hhanh00 (OP)
|
A friend of mine recently got his trezor wallet cleaned out and we are trying to figure out what happened. He gave me his ypub key and I imported it into Electrum to look at his transaction history. His last legit transaction was 2 weeks ago but yesterday he got two extra withdrawals. A test transaction was followed by a complete withdrawal of the entire wallet. https://www.blocktrail.com/BTC/tx/7a2f637bcd6f30a02c298c64022d4148c58d9587ed6e2191a3a758ad40c6fda2https://www.blocktrail.com/BTC/tx/7d708a9dc692ce79170a411563ebdcc4110bdfadfdfe1c726b8fb5d3d0bc17bfIMHO, the fact that there were 2 transactions points towards a compromised seed. The test tx actually returns most of the wallet amount back into the change address - which is a single use p2sh-p2wpkh address. Then the change address itself is cleared in the 2nd tx. The thief knows how to generate private keys for the entire hierarchical wallet. AFAIK, that requires the seed. So, it looks like a targetted attack. My friend says he never put his seed online, never took a picture of it, etc. He only kept it on a piece of paper, getting to it would imply someone who knows him. But the receiving address has activities that I don't understand then. https://www.blocktrail.com/BTC/address/18abkVcsfwvNHxFM1jN5WLAY9irB91FwTHThe address appear when he lost his funds and was itself cleared one day later. However, it also sees the transfer of over 1000 btc as if it was the staging area of a large scale attack. Does anyone know what has happened there? Thanks, --h
|
|
|
|
Woundur
Newbie
Offline
Activity: 52
Merit: 0
|
|
August 14, 2018, 01:57:47 PM |
|
Looks like there has been a case of hacking but I am still not sure about it by looking at the logs you provided. It is better if you contact Trezor directly. If the fault is from there end then there might be a chance of getting back the Bitcoins of your friend. But, if it has been due to the fault of your friend, I am afraid no one can do anything about it.
|
|
|
|
MilfordGannon
Newbie
Offline
Activity: 210
Merit: 0
|
|
August 14, 2018, 02:38:10 PM |
|
I guess he is being attacked by a person of his own. Someone has stolen data from his piece of paper, as Crypto-space is decentralized, once you are attacked, it is hard to be recovered. I suggest withdrawing all of the savings if he still has access.
|
|
|
|
mk4
Legendary
Offline
Activity: 2912
Merit: 3881
📟 t3rminal.xyz
|
|
August 14, 2018, 02:46:56 PM |
|
Hey. Might be a late reply but I heavily suggest you post this on the TREZOR subreddit[1] so the subreddit mods will more likely see your post and the other trezor users would be aware of this(if ever this is a vulnerability on trezor's side).
[1] https://www.reddit.com/r/TREZOR/
|
|
|
|
mocacinno
Legendary
Offline
Activity: 3556
Merit: 5187
https://merel.mobi => buy facemasks with BTC/LTC
|
|
August 14, 2018, 02:48:03 PM |
|
I'm on my phone right now so I didn't look up those transactions, however judging by your op, it does look like somebody got their hands on either his seed phrase or his xprv.
Questions that pop in my mind: - is he sure he isn't doing this himself? I've seen new users getting confused in the past? - how secure is he storing that seed? Can the cleaning lady/plumber/family member reach it? - did he enter the seed phrase in a desktop wallet to try restoring the wallet?
You *should* be able to run a trezor on an infected PC, and the odds of brute forcing a seed are extremely small, so the biggest odds are either somebody got their hands on the seed phrase or he's accidentally creating those tx's.
If he can find the physical person that stole his seed he can go to the police. If he's causing this himself he just needs to figure out whose address he's funding and try to ask the receiver to refund... Otherwise his funds are lost
|
|
|
|
merchantofzeny
|
|
August 14, 2018, 02:59:43 PM |
|
So, has the problem been fixed? I feel sorry for him. I've never used a hardware wallet before so I am interested to know what exactly happened to your friend's stash in case I'd eventually buy a Trezor. Has he already contacted their CS? I'm on my phone right now so I didn't look up those transactions, however judging by your op, it does look like somebody got their hands on either his seed phrase or his xprv.
Questions that pop in my mind: - is he sure he isn't doing this himself? I've seen new users getting confused in the past? - how secure is he storing that seed? Can the cleaning lady/plumber/family member reach it? - did he enter the seed phrase in a desktop wallet to try restoring the wallet?
You *should* be able to run a trezor on an infected PC, and the odds of brute forcing a seed are extremely small, so the biggest odds are either somebody got their hands on the seed phrase or he's accidentally creating those tx's.
