Author

Topic: making fake HW wallets(will we see this scam next)?? (Read 361 times)

legendary
Activity: 2212
Merit: 7064
But do you know if anyone actually did a deep dive in to these things to see if there was any hidden stuff?
What I found when I did big research of hardware wallets is that Buterino didn't use any malicious stuff in their wallets, it was similar components like in original trezor.
I don't have any of this mini-trezor devices myself so I can't confirm and be totally sure about this, and who knows what could happen after they stopped creating this devices.
I would not suggest using this devices as firmware is outdated, but I would be interested to hear if someone from bitcointalk forum owns them as collectible.

This is of course why I preach to all my friends/clients to buy from the manufacturer directly.  ( I would def love to  have one of these fake trezor's as a collectible!)
Maybe it's best if they don't buy them at all now.
Honestly, I would suggest anyone not to buy any Trezor wallets until they add open source secure element and fix issues they have (they are working on this).
I would never suggest ledger because they are closed source and they have countless issues with their devices, especially nono x.
Buying good used laptop and using it only offline for crypto wallets or with Tails OS is a good alternative, and you won't leak your data to crypto scammers.



legendary
Activity: 1792
Merit: 1296
Playbet.io - Crypto Casino and Sportsbook
I could see this happening.  Take a look at these fake Trezors- https://bitcointalksearch.org/topic/trezor-wallet-fakes-to-be-aware-of-5227930



I see Trezor has a new (for 2020) line of wallets  Smiley. Forgive me for this, but I am amused by the appearance of these devices and the creativity of the creators of the fake device. It was necessary to come up with a "Mini" for these Frankenstein freaks  Smiley.  They look like cheap chinese toys of the lowest quality.

P.S. I learned about these crafts only from this post and for me this is the news of the day. It would be nice to periodically remind about such fakes, as topics about them slide down and disappear from the field of view of their possible victims. And so, at least there is a chance that someone will see a warning about this and will stop them from doing stupid things.
legendary
Activity: 2730
Merit: 7065
Someone recently reported that many people are selling old and broken Ledger hardware wallets for cheap on ebay and other websites.
Maybe people buy them for spare parts but we know that ledger sold millions of this devices and they are all around the world.
Even that's not really needed because based on the info I received from Ledger's support team when I sent them those fake emails pretending I have various problems with the wallets, they are willing to replace broken devices even if they are out of warranty.

But do you know if anyone actually did a deep dive in to these things to see if there was any hidden stuff?  Would there be a way to easily hide malicious stuff inside these things?
If they are based on Trezor's open-source code, you can check it yourself and everyone else could as well. But most people don't know how to do that. Open-source doesn't make those Russian Trezors safe, it just means that the code can be independently verified. So if it has something that shouldn't be there, it could be discovered. 
legendary
Activity: 2282
Merit: 3014
I could see this happening.  Take a look at these fake Trezors
This mini-trezors are not available anymore and they used different hardware components, but I don't think they were a scam and they used exact same software/firmware like original Trezor.
It was just a smaller Russian version on Trezor wallet and it would be cool to have it as a collectible, nothing more.
There are even DIY wallets with full instructions how to make your own device and 3d print the case, so it's not that hard.

Someone recently reported that many people are selling old and broken Ledger hardware wallets for cheap on ebay and other websites.
Maybe people buy them for spare parts but we know that ledger sold millions of this devices and they are all around the world.
It would not be so hard for scammers to purchase those device, refurbish them, make modifications and load their malware software.
Maybe they come in box packages, but they can always make new boxes and do better job in adding foil over them.




But do you know if anyone actually did a deep dive in to these things to see if there was any hidden stuff?  Would there be a way to easily hide malicious stuff inside these things?  This is of course why I preach to all my friends/clients to buy from the manufacturer directly.  ( I would def love to  have one of these fake trezor's as a collectible!)
legendary
Activity: 2212
Merit: 7064
I could see this happening.  Take a look at these fake Trezors
This mini-trezors are not available anymore and they used different hardware components, but I don't think they were a scam and they used exact same software/firmware like original Trezor.
It was just a smaller Russian version on Trezor wallet and it would be cool to have it as a collectible, nothing more.
There are even DIY wallets with full instructions how to make your own device and 3d print the case, so it's not that hard.

