attack with a common attacker.

max_|4 years ago

There are companies like Elliptic that specialize in tracking illicitly acquired crypto [0]. Probably your best shot at recovering the assets.

[0]: https://www.elliptic.co/

deft|5 years ago

He downloaded a bad app or gave his keys (unknowingly) to a web service. Or his other machines which he likely used to trade were compromised. It's his fault, there's no vulnerability.

metadeg|5 years ago

Dust the box for prints.

fnoof|5 years ago

> - The passphrase for the Trust Wallet is saved as a screenshot on his iPhone.

Could the photos have been uploaded to iCloud and compromised from there? Or accessed from another device?

fadys|5 years ago

The photo for his Trust Wallet? Maybe.

But that doesn't explain his Ledger wallet! I'll keep saying it...those seed words were on paper, hidden from all sight, without anyone knowing they exist...for years.

Then, on February 24th, both wallets get cleaned out at around the same time. Why sit on the seed words for years?

Geee|5 years ago

If the attacker had remote access to his computer, he could find the photo on iCloud and also could have seen the seed phrase through webcam.

threatofrain|5 years ago

Sounds like something that should be investigated by the relevant authorities, esp. if there are multiple people affected.

gruez|5 years ago

>the relevant authorities

Who? The local PD? NSA/FBI?

DougN7|5 years ago

Perhaps there was a keylogger installed all the way back when he created the keys/wallets.

gruez|5 years ago

Keyloggers on iPhones are unlikely, especially for a teenager. Keyloggers on hardware wallets are impossible, unless he was being dumb and entered the recovery/seed phrase back into his computer.

kleer001|5 years ago

Besides what everyone else says, just a reminder:

Humans are always the weakest security link.

shahbaby|5 years ago

What if the wallet was accessed from a compromised machine?

jiehong|5 years ago

That’s the point of a hardware wallet: nothing goes out of it. So no machine can read the private data from it.

Just like a smartcard (like a yubikey).