Topic: My ledger got hacked (Read 381 times)

full member
Activity: 812
Merit: 105
September 06, 2021, 01:16:56 PM
#44
Hi guys,

Unfortunately, my ledger hardware got hacked last night and 100% of the funds were transferred into another address. I have no idea how this happened. I have never shared my seed words with any websites. I used the same wallet for over 4 years with no problem. The only thing I can think of is that I connected my laptop yesterday afternoon to a public wifi hotspot at Stansted Airport, in London. I flew from there later that day, and as soon as I landed, I checked the balance and it was 0!!! Any idea how this happened, as I'm running out of hope!

I think hackers got into your laptop while you were using a public wifi hotspot at Stansted Airport, in London. Now we have to be very careful in using public hotspots because hackers can enter laptops through public hotspot networks. We should store very important data on a special laptop at home that is not taken out of the house, to avoid hackers.
sr. member
Activity: 1988
Merit: 283
September 06, 2021, 01:09:04 PM
#43
Hi guys,

Unfortunately, my ledger hardware got hacked last night and 100% of the funds were transferred into another address. I have no idea how this happened. I have never shared my seed words with any websites. I used the same wallet for over 4 years with no problem. The only thing I can think of is that I connected my laptop yesterday afternoon to a public wifi hotspot at Stansted Airport, in London. I flew from there later that day, and as soon as I landed, I checked the balance and it was 0!!! Any idea how this happened, as I'm running out of hope!
Public wifi isn't safe anymore nowadays mate, even if you use a very secure wallet, as long as you're connected to the wifi, because that's how they can access your private information etc.
I hope you read this if you connect to public wifi, especially when travelling.
"In this way, the criminal can access users' banking credentials, account passwords and other valuable information. Public Wi-Fi is inherently insecure — so be cautious. Laptops, smartphones and tablets are all susceptible to the wireless security risks. Don't just assume that the Wi-Fi link is legitimate."
hero member
Activity: 1148
Merit: 501
September 06, 2021, 12:55:01 PM
#42
Although I haven't used a hardware wallet yet for my crypto assets, we know that it is the strongest and most secure system for storing crypto, so I can't understand how this is possible.
You used public wifi; maybe it was your mistake. I know that public wifi is not secure. Although I can't understand what the main mistake was, I think this was your mistake.
copper member
Activity: 2702
Merit: 1247
September 04, 2021, 02:30:21 PM
#41
One thing that I thought about when I read this is that Ledger has the paper to write your seeds on to, why did you even bother to put it in an online storage? The probability of guessing some random seed phrase that has balance is nearly impossible. If it was that easy, cryptocurrencies should be no longer existing because it's flawed but it's not. So it's still here.

Probably make amends with yourself and accept the loss. You can't do anything about it anymore. Anyway, did you see the transactions that had happened in your wallet? That it really left the address etc?
sr. member
Activity: 334
Merit: 275
September 04, 2021, 01:33:53 PM
#40
Export the history of your browser and take a look at each individual website that you visited and check any downloads that you recently downloaded which should be stored on your browser. The only way that someone could take that Bitcoin would be if your computer was hacked by a virus. The Trezor requires confirmation on the device to send a transaction which requires physical access. They would not be able to withdraw funds without that physical access unless you disabled that before it got hacked. Are you sure you did not make a mistake instead?


Are you sure you have connected to the official wi-fi from the airport? Such public places are ideal for what is called an evil twin attack, and if you were connected to such a fake network and logged in to your e-mail or any other service, all your data fell into the hands of hackers.

First thing I checked was the portal, where I put my credentials. So I went back to my browser history and this was the URL: portal.live.virginwifi.com

I couldn't access it, it shows error 500, I guess because I'm not connected to the AP. The details I used to connect were random. Something like test/test etc. I didn't use my real info.

The SSID I connected to was: _stanstedairport_WiFi. I have already contacted the airport and I gave them the SSID, in case it was a fake SSID.
You should never use public wifi for sending Bitcoin transactions but the question is how did they get physical access to your device to confirm the sending of Bitcoin?
newbie
Activity: 11
Merit: 1
September 04, 2021, 11:24:16 AM
#39

Are you sure you have connected to the official wi-fi from the airport? Such public places are ideal for what is called an evil twin attack, and if you were connected to such a fake network and logged in to your e-mail or any other service, all your data fell into the hands of hackers.

First thing I checked was the portal, where I put my credentials. So I went back to my browser history and this was the URL: portal.live.virginwifi.com

I couldn't access it, it shows error 500, I guess because I'm not connected to the AP. The details I used to connect were random. Something like test/test etc. I didn't use my real info.

The SSID I connected to was: _stanstedairport_WiFi. I have already contacted the airport and I gave them the SSID, in case it was a fake SSID.
legendary
Activity: 2198
Merit: 7049
September 04, 2021, 10:18:32 AM
#38
Nobody knows my credentials (as far as I know). It was just me and no one else around.
Google knows your credentials, and what's the point of hardware wallet if you are going to keep seed words online...
Your ledger was probably not hacked, but you made some mistake, and it's possible that you had some clipboard malware on your computer.

Is there any possibility that anyone could guess the 24 words correctly randomly?
Don't be silly please
legendary
Activity: 3108
Merit: 5364
Fortis Fortuna Adiuvat⚔️
September 04, 2021, 09:01:26 AM
#37
No, I didn't make any transactions at the time while I was waiting at the airport.

In that case, it's not clipboard malware, though it's weird that the hacker didn't touch anything but Bitcoin - unless the rest of the coins you had are not worth the effort. The only logical thing is that your seed is compromised.

I am also going to meet the airport manager if possible to explain the situation. If their wifi is not safe for public use, then they should take immediate action.

Are you sure you have connected to the official wi-fi from the airport? Such public places are ideal for what is called an evil twin attack, and if you were connected to such a fake network and logged in to your e-mail or any other service, all your data fell into the hands of hackers.
legendary
Activity: 2268
Merit: 18503
September 04, 2021, 07:27:51 AM
#36
-snip-
Even if OP did not make any additional mistakes beyond storing his seed phrase on the cloud, or was using a perfectly clean computer on his own private WiFi, his seed phrase could still easily have been stolen from the cloud. We have no idea how many servers around the world OP's seed phrase was copied to, how secure those servers were (physically or digitally), which Google employees or third party employees could access them, how robust their encryption algorithms are, and so on. Google don't exactly have the best security practices, previously being caught storing passwords in plaintext for 14 years. This is why cloud storage is always a risk - you have absolutely no idea who else can access it.

Ideally you'd check every last character of the address.
There is no real reason not to do this. It takes a few seconds at most, and guarantees your security. Checking only the first ~3 and last ~3 characters still leaves you open to a small risk of theft from clipboard malware, and this risk will only increase over time as hardware becomes more powerful and vanity address generation becomes quicker.

No, I didn't make any transactions at the time while I was waiting at the airport.
There is absolutely nothing stopping your laptop from having multiple different pieces of malware on it, one which will change your clipboard and another which will steal your seed phrase. Indeed, the fact that you have one piece of malware on your laptop increases the risk of you having others, since you clearly do not have the best security practices or behaviors. I would be formatting that laptop and starting from scratch.
newbie
Activity: 11
Merit: 1
September 04, 2021, 06:53:25 AM
#35

If I understood you correctly, only BTC was stolen with the help of clipboard malware - which means that you had to make a transaction in which the malware replaced the address, and that the seed was not compromised.

This is the transaction where my ledger funds were transferred to another address :
https://blockstream.info/tx/9744253a268a18c61b2d33addc0dcbcfae7e8471985868adcd001e396299d609

Coins are still at that address, but by checking it I didn't find that it can be connected to some crypto service. What you can do right now is write an email explaining your situation and sending it to as many crypto-exchanges as possible, because a hacker might make a mistake and send stolen funds to one of those exchanges - and they can then freeze coins. What you definitely need to do is sign messages from all the addresses from which the BTC was stolen as proof that you are indeed the real owner.

I won’t lie to you that your chances are great, but you have the choice to come to terms with the loss, or to try to do something.



No, I didn't make any transactions at the time while I was waiting at the airport. I don't make transactions when I am at public places and I didn't need to make any transaction at that time. I found out that my copy-paste function had been compromised yesterday, when I tried to send the funds away from the hardware wallet. I double checked the address I copied and pasted and they didn't match! So I stopped, I downloaded Kaspersky, paid for it, set it up properly, rebooted the PC, and the malware was gone!

I still don't know how the hack happened, but I am sure it happened at Stansted Airport.

I thought the same, to write emails to as many exchanges as possible and hope that they will freeze the funds. I am also going to meet the airport manager if possible to explain the situation. If their wifi is not safe for public use, then they should take immediate action.
legendary
Activity: 3108
Merit: 5364
Fortis Fortuna Adiuvat⚔️
September 04, 2021, 05:49:44 AM
#34
My laptop must have malware. I tried to move all of my other funds from the ledger to exchanges until I sort my computer and my ledger out. I tried to copy an 0x hex address from the exchange, and when I pasted it, it was a different address!!!!

If I understood you correctly, only BTC was stolen with the help of clipboard malware - which means that you had to make a transaction in which the malware replaced the address, and that the seed was not compromised.

This is the transaction where my ledger funds were transferred to another address :
https://blockstream.info/tx/9744253a268a18c61b2d33addc0dcbcfae7e8471985868adcd001e396299d609

Coins are still at that address, but by checking it I didn't find that it can be connected to some crypto service. What you can do right now is write an email explaining your situation and sending it to as many crypto-exchanges as possible, because a hacker might make a mistake and send stolen funds to one of those exchanges - and they can then freeze coins. What you definitely need to do is sign messages from all the addresses from which the BTC was stolen as proof that you are indeed the real owner.

I won’t lie to you that your chances are great, but you have the choice to come to terms with the loss, or to try to do something.
newbie
Activity: 5
Merit: 1
September 04, 2021, 12:43:48 AM
#33
Hi guys,

Unfortunately, my ledger hardware got hacked last night and 100% of the funds were transferred into another address. I have no idea how this happened. I have never shared my seed words with any websites. I used the same wallet for over 4 years with no problem. The only thing I can think of is that I connected my laptop yesterday afternoon to a public wifi hotspot at Stansted Airport, in London. I flew from there later that day, and as soon as I landed, I checked the balance and it was 0!!! Any idea how this happened, as I'm running out of hope!

Public Wifi has nothing to do with your case unless your machine was itself infected in the first place, because the ledger has its own security mechanism.
Since you saved your seed in the cloud, that seems the culprit.

Also, never use any app which facilitates your SMS from your phone to your machine like YourPhoneCompanion in android and messages/imessages in mac. And also don't install 2FA apps in your machine like Authy. Use them on your phone only and do not connect your phone with your machine all the time. Do so while your internet connection is off.

And nope, guessing your seed is impossible. Don't even think about it.
It may be someone in your close proximity who might be snooping on you. That's what I can think of in my expert opinion.
jr. member
Activity: 65
Merit: 6
September 04, 2021, 12:00:50 AM
#32
Never leave your password on your laptop or online server. I keep my passwords on two portable flash disks in case one fails, which is the safest possible option. Clean your PC of malware and avoid fake websites that look like the original website and steal your Metamask.
newbie
Activity: 19
Merit: 7
September 03, 2021, 11:40:28 PM
#31
These clipboard hijackers are nasty -- you can read about them here: https://www.bleepingcomputer.com/news/security/clipboard-hijacker-malware-monitors-23-million-bitcoin-addresses/

Any time you paste a crypto address, you need to check that the first few and last few characters of the address that you paste match the address that you copied.

(Ideally you'd check every last character of the address. It's theoretically possible, but computationally expensive, for this malware to create a public address ahead of time for each of the addresses that they are watching that matches on the first few and last few characters).

BTW, it really is worth reporting this to the police. You never know when a criminal will be caught, and they could be sitting on a private key that generated the address where your funds are. It's certainly possible -- though unlikely -- that you could get your money back. It has happened before (at least in the case of crypto scams -- there are a couple of examples at the end of this article: https://cryptoassetrecovery.com/2021/07/15/best-practices-recover-funds-from-crypto-scams/)
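The address check discussed in this post and in reply #36, as an added Python example that is not part of the thread: it compares a copied and a pasted address character by character, shows that a first-3/last-3 glance can pass on a swapped address, and gives the expected work needed to produce such a look-alike. The two addresses and all function names are constructed for illustration.

```python
"""Clipboard-hijack check: compare a copied address with what was pasted.

Added illustration; the two addresses below are constructed samples.
"""

# Constructed sample pair: same first 3 and last 3 hex characters,
# different everywhere in between.
COPIED = "0x3fa1c0de5b7e2a9d4c6f8b1e0a2d3c4b5a697f21"
PASTED = "0x3fa917b2e4d06c85a1f372be90cd5e48d63a0f21"


def normalize(addr):
    """Trim whitespace; lowercase 0x-hex addresses, where letter case only
    carries the optional EIP-55 checksum. Other formats are left untouched
    because base58 strings are case-sensitive."""
    addr = addr.strip()
    return addr.lower() if addr[:2].lower() == "0x" else addr


def body(addr):
    """The characters a person actually reads: the address minus any 0x."""
    addr = normalize(addr)
    return addr[2:] if addr.startswith("0x") else addr


def glance_check(copied, pasted, head=3, tail=3):
    """The weak check: only the first `head` and last `tail` characters."""
    a, b = body(copied), body(pasted)
    return a[:head] == b[:head] and a[len(a) - tail:] == b[len(b) - tail:]


def first_difference(copied, pasted):
    """The full check: index of the first differing character in the
    normalized strings, or None when they are identical."""
    a, b = normalize(copied), normalize(pasted)
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def lookalike_work(head, tail, alphabet_size=16):
    """Expected number of random addresses to generate before one matches
    `head` leading and `tail` trailing characters. Exact for hex addresses
    (uniform characters); only a rough guide for base58 (alphabet_size=58),
    whose leading characters are not uniformly distributed."""
    return alphabet_size ** (head + tail)


def verify_paste(copied, pasted):
    """Summary a wallet front end or a careful user could act on."""
    idx = first_difference(copied, pasted)
    return {
        "glance_ok": glance_check(copied, pasted),
        "identical": idx is None,
        "first_diff": idx,
    }


if __name__ == "__main__":
    result = verify_paste(COPIED, PASTED)
    print("glance check passes:", result["glance_ok"])
    print("addresses identical:", result["identical"])
    if result["first_diff"] is not None:
        i = result["first_diff"]
        print(normalize(COPIED))
        print(normalize(PASTED))
        print(" " * i + "^ first difference at index", i)
    print("tries for a 3+3 hex look-alike:", lookalike_work(3, 3))
    print("tries for a full 40-char match:", lookalike_work(20, 20))
```
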
jr. member
Activity: 140
Merit: 4
September 03, 2021, 10:22:50 PM
#30
Don't use Google Chrome, for anything. Even they announced about a week ago that it has been easy to exploit its software for the past months!
hero member
Activity: 924
Merit: 518
fillippone - Winner contest Pizza 2022
September 03, 2021, 09:12:01 PM
#29
This might have happened through your connection to public WiFi, which is never advisable for me. There are more sophisticated tools hackers use on public WiFi that make connected devices vulnerable to them and easier to manipulate. If you know that you have significant data on your system, it's better to keep it off public WiFi than to lose your information.

I was almost a victim of a hack the very time I connected my phone to public wifi. I was enjoying the free data I was using but suddenly my phone started hanging and I knew something was fishy somewhere. Within a few seconds I noticed that my phone started operating itself without my consent, which enlightened me about how dangerous connecting to public WiFi could be.
newbie
Activity: 11
Merit: 1
September 03, 2021, 03:23:54 PM
#28
Hi guys, thank you all for your replies. I spent a lot of time today updating my security protocols. 1 of my main protocols was not to connect to public wifi and routers I don't personally own, or know they are safe. At airports I always use my mobile hotspot. Except yesterday. Yesterday, my mobile was running out of battery and while I was charging it, I decided to connect to public wifi to do some work. Unfortunately, previous weeks were too stressful for me, and I didn't even think about my protocol. I cannot prove it's the wifi but today I realised this:

My laptop must have malware. I tried to move all of my other funds from the ledger to exchanges until I sort my computer and my ledger out. I tried to copy an 0x hex address from the exchange, and when I pasted it, it was a different address!!!!

This is the transaction where my ledger funds were transferred to another address :

https://blockstream.info/tx/9744253a268a18c61b2d33addc0dcbcfae7e8471985868adcd001e396299d609


Whoever this person is, has made 0.5btc in less than 3 days.
member
Activity: 532
Merit: 13
September 03, 2021, 11:35:57 AM
#27
I am so sorry for this, I thought this happens to a newbie but when I saw it was 4 years down the line I knew it was not a joke. I recently got to know that using public wifi is bad and that it can easily access one's IP address and all.
member
Activity: 2044
Merit: 16
September 03, 2021, 09:50:34 AM
#26
What an unfortunate way of losing your funds, and it's sad for that to happen to any person in the crypto world. With so many hack incidents lately we should always keep our seed safe from intrusion, and that's the only way of preventing this from happening in the future. Connecting to public wifi is also risky and maybe that's the reason your assets were hacked.
legendary
Activity: 3108
Merit: 5364
Fortis Fortuna Adiuvat⚔️
September 03, 2021, 08:44:35 AM
#25
@psycoclan1, now that we're pretty sure how your digital assets were stolen, it would be a good idea to edit the title - it's not your device that has been hacked, but someone has come into possession of your backup in one way or another. Unfortunately, this only proves that the weakest link in the security chain is still a person, and storing such sensitive data online is so wrong that it is not clear to me how anyone can do it at all.

You didn't write if someone stole $100 or $10 000 from you, but you can report the case to the police or hire a professional who can try to track the transaction and possibly find the perpetrator.
legendary
Activity: 3388
Merit: 1943
September 03, 2021, 02:26:16 AM
#24
I think the obvious question to ask OP, is if he travels with his "Seed"?

You cannot transfer tokens out of the physical ledger (hardware wallet) ...without having the PIN and having access to the physical device. (I have to confirm the transfer of tokens on the Ledger Nano, with a key press and the PIN)

So, the only way for people to get access to your coins, would be if you kept your Ledger Seed in your luggage and when they searched your luggage, one of those people took a photo of the Seed and then imported that to another software wallet and took the tokens on that wallet.

I hope you do not travel with your Seed? 
legendary
Activity: 3346
Merit: 4911
September 03, 2021, 01:49:06 AM
#23
I was thinking about this during the night... And I did manage to think up some more scenarios:

You saved your seed in your google drive. IF you have your drive open on your device AND the device contains malware, said malware should be able to access your drive from your actual device, not needing the 2FA (since you'll provide the 2FA token yourself when you use drive on the infected device).

A second one would be if you used the wifi in the airport and didn't use a vpn, there are still attack vectors if you do this... https://www.cloudwards.net/dangers-of-public-wifi/ (not mine, just one of the first google hits I got when searching for the dangers of using public wifi). Some of these attack vectors might be able to steal your google credentials, install malware,...

Bottom line is: it's almost impossible somebody randomly guessed your 24 words in the correct order. The odds are so close to 0, that in reality you could say they're ~0.
I know, I know, when you see 24 words, you'll always think: "hey, it should be easy to brute force such a seed". But it's not... Ledger used to have a really interesting article about this, but they removed it when they cleaned up their site, but it's still in the google cache: https://webcache.googleusercontent.com/search?q=cache:xR-zGi4JaQ0J:https://ledger.readthedocs.io/en/stable/background/master_seed.html+&cd=1&hl=nl&ct=clnk&gl=nl

So, there are only 2 types of attack vectors left: either somebody got to your seed, or somebody compromised your ledger device... And in all fairness, it was probably the seed you saved in your google drive... Am I 100% sure: no, but the odds are stacked against you.

It's like if I rented a super new and hard to break anonymous safe deposit box in the public basement of a bank, but I stored the key, the combination to the lock and the directions to the safe deposit box together under a rock in my front yard: if I get robbed, there's a small chance the robber found a way to break into a super hard to break deposit box by crafting a new key and using a stethoscope to find my combination, but the odds are far bigger he just saw a strange rock in my front yard, picked it up and found a key, combination and directions to my safe...

Saving a hardware wallet's seedphrase in a cloud storage is reducing your hardware wallet's security to the level of any run of the mill online wallet.

Now, the above bolded part might seem like I'm victim blaming, but believe me: I'm not... I just thought it needed to be bolded out to make sure newbies with the same idea as you had see this part straight away. I'm very sorry for your loss (like it has been said before: transactions are irreversible). Even if you made mistakes, nobody has the right to take your funds from you... It's not because I leave the doors to my house open that somebody has the right to steal my stuff... But if I want to know why my stuff has been stolen: it's because I left the front door open...
full member
Activity: 798
Merit: 115
September 03, 2021, 01:30:31 AM
#22
Saving seed online defeats the purpose of having a ledger in the first place. That is worse than saving your private key on your email because with seed, you don't need anything else to access your wallet.
I am worried about having seed written on two pieces of paper at home in case of fire or something, don't even imagine how paranoid I would be if I saved it online.
member
Activity: 882
Merit: 63
September 02, 2021, 10:36:17 PM
#21
From all of these suggested possibilities, I do admit I saved the seed in my google drive. To access my gmail account though, requires 2FA. Google did not notify me for a remote login etc. I used the same seed since 2017 on the same ledger device.
If they did get access of your computer then they've probably spoofed your email to somehow circumvent the 2FA, it's not a new thing, a lot of hackers use that to try and bypass 2FA and if they're able to do that then you wouldn't notice that they've logged in. Plus, you have a physical device so it's much more difficult to access your wallet in that manner. Can you show us the transactions?
jr. member
Activity: 60
Merit: 5
September 02, 2021, 10:28:32 PM
#20
I had this experience at the beginning. At that time, the whole person didn’t know what happened. After seeing this post, I probably understood the reason, and as a lesson learned, I posted it on the forum to let more novices notice and avoid losses.
sr. member
Activity: 729
Merit: 250
September 02, 2021, 09:27:29 PM
#19
Hi guys,

Unfortunately, my ledger hardware got hacked last night and 100% of the funds were transferred into another address. I have no idea how this happened. I have never shared my seed words with any websites. I used the same wallet for over 4 years with no problem. The only thing I can think of is that I connected my laptop yesterday afternoon to a public wifi hotspot at Stansted Airport, in London. I flew from there later that day, and as soon as I landed, I checked the balance and it was 0!!! Any idea how this happened, as I'm running out of hope!
Condolences on your loss. You need to be extra careful with all of today's sophisticated crypto asset misappropriation, especially passphrase keys. Your files should be stored in a place; do not choose google drive or store documents in your computer. The best advice is to write it down by hand and save it in a journal.
To be honest I should have deleted this seed from the cloud. I saved it in June 2017 and I completely forgot about it. This was the very first time I have ever used crypto. I guess it's a way to learn a lesson. The 1 million dollar question is if there is any way to recover. I know it is not possible, just asking...mostly out of desperation
We all should be careful nowadays, there are a lot of hackers and sophisticated acts that infiltrate our computers and all our information. You have learned from this loss, I believe you have learned the lesson. My sincere advice is that you should record in the logbook of all manual operations. Then we can safely protect our assets from hackers.
legendary
Activity: 4270
Merit: 3161
September 02, 2021, 09:11:43 PM
#18
AFAIK, there is no way to obtain the seed or the private keys from a Ledger without physically accessing the hardware inside it.

If someone stole your coins, there will be one or more transactions showing it. Please post the transaction IDs.
member
Activity: 1120
Merit: 68
September 02, 2021, 09:07:31 PM
#17
Expensive lessons here and I do hope that many members here will learn from the OP experience and not repeat the mistakes of using public wifi or cloud storage to hide your sensitive data.
You're wrong, it's totally safe to use a public Wi-Fi, I will give you a link about a video regarding the true stuff behind the protection offered by almost any VPNs in the market, it's a short one so it's not that tiring to watch.

https://youtu.be/WVDQEoe6ZWY
hero member
Activity: 1260
Merit: 515
September 02, 2021, 08:54:48 PM
#16
To be honest I should have deleted this seed from the cloud. I saved it in June 2017 and I completely forgot about it. This was the very first time I have ever used crypto. I guess it's a way to learn a lesson. The 1 million dollar question is if there is any way to recover. I know it is not possible, just asking...mostly out of desperation

I'm sorry to burst the bubble for you but there's no way to get back your money. Probably the hackers have been using a mixer to obfuscate their footprints in the blockchain.

Expensive lessons here and I do hope that many members here will learn from the OP experience and not repeat the mistakes of using public wifi or cloud storage to hide your sensitive data.
full member
Activity: 868
Merit: 150
September 02, 2021, 08:29:44 PM
#15
I don't think you've caught some malware somewhere but not the airport, you connecting to the airport Wi-Fi has nothing to do with you being hacked, the VPN ads lie about that part, I think the abuse has been obsolete because the Wi-Fi tech was changed. Maybe the people behind that hack were biding their time.
legendary
Activity: 1988
Merit: 2160
Professional Community manager
September 02, 2021, 06:35:32 PM
#14
Is there any possibility that anyone could guess the 24 words correctly randomly?
Guessing your 24 word recovery phrase randomly is not remotely possible. If it were, the entire network would have collapsed already as anyone lucky enough would be able to guess the recovery phrase of any wallet and steal the coins linked to them.
Any of the suggestions given above by @mocacinno could be the exact scenario that happened, or there was some other source of security leak which you are not yet aware of.
newbie
Activity: 26
Merit: 30
September 02, 2021, 06:33:42 PM
#13
It’s easier to steal the words than to guess them. It’s just not worth it.
newbie
Activity: 11
Merit: 1
September 02, 2021, 06:13:52 PM
#12
Even if you log in to a public wifi, your funds are supposed to stay intact on your ledger, unless of course there are other people knowing your login credentials that is. Or your machine itself is infected by something, but even then the funds should still remain intact.

Have you checked whether there are others around you that know of your crypto activities? They could possibly be the ones who might be behind this.

To be honest I should have deleted this seed from the cloud. I saved it in June 2017 and I completely forgot about it. This was the very first time I have ever used crypto. I guess it's a way to learn a lesson. The 1 million dollar question is if there is any way to recover. I know it is not possible, just asking...mostly out of desperation

Where are you receiving your 2FA notifications? Through your mobile device or some other machine?

As for recovery, I don’t think there is a way for you to get back the funds as it was already sent to another address.


Nobody knows my credentials (as far as I know). It was just me and no one else around. I can't really tell how this happened and that confuses me. 2FA in my google authenticator app on the phone. Yeah it's an expensive lesson I guess.

Is there any possibility that anyone could guess the 24 words correctly randomly?
newbie
Activity: 26
Merit: 30
September 02, 2021, 06:09:30 PM
#11
Google 2FA is trash. There are ways to get into the account with for example access to pw and recovery email.

My account got hacked via a malicious browser extension. They had access to everything, took me about 4 months, the police and hours on the phone with unhelpful google employees, to recover access.

If you had your seed in the cloud, that’s 100% how they got it.

DO NOT PUT YOUR SEED ANYWHERE DIGITALLY. (No NAS, no usb, no phone notes)

I have my seed laser engraved in a metal plate (my own personal laser not connected to the internet) and then hidden in the wall in my apartment.  
sr. member
Activity: 2198
Merit: 347
September 02, 2021, 06:05:16 PM
#10
To be honest I should have deleted this seed from the cloud. I saved it in June 2017 and I completely forgot about it. This was the very first time I have ever used crypto. I guess it's a way to learn a lesson. The 1 million dollar question is if there is any way to recover. I know it is not possible, just asking...mostly out of desperation

Regret does always come in the end and not from the start. You should have known that it is a risk storing seeds on the cloud and it would be much better if you saved it offline. Having those keys or seeds written on a paper is less risky than saving your keys on the cloud, which has never been advisable. As for your question about recovery, this is the sad part. There's no way of getting those coins back and sorry for your loss. I know it's hard to move on but there is no such thing you could do.
legendary
Activity: 3542
Merit: 1352
Excel is fun
September 02, 2021, 05:59:42 PM
#9
Even if you log in to a public wifi, your funds are supposed to stay intact on your ledger, unless of course there are other people knowing your login credentials that is. Or your machine itself is infected by something, but even then the funds should still remain intact.

Have you checked whether there are others around you that know of your crypto activities? They could possibly be the ones who might be behind this.

To be honest I should have deleted this seed from the cloud. I saved it in June 2017 and I completely forgot about it. This was the very first time I have ever used crypto. I guess it's a way to learn a lesson. The 1 million dollar question is if there is any way to recover. I know it is not possible, just asking...mostly out of desperation

Where are you receiving your 2FA notifications? Through your mobile device or some other machine?

As for recovery, I don’t think there is a way for you to get back the funds as it was already sent to another address.
sr. member
Activity: 1918
Merit: 442
Eloncoin.org - Mars, here we come!
September 02, 2021, 05:57:39 PM
#8
To be honest I should have deleted this seed from the cloud. I saved it in June 2017 and I completely forgot about it. This was the very first time I have ever used crypto. I guess it's a way to learn a lesson. The 1 million dollar question is if there is any way to recover. I know it is not possible, just asking...mostly out of desperation
Well, so sad to hear about your loss.
Yes, it is your lesson to learn, and be careful next time so that it won't happen again. How many newbies like you will fall victim first before they learn?
With most newbies I see a problem like this, which can be completely avoided if they know how to avoid it on their own. We should always be knowledgeable enough before using bitcoin because it has value and transactions are irreversible; once it is sent to the hacker's address it can never be retrieved. So, therefore, next time you must be careful.
newbie
Activity: 11
Merit: 1
September 02, 2021, 05:48:34 PM
#7
To be honest I should have deleted this seed from the cloud. I saved it in June 2017 and I completely forgot about it. This was the very first time I have ever used crypto. I guess it's a way to learn a lesson. The 1 million dollar question is if there is any way to recover. I know it is not possible, just asking...mostly out of desperation
legendary
Activity: 2226
Merit: 1249
September 02, 2021, 05:46:29 PM
#6
Very hard to say... theoretically you should be able to use your ledger on an infected pc and still not lose your funds...

I can think of a couple of very remote scenarios that happened, or were at least discussed in the past:
  • You saved your seed in the cloud, and your account got hacked (iCloud, Dropbox, Gmail, ...)
  • You saved your seed on a physical carrier, and somebody found said carrier
  • You entered your seed in a different (vulnerable) wallet
  • You were the victim of a clipboard virus (even though this would have required you to actually make a transaction)
  • You received a device that had been tampered with... either preloaded with a seed, or plain fake
  • You were the victim of an evil maid attack (somebody had physical access to your device)

From all of these suggested possibilities, I do admit I saved the seed in my Google Drive. To access my Gmail account, though, requires 2FA. Google did not notify me of a remote login etc. I used the same seed since 2017 on the same Ledger device.

Yup, as above, cloud storage is fine for photos of your pets and your car but not for sensitive information. The trouble with free email and storage is it's too convenient to use, and a lot of people use it by default rather than spending a bit more time to make use of a more secure alternative.

How does your 2FA work, does it go to a second email account? Maybe the hackers had access to that also over the public wifi?

Sorry to hear this.
hero member
Activity: 2856
Merit: 570
Leading Crypto Sports Betting & Casino Platform
September 02, 2021, 05:40:16 PM
#5
From all of these suggested possibilities, I do admit I saved the seed in my Google Drive. To access my Gmail account, though, requires 2FA. Google did not notify me of a remote login etc. I used the same seed since 2017 on the same Ledger device.
It's never advisable to store your seeds or private keys in cloud storage such as Google Drive. That's probably the reason why you've been hacked. I thought about when you accessed the public wifi; maybe that also has something to do with it, as it's also never advisable to do that with the laptop that you use to access your funds.
legendary
Activity: 3346
Merit: 4911
https://merel.mobi => buy facemasks with BTC/LTC
September 02, 2021, 05:39:54 PM
#4
--snip--

From all of these suggested possibilities, I do admit I saved the seed in my Google Drive. To access my Gmail account, though, requires 2FA. Google did not notify me of a remote login etc. I used the same seed since 2017 on the same Ledger device.

It's very hard to say for sure, especially without knowing you or being able to physically inspect any logs related to you... But saving a seed in your mail is a big red flag... I did see several people in the past that used this method and lost their money... Same for iCloud, which was even worse...
I'm not saying this is the case for you, but I doubt somebody without physical access to your metadata will actually be able to pinpoint the exact problem, and cloud leaks are not that uncommon, so they're probably the vulnerability with the highest odds in this case.
newbie
Activity: 11
Merit: 1
September 02, 2021, 05:34:16 PM
#3
Very hard to say... theoretically you should be able to use your ledger on an infected pc and still not lose your funds...

I can think of a couple of very remote scenarios that happened, or were at least discussed in the past:
  • You saved your seed in the cloud, and your account got hacked (iCloud, Dropbox, Gmail, ...)
  • You saved your seed on a physical carrier, and somebody found said carrier
  • You entered your seed in a different (vulnerable) wallet
  • You were the victim of a clipboard virus (even though this would have required you to actually make a transaction)
  • You received a device that had been tampered with... either preloaded with a seed, or plain fake
  • You were the victim of an evil maid attack (somebody had physical access to your device)

From all of these suggested possibilities, I do admit I saved the seed in my Google Drive. To access my Gmail account, though, requires 2FA. Google did not notify me of a remote login etc. I used the same seed since 2017 on the same Ledger device.
legendary
Activity: 3346
Merit: 4911
https://merel.mobi => buy facemasks with BTC/LTC
September 02, 2021, 05:25:01 PM
#2
Very hard to say... theoretically you should be able to use your ledger on an infected pc and still not lose your funds...

I can think of a couple of very remote scenarios that happened, or were at least discussed in the past:
  • You saved your seed in the cloud, and your account got hacked (iCloud, Dropbox, Gmail, ...)
  • You saved your seed on a physical carrier, and somebody found said carrier
  • You entered your seed in a different (vulnerable) wallet
  • You were the victim of a clipboard virus (even though this would have required you to actually make a transaction)
  • You received a device that had been tampered with... either preloaded with a seed, or plain fake
  • You were the victim of an evil maid attack (somebody had physical access to your device)
newbie
Activity: 11
Merit: 1
September 02, 2021, 05:19:54 PM
#1
Hi guys,

Unfortunately, my Ledger hardware got hacked last night and 100% of the funds were transferred to another address. I have no idea how this happened. I have never shared my seed words with any websites. I used the same wallet for over 4 years with no problem. The only thing I can think of is that I connected my laptop yesterday afternoon to a public wifi hotspot at Stansted Airport, in London. I flew from there later that day, and as soon as I landed, I checked the balance and it was 0!!! Any idea how this happened, as I'm running out of hope!