If he can find the physical person that stole his seed he can go to the police. If he's causing this himself he just needs to figure out whose address he's funding and try to ask the receiver to refund... Otherwise his funds are lost
A family member or friend would be the first one I'd suspect. I don't think a random plumber would know what to do with some random words scribbled on a paper. This is why I prefer to also encrypt the seed phrase. Basically not writing down the actual phrase.
|
|
|
|
Lucius
Legendary
Offline
Activity: 3416
Merit: 6140
Crypto Swap Exchange🈺
|
|
August 14, 2018, 03:17:22 PM |
|
OP is also posted in Bitcoin Technical Support and he/she is obviously forgot on this thread. Thanks for the help everyone. At this point, all indications point towards an insider job. We have traced the chain of custody and it is unrelated to any technical issue with Trezor.
So it is clear that there is no problem with Trezor, insider job probably means that some of victim family/friends took advantage of the opportunity and wipe out his hardware wallet. Since it is over 35 BTC stolen this is classic case for police, the thief probably left some traces. What we can learn from this that even coins are on hardware wallet and seed written down on paper does not mean we are safe.
|
|
|
|
mocacinno
Legendary
Offline
Activity: 3556
Merit: 5187
https://merel.mobi => buy facemasks with BTC/LTC
|
|
August 14, 2018, 06:52:56 PM |
|
@op: I see a lot of people suggesting to contact trezor support, even going as far as claiming they'll reimburse you... I just wanted to warn you not to get your hopes up.
AFAIK, I haven't seen a flaw that would cause a remote hacker to gain access to your seed or xprv, odds of a technical flaw within the trezor hardware, firmware or wallet are extremely slim... If it wasn't their fault your friend got robbed, I seriously doubt they'll reimburse +30 btc. Sending logs to trezor might save future victims of being robbed (emphasis on *might*), however they will probably not be able to get you your btc back, so unless the funded address were in some way generated by the same seed, or if you can prove (without a doubt) it was trezors fault, or find the culprit yourself, I'm afraid the odds of getting your btc back are not good,no matter what anyone in this thread is claiming. I don't like to be the barer of bad news, but that's just the way it is.
PS: I realise op double posted, but I wanted to make sure to set the record straight in this, currently derailing, thread
|
|
|
|
iotarocket
Newbie
Offline
Activity: 140
Merit: 0
|
|
August 15, 2018, 01:10:06 AM Last edit: August 16, 2018, 12:15:21 AM by iotarocket |
|
OP is also posted in Bitcoin Technical Support and he/she is obviously forgot on this thread. Thanks for the help everyone. At this point, all indications point towards an insider job. We have traced the chain of custody and it is unrelated to any technical issue with Trezor.
So it is clear that there is no problem with Trezor, insider job probably means that some of victim family/friends took advantage of the opportunity and wipe out his hardware wallet. Since it is over 35 BTC stolen this is classic case for police, the thief probably left some traces. What we can learn from this that even coins are on hardware wallet and seed written down on paper does not mean we are safe. Wow. Thanks for the clarification! I am a firm believer that seed phrases should always, always be locked away and made inaccessible to absolutely everyone but you. There are so many cases of friends, acquaintences, or relatives coming across private keys or seed phrases and wiping out accounts.
|
|
|
|
Wind_FURY
Legendary
Offline
Activity: 3094
Merit: 1929
|
|
August 16, 2018, 07:31:25 AM |
|
I'm on my phone right now so I didn't look up those transactions, however judging by your op, it does look like somebody got their hands on either his seed phrase or his xprv.
Questions that pop in my mind: - is he sure he isn't doing this himself? I've seen new users getting confused in the past? - how secure is he storing that seed? Can the cleaning lady/plumber/family member reach it? - did he enter the seed phrase in a desktop wallet to try restoring the wallet?
You *should* be able to run a trezor on an infected PC, and the odds of brute forcing a seed are extremely small, so the biggest odds are either somebody got their hands on the seed phrase or he's accidentally creating those tx's.
If he can find the physical person that stole his seed he can go to the police. If he's causing this himself he just needs to figure out whose address he's funding and try to ask the receiver to refund... Otherwise his funds are lost
Another important question to ask would be, where did you buy your Trezor? I hope it wasn't from Ebay, or some online store, or from a "friend". Your Trezor should come from Trezor themselves, straight from where it is made in the Czech Republic, and arriving in your doorstep without the package tampered.
|
| .SHUFFLE.COM.. | ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ | ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ ███████████████████████ | . ...Next Generation Crypto Casino... |
|
|
|
odolvlobo
Legendary
Offline
Activity: 4494
Merit: 3401
|
|
August 18, 2018, 03:48:47 AM |
|
Also, it is possible to derive all of the private keys if both the extended public key and a single private key are known.
|
Join an anti-signature campaign: Click ignore on the members of signature campaigns. PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
|
|
|
swogerino
Legendary
Offline
Activity: 3332
Merit: 1248
Bitcoin Casino Est. 2013
|
|
August 18, 2018, 05:10:25 PM |
|
I suspect two things:
If the user has really secured the hw as he should and keeping the seed only for himself in a safe place, probably on an old Linux laptop where no one has access except the user and is strongly password protected both in the BIOS both before login to OS.
If the user bought the Trezor used, no matter where he bought it from that must be the reason why his bitcoins are gone. Always buy from the manufacturer.
Before this case is solved we need to know the source where the Trezor comes from. If it is bought from the official website, then it is an inside job. If it is bought used somewhere, it is the work of the person/entity who sold it. No other possible explanation based on the data in this thread.
|
| | | | | | | ███▄▀██▄▄ ░░▄████▄▀████ ▄▄▄ ░░████▄▄▄▄░░█▀▀ ███ ██████▄▄▀█▌ ░▄░░███▀████ ░▐█░░███░██▄▄ ░░▄▀░████▄▄▄▀█ ░█░▄███▀████ ▐█ ▀▄▄███▀▄██▄ ░░▄██▌░░██▀ ░▐█▀████ ▀██ ░░█▌██████ ▀▀██▄ ░░▀███ | | ▄▄██▀▄███ ▄▄▄████▀▄████▄░░ ▀▀█░░▄▄▄▄████░░ ▐█▀▄▄█████████ ████▀███░░▄░ ▄▄██░███░░█▌░ █▀▄▄▄████░▀▄░░ █▌████▀███▄░█░ ▄██▄▀███▄▄▀ ▀██░░▐██▄░░ ██▀████▀█▌░ ▄██▀▀██████▐█░░ ███▀░░ | | | | |
|
|
|
bob123
Legendary
Offline
Activity: 1624
Merit: 2481
|
|
August 19, 2018, 11:31:35 AM |
|
Also, it is possible to derive all of the private keys if both the extended public key and a single private key are known.
This does only apply to unhardened derivation. BIP44/49 does use hardened derivation. Unhardened derivation: privKey(n) = k + h(xpub,n) Hardened derivation: privKey(n) = k + h(xpriv,n) With h being a hashfunction. This means that with unhardened derivation one private key together with the xpub is enough to calculate all private keys. But with hardened derivation you would need the xpriv additionally to the private key. And with knowing the xpriv, you could generate all priv keys anyway.
|
|
|
|
Spendulus
Legendary
Offline
Activity: 2912
Merit: 1386
|
|
August 20, 2018, 12:41:59 AM Last edit: August 20, 2018, 01:23:23 AM by Spendulus |
|
I suspect two things:
If the user has really secured the hw as he should and keeping the seed only for himself in a safe place, probably on an old Linux laptop where no one has access except the user and is strongly password protected both in the BIOS both before login to OS.
If the user bought the Trezor used, no matter where he bought it from that must be the reason why his bitcoins are gone. Always buy from the manufacturer.
Before this case is solved we need to know the source where the Trezor comes from. If it is bought from the official website, then it is an inside job. If it is bought used somewhere, it is the work of the person/entity who sold it. No other possible explanation based on the data in this thread.
It's possible to buy a used Trezor, or have one that is compromised, and change the recovery seed. This would make it a new fresh unit, particularly if you added a 25th word - a "passphrase." As for the possibility of someone close to the victim being the perp, I'd look for the obvious - someone spending more than they were in the past, who had the necessary skills. If the card with the 24 words had been cut in half and the pieces put in separate secure locations, then the suspect list would narrow to those who had access to both those locations. I'm not sure I agree with Trezor's advise to not move the bitcoins off the Trezor during the process of changing the seed, but that's not at issue here. There are a variety of attack scenarios which involve prior knowledge of the internal workings and seeds of the Trezor. These should be all thwarted by adding a 25th seed word.
|
|
|
|
merchantofzeny
|
OP is also posted in Bitcoin Technical Support and he/she is obviously forgot on this thread. Thanks for the help everyone. At this point, all indications point towards an insider job. We have traced the chain of custody and it is unrelated to any technical issue with Trezor.
So it is clear that there is no problem with Trezor, insider job probably means that some of victim family/friends took advantage of the opportunity and wipe out his hardware wallet. Since it is over 35 BTC stolen this is classic case for police, the thief probably left some traces. What we can learn from this that even coins are on hardware wallet and seed written down on paper does not mean we are safe. Most people find it hard to believe family and friends would steal from them. Anyway, I had a previous thread asking for suggestions on encrypting or storing the passphrase more securely. The method I ended up using is taking a jigsaw puzzle and marking some pieces in the back. I then made a grid with several words on it (unencrypted though) and the words in the phrase correspond to the markings on the jigsaw. The the grid is the cut up. To get the phrase, the grid need to be assembled correctly and the jigsaw assembled on top. The marked jigsaw are then removed, revealing the word. Which they then need to sort in the correct order. Threw in an extra incorrect word to make that harder. Not as secure as encrypting it but you can break them into even smaller groupings, making it harder for one person to assemble it but still easy enough for the owner to use since he's familiar with the sequence. I would still like to hear from OP, if ever they'd be able to track who did it and how.
|
|
|
|
Spendulus
Legendary
Offline
Activity: 2912
Merit: 1386
|
|
August 23, 2018, 04:02:18 PM |
|
.... Another important question to ask would be, where did you buy your Trezor? I hope it wasn't from Ebay, or some online store, or from a "friend". Your Trezor should come from Trezor themselves, straight from where it is made in the Czech Republic, and arriving in your doorstep without the package tampered.
I agree about not buying from Ebay, what about Amazon?
|
|
|
|
Spendulus
Legendary
Offline
Activity: 2912
Merit: 1386
|
|
August 23, 2018, 09:14:37 PM |
|
Since from post history OP never mentioned where his friend bought the Trezor wallet, i would suggest contact Trezor if his friend bought the HW wallet from 3rd party. Ledger CEO mentioned in past that "we can help you file a formal criminal complaint and bring the eBay seller to justice"[1] and AFAIK it's the only way to recover loss stolen Bitcoin. [1] https://www.reddit.com/r/ledgerwallet/comments/7obot7/all_my_cryptocurrency_stolen/ds8mbbq.... Another important question to ask would be, where did you buy your Trezor? I hope it wasn't from Ebay, or some online store, or from a "friend". Your Trezor should come from Trezor themselves, straight from where it is made in the Czech Republic, and arriving in your doorstep without the package tampered.
I agree about not buying from Ebay, what about Amazon? Amazon should be okay if it's sold by amazon directly and there are many good/detailed review. Even so it's better to buy from official HW wallet website or check the package/content carefully if you buy from amazon. On thinking about it this, it's incorrect. Suppose you had a trezor, and for a period of time it was in other peoples' hands. It's compromised, period. You need to wipe it and create a new fresh set of seed phrases, then reload the coins. When you get a trezor, it's been in someone else's hands, therefore it should be considered compromised. Again, you need to wipe it, not ever use the initial set of seed phrases it comes up with, and generate a new fresh set.
|
|
|
|
HCP
Legendary
Offline
Activity: 2086
Merit: 4361
<insert witty quote here>
|
|
August 23, 2018, 09:49:16 PM |
|
When you get a trezor, it's been in someone else's hands, therefore it should be considered compromised. Again, you need to wipe it, not ever use the initial set of seed phrases it comes up with, and generate a new fresh set.
AFAIK, Trezors from the factory come uninitialised and require you to go through the full setup process on first use (my Trezor "One" did) If it has already been initialised and there is a note to text a number to get your seed mnemonic (or includes a pre-printed card with the seed mnemonic already on it)... then someone has most likely been "tampering" with it.
|
|
|
|
Spendulus
Legendary
Offline
Activity: 2912
Merit: 1386
|
|
August 23, 2018, 10:41:46 PM Last edit: August 24, 2018, 12:44:30 AM by Spendulus |
|
When you get a trezor, it's been in someone else's hands, therefore it should be considered compromised. Again, you need to wipe it, not ever use the initial set of seed phrases it comes up with, and generate a new fresh set.
AFAIK, Trezors from the factory come uninitialised and require you to go through the full setup process on first use (my Trezor "One" did) If it has already been initialised and there is a note to text a number to get your seed mnemonic (or includes a pre-printed card with the seed mnemonic already on it)... then someone has most likely been "tampering" with it. I'm questioning whether that first process truly is secure. Assume there is a Bad Guy at the factory checking units before sealing them in those nice little boxes. He simply notes the seed phrases in a unit, then seals it and ships it out. Is the initialization process upon receipt of a unit such that this is impossible? Let's not approach this from the point of view of "what does Trezor say you should do." Let's consider it a blank sheet of paper and start with first principles of security and see where that leads.
|
|
|
|
|