Someone recently reported that many people are selling old and broken Ledger hardware wallets for cheap on ebay and other websites.
Maybe people buy them for spare parts but we know that ledger sold millions of this devices and they are all around the world.
It would not be so hard for scammers to purchase those device, refurbish them, make modifications and load their malware software.
Maybe they come in box packages, but they can always make new boxes and do better job in adding foil over them.


legendary
Activity: 2268
Merit: 18775
I am surprised by the quality of the blue film packaging. It immediately catches the eye and looks sloppy, poor quality and suspicious.
Everything about the package is sloppy. If you look at the photo of the letter which came with it, it is full of informal language and grammatical errors which you would not expect from an official document. The same goes for the set up guide.

The person who received this device did not order it, but received it just like that? Those, this should already be alarming in such cases: you did not buy or order, but you received a device.
They were targeted because their details were part of the Ledger database hack, so the attacker knew their name and address and knew they owned a Ledger device. But yes, receiving anything you aren't expecting through the mail should be a red flag. Just as you should never plug in a random USB drive you find or are given, you should never use a hardware wallet you find or are given - only use one you bought yourself directly from the manufacturer.
legendary
Activity: 2730
Merit: 7065
The person who received this device did not order it, but received it just like that? Those, this should already be alarming in such cases: you did not buy or order, but you received a device.
People who fall for scams, don't usually think straight or use common sense.

The information that came with those devices instructed the victims to use these brand-new devices because the old ones (the genuine ones) should no longer be trusted and aren't good enough. Something like that. They got info about their victims through the data leaks. But if you have a genuine copy of Ledger Live, you wouldn't be able to pair it with this fake device. Because only genuine Ledger HWs can be connected to Ledger servers on Ledger Live. You have to use their fake software. Essentially, this is the same thing as downloading or installing a fake Electrum wallet. Only this time, a hardware wallet is part of the deal. 

Someone who thinks straight would probably want to doublecheck this. It's only logical that Ledger would announce to their community that they are sending affected parties brand-new and improved devices. So you would check their website, blog, social media, etc. to find this information.

I fear what could happen if medical records of those who have been vaccinated leaked somewhere. I can only imagine how many people would inject themselves if they received a package with a vaccine instructing them to inject it in their leg, arm, buttocks, or whatever because the vaccines they were given previously have been proven to not be effective enough. This new self-injecting one we created is state of the line. Roll Eyes
legendary
Activity: 1792
Merit: 1296
Playbet.io - Crypto Casino and Sportsbook
Do I understand correctly that there have already been cases with the substitution of fake ledger wallets? This is the first time I hear about it. Can you tell me where I can read about this incident? Were there people who lost their funds because of this?
You can read about it here: https://www.reddit.com/r/ledgerwallet/comments/o154gz/package_from_ledger_is_this_legit/
Thank you for sharing this link and comments.


Do I understand correctly that there have already been cases with the substitution of fake ledger wallets? This is the first time I hear about it. Can you tell me where I can read about this incident? Were there people who lost their funds because of this?

Yeah it happened and I have been writing all about that last year in one of my topics.
Packaging and case looked like original, they even had plastic cover (not that hard to make even at home), fake packaging bag, so newbies could fall for this trap easy.
Only difference was with fake instructions, inside of device pcb was different and fake software that was pre-loaded on device.
Experienced users and previous ledger owners would probably notice suspicious scam device and report it like one of them did.

 

 

Thanks for posting this info here. This will not only satisfy my curiosity, but may be useful for future Ledger buyers.

I am surprised by the quality of the blue film packaging. It immediately catches the eye and looks sloppy, poor quality and suspicious.

The person who received this device did not order it, but received it just like that? Those, this should already be alarming in such cases: you did not buy or order, but you received a device.
legendary
Activity: 2282
Merit: 3014
I could see this happening.  Take a look at these fake Trezors- https://bitcointalksearch.org/topic/trezor-wallet-fakes-to-be-aware-of-5227930

legendary
Activity: 2212
Merit: 7064
Do I understand correctly that there have already been cases with the substitution of fake ledger wallets? This is the first time I hear about it. Can you tell me where I can read about this incident? Were there people who lost their funds because of this?

Yeah it happened and I have been writing all about that last year in one of my topics.
Packaging and case looked like original, they even had plastic cover (not that hard to make even at home), fake packaging bag, so newbies could fall for this trap easy.
Only difference was with fake instructions, inside of device pcb was different and fake software that was pre-loaded on device.
Experienced users and previous ledger owners would probably notice suspicious scam device and report it like one of them did.

