Pages:
Author

Topic: I thought I would never get hacked... - page 2. (Read 1115 times)

hero member
Activity: 2366
Merit: 793
Bitcoin = Financial freedom
August 02, 2023, 02:33:51 AM
#64
Please, don't use Grammarly if you want to remain anonymous online under different names on different platforms. They record every sentence that you type, then analyze your writing ability, your writing style, manner, etc.
In order to improve your writing ability and expand your vocabulary, I suggest you to use Cambridge books, personally I love them and Thomas BJ has great books for vocabulary and idioms.

Thanks for the suggestion but I don't have a budget to buy these books do you have any free source?
I'm only using Grammarly sometimes when writing some content here or in WP blogs but when typing a password or copying/pasting some important details I always switch it back to the default keyboard(Samsung keyboard).
The dude is living in the old days Cheesy even though it is good to read books and acquire knowledge from it the effort needed is like pain in the ass and I am not sure is there anyone willing to give such effort when we have an alternative that does the same job for free via tools such as Grammarly.

If I am not wrong in android, Grammarly is available in the keyboard format alone which is not really helpful because the built-in dictionary is almost available on all keyboards including the stock ones so there is no need to trust another one 3rd party app with our sensitive data.

Grammarly is good when we use it on a PC in the form of an extension so it can only collect the data from that particular browser alone not from the entire device.
legendary
Activity: 3374
Merit: 3095
Playbet.io - Crypto Casino and Sportsbook
August 01, 2023, 12:02:24 PM
#63
Please, don't use Grammarly if you want to remain anonymous online under different names on different platforms. They record every sentence that you type, then analyze your writing ability, your writing style, manner, etc.
In order to improve your writing ability and expand your vocabulary, I suggest you to use Cambridge books, personally I love them and Thomas BJ has great books for vocabulary and idioms.

Thanks for the suggestion but I don't have a budget to buy these books do you have any free source?
I'm only using Grammarly sometimes when writing some content here or in WP blogs but when typing a password or copying/pasting some important details I always switch it back to the default keyboard(Samsung keyboard).
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
August 01, 2023, 05:13:02 AM
#62
Possibly that's the reason why you've been hacked any 3rd party keyboard has some sort of cloud database that records your keystroke. I'm always using the default keyboard than using like Swiftlkey or Grammarly because they record my clipboard and keystroke. However, sometimes I use Grammarly but switch it back to the default keyboard when typing a password.
Please, don't use Grammarly if you want to remain anonymous online under different names on different platforms. They record every sentence that you type, then analyze your writing ability, your writing style, manner, etc.
In order to improve your writing ability and expand your vocabulary, I suggest you to use Cambridge books, personally I love them and Thomas BJ has great books for vocabulary and idioms.

There is a good saying that I have heard countless times in American movies that says "assumption is the mother of all fuc*ups", and if you think that something can't happen to you (and it happens to a lot of people every day), then you already have a big problem at the start.

Feeling comfortable and at the same time convinced that you are untouchable is a very dangerous combination.


I don't really get your point though. The reason I lost money is because I screwed up. You are saying I have a problem. But in fact I have no problem at all. I will learn from my mistakes and everything will be alright.
His point was to never say never. Anything can happen to anyone, even unexpected.

apogio
Was antivirus turned on on your smartphone? Was your android rooted? What suspicious apps did you have? Did you enable permission to install 3rd party apps without the Google Play Store? Were you visiting some suspicious websites? I mean websites that load tons of advertisements and open new tabs in your browser. I don't think that it all happened because of Swiftkey, I highly believe that the problem lies somewhere else.
hero member
Activity: 2366
Merit: 793
Bitcoin = Financial freedom
August 01, 2023, 02:45:13 AM
#61
"assumption is the mother of all fuc*ups", and if you think that something can't happen to you (and it happens to a lot of people every day), then you already have a big problem at the start.


I don't really get your point though. The reason I lost money is because I screwed up. You are saying I have a problem. But in fact I have no problem at all. I will learn from my mistakes and everything will be alright.
He is just trying to say that you, assuming you are invulnerable to hacks and other potential risks which is lead to financial loss. The good thing is that you acknowledged your mistake so taking the necessary steps to improve is essential to avoid similar pitfalls in the future.



legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
August 01, 2023, 12:59:13 AM
#60
I can feel your pain. I would be totally pissed if that would happen to me even for the smallest amount that I would ever keep on a mobile phone wallet.
I'd feel the same. But, on the other hand, you could consider it "a cheap warning": early enough to know something was wrong without high costs, and a good moment to re-evaluate your entire OPSEC.
hero member
Activity: 560
Merit: 1060
July 31, 2023, 04:43:13 PM
#59
I only kept the amount of money I was "comfortable" losing.  It is definetely true that I made multiple mistakes. In fact, I used to have hot wallets before, but I have never done any of these mistakes. And now, I made them all at the same time.

Quote
I thought I would never get hacked...

There is a good saying that I have heard countless times in American movies that says "assumption is the mother of all fuc*ups", and if you think that something can't happen to you (and it happens to a lot of people every day), then you already have a big problem at the start.

Feeling comfortable and at the same time convinced that you are untouchable is a very dangerous combination.


I don't really get your point though. The reason I lost money is because I screwed up. You are saying I have a problem. But in fact I have no problem at all. I will learn from my mistakes and everything will be alright.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
July 31, 2023, 09:38:05 AM
#58
I only kept the amount of money I was "comfortable" losing.  It is definetely true that I made multiple mistakes. In fact, I used to have hot wallets before, but I have never done any of these mistakes. And now, I made them all at the same time.

Quote
I thought I would never get hacked...

There is a good saying that I have heard countless times in American movies that says "assumption is the mother of all fuc*ups", and if you think that something can't happen to you (and it happens to a lot of people every day), then you already have a big problem at the start.

Feeling comfortable and at the same time convinced that you are untouchable is a very dangerous combination.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
July 31, 2023, 09:08:39 AM
#57
I only kept the amount of money I was "comfortable" losing.  It is definetely true that I made multiple mistakes. In fact, I used to have hot wallets before, but I have never done any of these mistakes. And now, I made them all at the same time.

Knowing best practices doesn't automatically mean we always obey the rules strictly. Me too, I do something stupid until I do it. Hopefully the loss isn't large then. It hurts my pride, I guess yours, too. We have to try hard to learn from such shit, stay more vigilant. It's human to make mistakes, but better don't do them twice or more. You know who's to blame then.
Easier said than done, though.


... I have decided to monitor my wallet on my Sparrow desktop app only. I will keep only one device to monitor my wallet. I will avoid using wallets on my mobile phone, except for Zeus wallet which is connected to my lightning node.

Sounds like a more safe approach. Monitoring wallets don't really need to get in touch with the recovery words, you can in most cases use only the extended public keys to setup a watch-only monitoring wallet. No risk to loose private keys this way if the monitoring device should get compromised. That's my approach if I want or need to look on my wallet(s) on a more frequently used daily driver or mobile phone.
Casual computing or gaming are another zone and I try to strictly separate this from more serious stuff.
hero member
Activity: 560
Merit: 1060
July 31, 2023, 04:05:47 AM
#56
I'm not entirely convinced that here the Android phone and the Swiftkey app are the main problem. The OP did some other bad things that he should avoid in the future.
  • He handled recovery words on an online device outside of the original app (Bluewallet). Recovery words were fed into another wallet app. Don't do that on online/hot devices, period!
  • He used 3rd party keyboard apps for entry of sensitive data. We agree, that's bad and should be meticulously avoided as you have no control whatsoever where your entry data diffuses to.
  • He might have taken digital pictures of his recovery secrets. I don't know that, it was not talked about this. Of course, avoid this ever, too!

Recovery words are supposed to be backed up analog only, ie. paper or stamped in metal or similar analog and secure storage.
Maybe there's that went wrong, we don't know.

I can feel your pain. I would be totally pissed if that would happen to me even for the smallest amount that I would ever keep on a mobile phone wallet. I consider mobile phones as completely unsecure simply because a user does a hell of his internet shit on a mobile phone, install maybe questionable apps on it and just don't have much clue about security of such devices, not to mention the questionable update status of most Android devices once they get older.

I only kept the amount of money I was "comfortable" losing.  It is definetely true that I made multiple mistakes. In fact, I used to have hot wallets before, but I have never done any of these mistakes. And now, I made them all at the same time.

Well, it depends. If you coinjoin them and then store the xpubs of your new outputs insecurely again, then you will be back at square one.

Definetely true. I have decided to monitor my wallet on my Sparrow desktop app only. I will keep only one device to monitor my wallet. I will avoid using wallets on my mobile phone, except for Zeus wallet which is connected to my lightning node.
legendary
Activity: 2268
Merit: 18711
July 31, 2023, 03:12:44 AM
#55
Yes, except if I coinjoin them.
Well, it depends. If you coinjoin them and then store the xpubs of your new outputs insecurely again, then you will be back at square one.

Though I'm not sure if keyboard entries aren't some sort of private for the app that requested the keyboard entry.
Unless the app has its own virtual keyboard like Electrum, then they aren't. You can tell this simply by the fact that your predictive text carries over between apps and software, meaning anything you enter on the generic keyboard is not kept within whatever app you are using but is accessed by the wider firmware and even synced to the cloud to better "learn your writing style" (read: spy on you).

But the keyboard app has to follow this request properly, ie. don't do fancy online stuff and whatnot with that sensitive entry, particularly don't memorize or store the entry in some dictionary or blow it into the digital cloud.
Google were successfully sued a while back because if you turned off location gathering, Google still gathered all this data, they just didn't display it to you in your account when you accessed your location history page. I would not be in the least bit surprised if they still gathered all the sensitive data you enter via your keyboard, they just don't display it to you as an option for predictive text.

I'm not entirely convinced that here the Android phone and the Swiftkey app are the main problem. The OP did some other bad things that he should avoid in the future.
Completely agree. As I said above, this is just one possibility and the OP should not assume this is the cause without definitively proof. I was merely pointing out just how easy it is to be careless with your seed phrase, which should never have been entered on any keyboard at all.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
July 30, 2023, 11:52:18 AM
#54
Every app on your phone has access to your keyboard inputs.
Really? Even when they're at the background? That would be a terrible flaw in Android!

It's not a flaw, it's a feature. Wink I'm not an Android programmer but I read a lot about potential security stuff around digital devices. Any Android app can "subscribe" to be notified by system messages (don't pinpoint me on the correct jargon) if e.g. the clipboard changes and likely what is typed on the keyboard. Though I'm not sure if keyboard entries aren't some sort of private for the app that requested the keyboard entry. I wouldn't bet on it (a real Android dev surely knows better).

To boost security an app can and should ask for a private keyboard entry which should always be used for sensitive data. But the keyboard app has to follow this request properly, ie. don't do fancy online stuff and whatnot with that sensitive entry, particularly don't memorize or store the entry in some dictionary or blow it into the digital cloud. Decent keyboard apps should do this, but hell no you have no guarantee a keyboard app actually does it, unless you see and understand the source code or program it yourself.

The keyboard app in Android is a really sensitive and security important spot. There's a reason why e.g. Electrum on Android uses it's own keyboard entry method to enter recovery words. I praise Electrum for this. Unfortunately such security awareness is rare on other Android wallet apps.


I'm not entirely convinced that here the Android phone and the Swiftkey app are the main problem. The OP did some other bad things that he should avoid in the future.
  • He handled recovery words on an online device outside of the original app (Bluewallet). Recovery words were fed into another wallet app. Don't do that on online/hot devices, period!
  • He used 3rd party keyboard apps for entry of sensitive data. We agree, that's bad and should be meticulously avoided as you have no control whatsoever where your entry data diffuses to.
  • He might have taken digital pictures of his recovery secrets. I don't know that, it was not talked about this. Of course, avoid this ever, too!

Recovery words are supposed to be backed up analog only, ie. paper or stamped in metal or similar analog and secure storage.
Maybe there's that went wrong, we don't know.

I can feel your pain. I would be totally pissed if that would happen to me even for the smallest amount that I would ever keep on a mobile phone wallet. I consider mobile phones as completely unsecure simply because a user does a hell of his internet shit on a mobile phone, install maybe questionable apps on it and just don't have much clue about security of such devices, not to mention the questionable update status of most Android devices once they get older.
hero member
Activity: 560
Merit: 1060
July 30, 2023, 11:02:35 AM
#53
F*CK! I am so stupid... Anyway, what has been done, has been done. I will only use desktop wallets.

If you think that you will be safer that way, it seems that you have not realized how risky it is to store sensitive information, regardless of whether it is a smartphone or a desktop computer. When it comes to a desktop computer, you can also very easily expose your seed if you enter it in another wallet and you have a keylogger on that device.

Devices on which you store private keys should be isolated from all possible risks arising from your daily activities, which means that you need a hardware wallet or an airgapped device. Even then, you should always be on your guard, because being your own bank means you need to be on the lookout for thieves, whether they're online hackers or bad guys in the real world.

Thanks, but as I said above, I have 99% of my sats in cold storage and the systems I use don't store anything in memory. As soon as the device is turned off it erases everything it has in memory
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
July 30, 2023, 09:19:19 AM
#52
F*CK! I am so stupid... Anyway, what has been done, has been done. I will only use desktop wallets.

If you think that you will be safer that way, it seems that you have not realized how risky it is to store sensitive information, regardless of whether it is a smartphone or a desktop computer. When it comes to a desktop computer, you can also very easily expose your seed if you enter it in another wallet and you have a keylogger on that device.

Devices on which you store private keys should be isolated from all possible risks arising from your daily activities, which means that you need a hardware wallet or an airgapped device. Even then, you should always be on your guard, because being your own bank means you need to be on the lookout for thieves, whether they're online hackers or bad guys in the real world.
hero member
Activity: 560
Merit: 1060
July 30, 2023, 07:36:45 AM
#51
if my phone is compromised they could spy on my wallet. Do you suggest I should create a brand new multisig vault and send my funds there?
That depends on your personal preference for privacy. But even if you move the funds, if they know your current public keys they can follow the money trail.

Yes, except if I coinjoin them.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
July 30, 2023, 05:03:19 AM
#50
if my phone is compromised they could spy on my wallet. Do you suggest I should create a brand new multisig vault and send my funds there?
That depends on your personal preference for privacy. But even if you move the funds, if they know your current public keys they can follow the money trail.
hero member
Activity: 560
Merit: 1060
July 30, 2023, 04:40:57 AM
#49
So today I will factory reset my phone. One question though. I have my xpubs for my multisig vault in my phones storage. Even though nobody can steal my money, if my phone is compromised they could spy on my wallet. Do you suggest I should create a brand new multisig vault and send my funds there?
legendary
Activity: 2380
Merit: 5213
July 28, 2023, 01:57:51 PM
#48
More likely, having 24 words would make it harder for a malware,
If a malware infects your device and makes your wallet compromised, your fund will be stolen and it doesn't matter whether your seed phrase includes 12 words or 24 words.


Although we all recommend you use 24 word, I doubt somebody brute-forced your seed phrase.
A 12 word seed phrase provides 128 bits of entropy and as already said, it's secure enough.
hero member
Activity: 560
Merit: 1060
July 28, 2023, 12:57:02 PM
#47

Sorry about your loss. I hope you will soon find peace of mind.

From what I have read, I cannot tell you where you were not careful enough or how you could have stopped this from happening but I doubt it had nothing to do with 12 word or 24 word seed phrases. Although we all recommend you use 24 word, I doubt somebody brute-forced your seed phrase. I think what happened is that you might have a virus on your device or you stored your seed phrase in an unsafe way and somebody might stolen it without you noticing.

Best thing to do now is to get familiar with wallet security practices. OPSEC!

Thanks for the kind words
I am much better. As I said it wasnt the amount I lost. It was the fact that I wasn't careful enough.

You say you use Bluewallet, is it the android or iOS version (if applicable)? And where did you install it from, in the case of Android?

There are many 0-day vulnerabilities targeting older mobile OSes and it is possible that you were hacked with one of those.

