Topic: Loss of bitcoins from h/w wallet (Read 215 times)

sr. member
Activity: 467
Merit: 267
August 11, 2018, 08:45:22 PM
#5
Thanks for the help everyone. At this point, all indications point towards an insider job. We have traced the chain of custody and it is unrelated to any technical issue with Trezor.
legendary
Activity: 3234
Merit: 5637
August 11, 2018, 08:08:46 AM
#4
35 BTC lost/stolen is big money ($210,000), and your friend should report this to the police and to Trezor support as soon as possible. Maybe the BTC cannot be tracked and returned, but it is possible that there is some security breach in Trezor.

As other members already asked, it is important to know how your friend came into possession of this Trezor. If the device was purchased from an authorized dealer or directly from Trezor and your friend never exposed his seed, it is obvious that the hacker somehow managed to compromise the device remotely.

The option that someone close to your friend did this should also not be dismissed: a member of the family or some friend who took advantage of his negligence.

You should also know that some security problems were discovered in the past regarding Trezor, but as far as I know they were supposed to be fixed.

Extracting TREZOR Secrets from SRAM

Trezor — security glitches reveal your private keys!
newbie
Activity: 5
Merit: 0
August 11, 2018, 06:54:21 AM
#3
Is he absolutely sure he generated a seed himself? There have been incidents reported where people have received hardware wallets from 3rd party sellers with a 'scratch-to-reveal' seed phrase included in the package and with the seed 'pre-loaded' onto the device.
legendary
Activity: 2352
Merit: 6089
August 11, 2018, 06:35:08 AM
#2
The address appeared when he lost his funds and was itself cleared one day later.
However, it also saw the transfer of over 1000 BTC, as if it was the staging area of a large-scale attack.

Does anyone know what has happened there?

Thanks,
--h


The attacker, after stealing the bitcoin, used a coin mixer service, so he could not be tracked.

Mixers are amazing for privacy, so you will never know where your coins are now. They were mixed with thousands of coins in many transactions... They are lost now.

Did you buy your device from the official store? From a third party? Was the firmware updated?
Your device is compromised if it was bought from a third party. If that's the case, just discard it.
sr. member
Activity: 467
Merit: 267
August 11, 2018, 04:12:50 AM
#1
Sorry for posting here, but it is somewhat technical too. I put it on the main board and it got drowned by other posts very quickly.

A friend of mine recently got his Trezor wallet cleaned out and we are trying to figure out what happened.

He gave me his ypub key and I imported it into Electrum to look at his transaction history.
His last legit transaction was 2 weeks ago but yesterday he got two extra withdrawals.

A test transaction was followed by a complete withdrawal of the entire wallet.

https://www.blocktrail.com/BTC/tx/7a2f637bcd6f30a02c298c64022d4148c58d9587ed6e2191a3a758ad40c6fda2
https://www.blocktrail.com/BTC/tx/7d708a9dc692ce79170a411563ebdcc4110bdfadfdfe1c726b8fb5d3d0bc17bf

IMHO, the fact that there were 2 transactions points towards a compromised seed.
The test tx actually returns most of the wallet amount back into the change address, which is a single-use p2sh-p2wpkh address.
Then the change address itself is cleared in the 2nd tx.
The thief knows how to generate private keys for the entire hierarchical wallet. AFAIK, that requires the seed.

So, it looks like a targeted attack. My friend says he never put his seed online, never took a picture of it, etc.
He only kept it on a piece of paper, getting to it would imply someone who knows him.

But the receiving address has activities that I don't understand then.

https://www.blocktrail.com/BTC/address/18abkVcsfwvNHxFM1jN5WLAY9irB91FwTH

The address appeared when he lost his funds and was itself cleared one day later.
However, it also saw the transfer of over 1000 BTC, as if it was the staging area of a large-scale attack.

Does anyone know what has happened there?

Thanks,
--h
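The reasoning in the post above (a ypub is enough to watch every address of the account, including the single-use change address that the "test" transaction paid into, but spending from any of them needs the seed) can be checked concretely. The following is an added example written for this page; it is not code from the thread, from Trezor or from Electrum. It is a minimal pure-Python BIP32 implementation laid out the BIP49 way (m/49'/0'/0'/chain/index, p2sh-p2wpkh addresses). The seed used is the BIP32 test-vector-1 seed, i.e. a constructed value, and the function and variable names are this example's own. It assumes an OpenSSL build whose hashlib exposes ripemd160 for the address step; the key-derivation part does not need it.

```python
import hashlib
import hmac

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARD = 0x80000000  # hardened-index flag (the ' in m/49'/0'/0')
# Constructed demo seed (BIP32 test vector 1). A real wallet seed is secret.
TEST_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def ec_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r


def ser_pub(pt):
    """33-byte compressed SEC encoding."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def parse_pub(b):
    """Decompress a 33-byte key; P % 4 == 3, so one modular pow gives the root."""
    x = int.from_bytes(b[1:], "big")
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)
    return (x, y) if (y & 1) == (b[0] & 1) else (x, P - y)


def master_from_seed(seed):
    """BIP32 master node: {priv, pub, chain}. priv is None for watch-only nodes."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    return {"priv": k, "pub": ser_pub(ec_mul(k)), "chain": i[32:]}


def ckd(node, index):
    """BIP32 child derivation. Hardened children need the private key;
    non-hardened children can be derived from the public key alone."""
    if index >= HARD:
        if node["priv"] is None:
            raise ValueError("hardened derivation needs the private key")
        data = b"\x00" + node["priv"].to_bytes(32, "big")
    else:
        data = node["pub"]
    i = hmac.new(node["chain"], data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    if il >= N:
        raise ValueError("invalid child, use the next index")  # astronomically rare
    if node["priv"] is not None:
        k = (il + node["priv"]) % N
        return {"priv": k, "pub": ser_pub(ec_mul(k)), "chain": i[32:]}
    pt = ec_add(ec_mul(il), parse_pub(node["pub"]))  # public-only: IL*G + Kpar
    return {"priv": None, "pub": ser_pub(pt), "chain": i[32:]}


def derive(node, path):
    for idx in path:
        node = ckd(node, idx)
    return node


def neuter(node):
    """What a ypub carries: public key and chain code, no private key."""
    return {"priv": None, "pub": node["pub"], "chain": node["chain"]}


def hash160(b):
    return hashlib.new("ripemd160", hashlib.sha256(b).digest()).digest()


def b58check(payload):
    alphabet = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
    raw = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(raw, "big"), b""
    while n:
        n, r = divmod(n, 58)
        out = alphabet[r:r + 1] + out
    return (b"1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out).decode()


def p2sh_p2wpkh_address(pub33):
    """Electrum 'p2sh-segwit' address: P2SH of witness program 0014<hash160(pub)>."""
    return b58check(b"\x05" + hash160(b"\x00\x14" + hash160(pub33)))


def account_addresses(account_pub_node, chain, count):
    """Enumerate <account>/<chain>/<i> from the neutered node only.
    chain 0 = receive, chain 1 = change: both are visible to a ypub holder."""
    return [p2sh_p2wpkh_address(derive(account_pub_node, [chain, i])["pub"])
            for i in range(count)]


def watch_only_matches_seed(seed, chain, count):
    """True if every key the ypub holder can derive is exactly the public half of
    the key the seed holder derives, and only the seed-derived nodes carry privkeys."""
    acct = derive(master_from_seed(seed), [49 | HARD, 0 | HARD, 0 | HARD])
    ypub = neuter(acct)
    pubs_from_ypub = [derive(ypub, [chain, i])["pub"] for i in range(count)]
    from_seed = [derive(acct, [chain, i]) for i in range(count)]
    return (pubs_from_ypub == [n["pub"] for n in from_seed]
            and all(n["priv"] is not None for n in from_seed))


if __name__ == "__main__":
    acct = derive(master_from_seed(TEST_SEED), [49 | HARD, 0 | HARD, 0 | HARD])
    ypub = neuter(acct)
    print("receive:", account_addresses(ypub, 0, 2))
    print("change: ", account_addresses(ypub, 1, 2))  # change chain is enumerable too
    try:
        ckd(ypub, 0 | HARD)
    except ValueError as e:
        print("ypub cannot derive hardened children:", e)
```

Importing the ypub into Electrum gives exactly the `neuter(acct)` node above: it reveals the full address history on both chains (which is why the OP could see the change address being swept), but it yields no private keys, and the change chain's keys come from the same account node, so whoever swept the change output held the seed or the account-level private key.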