Topic: Can transaction be signed from hackers wallet? (Read 244 times)

New thing are learnt on a daily basis and we're mere mortals that's just craving for profits and improvement. Hackers comes with more sophisticated strategies to lure their preys. There's no rest for them because they're always throwing links that contain phishing information and if an investor or trader have no clue, they easily click on then and that takes them directly to their personal account, encompassing all vital details and this is really outrageous.

TBF, there is no 100% fool proof setup to safeguard our assets but depending on our setup, we could make it harder for the perps to come in or in a way, mitigate the risks.

I would advise you to get a hardware wallet solely for storage means and use burner wallets and/or devices (or VM,) for interacting with dapps. -- always compartmentalize risky from less risky stuff. I personally follow this and have been doing fine.

Great. Thanks you for detailed explanation on this. I've checked all apps on my phone and I see that they are all installed by me. No cracked apps or testing app. Also, no logged in devices on my accounts except my phone. Hopefully, there won't be any compromising problems.

Some spyware on phones can even be completely invisible and the only way to remove it is to hard restore the device but they are rare so now stick with more common spyware that might be installed with different names like a thumbnail of music player, video editor, games and etc so if you see any name that you didn't install then uninstall at the next moment also check for the unnamed app that you can find the in the app manager by the bottom of the installed apps list.

Yes I know. Thats why I told OP that it is possible egen without knowing his private key based on my explanation. I think I am using revoke cash daily as part of my prevention as I am actively using my metamask everyday for the task Im doing on altcoins. So I knew these scam attempts but what he is asking too many victim of that method even some of my colleague who didnt take caution. Even though their private key is intact.

Many risks and malicious things can steal cryptocurrency stored in hot wallets on online devices.

People who visit, use many websites and interact with many smart contracts especially ones from new projects must be more cautious and careful with potential risks on their funds.

Revoke smart contracts is one of prevention methods.

3 Minute Tips: How to Revoke Token Approval Following Opensea’s Latest Security Episode

Some websites to do this.
https://etherscan.io/tokenapprovalchecker
https://revoke.cash/
https://app.unrekt.net/

Im not an astrologer mate to guess possible scenario with that. If he does not connect to other then might be the issue with the 2 dapps you mentioned. But how sure you are that he isnt linked with some sites. Maybe he thought he didnt go to some malicious sites or thought of a safe one but actually it isnt safe one.

Only by the virtue of exposing your private keys to another person will lead to having this kind of attack and loss of fund, but for someone not having access to any of these, they can't withdraw money from your account, that of the malicious links is what will  link them through the entry to having access to those keys if you expose yourself been vulnerable or keep your private informations on where they can easily have access to.

Actually i don't think the possibility for someone to Initiate a transaction from their wallet to transfer funds out of another wallet without having access to your seed phrase, i don't think if that will be possible except you disclosed your seed phrase to them unknowningly. However as long as the exchange is a decentralized one i don't think if that will be possible, though it depends on the kind of exchange you're making use of. that is why when purchasing token we need to look for those exchange that is highly recommended, because a lot of things is really happening in the internet.

simply put, if they don't have your private key or seed phrase, they can't make a transaction, but if they do, they can make a transaction. unless they have access to your device and can access your wallet, it is possible and you can't do anything when they have successfully transacted your bitcoins to another wallet. that's why it's important for you to be able to protect your device from hackers or unauthorized people, and always make sure that you don't access or install random applications because it can be a gateway for hackers to control your device.

What can you say about this kind of issue.
The owner of the wallet said he only used pumpdotfun and Jupiter. And he never connect his wallet to any other DEX apart from that. Means someone got his private key either buy spyware of anything?

---

Only for Bitcoin network or every other network. Since you are mentioning only Bitcoin But I mentioned SOL and Ethereum.

---

Thank you so much cryptoaddictchie . I was talking about sol and Ethereum networks..
For what metamask said,  seems we can get hacked with malicious websites and contract addresses. That's a reason why they ask us to revoke our wallet access frequently.

---

I Posted it here because Beginner's can probably learn from pros. I know there will be lots of opinions that will make people understand different ways of getting hacked which I also need to know cos I also don't really know much..
Also, thanks for the tips you have valid points and I think if someone can stay away from all you've stated, they will be safe.

---

Hmmmm. What?
I had to delete some apps on my phone after seeing this. I downloaded a testing app from playstore last month to help a DEV test thier app. Although, I didn't give the app any access. I only play games in it..
Will try make more research on this Remote Access Trojan. Thank you  

---

Your reply makes me feel like nothing is really safe on the internet. Even incognito mode might not be safe. You mean some DApp, platform or Browser might not be secured enough making hackers find a way to malicious compromise users behaviour and get them expose some private information. That's strong.
But thank you for this. I learn another new thing as I've been learning here so far.

No access to the private key means no access to the wallet, that is why watch only wallets cannot be attacked, the thing here is giving authorization means the they have full access to everything from their own end, they could have a hidden scripts or something to steal the keys when you authorize them.


This very possible and it’s a common thing, if you look at decentralized exchanges where you connect to the DApps you have given them full authorization as long it is connected, when an hacker gets into the network they could be able to get access to your keys if you’re connected one way you still get hacked after even disconnecting is because once you connect and gave authorization they had scripts that stole the keys from the wallet and kept it.

This is one of the reason why you have to use multiple wallets if you wish to buy from them. Connect one wallet, buy from them and then move the coins out to another wallet

This is impossible for bitcoin wallets, unless hacker have remote access to your computer or if he installed some malware on that computer.
Clipboard malware can insert malicious addresses in some wallets and many users would not detect that.   

This is possible with uniswap and other ethreum wallets if you approve access to some wwebsites permanently and don't revoke it later.

I will advise to not interact with any contract that poses a security risk, do not grant permissions through your wallet holding other finds and never install any malicious program or browser extension.
Use an alternate wallet and device if possible, every-time you are compelled to take a risk with an airdrop.

- Jay -

If you are an airdrop hunter and an active user on social media platforms, if you encounter a phishing site and sign a transaction through your wallet and give them permission, in this case, your assets will be transferred directly by the scammer. Additionally, your funds may be drained due to interacting with a malicious smart contract while attempting to swap any scam tokens or assets through a DEX. If your wallet contains a sweeper bot after your recovery phrases or private key have been accessed by a scammer, or if your computer is hacked or infected with malware, your wallet will also be drained in these situations.

I advise you to be cautious before interacting with any contract, granting permissions through your wallet, or installing any malicious programs or browser extensions. You can install extensions such as AegisWeb3, Pocket Universe, or Fire, and always use Revoke.cash so that you can revoke any interactions you may have had with any smart contracts or platform connections.

From how I have dissected this scenario, I think it's not about the platforms security and what not tbh.. afaik a compromise usually happens from users side (devices ) and this could mean browser might have been compromised giving the hacker the unauthorised access or keyloggers were used to get access to the said platform's which technically makes unauthorized access possible...which is why we need a clean system or dedicated device for such transactions to avoid malicious programs from being harboured or installed on our devices...I mean you never know you could click the wrong link or open the wrong file and access is granted without you knowing..

Yea i think it's obvious Op is concerned is with smart contract which on altcoins which is very dangerous when it is malicious contract though some of these malicious contract will definitely be more cruel than others but this goes from draining entire wallet or some coin to others.

This is true especially when you use older versions Os instead of going for an updated version and Linux is included though it's still much secured than the windows.

Hackers can exploit flaws from older versions even if you were cautious online while wrecking havoc on your devices.

There is another way to make it happen with no seeds/private keys is to get access to the victims device which let them to execute any command they want remotely if the device is connected to the internet.

One of the most common methods is Remote Access Trojan (RAT), that often bundled with the software the users download from unofficial sites such as cracked versions, once that infects a device which gives complete control of your device to the hacker and the worst part is you can't even find it happened.

They can access your camera, files, microphone, and any application and even go deep down to manipulate the devices' hardware.

For many reasons this post should be on the Altcoins section of the forum. Bitcoin or altcoins, ideally if you are using a standard wallet where you are literally the only one who has access to the keys, it's not possible for anyone to initiate a transaction from their wallet transferring funds from another person's. If they don't have the keys, they cannot do that. Most reason why you see stories of wallet hacks is because of malicious links, keyloggers, connecting of wallet to unknown sites,installing Trojans and not keeping your keys offline.  These few mistakes are what crypto holders make that put their funds at risk and it may be due to lack of information on how to avoid hack or ignorance(they don't believe they can be hacked until it happens).

I don't really know though but altcoins most times use different kinds of wallets, sites and many others for various transactions and purposes so I believe that in these processes, you might end up exposing your keys to hackers which might inturn have access to your wallets and control it remotely.

I think they can when the victim happened to be lured on a malicious website so that their smart contract can do the stealing while running their program.

metamask had warn users on this case anyway.

https://support.metamask.io/privacy-and-security/staying-safe-in-web3/fake-mining-voucher-scams/

Maybe for bitcoin it isnt. But surely OP is probably  talking about altcoins or metamask wallet containing alts not bitcoin by his word "malicious smart contract" which happened not present on bitcoin. Also based on his mentioned project like pumpdotfun (solana) and uniswap (eth network).

They never can do that if they don't have private keys of your wallet.

"It's your private keys, it's your bitcoins. It's not your private keys, it's not your bitcoins." This means that if hackers don't have your private keys, they can not steal your bitcoins.

They never can sign a transaction to move bitcoin from your wallet if they don't have your private keys or can not hack your device to get access to your wallet and its private key.

Bitcoin Q&A: Not your Keys, Not your Coins

I think it happened on some malicious links where you click some link and put a signature on the front end of the fake site making you signed a transaction.

Normally this is the gig of the scammers.

Just the coin related that interacted with only if you allow the transaction on your wallet. Its like youre given them permission to like how much max token to be allowed to move from that signed transactions. But youll know if the contract is safe or malicious cause some wallets notify its not safe or has info commented before you signed any transactions.

Is it possible for someone to initiate a transaction from their wallet to transfer funds out of another wallet, without having access to the private key or seed phrase associated with that wallet? If so, could this unauthorized access be a result of interacting with a malicious smart contract address?

Also, is it possible that purchasing tokens from decentralized exchanges like Uniswap, Jupiter, PumpDotFun, or others, could facilitate such unauthorized access to one's wallet or just the coins related with the DEX or contract address interacted with. ?