 

Fake Instructions is asking users connect the Ledger to their computer, than import recovery phrase from their old device, and that is sent to the attackers who imports it on their own devices and steal crypto.



Guy who received this fake ledger opened the device that was later compared with original device and you can see the clear difference inside both front and back as well as some sloppy soldering work.

They added a flash drive inside Ledger case and wired it to the USB connector with the purpose to be used for malware delivery to attackers.

 
legendary
Activity: 2268
Merit: 18775
Do I understand correctly that there have already been cases with the substitution of fake ledger wallets? This is the first time I hear about it. Can you tell me where I can read about this incident? Were there people who lost their funds because of this?
You can read about it here: https://www.reddit.com/r/ledgerwallet/comments/o154gz/package_from_ledger_is_this_legit/

I'm not sure if anyone has lost funds to this attack.

Essentially it involves replacing the hardware inside a Ledger device with different hardware which causes the hardware wallet to behave like a simple mass storage device (essentially a USB drive). The scammers mail out these devices along with instructions telling people to connect their "hardware wallet", open the software on the mass storage device, and enter their seed phrase, all under the guise of "securing their coins" or some similar bullshit story. As soon as you enter your seed phrase, it is sent to the scammers and your coins are stolen.

So yes, while fake Ledger wallets exist in the wild (along with fake devices of several other brands of hardware wallets), they do not behave the same as a genuine hardware wallet and you have to be very naive to fall for them and ignore all the real advice, guides, and warnings which come with your genuine device and are on all the relevant hardware wallet manufacturer websites.
legendary
Activity: 1792
Merit: 1296
Playbet.io - Crypto Casino and Sportsbook
Design and build a fake hardware wallet
This already happened before with fake ledger wallet that was looking exactly the same from outside, but from inside it was different and it was pre-loaded with fake ledger software already.
Nobody knows exactly how many people received this devices but we know that scammers used ledger amateurs leaked database with home addresses information.
With recent stupid changes ledger is making it's not even possible to verify if your device is genuine because they are gluing pcb with battery  Roll Eyes

Do I understand correctly that there have already been cases with the substitution of fake ledger wallets? This is the first time I hear about it. Can you tell me where I can read about this incident? Were there people who lost their funds because of this?
legendary
Activity: 2212
Merit: 7064
Design and build a fake hardware wallet
This already happened before with fake ledger wallet that was looking exactly the same from outside, but from inside it was different and it was pre-loaded with fake ledger software already.
Nobody knows exactly how many people received this devices but we know that scammers used ledger amateurs leaked database with home addresses information.
With recent stupid changes ledger is making it's not even possible to verify if your device is genuine because they are gluing pcb with battery  Roll Eyes

It's much quicker and easier to setup a scam coin or fake electrum site and drive people to it or a bad link to metamask or something else.
Those are cheap phishing scam and fake tech support that gets recycled all the time.
There are different level of scammers, lowlife and upper class, but biggest scam would be to just infiltrate one STM32 chip manufacturer that is used in most hardware wallets.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
The issue is that you would have to:

1) Design and build a fake hardware wallet
2) Make software that will work with it
3) Sell it / give it away to have people use it
4) Have the source complex enough to get away with people not noticing what you are doing.

It's much quicker and easier to setup a scam coin or fake electrum site and drive people to it or a bad link to metamask or something else.

Could it be done? Yes.
Would it be worth it? Probably not.
If money was no object and you have a specific person / target in mind could you do do it? Yes

-Dave
newbie
Activity: 19
Merit: 3
If I understand the OP correctly, he is asking if it would be possible to create a wallet that always displays one or more receiving addresses of the hacker independent of what seed + seed extension the victim is using. The software of such a device would have no role at all, and would work as a regular hardware wallet where you are shown a seed to write down. But no matter what seed or passphrase you use, the device ends up displaying the same receiving addresses that ultimately leads to the victim making transactions to addresses that belong to the hacker. Is that it?

I don't think this is impossible.  

YES pretty much

i know the HW would need a hard mod(ledgers easliy known for this)

on top of that a softwear mod to falsley display BTC wallet address that the scammer has control of
newbie
Activity: 19
Merit: 3
lets say you make a fake  HW wallet
I don't understand what do you mean make a fake hardware wallet? You mean ordered or DIY made device? Explain it better.

You can add multiple passphrases to your wallet as extra protection that is working only in combination with your seed words, but keep them in different locations.
For accessing any funds on that wallet, you also need to have pin code, and you need to know correct passphrase.
You can also reset the device, and generate new random decoy wallet.

i mean make a fake a device thats is assumed to be 100% geuine(NOT FAKE)
but the guts are programed to display a fake SEDD then a fake wallet address(a scammer control address)
HCP
legendary
Activity: 2086
Merit: 4363
This "scam" isn't really any different to the one where certain paper wallet generators were giving out a set of pre-generated private keys known to the scammers.

It could just as easily be perpetrated using any type of wallet... web wallet, desktop wallet, mobile app or a "scam" hardware wallet.

The key is to ensure you have some way of ensuring that the addresses being displayed do indeed belong to the seed/private keys being generated. In the case of hardware wallets, having 2 from different manufacturers is certainly one way to be able to determine if the addresses being displayed are indeed correct for a given seed.

However, as someone else mentioned earlier... it doesn't really guarantee that the seed/private keys themselves are actually being randomly generated. For that, you'd probably need to generate your own seed (offline) using dice or something similar.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Sorry, the article was not written by me, but specialists from Trezor. It states that to brute force a passphrase of 10 characters, you will need to pay about $ 1,000,000 today. For 12 characters - $ 128,000,000. By renting servers on Amazon. Do you think this is insufficient protection? Or are you going to store hundreds of millions $ on one wallet?

Never mind Amazon, you can't even rent $100 of computational capacity without filing a service limit increase request, and if you're not linking a credit card you got officially from a bank office then chances are you are going to be hit with an account suspension shortly after you commence the attack. Same goes for other cloud platforms near the size of AWS. A botnet is the most likely way to get power even remotely close to $1,000,000.
full member
Activity: 343
Merit: 167
-snip-
Even if we assume there are 2.1 trillion 24-word BIP39 wallets with coins in them (as in, all 21 million bitcoin ever split up across 2.1 trillion wallets with only 1000 sats in each wallet), then you are still looking at a 1 in 5.5*1064 chance of finding a collision. To find a single 10 character lowercase letter password is a 1 in 141,167,095,653,376 chance. The differences between these two numbers really cannot be overstated. That difference is comparable to the difference between a single atom and all the atoms in the entire world.

Using a passphrase of that strength is almost certainly going to be fine if your seed phrase is secured. But in our scenario here of a seed phrase which is known to an attacker, then it is simply not good enough. You are massively reducing your security.

Sorry, the article was not written by me, but specialists from Trezor. It states that to brute force a passphrase of 10 characters, you will need to pay about $ 1,000,000 today. For 12 characters - $ 128,000,000. By renting servers on Amazon. Do you think this is insufficient protection? Or are you going to store hundreds of millions $ on one wallet?
For this attack, the attacker must know your seed and be prepared to invest huge amounts of money with dubious results.
legendary
Activity: 2268
Merit: 18775
-snip-
Even if we assume there are 2.1 trillion 24-word BIP39 wallets with coins in them (as in, all 21 million bitcoin ever split up across 2.1 trillion wallets with only 1000 sats in each wallet), then you are still looking at a 1 in 5.5*1064 chance of finding a collision. To find a single 10 character lowercase letter password is a 1 in 141,167,095,653,376 chance. The differences between these two numbers really cannot be overstated. That difference is comparable to the difference between a single atom and all the atoms in the entire world.

Using a passphrase of that strength is almost certainly going to be fine if your seed phrase is secured. But in our scenario here of a seed phrase which is known to an attacker, then it is simply not good enough. You are massively reducing your security.
full member
Activity: 343
Merit: 167
passphrase of at least 10 - 12 characters, this is quite enough to protect the compromised seed
It is far from ideal, though. A 24 word seed phrase provides 256 bits of security. 10 random lowercase characters provides only 47 bits. You shouldn't be relying on only a passphrase for all your security, and definitely not one so short.

When you iterate over a seed of 24 words (256 bit), you have the opportunity to find millions of other wallets, since most wallets use the bip39 standard, in this case there should be sufficient redundancy. When you iterate over the passphrase, you have the opportunity to find only one single wallet, so such protection (10 -12 characters) will be enough. Read again the article https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af?gi=a11722e479d8 there is a table with examples of password phrases and the approximate cost of attacks
legendary
Activity: 2268
Merit: 18775
The question was asked about a pre-installed BTC address by an attacker and I answered it.
Sure, your method protects against that specific attack, but it does not guarantee your wallet is "normal" as you suggested.

