Author

Topic: Is it possible to hack a digital currency wallet? (Read 190 times)

legendary
Activity: 2730
Merit: 7065
There are many ways to hack digital wallets:
There are, but it also depends on the type of wallet.

- Phishing Emails
Don't get phished. There is no reason to be curious and click on every link you see. Don't click on unknown links from random people you don't trust or you aren't expecting will PM you.


- Malware and Viruses
They can cause no harm to hardware wallets (except a clipboard hijacker that can change the destination address, but if you pay attention to the address displayed on your devices' screen, you will notice it), papers wallets, and airgapped devices.


- Browser Extensions and Plug-ins
This is similar to phishing links. In most cases, there is no reason to use the majority of them. If you absolutely have to, ensure you are downloading the real thing.
member
Activity: 1165
Merit: 78
Please give your opinion in this regard, I am Iranian and I speak Persian, I can not speak much English, if one of my Persian friends helps me, I will raise a discussion in this regard.
Yes, it possible to hack a digital currency wallet but 97% of digital cursency wallet hacked were through the owner errors while the other 3% are due to some technical flaws, this is why the crypto community preferred an open-source wallet so the community can do the needful reviews about the wallet.
jr. member
Activity: 147
Merit: 6
There are many ways to hack digital wallets:
- Phishing Emails
- Malware and Viruses
- Browser Extensions and Plug-ins
staff
Activity: 3304
Merit: 4115
@Welsh and @bob123
You're both right, the biggest "attack vector" is indeed the user... I certainly agree with that, but when i wrote my post, for some reason, i was thinking about the semi-technical attackvectors instead of the PICNIC "vectors" Smiley. (for those who don't know this acronym: i picked it up in one of my first jobs where i had to man the helpdesk for 1 day a week => PICNIC = Problem In Chair, Not In Computer..... aka 90% of the helpdesk calls)
Yeah, I think I understood where you were coming from when I made my reply, I just wanted to make it clear for others reading that generally, you don't have to worry too much about the software, but rather your own behaviour, and habits. I think we've all at some point in our lives, potentially compromised ourselves by not thinking or being complacent.

Software at least gets seen by multiple eyes, but generally when it comes down to user error, you act on instinct or in other words don't give much thought to it, and that's when your more prone to being compromised.

The issue is that, again generally speaking, most "Digital Currency Wallets" provide mechanisms to make the required amounts of time, money and resources so vast that it is simply not temporally of economically feasible to do so.
This is especially true for normal average people. If you are particularly famous or a lot of people know that you have a lot of money, then you might be more prone to attacks. However, the principles are the same, its generally not the software you should be worried about, but your own habits, and personal security.
 
HCP
legendary
Activity: 2086
Merit: 4361
Generally speaking, almost anything is hackable given enough time, money and resources... I don't see why "Digital Currency Wallets" would be any different.

The issue is that, again generally speaking, most "Digital Currency Wallets" provide mechanisms to make the required amounts of time, money and resources so vast that it is simply not temporally of economically feasible to do so.

And then users use passwords like "password" or "abc123" or + etc. Roll Eyes
legendary
Activity: 2702
Merit: 4002
A ـhackـ can take place even from within the network if its does not have enough hashing power to prevent 51% attack to control over it, or if all nodes are managed by central units such as BSC.

So in short, it's a game of probabilities, the more you use X the less likely you are to be hacked.
Things that may increase your security:

 - Open source *wallet* reviewed by lots of experts.
 - wallet seed were created in an offline environment.
 - wallet seed/passwords are stored securely, so that no one can access them.
 - A currency with good hashing power was used that made it impossible for one party to control the network.
 - The address was not re-used again.
legendary
Activity: 3584
Merit: 5243
https://merel.mobi => buy facemasks with BTC/LTC
@Welsh and @bob123
You're both right, the biggest "attack vector" is indeed the user... I certainly agree with that, but when i wrote my post, for some reason, i was thinking about the semi-technical attackvectors instead of the PICNIC "vectors" Smiley. (for those who don't know this acronym: i picked it up in one of my first jobs where i had to man the helpdesk for 1 day a week => PICNIC = Problem In Chair, Not In Computer..... aka 90% of the helpdesk calls)

But yeah, most of the cases i've seen over the years were because users where phished, gave away their private keys, clicked links they weren't supposed to, didn't verify signatures, saved seedphrases (or walletfiles) in the cloud, didn't encrypt their wallet (or encrypted it with a very weak password), gave away their seedphrase, were running aged versions of wallet software, ...

Offcourse, this isn't very wallet-specific... It doesn't matter if you made the (in my opinion wrong) choice to use an online custodial wallet or if you use an airgapped setup: if the user's opsec isn't good, he's a prime target for scammers and thieves Smiley
legendary
Activity: 1624
Merit: 2481
~snip~
In a desktop wallet, the main attack vectors are vulnerability's in the software wallet itself [...]

In a paper wallet, the biggest potential vulnerability is probably the RNG [...]
~snip~

The main attack vector is always the person the wallet belongs to.

If i had to compromise a wallet, i'd always first start with the person itself. Spear phishing seems to be the easiest approach here.
While this obviously isn't a huge issue for technically versed people, it still is dangerous for the majority.

If i had to guess, i'd say that less than 5% of coins are stolen through true vulnerabilities. I guess the majority gets stolen because of phishing and malware (i.e. the user is at fault).




Also another way for hackers to steal anybody else's crypto is if they discover a vulnerability in a particular wallet software. Then they can run a phishing campaign and lure unsuspecting people to download the malware they make and exploit the vulnerability.

A phishing campaign together with malware has nothing to do with the software or any potential vulnerability of such software.
If the software and hardware is perfectly secure, the wallet can still be compromised if you can get someone to download your malware.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Also another way for hackers to steal anybody else's crypto is if they discover a vulnerability in a particular wallet software. Then they can run a phishing campaign and lure unsuspecting people to download the malware they make and exploit the vulnerability.

This usually targets people who run old versions of wallet software, so it's best to always keep your wallet up to date.
staff
Activity: 3304
Merit: 4115
It's very hard to answer your question because the term "wallet" is very broad. Also, this isn't just an easy discussion... You can probably write a master thesis on this subject, and you still would not have covered every aspect.
Yeah, but the question is can "digital currency wallets" be hacked; which the simple answer would be; yes. However, you are quite right that there are factors to be considered when you are looking at an individuals wallet, how they secure it, how they use it, how often they use it, what medium is it stored on, do others have access to the computer, how secure is your password, and a bunch of other variables that I won't even get into to.

However, the simple answer is that given the right information or access a wallet that stores your Bitcoin could potentially be compromised, and therefore you should try every mitigating factor that is feasible to you to try, and prevent that.

In a desktop wallet, the main attack vectors are vulnerability's in the software wallet itself, the use of a weak password (so it can easily be brute-forced), physical access to the machine holding the wallet,... Also, the storage of the seed phrase and wallet files are potential vulnerability's
In these instances given though, its not down to the software. Its down to how the user is using the software. So, how secure the user has made their password, how they intend to remember that password, i.e do they store it on paper, where do they store that paper, and does anyone else know that they use that password. In terms of physical access, that is another flaw in the persons security rather than the software itself. Same goes for the storage of the seed phrase, and wallet files. Although, definitely I'm not claiming that the software cannot be compromised, but the listed reasons would be down to the fault of the person, rather than the software used. Which would likely be the weakest part of anyone's security, the person as with most other things.
legendary
Activity: 3584
Merit: 5243
https://merel.mobi => buy facemasks with BTC/LTC
It's very hard to answer your question because the term "wallet" is very broad. Also, this isn't just an easy discussion... You can probably write a master thesis on this subject, and you still would not have covered every aspect.

In these matters, it might be a good idear to give a specific usecase and discuss it instead of making broad claims... For example, you could ask what the biggest potential vulnerability would be if you'd run electrum 4.1.0 on a dedicated linux box running centos 7.0 with firewall enabled, configured for running on Tor, wallet encrypted with a 30 character random password generated by keypass and stored on 2 usb sticks. The seed also stored in the same keypass db.
In such cases, it becomes much easyer to give you pointers as to which errors you might have made (for example: you're not running the latest electrum version and you did not verify electrum's signature....)


In an online custodial wallet, hacking might not be the biggest problem. They can lock your account, do an exit scam, or a company employee can rob you blind. Other than that, you can fall into a phising trap, you can lose your credentials (or they can get stolen), you can fall for a MITM, your credentials can be brute-forced, you can have spyware (or other malware) on your pc

In on online non-custodial wallet, the wallet company should not be able to lock your account, do an exit scam or employee thefth should also not happen (offcourse, this depends on the actual implementation, vulnerability's might still exist), but all the other attack vectors are the same for a custodial and non-custodial wallet.

In a desktop wallet, the main attack vectors are vulnerability's in the software wallet itself, the use of a weak password (so it can easily be brute-forced), physical access to the machine holding the wallet,... Also, the storage of the seed phrase and wallet files are potential vulnerability's

In a hardware wallet, usually physical access is required, but if somebody steals your seed phrase, you lose everything

In a paper wallet, the biggest potential vulnerability is probably the RNG... Unless you did not disconnect from the internet while creating your paper wallet (in this case, you might have exposed yourself to a bunch of potential attacks)

In an airgapped wallet, the biggest weakness is probably where you stored the backup of the wallet or the seed phrase... Unless you used some very old, vulnerable, wallet software with a buggy RNG


This list is far from exhaustive.. Like i said, you can probably write a master thesis on this subject, and still not cover every aspect.
newbie
Activity: 6
Merit: 0
Please give your opinion in this regard, I am Iranian and I speak Persian, I can not speak much English, if one of my Persian friends helps me, I will raise a discussion in this regard.

In the following link, I explained this topic in a very basic way in Persian, if someone helps, I will raise this issue in English.

https://virgool.io/@matinbeigiwp/%D9%87%DA%A9-%D8%A8%DB%8C%D8%AA-%DA%A9%D9%88%DB%8C%D9%86-%D8%B1%D9%88%D8%B4-%D9%82%D8%B7%D8%B9%DB%8C-%D9%87%DA%A9-%D8%A8%DB%8C%D8%AA-%DA%A9%D9%88%DB%8C%D9%86-wjdk3fipcgpp
legendary
Activity: 3472
Merit: 10611
It depends.
The hacker would require physical access to the wallet file, which if you use cold storage (wallet on an air gap computer) they should never gain.
Then there is a matter of encryption. If a properly strong password is chosen to encrypt the wallet, even if the hacker were to gain access to the file they could never break it.

"Brute forcing" which the misleading post above is talking about is different. If you have forgotten your own password but remember some parts of it you can reduce the search space significantly, or if you have used a very weak password then it becomes easier to search the much smaller number of permutations to find the correct one.
member
Activity: 182
Merit: 30
Very easy if you have the wallet file, start with 'john the ripper' for wallets, google it, [ hashcat is super good] look for article's online that teach you how to use these tools

I recently forgot my wallet password for my ETH wallet, and it had $$ bummer max, but I was able to find the 'lost' password in 1-2 days, I had 3 machines running con-currently, they support GPU's super fast.

[ actually I had forgot about this wallet from an address I had setup years ago, when I tried to open the account I realized I didn't know the correct password. So what I did is make a list of all passwords I have ever used for the past ten years", and like I said 2-3 days on 3 computers running and the slowest computer found it, it was "InaWorldofFencesNobodyNeedsBillGates%%xx00xx", I mean hell how in the well could have cracked that, but it did Smiley

Almost all the hacking, or cracking I should say support all file formats, which includes all wallet formats for all crypto.

There is usually in the file-name, or the first few bytes of the wallet info that tells about the crypto-algo used, you plug that into JTR, and away you go; It helps if you have a clue about what the original password is-was,  you can add a file of 'hints', which helps a lot, if the password is say 20 random characters that can take months to crack;

But if the password was "Ilovedogxxxx", and you don't remember what xxxx value was, then that can be found in a few minutes.

Lots of new versions of 'ripper' that support GPU, just make sure before you do this,you have the wallet-file, that you have a super-fast machine, with GPU's; This is not a task for your handheld mobile phone, this is cmd-line stuff, if your a GUI  dependent your up shit creek.
copper member
Activity: 66
Merit: 0
Bitway.net
I just hacked my own ethereum wallet using hashcat.
newbie
Activity: 6
Merit: 0
Please give your opinion in this regard, I am Iranian and I speak Persian, I can not speak much English, if one of my Persian friends helps me, I will raise a discussion in this regard.
Jump to: