Topic: My Ledger Nano S has been hacked - page 2. (Read 8446 times)

Woah! I think I'll stick with a Trezor if they are so slow in getting back to customers.

ah yes! actually it wasn't the chrome app to update but the bitcoin app on the ledger wallet itself, anyway it solved the issue, thank you!

I'm having the exact same issue and just wrote to ledger support and got the same automatic reply saying I will get an answer in up to 3 weeks  I'm glad to find out that I'm not the only one, I too am not authorizing the "output#2" transaction since as it was pointed out, it does look like a hack and even if it isn't it is a bit scary to "authorize" a transaction to an address I don't know. I hope Ledger will resolve this or clarify

Are you  serious, you could be waiting nearly a month for a response?   I'd be expecting a few days.

https://www.reddit.com/r/ledgerwallet/comments/6zgy1x/nano_s_asks_to_confirm_change_output_when_sending/

update the chrome app and you should be fine.

So this is happening to me too.  I've posted over at the Ledger subreddit (https://www.reddit.com/r/ledgerwallet/comments/701eth/multiple_activations_on_ledger_nano_s_required/), to me it looks exactly like a hack.  We need to get the awareness out there on this as people could just be clicking through on their keys not thinking about it and sending BTC to an unknown address.    Absolutely crazy, if this is a hack then it's disastrous for ledger.  If it's not a hack and it's intended behaviour of the Nano S following the SegWit implementation, then it is still a disaster because it looks like, what else, a bloody hack.  Frankly not sure what possibly resolution there can be to this that is satisfactory - I woke up this morning trusting Ledger with my bags and now that trust is shattered.  Spread the word people, terrifying.

Have all the addresses been used for a transaction or have you done more than 20 transactions sent/recieved.
If any of these have happend then you'll have to reproduce more addresses from te console (these will be produced from your PUBLIC key, nothing will be done to your hardware wallet from this).
Use these commands and check again for the second output address:
wallet.storage.put('gap_limit', 70)
wallet.storage.write()

---

If this doesn't work, both you and OP can import your seeds into an offline and sand boxed computer (preferably one running a fresh OS) - but do not try this until you have exhausted all other options, it is a bit more riskier than leaving your coins on a ledger and it is unlikely your ledger has been hacked.

Thanks for this, tried it and the output #2 address isnt on there

I'm experiencing the same thing only diff is that the Output #2 is worth about $102 and not my account balance. But I don't recognize the address

As Coin-Keeper has suggested... importing your Master PUBLIC Key into Electrum is a relatively painless and safe way to check your addresses...

Just download Electrum from here: https://electrum.org/#download

Then create a "new" wallet -> Standard Wallet -> Use a hardware Device -> Connect the ledger then follow the prompts...

After it has created your addresses and opened the wallet, you can view the addresses using "View -> Show Addresses" and then click on the "Addresses" Tab... your Output #2 address should be showing under "Change" (Note: you may need to click the '>' symbol to get the Change section to expand)

How about generating the MPK's from the Ledger wallet and then creating a watching only wallet in Electrum?  I do this all the time using a Trezor, so I am thinking it should also be easy on a Ledger (I have not used one).  Taking Electrum online with a watching only wallet is safe and you can see all the addresses, including the change addresses, easily.

Thanks for response... This is helpful. Pls if anyone knows a simplified way to check address, pls provide a link or instructions as I'd feel better about this confirming the address for output #2 (at least for the first time).  Much appreciated.

It seems that this is "normal" behaviour since the updates for SegWit were put in... https://www.reddit.com/r/ledgerwallet/comments/6wws8e/comfirm_output_2/

Chances are that this Output #2 is in fact a change address in your wallet, so I don't think that you need to worry that your ledger s might have been "hacked"

Checking your addresses is actually pretty easy, so if you need detailed step by step instructions, I'm sure one of us will be able to help out

Thanks for instructions, but I am pretty new to all this and half of what you said a way beyond me. Even if I somehow managed to translate and complete the steps I don't understand why only now after dealing with the Hashflare site did this situation occure. In all other transaction, all of which had "change" left over in my account, never was the transactions presented in such a way.

When the ledger does a transaction where change is involved it generates a new address for the change each time. This is to obfuscate the transactions as much as possible.

You can verify you own the change address by downloading https://iancoleman.github.io/bip39/ (preferably to an air gapped computer) and then while offline input your ledger seed and passphrase if used.

Then under 'Derivation Path' select BIP44 you can find your path in the Chrome app by clicking on the account then selecting ACCOUNT SETTINGS, under ADVANCED you will see the 'Root Path' mine was 44'/0'/0'. This will show you all the derived addresses that you may have used for receiving.
To look at the change addresses try adding a 1 in the External/Internal field. If the address it is trying to send output #2 is listed there then you are good to go knowing those funds are going back to your device.

Just tell me one thing. The Ledger wallet can have multiple Bitcoin addresses, right? I have never used Ledger, so I am not sure. The address in Output #2, is there a possibility that it is another address in your own wallet? In that case, you are just moving coins from one of your wallets to another. (I am not sure).

Yes, I reported it to Ledger wallet support. The email confirmation that they received my concern said 1-3 weeks for  response. I can't think of any purpose for Ledger to have a setting that would do what was described above. Sorry if situation isn't clear, don't know how else to explain it.

It is confusing. I am also not sure exactly what happened. But I don't think that your wallet is hacked. Perhaps you changed some of the settings, or the software got corrupted. But to confirm everything, have you written to Ledger wallet support ([email protected], please correct me if I am wrong)?

My first post, new member...
Two days ago I tried to buy into the cloud mining pool Hashflare. When I tried to purchase with Bitcoin (held in my ledger Nano S) I noticed something strange. My device was asking me to confirm "output #1" with the correct btc amount and address (i thought this strange, as I've never seen "output #1" before when moving btc, but because the amount and address we're correct I confirmed the transaction. Then right after the device said "output #2" (very scary) with a btc amount equal to what would be the remaining amount in my account and the address was not known to me. I did rejected that confirmation and the entire order failed. Now anytime I try to move bitcoin from my ledger Nano S for any purchase this same sequence happens. I am not able to move btc without any remaining funds being attempted to be sent to an unknown address. I tried to move all my Bitcoin to a new account within the wallet, but each attempt fails. I have not tried to move my other coins (Bitcoin Cash and Ethereum) but fear the same thing may occur. I sent an email to Hashflare and to Ledger but responses will be 1-3 weeks.
Possible solutions?
My only thought and plan at the moment is to order a Trezor and move all but a very small amount over from the Ledger to the Trezor and allow the tiny amount that I don't send over go through to the unknown address. Good idea? I already bought a Trezor and it is on the way.