passphrase of at least 10 - 12 characters, this is quite enough to protect the compromised seed
It is far from ideal, though. A 24 word seed phrase provides 256 bits of security. 10 random lowercase characters provides only 47 bits. You shouldn't be relying on only a passphrase for all your security, and definitely not one so short.
full member
Activity: 343
Merit: 167
To make sure that your wallet is normal, you will need to generate a seed on it and then check the correct generation of addresses by entering this seed here: https://iancoleman.io/bip39/ If the addresses match, then your wallet is normal. Then reset it to factory settings and create a new seed for permanent use.
But how do you know your wallet is not generating seed phrases from a bank of several thousand or so which were pre-generated by an attacker? Just because the address did indeed come from the seed phrase you were displayed, does not mean your wallet is "normal" or safe.

You need to have some way of verifying the firmware which is installed on your hardware wallet, or verifying the updates you are applying to it, and verifying that the firmware is truly generating a random seed phrase. You could also mitigate this by using a long and complex passphrase (and then verifying that the addresses you are being displayed are indeed generated from seed phrase + passphrase), so even if an attacker knew your seed phrase they still could not access your coins.
The question was asked about a pre-installed BTC address by an attacker and I answered it. If you have doubts about the work of the built-in random seed generator, then you have two options: create your own seed manually or additionally protect the seed with a passphrase of at least 10 - 12 characters, this is quite enough to protect the compromised seed https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af?gi=a11722e479d8
legendary
Activity: 2268
Merit: 18775
To make sure that your wallet is normal, you will need to generate a seed on it and then check the correct generation of addresses by entering this seed here: https://iancoleman.io/bip39/ If the addresses match, then your wallet is normal. Then reset it to factory settings and create a new seed for permanent use.
But how do you know your wallet is not generating seed phrases from a bank of several thousand or so which were pre-generated by an attacker? Just because the address did indeed come from the seed phrase you were displayed, does not mean your wallet is "normal" or safe.

You need to have some way of verifying the firmware which is installed on your hardware wallet, or verifying the updates you are applying to it, and verifying that the firmware is truly generating a random seed phrase. You could also mitigate this by using a long and complex passphrase (and then verifying that the addresses you are being displayed are indeed generated from seed phrase + passphrase), so even if an attacker knew your seed phrase they still could not access your coins.
legendary
Activity: 2730
Merit: 7065
If there is, that's a noob or innocent one that is new to the crypto world or considerable as a lazy one because it doesn't even have their own research regarding the no-brand wallet use.
Those are exactly the victims that scammers target. What you explained is not different from any other scheme that is created for newbies, those who are greedy, careless, and don't take the required amount of time to consider the consequences of their actions.   

Let say if they(scammer) modify the HW wallets and you bought it from the unofficial distributor store, I think the reset button is enough in the first place to secure your wallet and the hacker has nothing to do because it will generate another seed phrase and address.
It wouldn't be enough if someone managed to create what I explained in my previous post in this thread. Besides, the scammers could use the leaked Shopify/Ledger databases to send out their fake products. We have already seen something like that not so long ago.
full member
Activity: 343
Merit: 167
lets say you make a fake  HW wallet

people add a passphrase for extra secuirty and keep seed safe


could a scammer have serval dormant pre programmed BTC address which they could tell the wallet to display(which the HW would give to the new user a there new seed linked wallet?

no need for the scammer to get seed ect... just give them a wallet that scammer has access to already

This situation is theoretically possible. To make sure that your wallet is normal, you will need to generate a seed on it and then check the correct generation of addresses by entering this seed here: https://iancoleman.io/bip39/ If the addresses match, then your wallet is normal. Then reset it to factory settings and create a new seed for permanent use.
legendary
Activity: 2548
Merit: 1234
I don't see that there's a scam next if someone making their own fake HW wallets.  If there is, that's a noob or innocent one that is new to the crypto world or considerable as a lazy one because it doesn't even have their own research regarding the no-brand wallet use.

Let say if they(scammer) modify the HW wallets and you bought it from the unofficial distributor store, I think the reset button is enough in the first place to secure your wallet and the hacker has nothing to do because it will generate another seed phrase and address.

All I see on this matter, it's unrealistic to happen.  No one will risk their crypto assets from an unknown source of HW wallets.
legendary
Activity: 2730
Merit: 7065
If I understand the OP correctly, he is asking if it would be possible to create a wallet that always displays one or more receiving addresses of the hacker independent of what seed + seed extension the victim is using. The software of such a device would have no role at all, and would work as a regular hardware wallet where you are shown a seed to write down. But no matter what seed or passphrase you use, the device ends up displaying the same receiving addresses that ultimately leads to the victim making transactions to addresses that belong to the hacker. Is that it?

