Topic: I thought I would never get hacked... (Read 1115 times)

That's interesting; however, is that really necessary? My point is that my main usage of Quillbot is limited to using it to correct some grammar and punctuation mistakes, mainly on my Bitcointalk posts or when I'm writing a formal email and want to avoid any kind of grammatical mistakes. Now that I'm thinking about it, the latter doesn't sound like a good idea anymore, as such an email might be confidential, and you're practically giving your private information away.

I'm not sure, but abandoning those kinds of services or at least using them a little more conservatively might be a good idea until I can find an open-source alternative.

I would presume that their Privacy Policy applies equally to all their products.

Everything you type or paste in to their website will absolutely be being stored as described above, and unless you are using a fresh Tor identity each time, then everything you type in will be linked to everything else you type in via cookies or your browser fingerprint.

You should try looking for an open source alternative you can download and run locally. I'm afraid I have no experience of such things so can't recommend anything.

That's interesting; however, are you talking about the extension or the browser version? Because it sounds way too farfetched and doesn't make too much sense. I was considering upgrading to their premium membership, but I'm having second thoughts. I'm only using their website and haven't installed their extension, as I'm trying to avoid more unnecessary ones that slow down the browser even more. Thus, I don't think what you said can be applied to those who are not using their extension, am I right? At least, they cannot obtain as much information as their privacy policy claims.

I'm starting to think that every website or extension is a possible threat to your security and privacy. I've become a little paranoid after suffering from a fake Google Sheets extension.

Here you can see it: What Information Does Grammarly Process or Collect?.
It is not a bold statement and doesn't really need source to prove it. It's simple, it's business and we all know that these companies use every piece of our data to improve their product, improve their marketing and increase their sales, also to spy on us.

Maybe we should popularize the idea of Fuck Grammarly Ask Me?
I used to believe that businesses were doing what they were saying but when I grew up and started work, I understood that absolutely everything is a lie in every industry with only a few exceptions, there are only a few, probably one in a million companies/people that really back up their words and are honest. Otherwise, not only Grammarly but even food industry is a big joke and lie when they write down Organic on their product.

I've never heard of Quillbot before, but a quick look at their Privacy Policy isn't any better:

Good idea. You should make a habit of only having the minimum number of essential browser extensions installed, such as uBlock Origin and HTTPS Everywhere. Every unnecessary extension presents a new attack surface and makes your fingerprint more unique.

Maybe the absence of mistakes and a near perfect grammar and punctuation show up as a red flag to some AI detectors. I can't think of anything else.
I used it quite often in the past, but never bothered to read their TOS. I still have their extension installed, but as I mentioned earlier, I use Quillbot to correct any mistakes I make. I guess it's about time the Grammarly extension is permanently removed from my browser. It seems that not everything is as innocent as it looks.

Their Privacy Policy: https://www.grammarly.com/privacy-policy#sectionSingleColumn_51qLjMIKnP2BOgokskyVEE

They collect "Account information" including your name and email, "Device information" including your IP address, location, and browser fingerprint, and "User content" including "all the text you enter". So yes, Grammarly is a keylogger, not just logging everything that you type, but linking it all to your real identity.

If you do a quick web search, you'll find that lots of large tech companies and government departments have Grammarly and other such software blacklisted from all their devices. This should tell you everything you need to know.

The Cambridge book and Thomas BJ are not free you can find them on Amazon.

I know Quilbot and tried that thing but it edited my posts and it's flagged as AI-generated text when checked it to CopyLeaks AI checker.
I'm fine using Grammarly I just only use it for auto capital, auto-correct wrong spelling, punctuation, and synonyms.

I think it best not to keep all eggs in one basket.
One wallet to receive and send, one to keep or severall even better.

I was also using the Grammarly extension in the past but have now switched to Quillbot's platform, which, in my opinion, is far better. However, do you have a source for your statement? It sounds too far-fetched that it's gathering your data and possibly abusing it.

