Topic: A bad practice that cost a friend everything. (Read 323 times)

That's it! I think it's laziness that makes people do that. Laziness of copying it out. They rather be on the fast lane and screenshot it. This same thing happened yesterday while I was trying to set up a wallet for someone I advised to buy and hodl for the bull rally. The dude made a screenshot of his passphrase and I condemned that wallet. I always advise people not to be hasty when it comes to anything finance, whether online or offline. It's this hastiness that scammers rely on to hit their targets. Extra five minutes for writing the PP out wouldn't have killed your friend and his funds would've been intact.

Well, I don't know if the screenshot thing is enabled from start before the wallet is properly set up but I know there's an option to enable or disable that on a few of the wallets I've used. Away from the screenshots of PP, what about for tutorials to show the point of what one is doing as a guide to mentee so they can easily follow up? I don't think the blame should be on the use of screenshot on wallet apps (I like having it), we should blame the user who administered it wrongly. Like they say, before you blame the hawk for wickedness you must first scold the mother hen for exposing her chicks to danger.

I didn't think that something like that and what many people usually do (I think) could have such a bad impact. I also often access my wallet via smartphone. but I use a different smartphone than what I use every day for my activities. so I have a smartphone that I only use to access wallets and exchanges. there are no social media or other additional applications.

I don't know if it will prevent me from being hacked. but from the cases you shared, it seems like almost everyone does it. permits some apps to enter your contact list and even their pictures. I'm sure not all application developers have bad intentions, but what has happened like that, clearly gives us experience and knowledge. thank you for sharing it.

Surely they will deny that accusation since no criminal will ever admit their crime committed. And I think the owner of the wallet is more liable of that because he’s never cautious of what he’s been doing to the extent of he’s the one making things easier for the thief to steal his ethereum. This might be very upsetting on his part but at least he learned his big lesson now.

This is why I don’t easily agree with  some apps that require access to your phone. It’s obvious that it’s for their own advantage why they are doing that and definitely not for our own safety. Every time it happens on me, I just cancel it immediately. Otherwise, they will have another target to victimized.

Possibly the developer must have done that to him but how could he have screenshot his phrase and got it stored on his phone. That was a silly mistake head though.

I remembered some weeks ago I was discussing with my friend and we were talking about phone apps  and their security features because I just bought her a new phone and I had to tell her to disable all connectios between the apps she would download and she argued over it so I had to explain things to her that was when she understood what I really meant. I will send her this thread to read as well to see the reasons why I told her to not grant access any app to get access to her phone.

If your friend has written to binance, I believe he would get positive results from them. Only what I would advise hi tidonis tone patient with them. Since the hacker has done his kyc with them, they must know who he is to getting more facts for the case at hand

Some people don't know how to manage the security to the wallet, they did some nasty acts thinking it's nothing without knowing those are the kind of weakness that the scammers are looking around for to see coming from us, when a user does not know how to perfectly secure his wallet seeds that will prevent any third party from knowing or seing it, all he could do was to make a screenshot of the private keys forgetting that anyone can have access to their own mobile device used while they have forgotten there's a screenshot of their seed phrase on the device.

Most crypto wallets don't allow the taken screenshot option again; they disabled it long ago, and some of them have the option for you to enable it, but that's not the case here. The thing is with the person who uses the app to create a wallet or import his or her seed phrase.
 
If the app doesn't allow for screenshots, most people still make use of a second phone to take a picture of the phrase, which not taking screenshots can't solve. It's about individual decisions. Most people are just too lazy to want everything to be done too easily when what's only required to be safe is to do some extra work by writing them down and making sure they're kept in a safe place in at least two different locations.
 
I feel sorry for your friend. After all the lessons, it still appears that he falls under the category of people who like learning the hard way, so since he experiences this loss, he will never make such a mistake again. Let's hope Binance can do something about it, but the refunding of those stolen funds is not guaranteed.

