Ledger hacked or not? 100k lost | Bitcointalksearch.org

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: bitmover on August 24, 2020, 02:47:00 PM

I will pay much more attention now when spending altcoins (I don't have much anyway)

I have suggested for a long time now that people should make more use of multiple different passphrases, and this seems to be another good reason to do so. If each of the different coins you store on your Ledger device were stored behind a different passphrase, then it would be impossible for this vulnerability to affect you.

However, I appreciate this wouldn't be easy for ERC20 tokens, since they are stored on standard Ethereum addresses and you need some Ethereum on said address to be able to spend/transfer them, so you would be forced to hold a few dollars worth of Ethereum in multiple different addresses, one for each token. In this case, there really is no substitute for paying close attention to what your hardware wallet is displaying on the screen and double and triple checking it matches the transaction you wish to make.

bitmover

legendary

Activity: 2352

Merit: 6089

bitcoindata.science

Quote from: o_e_l_e_o on August 24, 2020, 02:34:28 PM

At most, a fake or malicious software wallet can push a malicious transaction to the hardware wallet. That transaction will only be signed and broadcast if the user presses the physical buttons on the Ledger device required to accept it. If the user rejects the transaction, then it cannot be signed and cannot be broadcast.

I agree. This is , as far as I understand, exactly the case in this recent exploit:

Quote

This path restriction was not enforced for the Bitcoin app and most of its derivatives, allowing a Bitcoin derivative (eg. Litecoin) to derive public keys or sign Bitcoin transactions.

https://donjon.ledger.com/lsb/014/

As the user is already spending some altcoin, it is easy to be fooled and click the button for a bitcoin transaction while using a fake mew.

I will pay much more attention now when spending altcoins (I don't have much anyway)

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: mpufatzis on August 24, 2020, 12:58:27 PM

Is it possible a fake MEW to compromise Ledger (without entering somehow the seed)?

We can never say never, as there could be a vulnerability we don't know about, but there is currently no known way for a fake MEW to compromise a Ledger device.

At most, a fake or malicious software wallet can push a malicious transaction to the hardware wallet. That transaction will only be signed and broadcast if the user presses the physical buttons on the Ledger device required to accept it. If the user rejects the transaction, then it cannot be signed and cannot be broadcast.

In terms of the recently discovered Ledger exploit - if there was a similar exploit for Ethereum and ERC20 tokens, then theoretically someone trying to transfer Ethereum or a token to an address could be tricked in to also transferring some other token to that address. There is, however, currently no known exploit which could achieve this.

mpufatzis

full member

Activity: 840

Merit: 128

Is it possible a fake MEW to compromise Ledger (without entering somehow the seed)?
Ledger is supposed to sign transactions even to infected PCs....

Quote from: bitmover on August 14, 2020, 09:22:12 AM

It is possible that he used a fake MEW or something like that, that could lead to some other exploit similar to that one from last week:
https://support.ledger.com/hc/en-us/articles/360015738179

I don't know if the two incidents are related.

I am worried about my ledger now....

Masterswarm

jr. member

Activity: 54

Merit: 6

While this guy's Ledger was not hacked, to be cautious, people should be running multi-sig setups with both a Ledger and Trezor.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: bob123 on August 18, 2020, 06:26:21 AM

The fact not a single address or txid has been posted, makes me believe that it is the latter.

Although he didn't release the TXID, there was a transaction for 17,000,000 of this token made a few hours before his tweet - https://etherscan.io/tx/0x479ee89c7cb976348f41cd66ba7232a95dadbf6026d12ca91d420b06918f7a01. These 17 million tokens were then moved again a few minutes later to a Uniswap contract.

Quote from: bob123 on August 18, 2020, 06:26:21 AM

Usually, when people make dumb things, they start with pretty useless information and then release more and more useful information to actually figure out where they messed up. Not in this case.

He has since made a couple more tweets, again saying that this wasn't the fault of his Ledger device but being completely vague as to what actually happened:

Quote from: https://twitter.com/StackingUSD/status/1295596198968131584

Do not interpret this as an endorsement as everyone is responsible for their own funds, but I believe the issue lies MUCH deeper than a hardware issue or P-key leak. I will shed light on this as soon as I can. To be best of my knowledge, @Ledger is #safu.

What is he hinting at here? Much deeper than a hardware issue? Either the code of the shitcoin he is shilling is filled with bugs, or he is still trying to cover up his own stupid mistakes.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: TopTort777 on August 15, 2020, 04:13:39 AM

Could this be somehow connected to resent Ledger security breach, when about 10k users private data was stolen? Could this stolen private info help “current topics hacker” to stole 100k usd?

No.
Ledger does not have any information about you which could help to bruteforce your mnemonic code or access your seed in any other way.

I'd say this person either was extremely stupid and negligent (which is pretty likely) or it is just a plain lie.
The fact not a single address or txid has been posted, makes me believe that it is the latter.

Usually, when people make dumb things, they start with pretty useless information and then release more and more useful information to actually figure out where they messed up. Not in this case.

DaveF

legendary

Activity: 3500

Merit: 6320

Crypto Swap Exchange

Quote from: dkbit98 on August 15, 2020, 07:05:11 PM

He is a sucker if he really did that and got scammed by fake phishing ledger, but I still have some doubts and think that one of o_e_l_e_o theories may be close to truth, and he wanted to avoid paying taxes (with gains he made during this bull market), so he staged the whole show in public.
Just my crypto conspiracy theory and I could be totally wrong

Interesting thought however. If they were airdropped to him, or given to him as an advisor on the project (depending on where they live) they might still be responsible for the taxes. If your boss gives you an oz of gold instead of a paycheck and you drop that gold and never see it again, your boss still paid you and you still owe taxes on it.

Back to the main point, still looks like it was his fault and the fact as many have said, that he never said what happened just looks funky.

-Dave

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: Lucius on August 16, 2020, 05:06:03 AM

This example proves that no matter what someone has $100k in crypto (although that fact is also questioned in this story), this does not mean that he has enough intelligence to follow the simplest instructions such as downloading software from the official site, or not entering his seed anywhere except in the hardware wallet.

The kind of person who owns $100k worth of some random ERC20 token is almost certainly someone who took a wild punt on some ICO and happened to hit the jackpot when it pumps and dumps. For everyone one person who gets rich on a shitcoin, there are a thousand more who lose all their money. I would say that people throwing their money in to random altcoins and hoping to get rich quick are far less likely to be clued up on good security practices and the technical side of owning crypto than someone who owns $100k worth of bitcoin.

Reading through his tweets, he also admits to be an "advisor to the project", so I wouldn't be surprised at all if his 17 million tokens were airdropped to him for nothing.

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

Quote from: o_e_l_e_o on August 15, 2020, 08:55:07 AM

This is one of three things:

And a fourth:
He fabricated this in a hope to get some money off Ledger to shut up.

I've done a 300$ worth of ERC-20 tokens transaction with Ledger and MEW less than one week ago and all went just fine. And all the expected funds are still in place.
So I'd go for the 3+1 list of possible causes for those posts.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

This example proves that no matter what someone has $100k in crypto (although that fact is also questioned in this story), this does not mean that he has enough intelligence to follow the simplest instructions such as downloading software from the official site, or not entering his seed anywhere except in the hardware wallet.

I'm not surprised that this genius may want to hide his shame, but it's pretty frivolous that Ledger didn't reveal what actually happened, but indirectly tells us what may have happened - another illogical move on their part.

sunsilk

hero member

Activity: 3038

Merit: 634

Quote from: ?? on ??

Quote from: sunsilk on August 15, 2020, 12:49:03 AM

I'll agree that it could be the guy's fault.

must say fault resulted from his carelessness and inattentiveness. Even if he was caught up on the hook of the fishing site Ledger had displayed him the receiving address to check before signing transaction. Likely he didn't do that and paid the price.

It's a case-closed. It's his fault and the analysis of o_e_l_e_o is correct, it's either of those factors which led the complainant's negligence of losing his funds.

The guy took the attention of many crypto folks especially, Ledger's and whatever his agenda is, it brought me a short-time fear for my own self-keeping. I commend Ledger's response and how they're willing to help the guy although it's after-sales.

I wonder if Ledger will go after him with the buzz and after damaging their reputation with what he's done.

joniboini

legendary

Activity: 2170

Merit: 1789

Quote from: dkbit98 on August 15, 2020, 07:05:11 PM

He is a sucker if he really did that and got scammed by fake phishing ledger, but I still have some doubts and think that one of o_e_l_e_o theories may be close to truth, and he wanted to avoid paying taxes (with gains he made during this bull market), so he staged the whole show in public.

There's no evidence but it is definitely weird. If I lose that much I'd be stressed out like hell unless I'm a whale with 10 millions cash to burn everyday. At least this means Ledger is still safe to use, and not really surprising at all since most 'hacking' method that have been published require access to the HW itself.

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: HCP on August 15, 2020, 06:55:15 PM

100% he either entered his 24 word recovery phrase into either a fake version of Ledger Live or a phishing website etc when he reset his seed a week ago.

Sucks his lost so much, but I'd have way more respect for him if he explained what actually happened instead of these somewhat "vague" tweets which are the twitter equivalent of "nevermind, I fixed it" posts on forums Roll Eyes

He is a sucker if he really did that and got scammed by fake phishing ledger, but I still have some doubts and think that one of o_e_l_e_o theories may be close to truth, and he wanted to avoid paying taxes (with gains he made during this bull market), so he staged the whole show in public.
Just my crypto conspiracy theory and I could be totally wrong

HCP

legendary

Activity: 2086

Merit: 4361

Just... wow! Roll Eyes

I'm guessing the fact that he retweeted the Ledger "Phising" warning, and then publicly apologised to Ledger is the biggest indicator of what happened:

100% he either entered his 24 word recovery phrase into either a fake version of Ledger Live or a phishing website etc when he reset his seed a week ago.

Sucks his lost so much, but I'd have way more respect for him if he explained what actually happened instead of these somewhat "vague" tweets which are the twitter equivalent of "nevermind, I fixed it" posts on forums Roll Eyes

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

What utter nonsense. He had the equivalent of $110,000 stolen, and in the space of less than 12 hours went from threatening Ledger with "you will repay me", to "I'm content moving forward". He has also been completely silent on what actually happened.

This is one of three things:

He did something so monumentally stupid that he is embarrassed by the whole thing, such as type his seed phrase in to a website
He fabricated the whole thing for tax evasion or money laundering purposes
He fabricated the whole thing to advertise a shitcoin

Regardless, almost certainly nothing to do with Ledger and no security vulnerability of the hardware device.

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

Quote from: Bttzed03 on August 15, 2020, 06:55:02 AM

It's definitely a user error. He probably asked Ledger's support not to disclose the findings in exchange for his apology because it's embarrassing.

Or it is the most common attempt to attract attention in order to promote something else, such as some shitcoins that the user normally promotes. People are not so stupid as not to see what is happening, and when someone avoids giving an answer to the simple question "What actually happened" everything can be reduced to this tweet :

Quote from: https://twitter.com/Atmos_Black/status/1294593992408076289

Since you aren't telling people what happened and how it got resolved, this whole shitshow starts to sound like a cheap marketing campaign for the shitcoin you are promoting.

Bttzed03

legendary

Activity: 2114

Merit: 1150

https://bitcoincleanup.com/

Without disclosing what actually happened, the guy has apologized to Ledger

Quote from: https://twitter.com/StackingUSD/status/1294451182723837952

I want to take a moment to apologize to the @Ledger team. @Ledger_Support was very swift & helpful, despite my attitude. I let my emotions get the best of me, reacting w/o thinking. Rationale & respect went out of the window, and for that I apologize.

Thank you, Team #Ledger.

It's definitely a user error. He probably asked Ledger's support not to disclose the findings in exchange for his apology because it's embarrassing.

He's moving on now and continue with his shills.

Quote from: https://twitter.com/StackingUSD/status/1294468309585481728

I reached out to a lot of exchanges & contacts today, unfortunately they were unable to assist.

I quickly contacted @TomMarchi from @Sentivate & the team was ready to assist instantly. With that being said, I'm content moving onwards and consider this matter concluded.

I guess its time to end the discussion here.

DaveF

legendary

Activity: 3500

Merit: 6320

Crypto Swap Exchange

Quote from: TopTort777 on August 15, 2020, 04:13:39 AM

Could this be somehow connected to resent Ledger security breach, when about 10k users private data was stolen? Could this stolen private info help “current topics hacker” to stole 100k usd?

No and yes and no.
No, there is no way that knowing that info will get you into someones PC or Ledger.
Yes, in the fact that it might make you more vulnerable to Spear Phishing or a more targeted attack.
No, in the fact that if the above did happen the user would still have to "do something wrong" somehow.

-Dave

TopTort777

legendary

Activity: 2478

Merit: 1492

Could this be somehow connected to resent Ledger security breach, when about 10k users private data was stolen? Could this stolen private info help “current topics hacker” to stole 100k usd?

Topic: Ledger hacked or not? 100k lost (Read 383 times)