I'm sorry for the OP's loss; fortunately, it wasn't an extravagant amount; it could have been a lot worse. Is it actually possible that the Swift keyboard application leaked his seed phrase? That would stink big time, but at least you have something to suspect. I also got scammed by malware approximately a year ago, and I have nothing to hold accountable for its installation, which in my opinion is a lot worse.

Absolutely! cheers!

What I mean by that is that at this point of
the discussion am sure we've both understood  each other's point.

Hey mate, I understood everything apart from this sentence. Sorry but English is not my native language.

You're absolutely right mate no one has a right to walk into another privacy and steal a property, but not everyone will behave or think in the way you do. The world has gone beyond were people take to heart between what's bad and what's good. So you should be able to embrace between what it is from what ought to be, and take your security above anything else.

So like the saying goes, when you're in Rome you behave like a Roman. Which literally mean, in a world like this never be stupid to leave your door open, there could be someone nextdoor waiting for the opportunity to hup in at any slightest chance to steal from you. Apply this ideology same to your wallet  private keys.
At this junction I take my bow not to return to this same discuss believing we are at square with it.

Ok. I have noted that but I will keep swearing against anyone when they get unauthorized access to my coins. Apart from that, there are 3 pages in this thread where we go into detail in regards to the mistake I ve made. If you leave the door open at night, it is a stupidity. But this doesn't mean someone has any right to get inside and steal.

You don't need to know the thief and I think those wish/swear words of yours are unnecessary and the occurrence will repeat itself if you don't take appropriate measures to safely keep your private keys in place. I believe your funds weren't gotten access to because you're using a wallet with 12 private keys, same would have happened even if it was a 24 private keys phrase because this seems to happen due to a malware (maybe from a careless use of it online) or you exposure to a third party unknowingly to you. Swearing won't help but taken adequate measure towards your security online will do just fine.

So, it seems as though it was your own mistake and the way you handled your seed... right? I am very cautious when it comes to things like my Private keys... and even things like browser hijacking. (Clipboard hacks)

I regard a seed phrase or private key as being compromised, if it has been used even once. People record your online sessions or they use key capturing software, so if you put it online... then it is perceived as being compromised. 

We learn from our mistakes.... but the loss are still real and the feeling of your security being breached are frustrating AF!

That’s only what could result out of doubting the system but, it leads to you being more cautious of the possibility of a theft haven’t had one. Though, 24 seed phrases puts more difficulty in the event of a guess if that could have been the case which I doubt.
You just might have made some error with your security at OP as, being totally secure and have a wallet that comes with a seed phrase or private key hacked is unheard of.

I appreciate that you have your own way of learning vocabulary but for me, it's really not needed so I am saying I stick with the things that work fine for me.

Just like every innovation which is more towards reducing the workload and if you say it will make us stop the evolution then it's not true.

I am not a motivational speaker neither travel a lot but for the sake of communication, I think I knew enough.

Okay, I'm talking about these books:
Elementary/Intermediate/Advanced Vocabulary Paper (Skills) by Thomas (Choose your level).
Cambridge Advanced Grammar in Use

I guess you can find their PDF versions online but if you can't but you really need these books, check them if are available in your country, to understand if you really like and plan to read & do exams in those books and I'll buy them for you.

I am not living in the old days and it's not pain in the ass to read and study from books, actually, Grammarly is only doing bad for you. When you make yourself dependent on 3rd party apps to write in English, then your brain gets a little bit lazy and over time, you'll understand that this tool stopped you from learning English. Also, you can't use Grammarly when you travel and have to speak in English with different people, you can't use Grammarly when you speak to the audience in English.

The dude is living in the old days even though it is good to read books and acquire knowledge from it the effort needed is like pain in the ass and I am not sure is there anyone willing to give such effort when we have an alternative that does the same job for free via tools such as Grammarly.