Whenever I am teaching anyone about crypto, I don’t like doing it online. I always prefer seeing the person physically because I know they will end up messing everything up, so to avoid unnecessary complains, I do ask them to visit me, or when I am free, I can just visit them to guide them on the necessary things they should do.

One of the mistakes newbies make is always taking screenshots of their private key and keeping it on their phone. It also once happened to me when I was new. I believed the easiest place to secure my private key was on my phone, so I made a screenshot then and left it on my phone. Actually, I wasn’t hacked, but after doing more research, I discovered that leaving a private key on a phone is really a wrong idea. Anyone can collect your phone and decide to go through your gallery, they might end up stealing your private key and sending out all your coins.

It may not be a developer, someone might just collect the phone and stolen the private key from it, it might even be someone close to him, maybe a friend, and it might also be a developer of one of the apps that has access to it. No one can say because there are lots of phishing apps. That’s why we have to be careful with the apps we are downloading and don’t always keep sensitive information on our phone.

Before you can make use of Binance, you have to complete your KYC first. But I haven’t lodged a complaint like this before with Binance, so I don’t know how they are going to handle it. But how sure are you that the person didn’t use someone’s Binance? Since you have reported to Binance, just wait and see the response that Binance will give. I will like you to share the response you received from Binance here.

I think it depends on the smartphone we use, look at what @Stopmix said on his reply, he was able to take screenshot of his recovery seed using Electrum wallet and you aren't able to do the same with the same crypto wallet, I think the phone we are using plays a part too, anyway, I might have lost my recovery seed in the same manner too, because I still couldn't find the reason behind the lost of my assets to hack some years ago, but I can remember perfectly that I like taking screenshot of recovery seeds, I was stupid it seems, but I don't do such anymore, something inside me just believe its wrong, but thanks for sharing this story OP.

After doing some research online I found out that so many people have lost their assets and even money in their bank account due to taking screen shots, like seriously I don't even know what's save and what's not save to do online anymore, it feels like things are just getting even more worse than they used to..

It's safe to take screenshots for personal use but when it comes to financial value you will likely get in trouble taking screenshots of vital information, like passwords, numbers, bank details, home address, BVN etc, screenshots can pose a sever threat to your privacy, I have heard about how unsafe machine sharing software are if you are a fan, other parties can capture your screenshots without you knowing,

I don't know if what does the "APP" that the OP said is, but if it's an app that's related to crypto, I believe it's expected that the developers will try, and dig those pictures on the phone especially if the owner let them have access to his files, but if it's not a crypto-related app, I believe it's only a mere coincidence, and the person who saw that picture happens to have a bit of a knowledge in cryptocurrency.

Nevertheless, the moral lesson here is don't save whatever phrases you have in your phone. I didn't do this ever since, and I only store it in my drawer, and other places. I'm not saving it online because it wasn't safe at all, and it never has.

Anyway, I guess your friend learned a very expensive lesson like what others are experiencing as well.

While the scammers and phishers are using websites to take the seeds and private keys of the victims that they can. It's likely that these apps can also scan out the images on someone's smartphone when most of the time, we just tend to agree and check all the conditions given to them so that we can download the app. It's not a good idea to have screenshots, saved in cloud, email and any other devices where our seeds can be  exposed to anyone. On this case that you have already asked for Binance's cooperation, although the funds are likely withdrawn already but the details that they can provide to you and your friend can help you if you want to pursue it.

Don't be lazy on how you keep your recovery seeds properly by simply writing it down with many backups but not with screenshots.

 Whatever you store on your phone will not be safe always most especially if you happen to download apps that require access to your phone. When you see that, always cancel your downloading as it will never safe for you most especially on the files that you have stored in your phone. And cases like seed phrase or passwords to any of your personal account, you don't need to take a screenshot but write it down on your notes and keep it privately like you're the only one who knows it. Its better to keep it safe than feel sorry in the end.

Furthermore, whatever details in your wallet, do not make it compromise through creating an access with any of your social media account. Note that social media is the playground of scammers, so you better stay away from social media using the info in your wallet or you get rid from being involved in social media because it will never give you an edge over your privacy.

Downloading something through Playstore doesn't mean that it is safe, there are a lot of fake and shady applications you can download through Playstore. If you want to download a wallet, do so through the original website; and finally do not use your wallet in a device that you use to carry out all of your online activities, get a hardware wallet so that your wallet will be offline and safe.

There are also some apps that we need and when we download them through playstore then it is ok. But if we directly download an app from Google on a mobile phone because it is not available in the Play Store. Then it is necessary to download it from the Google link and we have also to permit our phone. Is it a scam? Or what we should do then if there is only one way to download the app and if we don't permit them we can't download it?

One of my friend's wallets has been hacked because he was always downloading things from Google the same thing was present in the Play Store I don't understand if they had created a website how easy they have to hack someone's mobile phone and their videos and files etc.

This is possible in some wallets, I know you can actually do this using trust wallet but it's not possible on electrum wallet.

When you want to generate a seed phrase, there's always a warning message to write it down on a piece of paper. Some people don't take their wallet security seriously until something bad happens. The picture app his friend installed on his phone had an infostealer malware and an example is CherryBlos, this malware can scan photos and extract written text on it. When he granted the app access to his gallery, the malware was able to read the text on the screenshot and stole the seed phrase.

Let's see
- a developer going through millions of pictures of the users of his app, and all this data traffic is not getting picked by anyone
- your friend by mistake when selecting pictures posting the pic with the seed also on some website
- your friend by mistake sending that picture to somebody instead of other picture

I would place my bets like 49.9% on each of the last two and 0.2% on the first one!


It depends on what wallet you use, I can't take a screenshot of my PIN cards or CVV number when displayed in the bank app but I can easily take a screenshot while generating a seed in Electrum.

It must have been very tedious for a hacker to scan one by one all the images he come across and look into them. He sure expects to find one after all if the app is crypto related he sure will find someone who owns some crypto and installs it.

There are apps that you can't really avoid allowing to have access to your storage. I'm wondering if the hacker can get around when you only allow "while in use" ?

Being Offline by cutting off internet is not clod storage. If you turned off the Internet when you created the wallet and then restarted it and used the wallet normally, you are still at risk. If the hacker gains access to root privileges, he will be able to spend from your wallet.


What phone wallet allows you to take a screenshot of seeds? Taking pictures of the seeds or saving them digitally means that there is a weak point that hackers will be able to access if they reach your phone, which will benefit you in this case if you generate an offline wallet.

Possible also that a friend of a friend has borrowed and taken a look at his phone and borrowed it and browsed through his galleries and saw that screenshot of his seeds and taken a photo of it or wrote it down.

But if it's with the app, it's also possible as they get the log of their users and that's possible for the devs to see it.

It has never been safe to take a screenshot of our seeds. I was a naive when I've done this before but realized it that it's not an ideal way of keeping your wallet.

I hope your friend didn't keep nude photos on his phone) Otherwise, the problems are just beginning for him, and perhaps soon these photos will become public when they are posted on a thematic service. A smartphone is not a place where we can keep our secrets.

On iOS at least you have the option to select which photos you want to share with the app, it doesn't share the entire photo library by default. Same thing with your clipboard, where you need to explicitly permit the app to access your clipboard every time it needs it (to make pasting stuff easier, etc). Not sure about Android, but I'm sure there may be a (rooted) option to make something like this? Using a custom rom, etc...

People trash talk Apple all the time, but this stuff is smart.

Victim of bad circumstance I guess.
You don't blame the developers for allowing you to take screenshot of your seed phrase and private keys. I think some of them even need permission to have access to your phone screenshot before the app can work to take a screenshot. If you take a screenshot, it's because you give them the permission from your phone, there is a setting for that to disable screenshot for some apps or even more permission on how you allow some apps to have access to your files and gallery.

Always follow good practice of keeping seed phrase in good place, there is no good thing in keeping wallet seed phrase in gallery especially if you have a phone that is good in camera, your mate will always want to borrow them to take pictures. They can use this to steal anything important from the phone.

Never back up your keys online or use encryption as a justification for doing so. Multiple proven and reliable methods exist for backing up your keys. Please make use of them. Moreover it's strongly recommended not to fragment the 24 words like hiding them separately or obscure individual words within a book's pages. In the first case your bitcoins may be at risk of theft by hackers exploiting online apps you may have downloaded, while in the second scenario accidental loss becomes a real possibility. In both situations the responsibility of loss rests with the owner for disregarding the guidance provided by wallet security experts.

How it's possible in the first place? few months ago I tried to take a screenshot of my wallet's back up, but I can't and received a warning message. Although there are a lot wallets out there and not every wallet have a same security.

Remember it's not only about screenshot, it also depends on how many apps you installed, downloaded file you run in the background, etc etc.

They think it is safe or they think that they will send those screenshots to their PCs, download them on PCs and store there BUT likely they did not delete screenshot files on their mobile devices.

I know even delete them in a simple way will not erase all data on your mobile devices but at least that step can save you a little bit.

An ultimate prevention is better than this. Don't screenshot sensitive data like wallet seeds, passwords and so on.

I guess there is a saying or famous quote that when you use something for free, you are the product. Indeed, the developers look for some kind of benefits from its users. They do not work for free. Even if it looks like free, the reality is it is not free. Either they collecting your personal information from your phone, or they are showing ads in your device when you use the app.

I am not saying all developers do that, but I believe most of them does. Mobile device has never been friendly for crypto users. Mobile users gives all the permission during the installation without checking what access they have gained in your device.

People don't read these warnings or take them seriously until something happens to them. Some people think that nothing can happen to them, mistakenly thinking that a photo taken from a phone will remain only on the phone. But it has already been written many times that all photos are scanned both on the iPhone and on the smartphone. We will pretend that we believe that nothing is stolen, although such promises are not at all worth believing. Developers, not only of wallet software but also of applications that sometimes seem far from crypto, can do anything after gaining access to the gadget. Of course, for many people, having multiple devices can be an expensive pleasure, but even more so, you should take care and understand how expensive an innocent and thoughtless installation of a completely unnecessary application or clicking on someone else’s link will be.

It is a bad practice for someone to create their main crypto wallet on a smartphone, because even when you avoid one trap, another is almost certainly waiting for you, it's just a matter of time. If, for example, OP's friend had avoided taking a sample of his screen and saving it on his device, he might have saved his seed in the cloud, e-mail and something similar - and what about keyloggers or clipboard malware?

If we also take into account that the majority of smartphone users attach very little importance to their security, it is more than clear that they are exposed to numerous risks.

The way to protect yourself is to only download applications that have been available for a long time and have good reviews, and to be careful what permissions you give them when installing them. You should also take into account that your smartphone regularly receives security and critical patches, which means that the same phone is not older than 3-4 years, considering that then it will most likely not have official support.

Take your wallet security seriously like your life depends on it is understatement because your life actually depends on it. It's your asset and your asset is your future. You might guess right by thinking that the screenshot is the reason but did you check to confirm as to whether he grants those photo apps access permission to file? Taking Screenshot of seed phrase is actually wrong in all ramifications but I want us to be sure of what happened before we accuse the app developers. Something might be more to that.

Having Screenshot image on the phone means that anyone that has access to his phone also have access to his wallet if by any chance they come across those images. My point is this, it might not be app developers but probably a close friend or even family members who knows. Anyone who's into crypto knows a seedphrase when they sees one and can take advantage. Just like other comments above mine, I don't think Binance can really help in this case neither. This is a bitter experience for your friend, lesson learned in a hard way.

Two of my friend also click screenshots to save any sensitive info or if they are on pc, they write in notepad. Aside from security, I find such saved stuff hard to restore when you change device. Argument they give is that it's easy and they don't have that many funds to lose, same argument is given for privacy related matters as well.

Thats probably what happened there. Some apps really are suspicious no matter how helpful it is. If this proven true, will the developer of the app held liable for the stolen eth? Maybe they will say its an assumption since there is no evidence from the one who got loss unless he ca prove the app functionality that it can access the phones images.

Aside the screenshots on the phone of your friend I think he didn’t also create the wallet offline or even use it offline. My reasons are; phones are hardly the best device to use for offline wallet creation because there is a point probably before the time of creation that the phone must have had a connection with the internet before and this defeats the purpose of wallet creation on offline device because the wallet should never have been offline.

Another thing is not just creating the wallet offline also but it shouldn’t be on a device which is comes online except it is a watch only wallet which doesn’t hold the private key or seed of the wallet and we know phones one way or the other comes online when we use they for general purposes. Also maybe during the signing of transactions your friend made a mistake that also comes online. That’s why it is advisable to use hardware when you have limited knowledge about how to set up and use offline wallet


Yes OP needs to help us with the wallet name so that others can be aware because most popular Alticoin wallets mostly the MetaMask for Ethereum doesn’t allow the use of screenshots and neither does trust wallet


I strongly doubt Binance can help, exchanges only reveal identity or reverse deposits to senders address only when a standard warrant is presented by security agency and that is if they are under that countries regulations. The reverse your funds when you engage in the in app P2P and one turns out to be a scammer

From being taught to write down seed words to screenshot it, it is a very big different in practice. You did not make any fault in your advice to your friend but perhaps you can do it better next time to other friends.

"Write down your seed, store it offline physically. Don't make screenshot and store it in a device you use Internet daily because it is like storing your seed backup online."

Tell your friends to read this guide.
How to back up a seed phrase?.

I am not familiar with Ethereum, tokens or Altcoins generally, what wallet was the person using, because i know that good wallet softwares for hodling Bitcoin do disable taking screenshots of your seed phrase.
Definitely not a shrewd scammer for sending the funds to Binance, but mind you that some of these scammers use fake (bought) accounts even on KYC exchanges. BTW, i doubt Binance would even be of help to you here, how much was lost?

Cloud is not safe, computer or phone connected (at any time, even briefly) are also not safe. This is written all over the place, nothing new under the sun, still, people tend to ignore that.
And especially if the theft doesn't happen in the first few hours or days after the seed reaches the internet, people will may not consider it the culprit.

So a warning like this (although, as I said, it's not new) is welcome now and then in B&H. (PS. I've made your text red in my quote to make it stand out even more, I hope it's ok)

A friend lost all his Ethereum and tokens two days ago and it came to my attention, this is someone who I shared some tips about crypto wallets with some past months ago, I made sure he generate the new wallet offline and he wrote his recovery seed down, though I was not there with him, we are having the conversation online.

So I was like how the hell he managed to lost his recovery seed to hackers or scammers, he started swearing that he is damn sure he did nothing wrong, and we meet today, looking into his phone and my mind was on the phone, thinking maybe he rooted the phone or something, then I stumbled on his recovery seed been screenshot, that was when I knew he messed up.

He have some picture apps on his phone for meme creations and picture filtering apps, one of this apps have access to his library, including all his photos, and I believe the app scooped the image screenshot, maybe the developer of the app happen to stumble on the picture and decide to steal the fund.

The funds were moved to Binance exchange and sold, we are now hoping that Binance help in this case because he filed complain to them and hopefully the scammer already KYCed on Binance exchange.

Now I am starting to believe that some app creators are intentionally creating useful apps for people to use only to gain access into their files and pictures, this is why when apps ask for some access on my phone I always block them.

This is new to me, but let's take this serious, some stupid crypto wallets still allow taking screenshots, it's wrong, this should be a RED FLAG when installing a crypto wallet on your phone, and as for you and everyone it's a stupid idea to take screenshot of your recovery seed.

Do not be like those average users, take your wallet security very seriously like your life depends on it.

Stop taking screenshot of your recovery seeds, it's basically you storing it online for someone else to see.