
Topic: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities - page 3. (Read 4624 times)

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I am pretty sure there is currently no malware capable of extracting a user's private keys except the official Ledger Recover program.
That would be my guess too. It makes you wonder though: how many hackers are trying to do this now? I would assume the seed leaves the device after encryption, and Ledger decrypts it on their end. But it might even be dumber than that. Just imagine malware that extracts the seed phrase right after connecting the device! Someone could earn scam billions if they pull it off!
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
How does that work?
I am pretty sure there is currently no malware capable of extracting a user's private keys except the official Ledger Recover program.

These fake apps could work in various ways. The spammers are mostly interested in your seed. So, they will think of a way why you need to enter your seed phrase into the fake app and not the Ledger hardware wallet. Next, Ledger HWs can't connect to fake Ledger Live software and 3rd-party servers pretending to be Ledger Live. The scammers can develop a malicious firmware that allows the device to connect to their software and servers. You would then generate a seed they know about or everyone is shown the same pre-generated one. It could be a combination of things.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I believe it's more the opposite, instead of sending it's receiving.
The fake wallet creates an address allegedly from Ledger, and then the victim thinks he is going to load his Ledger wallet, but he is actually loading the hacker's wallet.
That comes down to the same problem: not verifying the address on the hardware wallet. It could also work with a fake version of Electrum, hooked to a hardware wallet. It's convenient to copy the address only from Electrum, but it doesn't give you the security for which you bought the hardware wallet.

Then again, some people would just enter their seed phrase into a phishing website. Some people just don't want to learn.
legendary
Activity: 1638
Merit: 4508
**In BTC since 2013**
How does that work? Someone installs malware, enters their PIN on the Ledger, doesn't verify the address on the Ledger, and clicks send? If that's the case, why did they bother buying a hardware wallet?

I believe it's more the opposite, instead of sending it's receiving.
The fake wallet creates an address allegedly from Ledger, and then the victim thinks he is going to load his Ledger wallet, but he is actually loading the hacker's wallet.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
The scammers are still on the move and have made a fake Ledger Live app available for download in the Microsoft Store in the last few days. This app has generated almost 17BTC!
How does that work? Someone installs malware, enters their PIN on the Ledger, doesn't verify the address on the Ledger, and clicks send? If that's the case, why did they bother buying a hardware wallet?

Or is it much more advanced, like this: The user installs malware, enters their PIN on the Ledger, (fake) Ledger Live extracts the seed phrase and sends it to the attacker? I guess this scenario didn't happen yet, but that's just a matter of time now.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
And various versions of Ledger phishing emails are still making their rounds. Considering how profitable it is (based on the fact that over 16 BTC has been deposited to a scammer only since the end of October), I don't see it stop any time soon. There are so many people that aren't ready to have complete control over their money that it's frightening. 
legendary
Activity: 3122
Merit: 7618
Crypto Swap Exchange
The scammers are still on the move and have made a fake Ledger Live app available for download in the Microsoft Store in the last few days. This app has generated almost 17BTC!!!! stolen and sent to the following address: bc1qg05gw43elzqxqnll8vs8x47ukkhudwyncxy64q


https://twitter.com/zachxbt/status/1720961400313373127

However, Microsoft has announced that this fake app has now been removed from the store:


https://twitter.com/zachxbt/status/1721016371775943071
legendary
Activity: 1638
Merit: 4508
**In BTC since 2013**
One interesting thing I heard recently about a new upcoming "law" in the EU is that police could have the legal right to seize and take away crypto from you even if they don't have any proof against you; suspicion alone is enough for them.

I don't remember having heard of such a law, so "dramatic".
What happened was that the United Kingdom approved a law that now makes it possible to seize cryptocurrencies. But this only happens through legal action, at the same level that is done to seize other assets (houses, cars, properties, etc.). Furthermore, they are always dependent on whether the person agrees to give access to their wallets or not.
legendary
Activity: 2212
Merit: 7064
Cashback 15%
Coincover says it will never give up its share of the key, even if it receives court orders. Unless it's extremely radical, but...
It doesn't say anything "radical", they simply say legal obligation, that is just one phone call or visit from any law enforcement agency.

One interesting thing I heard recently about a new upcoming "law" in the EU is that police could have the legal right to seize and take away crypto from you even if they don't have any proof against you; suspicion alone is enough for them.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
But maybe there's still some folks out there that prefer paying a management fee over learning how to secure the coins themselves
I can imagine it "feels" safer and especially more familiar to see a number in your broker's account, than having to deal with your own transactions. People are used to buying ETFs this way.
But the management fee is a good one: I hate those! I wish I could just keep my own shares and store them by myself, instead of paying my broker and the fund owner.
legendary
Activity: 2912
Merit: 2066
Cashback 15%
Anybody who trusts Ledger with their keys, and thus their coins, is an idiot.

An idiot.

An idiot that pays for the privilege of being an idiot.


Are we allowed to call people who fall for this idiots? Cheesy
Anybody who trusts Ledger with their keys, and thus their coins, is an idiot.
Is this worse or better than people who trust exchanges or soon ETFs with their Bitcoins?

To be fair the ETFs are targeted towards an audience that would not get exposure to Bitcoin otherwise, though I'm not quite sure who those people would be outside of institutional investors. But maybe there's still some folks out there that prefer paying a management fee over learning how to secure the coins themselves -- as we can see with Ledger, the pitfalls of keeping coins secure are plenty.
legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
Even Ledger says not to use Recover if you care about your privacy:

Quote
"If, for you, your privacy is of the utmost importance, please do not use that product, for sure."
-- Ledger CEO Pascal Gauthier
https://youtu.be/M3VjQUcyZSY?t=2342

Anybody who trusts Ledger with their keys, and thus their coins, is an idiot.

An idiot.
Ledger should make this phrase the main slogan and place it in capital letters on its website. This would be the best, most honest marketing move on their part.


Are we allowed to call people who fall for this idiots? Cheesy
Anybody who trusts Ledger with their keys, and thus their coins, is an idiot.
Is this worse or better than people who trust exchanges or soon ETFs with their Bitcoins?
It's the same as trying to figure out the types of crap. But the most amazing thing is that there are people willing to take advantage of both.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Are we allowed to call people who fall for this idiots? Cheesy
Anybody who trusts Ledger with their keys, and thus their coins, is an idiot.
Is this worse or better than people who trust exchanges or soon ETFs with their Bitcoins?
member
Activity: 99
Merit: 153
Ledger's key extraction includes other companies.  What happens if those companies want to give up your keys?  Here's what Ledger's CEO says:

Quote
"These companies are not slaves to Ledger.  We just have commercial agreement."
-- Ledger CEO Pascal Gauthier
https://youtu.be/M3VjQUcyZSY?t=2393

Take a moment to really think about what he just said.  It's scary if you actually think about it.  This could easily be the next cycle's disaster in the making.

Quote
"Great, so now the Department Of Justice calls you and says "We are charging so and so with X, Y and Z.  Get two of your vendors to send us the Bitcoin keys."
-- Harry Sudock, discussing Ledger Recover with Ledger CEO Pascal Gauthier
https://youtu.be/M3VjQUcyZSY?t=2608

Even Ledger says not to use Recover if you care about your privacy:

Quote
"If, for you, your privacy is of the utmost importance, please do not use that product, for sure."
-- Ledger CEO Pascal Gauthier
https://youtu.be/M3VjQUcyZSY?t=2342

Anybody who trusts Ledger with their keys, and thus their coins, is an idiot.

An idiot.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
I was curious when they said that the other two parts of the key are in different jurisdictions. What jurisdictions will these be?
As we knew from before, Ledger is headquartered in France. The second shard holder is Coincover located in Wales. Lastly, we have EscrowTech, headquartered in the United States. The US and UK entities will find an agreement in no time if the shards need to be compiled by law enforcement. And France's Ledger isn't going to get themselves in harm's way if the right documentation gets presented to them.
legendary
Activity: 1638
Merit: 4508
**In BTC since 2013**
In turn, Coincover says it will never give up its share of the key, even if it receives court orders. Unless it's extremely radical, but...
Of course they will. They will never protect anyone other than their own business interests. They are obliged to share such information with the right government agencies if it's requested from them. They explain that in the first sentence in the quoted part that you shared. The second sentence states it's a criminal offence not to cooperate with law enforcement. The third one means absolutely nothing and is only there to make you feel safe. Saying that they will verify if the requests are legitimate is of no importance.

I was curious when they said that the other two parts of the key are in different jurisdictions. What jurisdictions will these be?

United States, Cuba, and Cayman Islands?  Roll Eyes
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
In turn, Coincover says it will never give up its share of the key, even if it receives court orders. Unless it's extremely radical, but...
Of course they will. They will never protect anyone other than their own business interests. They are obliged to share such information with the right government agencies if it's requested from them. They explain that in the first sentence in the quoted part that you shared. The second sentence states it's a criminal offence not to cooperate with law enforcement. The third one means absolutely nothing and is only there to make you feel safe. Saying that they will verify if the requests are legitimate is of no importance.
legendary
Activity: 1638
Merit: 4508
**In BTC since 2013**
On a serious note, this does bring up an interesting question. What happens if someone cancels their automated payment for Ledger Recover? Will they destroy the seed phrase from their storage and all their backups? I find that hard to believe, and you can't know for sure. Or will they just keep your seed phrase, but deny you access if you ask for it? Or will they just charge you a much higher "manual recovery fee" when you need it? Either way, I'm not going to find out Tongue
Good question.
This should be clearly written and explained on their website, like with any subscription services.
Maybe some ledger fanboy is willing to do a test sacrifice for all of us, and tell us what happens after cancelation Cheesy

I didn't sign up for the service to check, but according to the official website, you have up to 9 months to recover the subscription with an additional fee of €50, after 9 months it will no longer be possible to use the service. Since it is an extended period, I believe that the information will be deleted later.

What happens if I stop paying my subscription?
If you don't update your payment info and pay the subscription within 7 days, you won't be able to restore your private keys using Ledger Recover. If you don't regularize your payment within 3 months, your subscription will be suspended. After your subscription is suspended, you have 9 months to contact Ledger Recover Support and reactivate your subscription. You will need to pay an administration fee of 50 EUR along with any outstanding balance.


In turn, Coincover says it will never give up its share of the key, even if it receives court orders. Unless it's extremely radical, but...
Coincover will never pass your information to a third-party unless it has a legal obligation to do so. For example, law enforcement agencies often have extensive criminal investigation powers, including the ability to obtain production orders requiring information to be produced. It may result in a criminal offence for any entity supporting Ledger Recover to fail to comply with a production order, but Coincover would always take all reasonable steps to verify a production order before complying with it.

You should also note that the Recovery Seed Phrase (RSP) is encrypted and split into three fragments – all of which are held by independent companies established in separate legal systems. Since a minimum of two of three fragments would be required to gain access to your wallet, it is likely that an order would need to be obtained in at least two jurisdictions. These individual fragments are not exploitable on their own. Two of them would need to be recombined and decrypted with separate keys. Any order of this nature would realistically only ever be obtained in the most serious cases of criminality (such as where terrorist financing is suspected).

Coincover will never be able to access your seed phrase. Coincover or the other backup providers will only ever manage one encrypted fragment. We do not hold nor have access to the other fragments that make a complete seed phrase.
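The 2-of-3 property the quoted statement relies on, as an added example that is not part of the original post or Ledger's code: the page does not name the splitting scheme, so Shamir secret sharing over a prime field is assumed here, and the separate encryption layer the statement mentions is left out. The holder names come from the thread; the secret is a constructed random value.

```python
import secrets
from itertools import combinations

# Prime field large enough for a 256-bit secret (2**521 - 1 is a Mersenne prime).
P = 2**521 - 1
HOLDERS = ("Ledger", "Coincover", "EscrowTech")  # custodians named in the thread


def split_2_of_3(secret: int) -> dict:
    """Split `secret` into three shares; any two recover it (assumed scheme)."""
    if not 0 <= secret < P:
        raise ValueError("secret out of range")
    slope = secrets.randbelow(P)  # random degree-1 coefficient, discarded afterwards
    # The share for holder number x is the point (x, secret + slope * x mod P).
    return {name: (x, (secret + slope * x) % P)
            for x, name in enumerate(HOLDERS, start=1)}


def recover(share_a, share_b) -> int:
    """Interpolate the line through two shares and evaluate it at x = 0."""
    (x1, y1), (x2, y2) = share_a, share_b
    if x1 == x2:
        raise ValueError("need two different shares")
    return (y1 * x2 - y2 * x1) * pow(x2 - x1, -1, P) % P


def slope_explaining(share, candidate_secret: int) -> int:
    """Slope that makes ONE share consistent with any candidate secret."""
    x, y = share
    return (y - candidate_secret) * pow(x, -1, P) % P


def demo():
    entropy = secrets.randbits(256)  # constructed stand-in for wallet entropy
    shares = split_2_of_3(entropy)
    # Every pair of holders can rebuild the secret without the third.
    pairs_ok = all(recover(shares[a], shares[b]) == entropy
                   for a, b in combinations(HOLDERS, 2))
    # A single holder cannot rule out any guess: some slope always fits it.
    guess = secrets.randbits(256)
    x, y = shares["Coincover"]
    fits = (guess + slope_explaining(shares["Coincover"], guess) * x) % P == y
    return pairs_ok, fits


if __name__ == "__main__":
    print(demo())
```

The security of the arrangement therefore rests entirely on no two holders combining their fragments, which is the point the posters are debating.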
legendary
Activity: 2212
Merit: 7064
Cashback 15%
Keep in mind, those older devices use closed source firmware too, so you have no way of knowing if your device has a backdoor giving Ledger - or whoever - access to your seed:
I hope they didn't fire btchip co-founder and worst reddit mod just because of that statement, this was just one of his many semi-truths he said Smiley

On a serious note, this does bring up an interesting question. What happens if someone cancels their automated payment for Ledger Recover? Will they destroy the seed phrase from their storage and all their backups? I find that hard to believe, and you can't know for sure. Or will they just keep your seed phrase, but deny you access if you ask for it? Or will they just charge you a much higher "manual recovery fee" when you need it? Either way, I'm not going to find out Tongue
Good question.
This should be clearly written and explained on their website, like with any subscription services.
Maybe some ledger fanboy is willing to do a test sacrifice for all of us, and tell us what happens after cancelation Cheesy
legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
Ah so don't expect any sort of useful answer.
Unless they have received new and updated instructions about what to say regarding technical questions about their Ledger Recover service. Ledger is sending vibes as if their internal departments are completely out-of-sync and not working together properly. A normal company would first train and instruct its support about what they need to do. There would also be coordination between marketing and development. Here, it's like everyone is doing their thing with no common goal. When all this nonsense started, Ledger support was basically, we have no idea what is going on, let's just wait for the marketing or development teams to tell us how to proceed.
Maybe this is exactly how it all happens, that the company is in internal chaos. We don't know. Smiley This is indirectly hinted at by leaks of personal data, which would not have occurred if all internal processes had been properly built and adjusted. This is another reason to doubt whether it is worth using the products of such a company, because your finances are seriously at stake.