If I am not wrong in android, Grammarly is available in the keyboard format alone which is not really helpful because the built-in dictionary is almost available on all keyboards including the stock ones so there is no need to trust another one 3rd party app with our sensitive data.

Grammarly is good when we use it on a PC in the form of an extension so it can only collect the data from that particular browser alone not from the entire device.

Thanks for the suggestion but I don't have a budget to buy these books do you have any free source?
I'm only using Grammarly sometimes when writing some content here or in WP blogs but when typing a password or copying/pasting some important details I always switch it back to the default keyboard(Samsung keyboard).

Please, don't use Grammarly if you want to remain anonymous online under different names on different platforms. They record every sentence that you type, then analyze your writing ability, your writing style, manner, etc.
In order to improve your writing ability and expand your vocabulary, I suggest you to use Cambridge books, personally I love them and Thomas BJ has great books for vocabulary and idioms.

His point was to never say never. Anything can happen to anyone, even unexpected.

apogio
Was antivirus turned on on your smartphone? Was your android rooted? What suspicious apps did you have? Did you enable permission to install 3rd party apps without the Google Play Store? Were you visiting some suspicious websites? I mean websites that load tons of advertisements and open new tabs in your browser. I don't think that it all happened because of Swiftkey, I highly believe that the problem lies somewhere else.

He is just trying to say that you, assuming you are invulnerable to hacks and other potential risks which is lead to financial loss. The good thing is that you acknowledged your mistake so taking the necessary steps to improve is essential to avoid similar pitfalls in the future.

I'd feel the same. But, on the other hand, you could consider it "a cheap warning": early enough to know something was wrong without high costs, and a good moment to re-evaluate your entire OPSEC.

I don't really get your point though. The reason I lost money is because I screwed up. You are saying I have a problem. But in fact I have no problem at all. I will learn from my mistakes and everything will be alright.

There is a good saying that I have heard countless times in American movies that says "assumption is the mother of all fuc*ups", and if you think that something can't happen to you (and it happens to a lot of people every day), then you already have a big problem at the start.

Feeling comfortable and at the same time convinced that you are untouchable is a very dangerous combination.

Knowing best practices doesn't automatically mean we always obey the rules strictly. Me too, I do something stupid until I do it. Hopefully the loss isn't large then. It hurts my pride, I guess yours, too. We have to try hard to learn from such shit, stay more vigilant. It's human to make mistakes, but better don't do them twice or more. You know who's to blame then.
Easier said than done, though.



Sounds like a more safe approach. Monitoring wallets don't really need to get in touch with the recovery words, you can in most cases use only the extended public keys to setup a watch-only monitoring wallet. No risk to loose private keys this way if the monitoring device should get compromised. That's my approach if I want or need to look on my wallet(s) on a more frequently used daily driver or mobile phone.
Casual computing or gaming are another zone and I try to strictly separate this from more serious stuff.

I only kept the amount of money I was "comfortable" losing.  It is definetely true that I made multiple mistakes. In fact, I used to have hot wallets before, but I have never done any of these mistakes. And now, I made them all at the same time.


Definetely true. I have decided to monitor my wallet on my Sparrow desktop app only. I will keep only one device to monitor my wallet. I will avoid using wallets on my mobile phone, except for Zeus wallet which is connected to my lightning node.

Well, it depends. If you coinjoin them and then store the xpubs of your new outputs insecurely again, then you will be back at square one.

Unless the app has its own virtual keyboard like Electrum, then they aren't. You can tell this simply by the fact that your predictive text carries over between apps and software, meaning anything you enter on the generic keyboard is not kept within whatever app you are using but is accessed by the wider firmware and even synced to the cloud to better "learn your writing style" (read: spy on you).

Google were successfully sued a while back because if you turned off location gathering, Google still gathered all this data, they just didn't display it to you in your account when you accessed your location history page. I would not be in the least bit surprised if they still gathered all the sensitive data you enter via your keyboard, they just don't display it to you as an option for predictive text.

