Topic: Am I being too paranoid? (Read 247 times)

I think that you were paranoid but that's normal because we humans want to get access ASAP to what we lost. In reality, you haven't lose anything but you wanted to see yourself in live that your wallet really holds some coins. If I were you, I would wait for the replacement to arrive and import my keys into a new wallet. But in this case, if I really wanted to see if my coins are back in place, I would use a computer instead of smartphone. I would install Tails on USB flash drive, import keys in tails and once I see that everything is alright, I would remove the stick and shut down my computer.

This is a good advice, that's why I only use Electrum on my smartphone.

This is a good advice as well. If I were you, I wouldn't use any antivirus because they are spywares themselves. Also, use your smartphone like a stoic and you won't face problems of needing antivirus.

I don't think you're being paranoid in the slightest.

Some people might think I'm paranoid, however: https://bitcointalksearch.org/topic/--5512543

Depending on the amount of BTC you have, it may make sense to have more than one hardware wallet, one as your main wallet and one as a backup. If you had a backup coldcard or Passport, you wouldn't need to expose your recovery seed online, you would just need to restore it to the backup device.

But now that you've imported and everything is fine with your funds, this is a sign that your mobile phone isn't infected with malware (apparently), otherwise your funds would be immediately drained. On the other hand, I still wouldn't trust it 100%, because it could happen, in more specific cases and based on the hypothesis that someone has remote access to your device, that someone is waiting for you to deposit enough coins so they can then pull off the scam and drain your wallet all at once! Not that this is actually what is happening, but it is possible.

In this case, simply create a new recovery seed when your new coldcard arrives, transfer the equivalent of a few dollars to it (to check if everything is ok) and then transfer the rest. Remember, it doesn't make sense to use the same seed that you exposed online on an air-gapped device for obvious reasons.

This serves as a lesson, in cases of hardware wallet loss, the user must know how to act without despair, since when using the seed on an online device, an error can result in the loss of funds. Now that you have seen that your seed generated on the coldcard works on online software wallets, there is no longer any reason to panic, since seeds generated by HW are the same as those generated by software wallets, the protocol (BIP-39) is the same, what changes is the storage method, in the case of the coldcard: offline or air-gapped (as long as you never expose your seed online).

You really shouldn't have entered your seed into Tangem and cancelled out all the benefits of using cold storage. I told you in your other topic that your coins aren't going anywhere. Coldcard didn't even ask you to send the device back, so you gained nothing from importing your seed elsewhere. But you lost time and effort. Now, when you get your new Coldcard, you will have to redo everything and create a new seed in offline mode, make new backups, test if everything works as it should, and lastly move your coins to a new address.

As you see, it was completely unnecessary. Especially since you didn't even need your bitcoin. You were just curious. And you know what happened to the cat that was curious!?

I don't understand why you did this. As you said in your relevant thread your BTC balance is not on the first Cold Card Q addresses ^{(which are empty in this case)} while Tangem ^(currently) allows creation only one account ^{(with derivation path equals  to m/84'/0'/0'/0/0 for bech32)}. Thus to find you balances on Tangem you would need addresses with last index > than zero. You was aware that such addresses are  inaccessible ^{(they promise to remove such limitation in one of the next releases )} on Tangem. I wonder what was your plot?

Alright, Well my new cold card arrives in the next 1-2 hours so I'll just generate a new seed and call it a day. Thanks.

You haven't done anything wrong yet, when you have new cold card just create entirely new seeds and move the funds to it and that's it the funds again went back to cold storage.

You can't be 100% sure that any device is free from any kind of malware even the most advanced machines with all the necessary things from government agencies can't stop the remote attack from hackers so think about security of your device. For now you can use the wallet meanwhile not connecting to internet can be a better than always connected to internet.

I will say your act was more of a natural reaction to panic, some people can react differently some handle situations were better than others. The most important thing is you yourself know you ain’t running a cold wallet again and that’s better, that Tangem wallet you’re running has been left for a long term so you can’t be too sure of whether it is compromised or not, why not actually move it to a new wallet this time around create the wallet using on of the community trusted wallets like electrum. This time you’re sure the wallet is created properly at least it is a hot wallet for now, then you simply move back to your cold wallet when your cold card arrives, you can also simply run an airgapped electrum wallet of it is possible. Just don’t leave the funds on that wallet or any other hot wallet for too long, one cannot be too sure.

I don't think you're being paranoid enough.

Personally, I would only restore the seed into a hot wallet just to immediately send it to another cold wallet that I had already created off-line, and verified I can restore.  And the software I use would be something well known and highly trusted by the community.

Here's the list of software wallets recommended by ColdCard: https://coldcard.com/docs/compatible-wallets/

I think you took an unnecessary step when you entered the seed from the HW into the mobile wallet, and now everything depends on how much you trust that wallet and your smartphone. If you still see that your balance is intact, it means that you don't have a keylogger that would steal your seed, and that you don't have some malicious app that could empty your wallet.

However, my advice would be to delete that wallet or the entire app from your smartphone, especially if it is something of greater value. The good news is that you won't have to throw away the metal backup, since it's not one of those where you engrave letters.

I'd say hold off of restoring the mnemonic phrase on your phone, not because I'm worried it will be stolen or anything, but because you don't need to give it access right now.

You don't go around and restore your mnemonic phrase on any random device, without doing your due diligence checking to make sure the device is not bugged and also to find potential weaknesses inside the OS and browser so that you can avoid them when you use the wallet

Somewhat off-topic, but IMO it's worth to remind that you need to trust them (since those antivirus ask lots of permission) and may drain your battery faster.


You're not being paranoid at all. IMO generating new seed phrase on your new ColdCard Q is similar with using different password or email on each internet account.

If you want to do something like this, you should at least use a software that is (1) open source (2) popular/reviewed (3) trustworthy. The wallet you named (Tangem) may be* open source but it is neither popular enough to be reviewed or trustworthy to be used.

* I say maybe because they have a github repository but I didn't check it to see if it is one of those fake open-sources that have a lot of close source dependencies. But definitely is not safe due to lack of reviews.

That isn't even categorized as "paranoid",
That's just the standard operating procedure when handling Cold-Storage wallets.

So yes, generate a new seed when your Cold Card arrives.

One thing: in Cold-storage, once the seed phrase or even 1 private key from the wallet has been exposed to an online environment, hacked or not, that is not cold-storage anymore.
There no "semi cold-storage" or something in between; expose it online once and you must create a new seed, air-gap.

You are right your previous Cold Card is now not an airgapped anymore and you already taken a good precaution like by creating new seed phrase which will generate new address and when you will send your funds from Tangem app wallet to those wallet address your new Cold Card wallet won't be effected and it will hold its air-gapped property.

We actually make small mistakes like these and also learn from them too so I don't think you are being too paranoid.

I made a post about my Cold Card quitting on me (replacement on the way), and when it quit working I decided to import my wallet into my older Tangem wallet that I wasn't using anymore. I'm not sure why I did this as I didn't need immediate access to my BTC, I think I just paniced at the thought of not having access to it for the moment? Who knows. Anyways, in order to restore my wallet created on the Cold Card, I of course had to enter my seed phrase into Tangem. That's pretty straight forward and standard for any wallet's recovery process, I know. But what I'm being paranoid about is that Tangem is a phone app. So up until this point I've been completely air gapped with my Cold Card Q, and now I'm not. BitDefender Mobile runs on my phone and I don't do anything crazy with it, but how bad of an idea was it to restore my wallet into Tangem? I'm 100% certain it's the legit Tangem App software, so I'm not worried about some of the fake Trezor Suite desktop software horror stories I've read. Am I being too paranoid here or should I just generate a new seed phrase when my new Cold Card Q arrives? I've never put my seed into any digital form/media(photo, text file, etc, etc). I've got 2 paper backups, and a metal seedplate backup (Keystone Tablet Plus), so the ONLY time it's ever seen something "electronic" was when I restored it inside the Tangem app. What are your guys thoughts?