
Topic: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities - page 5. (Read 5423 times)

legendary
Activity: 2730
Merit: 7065
But here comes another hardware issue. You cannot directly browse the addresses it has on the hardware. You always need software to validate.

At least, in the test I did today, if I simply connect the Ledger to the PC, without opening any software, using just the Ledger display, I cannot see any address.
It depends on the hardware wallet. Ledger and Trezor don't have such options, but airgapped devices, such as the Coldcard or Seedsigner, have functionalities that allow you to see a series of BTC addresses on the HW's screen. Regardless if they do, you don't need it. You should first compare the address you are sending to with the original source. Once the transaction is ready and before signing and broadcasting, you check each detail on the hardware wallet screen. It's like a second-factor-authentication. Confirm the transaction only if everything matches. 
sr. member
Activity: 630
Merit: 314
CONTEST ORGANIZER
...

I don't want to justify anything but it's mainly the users who are to blame for their losses. They installed a software on their computer from which they do their crypto stuff and wallet handling that they didn't verify to be legit via the original Ledger website. (Yes, I'm aware that Ledger doesn't make it very easy to check their own software via crypto hashes or signatures; another reason to avoid Ledger crap.)


It's always the same, the weak link is always PEOPLE AND THEIR LAZINESS; no matter what a company does for security, if dumb or lazy people are in the combo, 90% of "hacking" is because of some eploy making idiots clicks enter credentials or give it to X people. It's more social engineering than real hacking.

As an example of this laziness, 70% of people don't check if a website has its SSL certificates working, don't check if they are linked to a real company; in the case of electronic commerce they also don't look at the bottom of the page to see if they have the correct certificates from the government, or a real social media profile, etc.

And I'm talking about BASIC stuff; they are like horses with blinders, they only see the offer ahead, the promotion, and want to take the opportunities no matter the risk.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
But here comes another hardware issue. You cannot directly browse the addresses it has on the hardware. You always need software to validate.

At least, in the test I did today, if I simply connect the Ledger to the PC, without opening any software, using just the Ledger display, I cannot see any address.
That's not an issue. Most hardware wallets are designed to be used in combination with software running on a computer. You're not supposed to get an address from just the hardware wallet. It wouldn't know transaction data anyway.

Some blame goes to Micro$oft who allowed such a malware in their security section of the app store without verifying that it actually comes from Ledger, Paris.
Lol. Microsoft has produced insecure software for decades. Isn't that the reason people bought hardware wallets in the first place?
full member
Activity: 1008
Merit: 139
I believe it's more the opposite, instead of sending it's receiving.
The fake wallet creates an address allegedly from Ledger, and then the victim thinks he is going to load his Ledger wallet, but he is actually loading the hacker's wallet.
That comes down to the same problem: not verifying the address on the hardware wallet. It could also work with a fake version of Electrum, hooked to a hardware wallet. It's convenient to copy the address only from Electrum, but it doesn't give you the security for which you bought the hardware wallet.

Then again, some people would just enter their seed phrase into a phishing website. Some people just don't want to learn.

But here comes another hardware issue. You cannot directly browse the addresses it has on the hardware. You always need software to validate.

At least, in the test I did today, if I simply connect the Ledger to the PC, without opening any software, using just the Ledger display, I cannot see any address.

In this sense, if the software a person uses is fake, they run into serious problems and have no way of validating it.

This whole situation is pretty confusing to me.  I don't get why someone would use that fake Ledger browser extension to access their wallet instead of just using Ledger's normal app.  Seems like it'd be less complicated to stick with the real deal.

My guess is the fake extension probably changed the recipient address so the coins got sent to the scammer.  But then the user just confirmed it without double checking the actual Ledger screen.  I can't believe people are so careless when transferring such huge amounts of money.  We're talking like tens of thousands of dollars here, not chump change.  But I guess some folks get lazy or too trusting.  It's crazy irresponsible if you ask me.
hero member
Activity: 714
Merit: 1010
...

I don't want to justify anything but it's mainly the users who are to blame for their losses. They installed a software on their computer from which they do their crypto stuff and wallet handling that they didn't verify to be legit via the original Ledger website. (Yes, I'm aware that Ledger doesn't make it very easy to check their own software via crypto hashes or signatures; another reason to avoid Ledger crap.)

How does that work? Someone installs malware, enters their PIN on the Ledger, doesn't verify the address on the Ledger, and clicks send? If that's the case, why did they bother buying a hardware wallet?

It could be that the victims didn't pay attention to check the transaction details before they confirmed to sign the transaction with their Ledger hardware wallet, i.e. the malware presented a forged transaction to be signed by the hardware wallet. But this is easy to spot if you follow basic best practices.


Or is it much more advanced, like this: The user installs malware, enters their PIN on the Ledger, (fake) Ledger Live extracts the seed phrase and sends it to the attacker? I guess this scenario didn't happen yet, but that's just a matter of time now.

Not likely in my opinion, but of course I don't know what kind of flaws already exist in Ledger's firmware that has the recovery feature already in it. (After reading the technical white paper from Ledger about the recovery service it seems to me that it's not going to be easy to exploit it, but white paper and actual implementation don't need necessarily to match; complex software tends to be buggy, closed-source doesn't make it better.)


My guess is that the fake Ledger Live Web3 shit tricked the users to enter their wallet's recovery words into the malware itself, pretending some "good" reason why this might be necessary. Maybe 1 year free Ledger recovery service, lol.

The stealing transactions could be suspicious to users as they usually don't have any change address in the transaction's outputs. Newbies might not be aware of it, but if I were the malicious actor I wouldn't count on that.


Some blame goes to Micro$oft who allowed such a malware in their security section of the app store without verifying that it actually comes from Ledger, Paris.

But frankly I see the majority of blame on the users themselves: never install and use unverified software on your crypto handling devices! Always check transaction details to be signed solely on the display of your hardware wallet! Never enter your mnemonic recovery words on an online computer or website!
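
The checks described in the post above (compare the recipient with the original source, read the details off the device screen, and treat a missing change output as suspicious), as an added example that is not part of the original thread. The `Output` type, `review_outputs`, the fee limit and the sample addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Output:
    address: str
    sats: int

def review_outputs(outputs, intended_address, intended_sats,
                   own_addresses, input_total_sats, max_fee_sats=50_000):
    """Return warnings for a transaction awaiting confirmation on the device.

    outputs are the values read off the hardware wallet screen;
    intended_address comes from the original source (invoice, recipient),
    never from the wallet software that is being checked.
    """
    warnings = []
    change = [o for o in outputs if o.address in own_addresses]
    external = [o for o in outputs if o.address not in own_addresses]

    # Every output leaving the wallet must go to the intended recipient.
    for o in external:
        if o.address != intended_address:
            warnings.append(f"unexpected recipient: {o.address}")

    paid = sum(o.sats for o in external if o.address == intended_address)
    if paid != intended_sats:
        warnings.append(f"recipient gets {paid} sats, expected {intended_sats}")

    # Whatever is not assigned to an output is paid as fee.
    fee = input_total_sats - sum(o.sats for o in outputs)
    if fee > max_fee_sats:
        warnings.append(f"fee of {fee} sats exceeds limit {max_fee_sats}")

    # Sweep pattern from the thread: inputs exceed the payment, nothing returns.
    if not change and input_total_sats - intended_sats > max_fee_sats:
        warnings.append("no change output: the whole balance leaves the wallet")
    return warnings

# Constructed sample data (placeholder strings, not real addresses).
OWN = {"own-change-addr-1"}
GOOD_TX = [Output("merchant-addr", 1_000_000), Output("own-change-addr-1", 3_990_000)]
FORGED_TX = [Output("attacker-addr", 4_990_000)]

if __name__ == "__main__":
    for name, tx in (("good", GOOD_TX), ("forged", FORGED_TX)):
        print(name, review_outputs(tx, "merchant-addr", 1_000_000, OWN, 5_000_000))
```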
legendary
Activity: 1890
Merit: 5197
**In BTC since 2013**
I believe it's more the opposite, instead of sending it's receiving.
The fake wallet creates an address allegedly from Ledger, and then the victim thinks he is going to load his Ledger wallet, but he is actually loading the hacker's wallet.
That comes down to the same problem: not verifying the address on the hardware wallet. It could also work with a fake version of Electrum, hooked to a hardware wallet. It's convenient to copy the address only from Electrum, but it doesn't give you the security for which you bought the hardware wallet.

Then again, some people would just enter their seed phrase into a phishing website. Some people just don't want to learn.

But here comes another hardware issue. You cannot directly browse the addresses it has on the hardware. You always need software to validate.

At least, in the test I did today, if I simply connect the Ledger to the PC, without opening any software, using just the Ledger display, I cannot see any address.

In this sense, if the software a person uses is fake, they run into serious problems and have no way of validating it.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I am pretty sure there is currently no malware capable of extracting a user's private keys except the official Ledger Recover program.
That would be my guess too. It makes you wonder though: how many hackers are trying to do this now? I would assume the seed leaves the device after encryption, and Ledger decrypts it on their end. But it might even be dumber than that. Just imagine malware that extracts the seed phrase right after connecting the device! Someone could earn scam billions if they pull it off!
legendary
Activity: 2730
Merit: 7065
How does that work?
I am pretty sure there is currently no malware capable of extracting a user's private keys except the official Ledger Recover program.

These fake apps could work in various ways. The spammers are mostly interested in your seed. So, they will think of a way why you need to enter your seed phrase into the fake app and not the Ledger hardware wallet. Next, Ledger HWs can't connect to fake Ledger Live software and 3rd-party servers pretending to be Ledger Live. The scammers can develop a malicious firmware that allows the device to connect to their software and servers. You would then generate a seed they know about or everyone is shown the same pre-generated one. It could be a combination of things.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I believe it's more the opposite, instead of sending it's receiving.
The fake wallet creates an address allegedly from Ledger, and then the victim thinks he is going to load his Ledger wallet, but he is actually loading the hacker's wallet.
That comes down to the same problem: not verifying the address on the hardware wallet. It could also work with a fake version of Electrum, hooked to a hardware wallet. It's convenient to copy the address only from Electrum, but it doesn't give you the security for which you bought the hardware wallet.

Then again, some people would just enter their seed phrase into a phishing website. Some people just don't want to learn.
legendary
Activity: 1890
Merit: 5197
**In BTC since 2013**
How does that work? Someone installs malware, enters their PIN on the Ledger, doesn't verify the address on the Ledger, and clicks send? If that's the case, why did they bother buying a hardware wallet?

I believe it's more the opposite, instead of sending it's receiving.
The fake wallet creates an address allegedly from Ledger, and then the victim thinks he is going to load his Ledger wallet, but he is actually loading the hacker's wallet.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
the scammers are still on the move and have made a fake Ledger Live app available for download in the microsoft store in the last few days. this app has generated almost 17BTC!
How does that work? Someone installs malware, enters their PIN on the Ledger, doesn't verify the address on the Ledger, and clicks send? If that's the case, why did they bother buying a hardware wallet?

Or is it much more advanced, like this: The user installs malware, enters their PIN on the Ledger, (fake) Ledger Live extracts the seed phrase and sends it to the attacker? I guess this scenario didn't happen yet, but that's just a matter of time now.
legendary
Activity: 2730
Merit: 7065
And various versions of Ledger phishing emails are still making their rounds. Considering how profitable it is (based on the fact that over 16 BTC has been deposited to a scammer only since the end of October), I don't see it stop any time soon. There are so many people that aren't ready to have complete control over their money that it's frightening. 
legendary
Activity: 3304
Merit: 8633
icarus-cards.eu
the scammers are still on the move and have made a fake Ledger Live app available for download in the microsoft store in the last few days. this app has generated almost 17BTC!!!! stolen and sent to the following address: bc1qg05gw43elzqxqnll8vs8x47ukkhudwyncxy64q


https://twitter.com/zachxbt/status/1720961400313373127

however, Microsoft has announced that this fake app has now been removed from the store:


https://twitter.com/zachxbt/status/1721016371775943071
legendary
Activity: 1890
Merit: 5197
**In BTC since 2013**
One interesting thing I heard recently about new upcoming ''law'' in EU is that police could have legal right to seize and take away crypto from you even if they don't have any proof against you, only suspicion is enough for them.

I don't remember having heard of such a law, so "dramatic".
What happened was that the United Kingdom approved a law that now makes it possible to seize cryptocurrencies. But this only happens through legal action, at the same level that is done to seize other assets (houses, cars, properties, etc.). Furthermore, they are always dependent on whether the person agrees to give access to their wallets or not.
legendary
Activity: 2212
Merit: 7064
Coincover says it will never give up its share of the key, even if it receives court orders. Unless it's extremely radical, but...
It doesn't say anything ''radical'', they simply say legal obligation, that is just one phone call or visit from any law enforcement agency.

One interesting thing I heard recently about new upcoming ''law'' in EU is that police could have legal right to seize and take away crypto from you even if they don't have any proof against you, only suspicion is enough for them.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
But maybe there's still some folks out there that prefer paying a management fee over learning how to secure the coins themselves
I can imagine it "feels" safer and especially more familiar to see a number in your broker's account, than having to deal with your own transactions. People are used to buying ETFs this way.
But the management fee is a good one: I hate those! I wish I could just keep my own shares and store them by myself, instead of paying my broker and the fund owner.
legendary
Activity: 3150
Merit: 2185
Anybody who trusts Ledger with their keys, and thus their coins, is an idiot.

An idiot.

An idiot that pays for the privilege of being an idiot.


Are we allowed to call people who fall for this idiots?
Anybody who trusts Ledger with their keys, and thus their coins, is an idiot.
Is this worse or better than people who trust exchanges or soon ETFs with their Bitcoins?

To be fair the ETFs are targeted towards an audience that would not get exposure to Bitcoin otherwise, though I'm not quite sure who those people would be outside of institutional investors. But maybe there's still some folks out there that prefer paying a management fee over learning how to secure the coins themselves -- as we can see with Ledger, the pitfalls of keeping coins secure are plenty.
legendary
Activity: 1792
Merit: 1296
Even Ledger says not to use Recover if you care about your privacy:

Quote
"If, for you, your privacy is of the utmost importance, please do not use that product, for sure."
-- Ledger CEO Pascal Gauthier
https://youtu.be/M3VjQUcyZSY?t=2342

Anybody who trusts Ledger with their keys, and thus their coins, is an idiot.

An idiot.
Ledger should make this phrase the main slogan and place it in capital letters on its website. This would be the best most honest marketing move on their part.


Are we allowed to call people who fall for this idiots?
Anybody who trusts Ledger with their keys, and thus their coins, is an idiot.
Is this worse or better than people who trust exchanges or soon ETFs with their Bitcoins?
It's the same as trying to figure out the types of crap. But the most amazing thing is that there are people willing to take advantage of both.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Are we allowed to call people who fall for this idiots?
Anybody who trusts Ledger with their keys, and thus their coins, is an idiot.
Is this worse or better than people who trust exchanges or soon ETFs with their Bitcoins?
full member
Activity: 128
Merit: 190
Ledger's key extraction includes other companies.  What happens if those companies want to give up your keys?  Here's what Ledger's CEO says:

Quote
"These companies are not slaves to Ledger.  We just have commercial agreement."
-- Ledger CEO Pascal Gauthier
https://youtu.be/M3VjQUcyZSY?t=2393

Take a moment to really think about what he just said.  It's scary if you actually think about it.  This could easily be the next cycle's disaster in the making.

Quote
"Great, so now the Department Of Justice calls you and says "We are charging so and so with X, Y and Z.  Get two of your vendors to send us the Bitcoin keys."
-- Harry Sudock, discussing Ledger Recover with Ledger CEO Pascal Gauthier
https://youtu.be/M3VjQUcyZSY?t=2608

Even Ledger says not to use Recover if you care about your privacy:

Quote
"If, for you, your privacy is of the utmost importance, please do not use that product, for sure."
-- Ledger CEO Pascal Gauthier
https://youtu.be/M3VjQUcyZSY?t=2342

Anybody who trusts Ledger with their keys, and thus their coins, is an idiot.

An idiot.