Completely agree. As I said above, this is just one possibility and the OP should not assume this is the cause without definitively proof. I was merely pointing out just how easy it is to be careless with your seed phrase, which should never have been entered on any keyboard at all.

It's not a flaw, it's a feature. I'm not an Android programmer but I read a lot about potential security stuff around digital devices. Any Android app can "subscribe" to be notified by system messages (don't pinpoint me on the correct jargon) if e.g. the clipboard changes and likely what is typed on the keyboard. Though I'm not sure if keyboard entries aren't some sort of private for the app that requested the keyboard entry. I wouldn't bet on it (a real Android dev surely knows better).

To boost security an app can and should ask for a private keyboard entry which should always be used for sensitive data. But the keyboard app has to follow this request properly, ie. don't do fancy online stuff and whatnot with that sensitive entry, particularly don't memorize or store the entry in some dictionary or blow it into the digital cloud. Decent keyboard apps should do this, but hell no you have no guarantee a keyboard app actually does it, unless you see and understand the source code or program it yourself.

The keyboard app in Android is a really sensitive and security important spot. There's a reason why e.g. Electrum on Android uses it's own keyboard entry method to enter recovery words. I praise Electrum for this. Unfortunately such security awareness is rare on other Android wallet apps.


I'm not entirely convinced that here the Android phone and the Swiftkey app are the main problem. The OP did some other bad things that he should avoid in the future.

• He handled recovery words on an online device outside of the original app (Bluewallet). Recovery words were fed into another wallet app. Don't do that on online/hot devices, period!
• He used 3rd party keyboard apps for entry of sensitive data. We agree, that's bad and should be meticulously avoided as you have no control whatsoever where your entry data diffuses to.
• He might have taken digital pictures of his recovery secrets. I don't know that, it was not talked about this. Of course, avoid this ever, too!

Recovery words are supposed to be backed up analog only, ie. paper or stamped in metal or similar analog and secure storage.
Maybe there's that went wrong, we don't know.

I can feel your pain. I would be totally pissed if that would happen to me even for the smallest amount that I would ever keep on a mobile phone wallet. I consider mobile phones as completely unsecure simply because a user does a hell of his internet shit on a mobile phone, install maybe questionable apps on it and just don't have much clue about security of such devices, not to mention the questionable update status of most Android devices once they get older.

Thanks, but as I said above, I have 99% of my sats in cold storage and the systems I use don't store anything in memory. As soon as the device is turned off it erases everything it has in memory

If you think that you will be safer that way, it seems that you have not realized how risky it is to store sensitive information, regardless of whether it is a smartphone or a desktop computer. When it comes to a desktop computer, you can also very easily expose your seed if you enter it in another wallet and you have a keylogger on that device.

Devices on which you store private keys should be isolated from all possible risks arising from your daily activities, which means that you need a hardware wallet or an airgapped device. Even then, you should always be on your guard, because being your own bank means you need to be on the lookout for thieves, whether they're online hackers or bad guys in the real world.

Yes, except if I coinjoin them.

That depends on your personal preference for privacy. But even if you move the funds, if they know your current public keys they can follow the money trail.

So today I will factory reset my phone. One question though. I have my xpubs for my multisig vault in my phones storage. Even though nobody can steal my money, if my phone is compromised they could spy on my wallet. Do you suggest I should create a brand new multisig vault and send my funds there?

If a malware infects your device and makes your wallet compromised, your fund will be stolen and it doesn't matter whether your seed phrase includes 12 words or 24 words.


A 12 word seed phrase provides 128 bits of entropy and as already said, it's secure enough.

Thanks for the kind words
I am much better. As I said it wasnt the amount I lost. It was the fact that I wasn't careful enough.


It is android version 12 and I downloaded the app from the playstore.


Hello. I own a multisig vault, created with offline hardware wallets. I also own cold storage where I also use passphrase. But, like everyone else I also had a hot wallet with some small amount in it. And I lost it. I wanna see what I did wrong and get better. The other two wallets are perfectly safe, technically speaking, as long as I also keep the backups safe.

I chose BW instead of Electrum for no obvious reason. Possibly the simplicity and the minimalistic approach. I have only used it for my hoy wallet though. Not for my other wallets.

Sorry about your loss. I hope you will soon find peace of mind.

From what I have read, I cannot tell you where you were not careful enough or how you could have stopped this from happening but I doubt it had nothing to do with 12 word or 24 word seed phrases. Although we all recommend you use 24 word, I doubt somebody brute-forced your seed phrase. I think what happened is that you might have a virus on your device or you stored your seed phrase in an unsafe way and somebody might stolen it without you noticing.

Best thing to do now is to get familiar with wallet security practices. OPSEC!

Everyone is sure that hacking will not affect them and this problem will surely bypass them, creating trouble for others. Anyone but me - this idea is familiar to everyone. It is easy to deceive yourself and end up with losses.

What was the reason for your choice of Bluewallet and not Electrum? Of course, this will not change anything, and most likely it would not have changed even before hacking, because the malicious program would certainly have stolen from the electrum wallet as well. In your situation, only hardware wallet could save the contents or the multi-sig.

Just the mistakes made and poorly built protection are used by attackers. There is only one solution: to minimize errors and try to be as safe as possible.

Blaming yourself will not change anything, but finding your mistakes and finding out where you made a mistake, with their subsequent elimination, will be more beneficial for you.

More likely, having 24 words would make it harder for a malware, but would not save your wallet from being stolen. Surely it would be possible to say if you figure out the attack vector.

You say you use Bluewallet, is it the android or iOS version (if applicable)? And where did you install it from, in the case of Android?

There are many 0-day vulnerabilities targeting older mobile OSes and it is possible that you were hacked with one of those.

If you have two devices I suggest like others said make a cold/offline wallet with Electrum but this time never connect that device to the internet and make a watch-only wallet in another device where you can monitor your funds and make unsigned transactions and only use the Electrum cold/offline wallet when scanning and signing a transaction. It is way more safer than using Electrum as a hot wallet.

Thank you very much! I will! At least I learnt something from my mistake.

Choose a good wallet software if you are to use a mobile app.

Wallets like electrum for example have an inbuilt or virtual keyboard. That way, when you are typing your seed, you do it through the virtual keyboard and not those third-party keyboards on your mobile device.

Also, even importing a wallet, do it offline.

Do you have in mind any keyboard that is relatively safe? Perhaps offline, or without cloud backup etc.

Maybe. Maybe not. Malware is obviously specifically designed to bypass the usual security protocols. And given that most phone firmware and most apps are largely closed source, who knows for sure? But I'm certainly not going to assume that Android or Apple have created the first 100% fool proof security system.

This is just one possibility. Don't assume this is definitely how your seed phrase was compromised, and that by using a different keyboard app that device is now safe. We can't say for sure what happened, so you should assume that device is compromised until you format it.

Thanks so much for the info. It makes absolute sense.

Possibly that's the reason why you've been hacked any 3rd party keyboard has some sort of cloud database that records your keystroke. I'm always using the default keyboard than using like Swiftlkey or Grammarly because they record my clipboard and keystroke. However, sometimes I use Grammarly but switch it back to the default keyboard when typing a password.

F*CK! I am so stupid... Anyway, what has been done, has been done. I will only use desktop wallets.

It's a trade-off between paying a transaction fee, or doubling the risk of using a compromised wallet. In this case, with a small wallet, I wouldn't have moved the funds, but instead use both wallets (the new one for receiving funds, the old one for paying until it's empty).

Really? Even when they're at the background? That would be a terrible flaw in Android!

Which syncs to the cloud. By the time you finished typing in your seed phrase, it was already on an unknown number of servers around the world.

This is true, indeed. Btw I am using Swiftkey as my main keyboard app.

Even the simple act of typing your seed phrase on your phone's keyboard is enough to result in it being stolen. Every app on your phone has access to your keyboard inputs. Any one of them could be maliciously logging your key strokes, or inadvertently leaking information. Your predictive text keyboard links up with Google/Apple/whatever servers to analyze and learn your writing style. I've even seen something as simple as a custom theme for your phone have a built in keylogger.

Assume that you have created a wallet using wallet A. Generally speaking, it's possible that there's a vulnerability in wallet A that may cause you to lose your fund. It's also possible that there's a malware which can attack wallet A if your device is infected with.
With importing your seed phrase into wallet B, you increase the risk of getting hacked. Now, you will lose your fund if there's a vulnerability in each of wallets A and B. It's possible that your device is infected with a malware that can attack wallet B while it has nothing to do with wallet A.

The more wallets you import your seed phrase in, the more attack vectors you open for hackers.

Still, I can't figure out why it is a bad idea. But, I can realise the fact that my seed phrase is imported into two distinct applications and this doubles the risk.

We don't know what exactly caused your wallet to be compromised, but you should never do this.
With importing your seed phrase into another wallet, you increase the risk of getting hacked. If you no longer want to use bluewallet or any other wallet for any reason and you want to use a different wallet, create a new wallet with a new seed phrase, make a transaction and send all the fund to that.

definetely. I will.


Now that you mention it, I have imported my seedphrase once to another application (blockstream green) because I was thinking of switching from BlueWallet to BS Green. I have forgotten it because it was a month ago and I never thought it was suspicious. I have downloaded the app from the playstore. After I decided to keep using Bluewallet instead of green wallet, I uninstalled the green wallet and kept using BlueWallet.

So, to summarize, I have created and used my wallet with BlueWallet. I have imported my seed phrase once to Blockstream green.

Yes hot wallet is not secured as we think but the carelessness of the user can also make the hacker to have access to the funds. Just like our living rooms are not secured but the way we protect the house will prevent arm robbers not to enter the house. But if they use extra measures to penetrate and that how wallet all is. The most important things to do in the protection of one's wallet is to keep your seed phrase and the password in very secure place. Don't disclose it to anyone unless you will it to someone.
In most time, our carelessness of login to another person device can also case this hack. And this is what is happening in this days. So one of the preventive measures is to steer clear from other people device with your wallet.

Hot wallets are insecure. This is just a fact of life. Yes, we all use them, but the funds in them are never truly secure. Think of all the apps on your phone, all the links you click on, all the files you download. Any one of these could contain malware.

Alternatively, are you absolutely certain no one could have accessed your seed phrase? You've never typed it in anywhere, or imported it to any other wallet, or saved it electronically, or even copied it to a clipboard? I've seen lots of cases where people have been careless just once, and that's all it takes for their coins to be stolen.

I guess it's #4. #3 would mean many more people would lose much larger amounts.
So backup your data, factory reset your phone, and start over.

Thanks. I have no sendable merit, but I appreciate your answer. In my opinion the most likely scenarios are (3), (4).

Take a look at the receiving address, and "CTRL-F bc1qs9gxwj6497yk" on that page, then scroll down. That highlights when the address received funds, when it sent funds, and when it sent funds to itself. Some of the transactions are consolidating, but at high fee. Some are splitting inputs. Both actions are a waste of transaction fees.

It's just a guess because I can't think of any other reason to create such transactions.

Is there any possibility to know some (most) of your seed words, without knowing all of them? I guess not, so this is the least likely scenario.

It's possible.

It's possible.

It's possible.

Option 5: someone had access to your phone for a moment, and swept your funds.

Ok, sorry my bad for both of the above.

Weird. It looks like someone was testing his malware backend.
[/quote]

If you want to explain further, I would appreciate it.

What does it mean that someone was testing his malware?

In my opinion there are the following options:
1. Someone tried to brute-force my wallet and they succeeded. Highly unlikely. Except if the attacker knew some of my words and therefore were able to reduce the search space.
2. Someone saw my seed phrase on my piece of paper. Highly unlikely. Since where I store my seed phrase nobody has access except for me.
3. My BlueWallet app is compromised somehow. I downloaded it from the playstore.
4. My phone is compromised somehow and someone gained access to my phone's storage.

However all those options seem too obscure to me and I can't understand how it happened.

You can't obfuscate addresses like this, it's trivial to find.

Weird. It looks like someone was testing his malware backend.

Hang on, I have been misunderstood, perhaps because english is not my native language.

So, I have a hot wallet on my BlueWallet application.

I have sent multiple time to an address that the website (windice.io) provided me, which was looking like this: 3J....... I don't show the exact address because I don't want to expose all of my transactions for privacy reasons.

So, my wallet had multiple transactions to the address above.

Then, suddenly, I have seen this transaction from my wallet: https://mempool.space/tx/dc8460f585ec591a3a8ee264f2604e868dfada4efdcc30eb4d21f97692289d37

The output address of this transaction is this one:  bc1qs9gxwj6497ykmj5txdk7aax0c6psyr62fwcuv6

I don't own the keys that generate this address.

I hope I made myself clear and I am happy to add any more information if needed.

You're contradicting yourself:

First, you say your Bitcoin was sent to the address above. Then you say it's from a website you've used, while you say you've never sent funds to that address. It doesn't add up. How do you know which website the address belongs to?

Yeah I guess they couldn't access my PK, but I still wonder how someone gained access to my wallet...

I remember this casino, they even advertised themselves in this forum, I think around 2018-2019. Let me look up the links

But I don't think a site would access your private keys (seeds) or something like that. There is a possibility there was some security lapse that led to the leakage of your private keys (seeds) recently or way back, and you can't remember.

Their ANN: ♨️🎲 WINDICE.io 🎲 Contests 🏆 TvT 🔰 Progressive Faucet💰 Jackpots 🎁❤
Their former Signature Campaign: Windice.io Signature Campaign(CLOSED)

Hello! So, what do you think has happened?

I can assure you that nobody has ever seen my seed phrase. But the phone may be compromised. I just can't understand what I see in mempool. I have never seen the receiving address before.

There is nothing suspicious with windice.
They gave you a deposit address and you sent bitcoin to that address. That's all. There is no way they can gain access to your private keys or seed phrase and make transaction from your wallet.

Sounds correct. My device is actually my phone. I really can't understand what went wrong... My seed phrase has never been imported to any other software apart from Bluewallet on my phone.


Nobody has access to my seed phrase (nor my phone) apart from me.

I have never sent money to this address but windice.io makes you always deposit to the same address (which is not the one where my money went).

Do you mean you've sent funds to bc1qs9gxwj6497ykmj5txdk7aax0c6psyr62fwcuv6 before?  That's where you're money went, did you log onto the roulette site to see if the funds are there?  Are you sure you didn't send the funds while on a fortified hookah bender, and just forgot?  Does anyone else have access to the device where you have the hot wallet?  

12 words are more than sufficient. 24 words are harder to brute force, yes, but brute forcing 12 words is already impossible. The number of words makes no difference if an attacker compromises your back up.

If the seed phrases from your multi-sig set up have never touched an internet connected device, then they remain as safe as possible.

What you should really be focusing on is how your hot wallet was compromised. How did you store the seed phrase back up, and did you import it anywhere else? It could well be that the device which was hosting this hot wallet is infected with malware, meaning you will need to think about formatting it and reinstalling your OS.

I had used Bluewallet all the way from the beginning till the end with this wallet. I created the seed phrase there = I created the wallet there and used it as a hot wallet.


As far as the multisig vault is concerned:
This is exactly how I have backed-up my wallet. In fact the only thing I have done using a device connected to the internet, it to monitor my wallet importing my xpubs to Sparrow which is connected to my personal electrum server.

I'm confused: you said you "originally" created the seed phrase in Bluewallet. Does that mean you imported your seed phrase elsewhere? Which wallet did you use, and how can the website you sent funds to have anything to do with that?

12 word seed phrases for 2-of-3 multisig wallet created on a hardware wallet is very safe and secure, you can not compare that with single sig online wallet which is far more vulnerable if you compare them both.

Having the backup in this order in different places also makes the backup to be safe:

Seed 1, MPK 2
Seed 2, MPK 3
Seed 3, MPK 1

Hello Loyce. It's not the amount... It's the fact I got  hacked... I have both a multisig vault and a cold wallet with passphrase. That's where I keep my entire net worth. I really couldn't afford losing it. That's why you see me desperate and forgive me for that...


As I said, it's from the website where I sent some sats to play roulette, I think it's a scam.


Thanks, I really appreciate this answer. It's what I thought anyway, so...

OP had less than 0.001BTC in a hot wallet. That's a totally acceptable amount to risk losing, and I assume OP has most of his funds in cold storage already.

The interesting part is the receiving address: bc1qs9gxwj6497ykmj5txdk7aax0c6psyr62fwcuv6: it received many more transactions, all within 24 hours. It looks like someone targeted many wallets at once.
Update: It gets weirder: many of those transactions are sending his own inputs to his own address: this transaction for example. I have no idea why.

I trust 12 seed words. You should look elsewhere, changing to 24 words will only give you a false sense of security.

It's not a hardware device actually. It's a seed signer, meaning it has no memory at all. My seed phrases are on paper on 3 different places. I am starting to think that I must create another wallet where each cosigner is 24 words long. Should I? Or am I ok?

Having the 2-of-3 multisig on hardware devices is very safe and secure. One of the best options to go for.

I also have a 2-of-3 multisig. All cosigners are 12 words long. They have all been generated using a hardware wallet which is airgapped. I am monitoring my wallet (as watch-only) connected to my own node.

I start to worry about this setup too now...

Sorry for your loss.

It might be a malware. But it might be an offline attack, like someone to see your seed phrase backup. Or when you give them your device or something like that and password is not enabled.

I will recommend you wallet on an airgapped device, a hardware wallet or Electrum 2FA wallet and make sure the 2FA is not on the same device your wallet is.

Not more secure during online attack or if the seed phrase is seen offline. But passphrase can help against offline attack.

Definitely a 24 seed phrase which is longer is more secure than 12 seed phrase since it has 256 bits of entropy compared to the 128 bits of 12 seed phrase. The probability of guessing the words accurately will be higher in 24 seeds than in 12 seeds. But still this doesn’t eliminate the fact that both will face same faith if exposed to malware.

From your post it seems you either might have caught malware or you expose your seeds either through phishing attack or any other way.

Going forward I would advice you prioritize offline method of storing your keys and seeds, because without taking full control of them even if you have 200 seeds as recovery phrases the same thing will happen without proper storage.

I have been hacked yesterday. I had 2 UTXOs in a single-sig, hot wallet. My seed phrase was 12 words long. I had originally created the wallet using Bluewallet.

Here is the transaction: https://mempool.space/tx/dc8460f585ec591a3a8ee264f2604e868dfada4efdcc30eb4d21f97692289d37

I don't know you the thief is, but I really wish that they lose all of their belongings.

Even though I had a single-sig wallet. Even though I had not used my own node to connect to. Even though I have done many mistakes, stealing is not acceptable...

PS: I think there may be something wrong with windice.io. I had sent some sats multiple times to play some roulette. Maybe they are doing something suspicious. Anyway, I will blame myself only...

Please, tell me that there is nothing wrong with 12 words seed phrases. Tell me it was malware and it would have happened even if I used 24 words... I need to hear this.