It is android version 12 and I downloaded the app from the playstore.


What was the reason for your choice of Bluewallet and not Electrum? Of course, this will not change anything, and most likely it would not have changed even before hacking, because the malicious program would certainly have stolen from the electrum wallet as well. In your situation, only hardware wallet could save the contents or the multi-sig.

Hello. I own a multisig vault, created with offline hardware wallets. I also own cold storage where I also use passphrase. But, like everyone else I also had a hot wallet with some small amount in it. And I lost it. I wanna see what I did wrong and get better. The other two wallets are perfectly safe, technically speaking, as long as I also keep the backups safe.

I chose BW instead of Electrum for no obvious reason. Possibly the simplicity and the minimalistic approach. I have only used it for my hoy wallet though. Not for my other wallets.
legendary
Activity: 2240
Merit: 1993
A Bitcoiner chooses. A slave obeys.
July 28, 2023, 11:45:58 AM
#46
I have been hacked yesterday. I had 2 UTXOs in a single-sig, hot wallet. My seed phrase was 12 words long. I had originally created the wallet using Bluewallet.

Here is the transaction: https://mempool.space/tx/dc8460f585ec591a3a8ee264f2604e868dfada4efdcc30eb4d21f97692289d37

I don't know you the thief is, but I really wish that they lose all of their belongings.

Even though I had a single-sig wallet. Even though I had not used my own node to connect to. Even though I have done many mistakes, stealing is not acceptable...

PS: I think there may be something wrong with windice.io. I had sent some sats multiple times to play some roulette. Maybe they are doing something suspicious. Anyway, I will blame myself only...

Please, tell me that there is nothing wrong with 12 words seed phrases. Tell me it was malware and it would have happened even if I used 24 words... I need to hear this.

Sorry about your loss. I hope you will soon find peace of mind.

From what I have read, I cannot tell you where you were not careful enough or how you could have stopped this from happening but I doubt it had nothing to do with 12 word or 24 word seed phrases. Although we all recommend you use 24 word, I doubt somebody brute-forced your seed phrase. I think what happened is that you might have a virus on your device or you stored your seed phrase in an unsafe way and somebody might stolen it without you noticing.

Best thing to do now is to get familiar with wallet security practices. OPSEC!
legendary
Activity: 1792
Merit: 1296
Crypto Casino and Sportsbook
July 28, 2023, 11:34:51 AM
#45
I have been hacked yesterday. I had 2 UTXOs in a single-sig, hot wallet. My seed phrase was 12 words long. I had originally created the wallet using Bluewallet.

Here is the transaction: https://mempool.space/tx/dc8460f585ec591a3a8ee264f2604e868dfada4efdcc30eb4d21f97692289d37

I don't know you the thief is, but I really wish that they lose all of their belongings.

Even though I had a single-sig wallet. Even though I had not used my own node to connect to. Even though I have done many mistakes, stealing is not acceptable...

PS: I think there may be something wrong with windice.io. I had sent some sats multiple times to play some roulette. Maybe they are doing something suspicious. Anyway, I will blame myself only...

Please, tell me that there is nothing wrong with 12 words seed phrases. Tell me it was malware and it would have happened even if I used 24 words... I need to hear this.
Everyone is sure that hacking will not affect them and this problem will surely bypass them, creating trouble for others. Anyone but me - this idea is familiar to everyone. It is easy to deceive yourself and end up with losses.

What was the reason for your choice of Bluewallet and not Electrum? Of course, this will not change anything, and most likely it would not have changed even before hacking, because the malicious program would certainly have stolen from the electrum wallet as well. In your situation, only hardware wallet could save the contents or the multi-sig.

Just the mistakes made and poorly built protection are used by attackers. There is only one solution: to minimize errors and try to be as safe as possible.

Blaming yourself will not change anything, but finding your mistakes and finding out where you made a mistake, with their subsequent elimination, will be more beneficial for you.

More likely, having 24 words would make it harder for a malware, but would not save your wallet from being stolen. Surely it would be possible to say if you figure out the attack vector.
Pages:
Jump to: