Author Topic: I promise you, this technical problem is going to be a very interesting case....  (Read 208 times)
bossta (OP)
November 22, 2021, 06:53:08 PM
Last edit: November 22, 2021, 07:49:57 PM by bossta
Merited by o_e_l_e_o (4), ABCbits (2), Pmalek (2), Lucius (1)
 #1

Somebody (years ago) asked me for a little help. He lost some bitcoin to a receiving address, generated by a Ledger, that he could not access anymore with his device. He never changed his seed, he was 100% sure, and never used a passphrase (25th word).
After a lot of investigating I thought the same thing most of us would: he probably set a passphrase and forgot about it.

Two days ago I stumbled upon something that got me thinking again about that problem, so I started to look at it again; I still have all the information.

So this is what he did:

1. In 2018 he used the Ledger Chrome app to create a BTC and an LTC address to receive funds.
2. They sent him the funds, both LTC and BTC; blockchain explorers confirm that the funds were received and confirmed.
3. He wants to use his funds and faces the problem that his Ledger apparently does not hold the private key for his BTC address, but it does hold the private key for his LTC address.
4. Both addresses were generated within a few minutes of each other, and in between the seed did not change, the device was not wiped or anything; everything was normal.

That's the background, from this point on things are gonna get very interesting.

Back in 2018 I already discovered that his BTC address (created by his Ledger) has funds in it on the BTC chain and the LTC chain, which got me thinking about a derivation problem or glitch. That wasn't the case, because he sent funds to the BTC address on the LTC chain himself, a small amount of LTC, to see if that would show up on his Ledger; it did not.

This is his LTC address: https://chain.so/address/LTC/36ezRREzDYH3uSvADoSSpoLZrFVigQkmLp
This is his BTC address: https://chain.so/address/BTC/36ezRREzDYH3uSvADoSSpoLZrFVigQkmLp

Both still hold the funds because his Ledger does not hold the private keys.

I started to trace back the transaction of the LTC he sent to himself to test; maybe I could see if his Ledger was doing something wrong with change addresses.

His small amount of LTC (sent by his Ledger to his "problem" address 36ezRREzDYH3uSvADoSSpoLZrFVigQkmLp) was sent using this transaction: https://chain.so/tx/LTC/e6afd6122f60db9fdd40e7009a644d64a29d6241040d20728378d569a2335b3b
from this address: https://chain.so/address/LTC/LRQTUERzgmNBeC8EzRpWFX9Ya7doCLCUXw

As you can see in the transaction, a small amount was sent to his "problem" address and a small amount was sent to this address: 3HZgtFDmfwohrz2cRfzSECxeszpEzJqiYY : https://chain.so/address/LTC/LYNZgGrN1L7hGmCgtrRaGJbbixTipfu4jB

Keep in mind, at this point all he did was send a small amount of LTC to the corresponding address on the LTC blockchain of the address he lost access to on the BTC blockchain, just to test if the LTC would show in his Ledger, and we know now that it didn't.

Now this is what blew me away:

I Googled the address the other part of this transaction went to: 3HZgtFDmfwohrz2cRfzSECxeszpEzJqiYY

I discovered that this address is also active on the LTC and BTC chains and it's not his... kinda weird but OK, nothing to be blown away about, until I saw this in the Google results: https://bitcointalk.org/index.php?topic=3310150.0

The owner of address 3HZgtFDmfwohrz2cRfzSECxeszpEzJqiYY had the exact same problem and asked for help on this forum back in 2018.

Uhm... what? This is another person who had the EXACT same problem, and even more, the addresses were created on the EXACT same day, May 22, 2018?

This can in no way be a coincidence, so I started to look further.

One was using a Ledger with Chrome and the other one was using a Trezor with Chrome.
Both of them created an LTC and a BTC address on the exact same day, and both of them lost access to the BTC address.
Both of them lost access to a BTC address, and the two addresses meet each other within one transaction on the LTC blockchain.

Around that period, Google Chrome got this update:

Code:
The Web Authentication API adds a third credential type, PublicKeyCredential, which allows browsers to authenticate a user with a private/public key pair generated by an authenticator

as you can see here: https://en.wikipedia.org/wiki/Google_Chrome_version_history

Two people who never saw each other and don't know each other, and this happens?

The link is Google Chrome.

Discuss!

PS: This was not a copy/paste virus or anything like that, he took a picture of the address when he created it and the address IS created by his Ledger as you can see here: https://imgur.com/hxhaAfJ
LoyceV
November 22, 2021, 07:12:56 PM
 #2

PS: This was not a copy/paste virus or anything like that, he took a picture of the address when he created it and the address IS created by his Ledger as you can see here: https://imgur.com/hxhaAfJ
Where's the Ledger on that picture? It looks like a picture of a computer screen, while the whole point of using a hardware wallet is to verify the address on the hardware wallet. Anything else that happens on your computer shouldn't be trusted.

bossta (OP)
November 22, 2021, 07:18:01 PM
Last edit: November 22, 2021, 07:36:27 PM by bossta
 #3

PS: This was not a copy/paste virus or anything like that, he took a picture of the address when he created it and the address IS created by his Ledger as you can see here: https://imgur.com/hxhaAfJ
Where's the Ledger on that picture? It looks like a picture of a computer screen, while the whole point of using a hardware wallet is to verify the address on the hardware wallet. Anything else that happens on your computer shouldn't be trusted.

He took a picture of the public address so it could be scanned. What's wrong with that? Yes, his Ledger or something did derive this address and prompted him with the address and scan code; that's what the Ledger Chrome app did in those days.

Did you read the entire post? The fact that he took a picture has absolutely nothing to do with it; funds were not stolen, they are still on the blockchain in the same public key.
o_e_l_e_o
November 22, 2021, 08:23:13 PM
 #4

Back in 2018 i already discovered that his BTC address (created by his Ledger) has funds in it on the BTC chain and the LTC chain, that got me thinking about a derivation problem or glitch.
Have you tried extracting the account extended private key for the Litecoin account which created the address he does have access to, and then using that account extended private key to generate bitcoin addresses? It could be that there was a bug in the Chrome apps causing the Bitcoin app to continue to use the Litecoin derivation path or account extended key by mistake. Ledger have experienced other such bugs with derivation paths getting crossed between different coins: https://support.ledger.com/hc/en-us/articles/360015738179-Derivation-path-vulnerability-in-Bitcoin-derivatives?support=true
bossta (OP)
November 22, 2021, 09:02:34 PM
 #5

Back in 2018 i already discovered that his BTC address (created by his Ledger) has funds in it on the BTC chain and the LTC chain, that got me thinking about a derivation problem or glitch.
Have you tried extracting the account extended private key for the Litecoin account which created the address he does have access to, and then using that account extended private key to generate bitcoin addresses? It could be that there was a bug in the Chrome apps causing the Bitcoin app to continue to use the Litecoin derivation path or account extended key by mistake. Ledger have experienced other such bugs with derivation paths getting crossed between different coins: https://support.ledger.com/hc/en-us/articles/360015738179-Derivation-path-vulnerability-in-Bitcoin-derivatives?support=true

I don't have his seed, but he also made some threads about it on this forum, same as the other person, and if I remember correctly he tried it all using Ian Coleman's tool.
LoyceV
November 22, 2021, 09:18:29 PM
 #6

He took a picture of the public address so it could be scanned. What's wrong with that?
This doesn't prove the address was created by the Ledger. Without verifying the device itself, this address could have been created by malicious software.

Quote
The fact that he took a picture has absolutely nothing to do with it
You said it proves the address came from the Ledger:
the address IS created by his Ledger as you can see here: https://imgur.com/hxhaAfJ

bossta (OP)
November 22, 2021, 09:29:08 PM
 #7

He took a picture of the public address so it could be scanned. What's wrong with that?
This doesn't prove the address was created by the Ledger. Without verifying the device itself, this address could have been created by malicious software.

Quote
The fact that he took a picture has absolutely nothing to do with it
You said it proves the address came from the Ledger:
the address IS created by his Ledger as you can see here: https://imgur.com/hxhaAfJ

So somebody creates malicious software and doesn't empty the address? +4 BTC total? I think I have made a good and strong case that this was probably a technical problem, and still... you focus on the fact that he took a picture of his public address and scan code.

Ok.
larry_vw_1955
November 23, 2021, 03:47:30 AM
 #8

PS: This was not a copy/paste virus or anything like that, he took a picture of the address when he created it and the address IS created by his Ledger as you can see here: https://imgur.com/hxhaAfJ
Where's the Ledger on that picture? It looks like a picture of a computer screen, while the whole point of using a hardware wallet is to verify the address on the hardware wallet. Anything else that happens on your computer shouldn't be trusted.



Did you read the entire post? The fact that he took a picture has absolutely nothing to do with it; funds were not stolen, they are still on the blockchain in the same public key.

The picture wasn't taken of the Ledger screen, was it? If not, then that's the point.

I will say, though, that it's a very confusing situation. Probably a Chrome bug. No one said it was malicious; it doesn't need to be. Just some irresponsible computer programming at work there, perhaps.
Lucius
November 23, 2021, 12:05:39 PM
 #9

1. In 2018 he used the Ledger Chrome app to create a BTC and a LTC address to receive funds.
2. They sent him the funds, both LTC and BTC; blockchain explorers confirm that the funds were received and confirmed.
3. He wants to use his funds and faces the problem that his Ledger apparently does not hold the private key for his BTC address, but it does hold the private key for his LTC address.
4. Both addresses were generated within a few minutes of each other, and in between the seed did not change, the device was not wiped or anything; everything was normal.

From my personal experience with Ledger I can say that it is possible that the problematic BTC address may be a change address that your friend took from the Ledger Chrome app, because back then that was possible. If the change address is deep enough outside the gap limit that Ledger checks, you will not be able to see the balance for that address. This happened to me, and I was able to fix it by using Electrum and increasing the gap limit for change addresses.

I think it is worth trying to change the gap limit in the way described in this post. It is important that the number of addresses can be changed to 100, 200 or a number of your choice - in my case, if I remember correctly, it was necessary to increase the gap limit by 150 to find the change address.

Code:
wallet.change_gap_limit(50)

It is extremely important that you be careful with Electrum. There are a lot of fake wallets, so always verify the wallet file before installation.

bossta (OP)
November 23, 2021, 01:10:27 PM
 #10

1. In 2018 he used the Ledger Chrome app to create a BTC and a LTC address to receive funds.
2. They sent him the funds, both LTC and BTC; blockchain explorers confirm that the funds were received and confirmed.
3. He wants to use his funds and faces the problem that his Ledger apparently does not hold the private key for his BTC address, but it does hold the private key for his LTC address.
4. Both addresses were generated within a few minutes of each other, and in between the seed did not change, the device was not wiped or anything; everything was normal.

From my personal experience with Ledger I can say that it is possible that the problematic BTC address may be a change address that your friend took from the Ledger Chrome app, because back then that was possible. If the change address is deep enough outside the gap limit that Ledger checks, you will not be able to see the balance for that address. This happened to me, and I was able to fix it by using Electrum and increasing the gap limit for change addresses.

I think it is worth trying to change the gap limit in the way described in this post. It is important that the number of addresses can be changed to 100, 200 or a number of your choice - in my case, if I remember correctly, it was necessary to increase the gap limit by 150 to find the change address.

Code:
wallet.change_gap_limit(50)

It is extremely important that you be careful with Electrum. There are a lot of fake wallets, so always verify the wallet file before installation.

Hi... thanks. Already tried it with a gap limit up to 1000, no luck. It is clear to me the problem is outside of Ledger or Trezor; if you have some time, read the whole post.

This could be the starting point for a lot of people finding their funds back.
BitMaxz
November 23, 2021, 01:15:51 PM
Last edit: November 23, 2021, 01:29:39 PM by BitMaxz
 #11

he tried it all using Iancolemans tool.

Why not tell him to connect his Ledger to Electrum and follow Lucius's suggestion above (it seems it doesn't work for you).
Or get the master public key of that wallet and use a tool called xPub analyzer, which you can find here: https://blockpath.com/wallets/new?action=appxpub
It could scan all possible paths and find the used addresses.

Another option is the tool from Ledger; they have their own xPub scanner, created a few months ago, and this should be the tool you use if you want to recover your wallet.
Here's the link:
- https://github.com/LedgerHQ/xpub-scan

Just edited the link I forgot to put the link of ledger xPub scanner.

bossta (OP)
November 23, 2021, 01:24:53 PM
 #12

he tried it all using Iancolemans tool.

Why not try to tell him to connect his ledger to Electrum and follow Lucius's suggestion above(It seems it doesn't work to you).
Or get the master public key of that wallet and use a tool called xPub analyzer you can find it here https://blockpath.com/wallets/new?action=appxpub
It could scan all possible paths and find the used addresses.

Another option is the tool from Ledger they have their own xPub scanner created a few months ago and this should be the tool you must use if you want to recover your wallet.
Here's the link:
- https://blockpath.com/wallets/new?action=appxpub

Hi, thanks for your reply.

Tried all those things, up to three times just to make sure.
The only possible thing I can think of is letting somebody write a Python script that makes derivations from m/0 up to m/49'/2000'/2000'/2000/2000 and see if that works.

I think that somehow there was indeed a problem with BTC-LTC derivation, and I think it is Google Chrome related; that's why people with different HW wallets (Trezor and Ledger) had the EXACT same problem in the EXACT same period.

Apart from the fact that I like a challenge, finding the solution could help people get their funds back.
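The "crossed derivation path" idea in o_e_l_e_o's reply and the brute-force derivation scan bossta proposes above can be tested offline with a small script; the following is an added example, not code from this thread, from Ledger or from Trezor. It derives BIP49 P2SH-P2WPKH ("3...") addresses for the BTC (coin type 0') and LTC (coin type 2') account paths from a seed and reports which path produced a target address; the seed, the account list and the "lost" address are constructed for the demo, and the RIPEMD-160 step assumes the OpenSSL build exposes that hash.

```python
import hashlib, hmac

# secp256k1 curve parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):  # affine point addition / doubling; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)
def _mul(k, pt=G):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, pt)
        pt, k = _add(pt, pt), k >> 1
    return r
def pubkey(k):  # 33-byte compressed SEC1 public key for private scalar k
    x, y = _mul(k)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
def master_key(seed):  # BIP32 master (k, chain code) from the raw seed bytes
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(I[:32], "big"), I[32:]
def ckd_priv(k, c, i):  # BIP32 CKDpriv; index i >= 2**31 means hardened
    data = b"\x00" + k.to_bytes(32, "big") if i >= 2**31 else pubkey(k)
    I = hmac.new(c, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(I[:32], "big") + k) % N, I[32:]  # IL >= N edge case ignored
def derive(seed, path):  # path like "m/49'/2'/0'/0/0"
    k, c = master_key(seed)
    for part in path.split("/")[1:]:
        i = int(part.rstrip("'")) + (2**31 if part.endswith("'") else 0)
        k, c = ckd_priv(k, c, i)
    return k, c
def hash160(b):  # RIPEMD160(SHA256(b)); needs ripemd160 in the OpenSSL build
    return hashlib.new("ripemd160", hashlib.sha256(b).digest()).digest()
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
def b58check(payload):
    raw = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, s = int.from_bytes(raw, "big"), ""
    while n: n, r = divmod(n, 58); s = B58[r] + s
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + s

def p2sh_p2wpkh_address(k, version=0x05):
    # BIP49: redeemScript = OP_0 <hash160(pubkey)>, wrapped in P2SH; version 5 -> "3..."
    # Litecoin's legacy P2SH version byte is also 5, so one key gives the same string on both chains.
    return b58check(bytes([version]) + hash160(b"\x00\x14" + hash160(pubkey(k))))

def scan(seed, target, accounts, gap=20, fmt=p2sh_p2wpkh_address):
    """Return the first path under `accounts` (external chain 0 and change chain 1,
    `gap` indices each) whose key formats to `target`, or None."""
    for acct in accounts:
        ak, ac = derive(seed, acct)
        for chain in (0, 1):
            ck, cc = ckd_priv(ak, ac, chain)
            for idx in range(gap):
                if fmt(ckd_priv(ck, cc, idx)[0]) == target:
                    return f"{acct}/{chain}/{idx}"
    return None
SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo seed
ACCOUNTS = ["m/49'/0'/0'", "m/49'/2'/0'"]  # BIP49 accounts for BTC (0') and LTC (2')
if __name__ == "__main__":
    # Constructed "lost" address: what a BTC app would show if it silently used the LTC path
    lost = p2sh_p2wpkh_address(derive(SEED, "m/49'/2'/0'/1/7")[0])
    print("lost address:", lost, "-> found at:", scan(SEED, lost, ACCOUNTS))
```

Because the same scriptHash under Litecoin's legacy P2SH version byte yields the identical "3..." string, one address can carry balances on both chains, as in this thread; a real check would run this on an offline machine with the owner's own seed, more candidate account paths and a larger gap.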
Lucius
November 23, 2021, 03:15:02 PM
 #13

if you have some time, read the whole post.

I read the post with a little more attention and I have to admit that my answer didn't make too much sense given the unsolved mystery that connects your friend and user @davedee. What they both have in common is really Google Chrome and the fact that they generated a BTC and LTC address on the same day using two different HWs.

This could be the starting point for alot of people finding their funds back.

The case of the first user mentioned has remained unsolved, and perhaps this new data will help someone understand what actually happened. I assume you contacted Ledger back then about what happened, was there any useful feedback from them?

DaveF
November 23, 2021, 03:30:57 PM
 #14

Or it's possible that there was something else at play. We think it's not malware since the funds are still sitting there. But could it have been clipboard malware / something else that generated an address that even the person who wrote the code does not have access to? We have at times seen malware / virus code that is broken. Could this be a case of that?
OR

Could it be such an edge case that it's going to be almost impossible to duplicate?
i.e. Chrome version x, with Windows version y, with these updates installed and this AV software and browser extensions 1, 2 and 3. And then poof, this happens.
It should not happen; it should not even be a possibility that it happens. But as we all know, stuff like this does happen.

-Dave

larry_vw_1955
November 24, 2021, 04:16:02 AM
 #15

Or, it's possible that there was something else at play. We think it's not malware since the funds are still sitting there. But could it have been a clipboard malware / something else that did generate an address that even the person who wrote the code does not have access to. We have seen at times malware / virus code that is broken. Could this be a case of that.

I guess that is a possibility. But if that were the case, you would maybe see a lot of other similar stories.

Quote
OR

Could it be such an edge case that it's going to be almost impossible to duplicate.
i.e. chrome version x, with windows version y, with these updates installed and this AV software and browser extensions 1 and 2 and 3. And then poof this happens.
Maybe the OP's friend could have tried to duplicate this issue on his own computer, but by now he has probably changed some of the software and stuff on it, if he even has it anymore. That would certainly be an interesting experiment.

Quote
It should not happen, it should not even be a possibility that is happens. But as we all know, stuff like this does happen.

-Dave

indeed.
FatFork
November 24, 2021, 12:38:54 PM
 #16

1. In 2018 he used the Ledger Chrome app to create a BTC and a LTC address to receive funds.
2. They sent him the funds, both LTC and BTC; blockchain explorers confirm that the funds were received and confirmed.
<cut>

Something's not adding up here.

You stated that both addresses were generated by the Ledger app in 2018, but, according to this transaction, the Bitcoin address received the funds on Dec 29, 2017 and that is the only transaction to that address. How is that possible?