I don't think this is impossible.   
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
could a scammer have serval dormant pre programmed BTC address which they could tell the wallet to display(which the HW would give to the new user a there new seed linked wallet?

no need for the scammer to get seed ect... just give them a wallet that scammer has access to already

As I see this, the so-called pre-programmed extra address will not be part of the seed based HD wallet. So whenever one uses this... device... will have a HD wallet+1 address. This means that the scammer will probably have to make his own wallet software too to import the extra address somehow.

While some very new n00bs can be caught with this, I don't think that many can be so stupid to use both counterfeit HW and bad wallet software too, especially as legit wallet software comes free.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
what i mean is it wouldnt matter if a new seed was generated
if it was a pre programmed BTC address the new user wouldnt know

If you buy a used HW that is basically original, and someone has already intentionally or accidentally set it up (generated seed), then it is generally considered that resetting such a device to factory settings is quite enough to use it safely later by generating a new seed. However, the question is whether such a device may have been modified in some way (hardware modification), and can allow the original owner to try to hack you.

On the other hand, if someone were to make an effort to modify the HW in such a way that it always generates identical seed or perhaps to generate several sets of seed known to the hacker, in that case, no reset of the device would help.

Even when someone buys an original HW directly from the manufacturer, you don't need to make a big deposit right away - because there is always the possibility of a new vulnerability that no one knew about before - test with small amounts, wait a few days and if everything is fine continue to use HW normally.
legendary
Activity: 2212
Merit: 7064
lets say you make a fake  HW wallet
I don't understand what do you mean make a fake hardware wallet? You mean ordered or DIY made device? Explain it better.

You can add multiple passphrases to your wallet as extra protection that is working only in combination with your seed words, but keep them in different locations.
For accessing any funds on that wallet, you also need to have pin code, and you need to know correct passphrase.
You can also reset the device, and generate new random decoy wallet.
newbie
Activity: 19
Merit: 3
If a day I receive a wallet and I notice the seed has already been generated, I would start to have some doubts about the device itself.

One way more people can easily fall for the scam is to tinker with the wallet so that the seed can be siphoned off.

In the same style as what happened to the company Ledger when some people were receiving a wallet with a flash drive with a fake app connected to the circuit board. Rarely people would open the device to check if everything is "legit", isn't? I did it once just for curiosity but I didn't do it with all my devices.

If a day I receive a wallet and I notice the seed has already been generated, I would start to have some doubts about the device itself.

One way more people can easily fall for the scam is to tinker with the wallet so that the seed can be siphoned off.

In the same style as what happened to the company Ledger when some people were receiving a wallet with a flash drive with a fake app connected to the circuit board. Rarely people would open the device to check if everything is "legit", isn't? I did it once just for curiosity but I didn't do it with all my devices.

what i mean is it wouldnt matter if a new seed was generated

if it was a pre programmed BTC address the new user wouldnt know
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
lets say you make a fake  HW wallet

people add a passphrase for extra secuirty and keep seed safe


could a scammer have serval dormant pre programmed BTC address which they could tell the wallet to display(which the HW would give to the new user a there new seed linked wallet?

no need for the scammer to get seed ect... just give them a wallet that scammer has access to already

This is why you should only buy a hardware wallet official retailer or from the manufacturer . You shouldn't be buying one on eBay .

There are even some attacks on official devices which become compromised with a physical attack, if the attacker has access to the device.
copper member
Activity: 2940
Merit: 4101
Top Crypto Casino
If a day I receive a wallet and I notice the seed has already been generated, I would start to have some doubts about the device itself.

One way more people can easily fall for the scam is to tinker with the wallet so that the seed can be siphoned off.

In the same style as what happened to the company Ledger when some people were receiving a wallet with a flash drive with a fake app connected to the circuit board. Rarely people would open the device to check if everything is "legit", isn't? I did it once just for curiosity but I didn't do it with all my devices.
newbie
Activity: 19
Merit: 3
lets say you make a fake  HW wallet

people add a passphrase for extra secuirty and keep seed safe


could a scammer have serval dormant pre programmed BTC address which they could tell the wallet to display(which the HW would SHOW to the new user as there newly setup seed linked wallet?)

no need for the scammer to get seed ect... just give them a wallet that scammer has access to already
Jump to: