As Husna QA pointed out, if you are not planning on using the QR scanning features of Electrum, you can just disable that permission. It's not going to affect your ability to send/receive bitcoin or use Electrum's coin control features. If you ever come to a point where you need to scan a QR code, try to remember that the permissions for that action need to be enabled first because it's not going to work. Your OS or the client might display an error message though, which will lead you to understand that a permission needs to be enabled in order to proceed.

I don't think that's as simple as it sounds. Binance and other exchanges aren't just going to listen to a random person asking to have certain addresses blacklisted. They are going to require proof (proof you don' have) and the involvement of law enforcement. But until that happens, the coins will be long gone.

If the goal of the hacker is to convert the BTC into fiat, he doesn't need to touch centralized exchanges at all. He can mix the coins or take advantage of coinjoin services and exchange them via a decentralized exchange like Bisq. P2P trades are another option.

Unfortunately, it seems like the OP's money is gone.

Stop it, before something happens.

Sure, but the point is you gambled for free and didn't lose any money, while leaving the option to make money open just in case you won. The casino also didn't make any money on your losses, which they should have.

Crypto casinos haven't been the fastest ones in the past to introduce new things, like SegWit for example. I remember it took some popular platforms years before they updated their systems to allow withdrawals to Bech32 addresses.

This time around, it's their profits and their money that's on the line, so they might be somewhat quicker. I still think they will wait to see what happens. And if they realize there are many players that abuse the zero-deposit feature, they will just disable it for new accounts while probably not doing it for longtime and loyal players.

Take a screenshot of the QR code on the device that generates it and send it to yourself via email. Or save it in your email as a draft. Then access your email from your desktop device, open the image with the screenshot, and scan the QR code from the laptop/PC screen. You don't have to scan anything with a phone from another phone's display that way.

No. Keep in mind that hardware wallets are intended to be a good combination of convenience and security, so everything is quite self-explanatory and created for beginners to understand. I don't have a Trezor, but the onboarding process shouldn't be that different from that of Ledger.

You generate a seed, make backups of it, enter the words into the device to test if you wrote them down correctly, and that part is done. Trezor One generates 12-word seeds by default, Ledger generates 24-word seeds for its HWs. One thing that is interesting is that with the Trezor One, the seed words are entered into the software application and not the hardware device itself. With Trezor T and all Ledger wallets, that's not the case. I am not particularly fond of that process, but what can you do.

After that, you need to select a PIN and confirm it. The PIN is used every time you connect the device to your PC to unlock it.
The Trezor Suite should then give you an option to create a standard or a hidden account. The hidden account requires a passphrase. If you remember my post above, I suggested it's recommended to set up at least one passphrase for your Trezor to increase your security.

Before you send any money to your Trezor, make sure you wrote down your seed words correctly. Generate a BTC address and save it somewhere. Then reset your device, recover it from seed, and check if you still get the same address in the same account that you saved earlier. They must match. Alternatively, you can send some pocket change to it and then send it back to a wallet outside of Trezor just to check everything is working as it should. Once that is done, you move the bigger bags of your BTC to your HW.   

Casinos have their methods to fight against doublespend attacks. Sportsbet.io, for example, allows instant bitcoin deposits. After a transaction is broadcasted to the network, it literally takes a few seconds for your account balance to be updated. You can then use your coins despite them still being in unconfirmed status to gamble.

But there is a catch. If you win some money and you attempt to make a withdrawal, it won't work unless your deposit transaction was confirmed on-chain. So cheating and doublespending isn't worth it in that particular case. Makes you wonder though if one could make a deposit and pay a low mining fee, quickly gamble, and if you lose, then you double spend the original transaction back to yourself with a much higher fee. Sportsbet surely has to have some security mechanisms in place to battle against this.     

When you say you made an Electrum wallet, I hope that doesn't mean that your imported your Trezor seed into your Electrum wallet, does it? If you did that, you have basically taken all the security away that you would otherwise preserve if only your hardware wallet is used with your seed phrase. A Trezor can be connected and used successfully with Electrum without importing a seed.

You don't need the Electrum's wallet file because you can't sign and broadcast any transactions without your Trezor connected. The transactions need to be signed with the corresponding private keys and those are only found on the HW. Electrum's wallet file doesn't have them, hence it isn't that important. You can still encrypt the wallet file making it inaccessible unless the Trezor wallet is also connected and unlocked. That would prevent someone loading Electrum, opening your wallet file in the client, and being able to see how many coins are in that wallet and derivation path.

What does this mean, and what are you trying to say?

I have no experience with setting up or using BTCPay Server, but it seems to me that those who can, could offer their services to other people for money. It goes against that self-hosted and no third-parties concept, but people have never minded choosing convenience over security. Still, I have never seen or heard of anyone doing that.

BTCPay Server has a good docs section with explanations, but technically not-gifted individuals wouldn't be interested in doing that themselves. 

A small correction: the Coldcard is based on open-source code but the final product does not come with an open-source license. That means, you are not allowed to modify or redistribute Coldcard code. You also can't use their code to create your own hardware wallet. The codebase is verifiable though, and that should be the point you should focus on if that's something that is important to you.

---

@tread93
A few things about the Ledger.

- You have ways to check and ensure that the software and hardware of a Ledger is genuine. For instructions on how to do that, you go to the official website or read this support document.
- Only a genuine Ledger HW can connect to Ledger Live (the native app for your hardware wallet) servers. The fake ones can't.
- You can also physically open the device and check the hardware inside, but you should know that by doing that, you void the warranty. This is the link with instructions if you want to do that.   
- When you first turn on your Ledger HW, it's supposed to display a welcome message of some sorts. I am not sure what exactly it says now. "Hi Ledger", "Welcome to Ledger", or the screen simply displays the ledger logo. Keep an eye on that. It only happens during the onboarding process and the first time the device is turned on. If it doesn't, you aren't the first one who has turned it on.
 
To sum up.
Never use a HW with preinstalled seed. Confirm everything with the information available on the official site. Download software only from the official site, not based on instructions given to you elsewhere. Verify if your device is genuine before using it. Stop and ask questions if you are in doubt, like you did with this thread. Ask the Ledger support or people on this forum if something is not clear.

Harmful for privacy in what way? Are you saying that the difference in the sequence number can help identify the user or can it help in identifying that the person creating the transaction is using a wallet that has a console? Knowing that the person is using a console, limits the scope of potential wallets being used.   

People shouldn't be blinded by big bonuses and special promotions new casinos organize to acquire new players. That's how they lure you in, and it works. People don't really care as long as they can get their hands on some juicy bonuses. Or they think they can. If you are a serious gambler, your money should only go to a handful of casinos that have been around for many years. From the top of my head, I can't think of more than 2-3. I generally avoid anything new, especially those trying to entice me with offers that are too good to be true.

Lijepa incijativa, ali ovo ne bi smio raditi na forumu. Ako neko od moderatora zaluta u našu altcoin sekciju i pronađe ovu temu i prevede je da provjeri sadržaj, mogao bi ti i svi koji su učestvovali dobiti kratkotrajni ban na 1-2 tjedna. To se je dešavalo u prošlosti u engleskom dijelu foruma.

Bilo koja vrsta altcoin giveaway-a je zabranjena po pravilima. Samo se Bitcoin smije davati u zamjenu za poruke koje sadrže adrese od korisnika. Altcoini ne.
Ja bi ti preporučio da napraviš Google doc gdje se onda oni koji su zainteresovani mogu prijaviti i poslati podatke za isplatu MATICa. Alternative je da ti se ljudi jave preko PMa.     

I have been thinking about that in the past as well. I sometimes order stuff online to have it delivered to my address (person to person), and the shipping company is obviously not going to check the content and verify it's what I ordered. Unless it's a trusted seller, you could end up with a brick in a box. Good luck proving that's what the other party sent and you aren't lying and faking it.

Some people have suggested making a video of yourself opening the package. That's not a bad idea. At least you can prove the brick was inside when you opened it. Couriers in some countries allow the buyer to open the package in their presence. That's also a good way to go about it, especially for expensive items. If you open it, and there is a brick inside, the courier is a witness to it.

That's like the fake Ledger HWs that were sent to people following the data leak incident. A cautious person shouldn't fall for that. You ought to know where to go and verify the authenticity of the device and the instructions provided with it. If you are buying a Ledger, that's https://www.ledger.com/, not https://www.daves.fakeledger.com/. Getting phished is a serious problem, but you overcome it with knowledge, caution, and logic.

Good choice. Trezor has been around for ages and their Trezor One is the first ever hardware wallet. Putting aside the design fault I talked about previously, it's still a great keeper of your private keys if you spend some more time to secure it. If you are only thinking of keeping BTC on it, you can install the Bitcoin-only firmware. You don't even have to go for the more expensive T model. Model T supports Shamir's Secret Sharing, more altcoins, and some more modern features. 

I personally like what Foundation Devices is doing with their Passport HW, but for me, it's still a relatively new device. I think they only sold a few thousand devices in total compared to Trezor that sold 2 millions or Ledger with 5. Ledger and Trezor have surely been scrutinized much more and have had more eyes checking up on them than Passport has. That alone is enough for me to wait a little bit before storing any serious coins onto a Passport.

Before I get attacked with the Foundation is open-source and you can check everything responses, no I can't. I can't check the code, and neither can many of those who use that argument. I am not talking about verifying the builds and ensuring the codebase is identical to what is publicly available, or using Wallet Scrutiny for the job. Everyone can do that by following a set of instructions. I am talking about sitting down and going through the code and understanding what it does. Since many can't do that, we rely on others who can. We hope and trust they did a good job.

I recently posted an article where researchers claimed that it takes on average a year to fix vulnerabilities in open-source software. Some previous examples have shown that faulty code was public for 800-1000 days before someone found out there were vulnerabilities and had them fixed. So If I have a choice of using a Trezor, released in 2013/2014, or a Passport, which came out in 2021 (I think), It's clear to me who the favorite is. And it's clear to me which one has been out there longer, has been used more by the community, and has had all sorts of attack attempted against it.   

Sure, but you can imagine how small that userbase is. We (as in all crypto users) are still quite a small part of the global financial economy. Then you have to take into account how many of those crypto users use crypto on a regular basis, which I consider at least once or twice a week, if not more. When you have gotten that far, it comes down to how many people own hardware wallets, and then an even smaller group who owns airgapped hardware wallets or airgapped computers. Lastly, how do those who use airgapped systems interact with their wallets. QR codes is one way of doing it. The other one is via USB drives. 

I tried to Google the issue, but except a few similar questions where people have reported the same things as you (having issues to scan QR codes on devices that had screen protectors), I didn't come across a source with a reasonable explanation. Scanning a QR code from a different phone isn't as common as scanning codes from other surfaces in order to make payments. One could assume that the error correction features that QR codes have, would be enough to make the codes readable even under a screen protection, but obviously that's not the case.

You could try to contact some of the companies that produce screen protectors and ask them for more information and feedback about the problems.
It would be interesting to see if the codes are scannable if only part of the screen is covered with a screen protector (a third or half of it). No one would use a screen protector in that way, obviously, but it's also an experiment to see how good the QR code error correction capabilities are.

I understand your concerns, but no matter the quality of the packages, most things can still be faked. Luckily you can always rely on software and/or hardware authentication to verify if you have received a genuine hardware wallet or not.

Web Authentication: A Counter to Supply Chain Attacks

The article explains that each Keystone comes with preinstalled public and private keys in the secure element chip that are only used for verifying whether or not the device is genuine. These are not the private keys that sign transactions during transactions of your coins. During the setup process of your HW, you will be asked to visit the official Keystone authentication website. It's connected to a server that also has a public and private keypair just like your wallet. A genuine Keystone HW knows the public key of the server, and the server knows the public keys of genuine hardware devices. Once you start the authentication, you need to scan a QR code on the website which is encrypted with your device's public key and signed with the private key from the Keystone server. During the verification process, your HW will check the signature to make sure it comes from the official authentication page. The hardware device will decrypt the scanned message with its own private key. The result should be an 8-digit code that needs to be entered on the website. If the verification succeeds, you are good to go. If not, there is an issue with your device.     

I just tried scanning both codes from my Nokia 8 smartphone, which is already several years old. I made 8 scans altogether. 4 from my laptop screen and 4 from the connected external monitor. Both QR codes were scanned from both monitors using two different apps: Electrum and Google Authenticator. I know that Google Authy can't do anything with the codes, but that's not the point. I just wanted to test the scanning capabilities. I had no problems with any of the scans. I didn't even have to position the phone or keep the device steady. It had no problems capturing either code.   

Do keep in mind that this is not a recommended way to do things. If we have doubts about Trust Wallet, its trust, quality, motives of the developers and partners working with them, we shouldn't be trusting a recovery phrase that was generated in such an environment either. Exporting the seed from Trust Wallet and importing it it into Blue Wallet or anywhere else doesn't make that seed more secure because it got created by a wallet you don't trust.

It's much better to create a brand-new seed on Blue Wallet and move your coins from Trust Wallet altogether.
Another example: A seed created on a computer that is non-stop connected to the internet and used for various activities isn't the same as a wallet that is set up and generated on an airgapped system that is permanently disconnected from the internet or a hardware wallet.

There are several things you need to consider. Always remember that Bitcoin uses a public ledger, and transaction data is available for the general public to look at.
The "age" of the transactions doesn't matter as long as they are confirmed or will soon be confirmed.

Let's say you have several different UTXOs.
- 3 BTC
- 1 BTC
- And a few small ones like 0.01 BTC, 0.005 BTC, etc.

If you are paying for something that costs 0.02 BTC, you can do as pooya87 said and spend 2x 0.01 UTXOs (actually a little bit more because you need to pay mining fees as well). Or you can spend the 1 or 3 BTC coin and pay with that.

Now consider the following points and decide what is more important for you:
- The more UTXOs you spend, the larger the transaction. That means more sats spent on transaction fees.
- If you spend a 3 BTC UTXO when paying for a low-cost item/service, do you really want the other party to be able to check that you have 3 BTC (at least) in your possession?