Topic: Stolen funds from Ledger Live? (Read 335 times)

Probably, pin-hole camera or imagining radar something.

The two events don't have to be connected. During October, Ethereum accounts couldn't sync within Ledger Live. Their developer team found out that users who had Synthetix tokens, TIC, and sUSD couldn't sync their ETH accounts for whatever reason.

He used his Ledger Live account on 21 August. This is the official response from Ledger regarding the sync issues:
https://twitter.com/Ledger_Support/status/1318899089241743361

@ KrJS81
Did you, or do you still have any of those 3 tokens on your hardware wallet?
Can you walk us through (if you remember) your online activity on the day your funds were stolen? As much details as possible.

That's definitely an option for the over-paranoid (some of them probably even are right in being paranoid about this).

Another option would be a completely open source mobile where the software and the hardware is open source.
Precursor is such a project. This isn't just a mobile built with purely open source software, but even the hardware can be verified.

That's a project from bunnie who held a very interesting talk about the supplychain of hardware and how an open source design is not enough to protect against supply chain attacks. This 1 hour long video can be found here. It is definitely worth to watch.

While I'm quite paranoid about smartphones and cameras, imo if one gets to the point where they're so paranoid that they can't trust their smartphone at all anymore, it may be time to use a dumb phone instead. Like, I do this as a security and privacy practice - not necessarily because I'd be scared of someone monitoring my webcam activity.

For ambient sounds, if you're talking about microphones, it's quite hard to get the 3 microphones disconnected from a smartphone. I don't think there are any (or a lot of) smartphones out there that have modular microphones, they're usually soldered into the motherboard and requires micro-soldering skills to disconnect them. And that implies some very rough possible consequences: you'd have to only use headphones for microphone, so imagine having to call 911 in an emergency.

The thing is, even with your cameras and microphones removed, your phone's hardware and OS are the main issue. If you fear being spied through microphones and cameras, I'd have a much larger fear for the blobs and closed-source stuff the operating system has. At that point, Librem phones should be considered if you really need a smartphone (or a dumb phone, which is as cheap as a meal and can be disposed at any given time).

Another option is to use a Faraday cage to cut all external connections to the phone. Include a white noise generator next to it (or inside the cage) if you're afraid sounds are recorded offline only to be streamed once the phone reconnects to the internet.

Possible? Definitely.
But is it likely? Not so much.

If you want to be sure that no one is spying on you through your smart phones camera, i'd recommend a webcam cover, i.e. something like that:


Source: amazon.com

They are pretty cheap and are available for all kinds of cameras (smart phones, laptop, webcams).

However, if you fear getting spied on through your smartphone, you'd also have to make sure it can't record ambient sound.
Whether that is paranoid or a possibly used attack vector, is completely up to you and depends on you and the situation you are in.

Yes, this is entirely possible. It also applies to cameras on laptops or tablets or standalone webcams plugged in to a computer. When they are not being used, you should disconnect any cameras you can, and cover them if you cannot disconnect them. A piece of tape is a sufficient and cheap option, but you can also buy phone cases with physical sliders or shutters to block cameras.

This isn't just good security, but given the mass spying and surveillance conducted by the US government and others, it is just common sense. The ex-director of the FBI says he covers all his cameras when not in use.

I am everything but an opsec master here... but just in case, and sorry if the question is dumb, I have to ask, as this is something that I care about every time I take out the paper with the phrase out of the envelope:

Is it possible to have one's smartphone hacked, so when your lift it and the camera points to the desk with the paper in sight it captures the words taking a screenshot? every time I touch the paper I try to make sure no cameras can look at it (and I feel a bit paranoid, but hey! better safe than sorry).

Are you sure that no one had access to your desk?

Since the transaction happened shortly after this session and you had your mnemonic on your desk, the possibility of someone taking a photo of it to steal your funds theoretically exists.
As well as someone using your ledger to sign such a transaction.

Did you ever use your mnemonic code for anything?

There were (are) still some sophisticated phishing attacks against the ledger live app.

https://www.coindesk.com/phishing-attack-ledger-cryptocurrency-wallet

Even someone with good opsec can still mess up now and then.

And there have been a few fake extensions put up. They usually get taken down quickly but there are still up occasionally.

So even with what the OP said, there is still a chance that it came from elsewhere.

-Dave

you risk your privacy if you do so...

Your account name is known, your ip is known (bitcointalk uses cloudflare)... If you post your txid, people can couple some of your addresses to this account, and a couple of law enforcement agency's can do the same with your ip...
But other than this, you can do no harm by posting addresses or transaction id's.

Thanks and I agree - I rely a lot on the police now and hope they manage to investigate this properly.

Not sure whether I risk to blow up something if I share the transaction info?

Can you recall why you had the recovery phrase on your table for a while?
There must have been a reason for this... I never take my recovery phrase out...

I'm not saying you fell victim to phishing, but a month ago there were loads of phising mails going around... They were professionally made, and they pointed to a professional looking site that prompted you to enter your seed phrase for verification purposes.

The fact that you couldn't access your Ethereum accounts without an update a month ago is suspicious, especially since you were then robbed a few minutes later. Did you update Ledger Live or install any new software at this time?

When you first set up your hardware wallet, did you set it up as a new device with a brand new seed phrase, or did you import a seed phrase from another wallet? Since then, have you ever entered your seed phrase anywhere? (This includes in to Ledger Live, to restore it to another wallet, etc. Anywhere at all?)

Who else would have had access to your seed phrase while it was sitting on your desk? Who else would have had access to your unlocked device while it was connected?

I get your point. I'm trying to figure out how this can happen, recall my Ledger-session that day and whether I had my fingers on the recovery phrase.

I don't think it's a matter of the recovery phrase since the fraud happened shortly after I was logged in (for the first time in many months). Coincidence? That day I did not make any tx's - I just checked my balances and tried to figure out, why I could not access my Ethereum balance.

That said I did put my fingers on the recovery phrase and put it on my table for a while. And I did leave my desk - maybe with the Ledger device connected. But even if that is the case, how can it happen that the money left my account (as I didn't do anything related to a transaction or approving anything physically other than logging in a couple of times).

Although it is not easy to suspect any of your family members, the way you kept your seed leaves enough doubt that any of them (or their acquaintances) came into possession of that information. Why the funds disappeared after you last logged in to Ledger Live remains a question, maybe it's just a coincidence or someone wanted you to think so.

---

In that case, the police should do their part and determine if anyone has touched the paper on which the seed is (check the prints), and if anyone other than family members has entered your office. Furthermore, your computer should be thoroughly checked by someone who knows what to look for.

What's even more important is to follow the trail left by the hacker, which means to find out where the stolen coins ended up - so if you want to post both transactions it may help, of course be aware that this can always be a privacy issue.

Not exactly.
OP logged in today after receiving an email.
But his funds were stolen 1 month ago (29th October), roughly 30 minutes (a guess from OP) after logging in.

That's at least the information according to the OP:



OP, in addition to the questions of mocacinno, could you please also answer these:

• Does anyone have access to your hardware wallet ?
• Is your PIN truly random and no one could guess it ?
• Does your Nano look like it has been tampered with (case being opened) ?

As a summary, it it correct to assume the following:

• you bought the nano S about 2,5 years ago
• you funded your addresses a long time ago
• this morning, you received an email
• after receiving the email, you checked your hw wallet, and shortly after this, you got robbed

Some follow-up questions: this morning, when you received said mail, just before you were robbed:

• did you click any link in said mail? It doesn't even matter if you closed the browser window afterwards, but did you click the link?
• just before you got robbed, did you physically touch the piece of paper used to write down your seed phrase? If so: what was the reason?
• did you install any program on your pc recently?
• just before you got robbed, did you create a tx for any altcoin(s) using your ledger?
• just before you got robbed, did you spend any BTC from your ledger? (i'm thinking about copy/paste virusses here)
• are you running the latest version of ledger live and an updated version of ledger's firmware?

Well, he either got you to confirm the transaction (potentially by abusing the vulnerability i talked about in my previous post... You could have been thinking you were signing a tx to send 3 DOGE, but sent 3 BTC instead due to the vulnerability) OR the thief got your seed phrase...

IF he had your seed phrase, you wouldn't have to confirm anything... The seed phrase is used to calculate the xprv, the private keys get derived from this xprv. Anybody who has your seed can restore it into any wallet he wants, and spend your funds without you having to confirm anything.

Once again: i'm not victim blaming... For what it's worth, you could have had the worst opsec in human history, that still didn't give the thief any entitlement to your funds. You were robbed, you are the victim here... Anything I ask is because i've been around for a while, and believe it or not: i do have some experience in this field... And from my experience, the odds somebody phished you, or had access to your physical device, or found your seed phrase an other way, or installed a copy/paste virus on your device are far greater than the odds of a firmware vulnerability. This does not mean a firmware vulnerability is impossible: i'm just relying on my experience and telling you what the biggest odds are...
I mean: i've seen loads of people with good opsec getting phished... I've seen people that suddenly remember they saved a picture of their seed on their dropbox ages ago...  I've seen people that suddenly remember they sent funds while they were drunk... I've seen people that got confused with change addresses... I've seen people getting confused when splitting their coins into BTC and BCH... I've seen people falling victim to copy/paste virusses by signing tx's without verifying which addres they were going to fund... But I haven't seen that many people that fell victim to a HW wallet vulnerability that couldn't been avoided by good opsec... Maybe once or twice: i can't remember a single one i've personally met, but i have a bad memory...

I bought my device 2.5 years ago. I haven't got any phishing emails until this morning which reminded me about my crypto's. I logged into my account just to how my crypto's were going. I didn't click on links in that email or replied back. Furthermore I haven't received any text messages related to crypto.

No idea how this can happen as it seems like someone was aware that in that exact moment for the first time in many months I logged in - shortly after the funds left my account - which I guess underlines that the recovery phrase wasn't in use?

Exactly - and that was the whole point getting a physical device for my crypto currencies - to approve things physically on the device. I did not approve anything that day - and actually I had problems entering/seeing my Ethereum balance that day due to a software bug I guess. I remember I seeked info in Ledgers Q&A but didn't manage to solve it quickly and therefore I pushed it for today where I did a Ledger Live update which apparently solved the Ethereum bug (as I can now see my balance and the fact the funds left on 29th (wondering how that could happen since I couldn't even access the Ethereums myself)).

Yes, some knew about my crypto currencies. But what I don't understand is how it can happen, really?

I was logged in on 29th of Oct. for the first time in 4-5 months and just shortly after the transactions took place apparently. So I guess it's likely that a Trojan horse was surveilling me rather than someone abused my recovery phrase (as if it was caused by leak of recovery phrase I guess the coins were stolen independent from my login?).

Let's say it was a Trojan horse and everything which I did that day was captured by a thief. I guess the person still needs to confirm the transactions physically on the Nano device?