Bitcoin Forum
Author Topic: Need help with missing bitcoins from Ledger wallet.  (Read 285 times)
sgravina (OP)
June 23, 2019, 06:02:13 PM
Last edit: June 23, 2019, 06:32:04 PM by sgravina
 #1

0.9 bitcoins have been moved from my Ledger wallet.
    Transaction ID: 63d60b9089d0bb9074c43e85e0ddd05137eee96c52ce060caa931a4e6e4fe938
    Ledger wallet Public Key: xpub6DNcmsc3CStHQcnfTiTgF2SkM91UfmT9SSYz49t64Zc6rnHqtuQnmxmXxDyHkL7tpqUfSsdoZ6ccWPoXHAiYeAwHGSk4NdbDivup2PGEX11
        https://www.blockchain.com/btc/xpub/xpub6DNcmsc3CStHQcnfTiTgF2SkM91UfmT9SSYz49t64Zc6rnHqtuQnmxmXxDyHkL7tpqUfSsdoZ6ccWPoXHAiYeAwHGSk4NdbDivup2PGEX11

These bitcoins were on a Ledger nano.  They were there from 12/2017 till 06/12/2019.

I did not do the last transaction.

Nobody has access to the Ledger device.  It has not been moved since the last time I used it.  Nobody has access to the secret words that set up the device.  They are on a piece of paper in a location separate from the device.  That paper has not been moved.  There are other secret words on that paper for other wallets and those wallets were not drained.

The receiving address is: bc1q9j4gmx73wxgeygwsnk93lamxejr44lr0fak0az.  https://blockstream.info/address/bc1q9j4gmx73wxgeygwsnk93lamxejr44lr0fak0az
From there they were joined with many other bitcoins and spent into many various addresses.  This is a new bc1 address.  The blockchain.com explorer does not recognize it.

The last transaction I did was: 890eb8e61d383e98b2e1acf4ce22ffd889c08ce23cf171e59946457217fcb000.  This was a move of 0.12167207 bitcoins from a Coinbase account to my Ledger wallet.

Does anyone have an idea of what happened?

Until I can figure out what happened I am not going to trust Ledger wallets.
gentlemand
June 23, 2019, 06:19:21 PM
 #2

You're much better off asking here - https://www.reddit.com/r/ledgerwallet/  which is where Ledger staff are active.

When was the last time you actually fired it up? It all looks very mysterious. Never heard of anything quite like that with a Ledger before.
fiulpro
June 23, 2019, 06:28:38 PM
 #3

Unfortunately I do think that someone gained access to your account details, because I don't think anything else is possible. Maybe it was a family friend or someone?

Because if it was a Ledger Nano S, then it is actually the safest one I can think of; it is a hardware wallet, not an online one. I think somehow you know this person.

If cryptocurrencies are legal in your country, how about you go to the police and let them track the details of this new wallet address, if that's possible.

kryptqnick
June 23, 2019, 07:04:26 PM
 #4

Sorry, I am not good with this kind of stuff, so I can't help you with your problem. I hope that the Ledger support will be able to at least provide some explanations. I'll be getting my Ledger Nano X this summer, so this post is very important to me. I wouldn't want to store my money in an unsafe way. I cannot imagine what could go wrong with an offline wallet, though. Perhaps fiulpro is right, and someone that was in the same room where you had your printed password decided to prank/rob you? Just try to recall everyone that was in a place where you have the data needed to access the wallet. Maybe it's not Ledger's fault after all. I hope you'll manage to resolve this problem. In case you find out anything - please make an update in this thread!

therhslv
June 23, 2019, 07:07:45 PM
 #5

Let's start: where did you order your Ledger device? Was it the official site? Did it come with seed words already written down on paper? There were some people who ordered from eBay, and the devices were made to look real, only with copied seed words so they could steal funds from it later, as people were using an already set-up wallet in it.
o_e_l_e_o
June 23, 2019, 07:24:48 PM
Merited by bob123 (4)
 #6

There are several vectors of possible attack which could occur here:

Ledger was accessed and returned without your knowledge
Mnemonic phrase paper was accessed and returned without your knowledge
You bought a pre-initialized or fake Ledger device
You restored your wallet from the mnemonic phrase at some point - as soon as the phrase is entered into an electronic device, you should consider it compromised
You used your Ledger paired with fake software, such as the fake versions of Electrum which have been going around, and mistakenly signed a malicious transaction

You say:
Nobody has access to the secret words that set up the device.
When initializing a Ledger, it generates the words for you. Did you use words from elsewhere to set up your Ledger?
gentlemand
June 23, 2019, 07:31:10 PM
 #7

Let's start: where did you order your Ledger device? Was it the official site? Did it come with seed words already written down on paper? There were some people who ordered from eBay, and the devices were made to look real, only with copied seed words so they could steal funds from it later, as people were using an already set-up wallet in it.

I'd say on the surface this makes the most sense, but why would you wait a year and a half to empty it and when the price is still considerably lower than when the device was loaded? Hope OP gets some sort of answer at least.
Lucius
June 24, 2019, 01:06:44 PM
Merited by DdmrDdmr (1), o_e_l_e_o (1), bob123 (1)
 #8

OP has posted on Reddit, and it seems that some things in his story do not match. He says here that "Nobody has access to the Ledger device", but on Reddit he says: "I bought it. Gave it to a relative. I set it up with the Chrome Ledger app."

From this we can conclude that at least one more person had access to the seed, and that is a very likely reason why the coins were moved.

https://www.reddit.com/r/ledgerwallet/comments/c494fu/need_help_with_missing_bitcoins_from_ledger_wallet/
https://www.reddit.com/r/Bitcoin/comments/c48xis/need_help_with_missing_bitcoins_from_ledger_wallet/



I'd say on the surface this makes the most sense, but why would you wait a year and a half to empty it and when the price is still considerably lower than when the device was loaded?

The reason may be very simple: the relative had the seed all the time, but he waited for OP to send more coins to the wallet, or for the price to go up. Since the price is above $10k, he probably concluded that it is time to sell those coins.

DdmrDdmr
June 24, 2019, 03:40:44 PM
 #9

<…>
Well spotted. I couldn’t wrap my head around this case, and even considered whether the Ledger Live phishing attempt from late April 2019 might have had something to do with it. It may just be down to human trust, as often is …
o_e_l_e_o
June 24, 2019, 07:10:46 PM
Merited by bob123 (1)
 #10

From this we can conclude that at least one more person had access to the seed, and that is a very likely reason why the coins were moved.
Good catch. OP admits it here:

This wallet was a gift. The owner does not have the secret words. I have a copy of the words and I know my copy was not compromised. A possibility is that I gave the owner a copy of the secret words (on paper, I would never make an electronic copy) and his copy was stolen. He claims he never got a copy of the secret words.

He was given the wallet from a third party (doesn't say whether or not it was pre-initialized). He has a "copy" of the mnemonic phrase, meaning there were other copies out there. He gave a copy of the mnemonic phrase to the third party, who "claims" he never received said copy. It's pretty obvious that the third party had the mnemonic phrase the whole time, and was just waiting for the right time to rob OP. This has absolutely nothing to do with Ledger.
Lucius
June 25, 2019, 09:42:52 AM
 #11

It is obvious that something is wrong in OP's story. We all know that a hardware device is very hard to hack, especially by remote attack, and he wrote something very different on Reddit, which has actually revealed in what way OP lost his coins. But in this case the thief is known (although we cannot be 100% sure), so I would visit my cousin and ask him to return the stolen coins to me, or the case will be reported to the police. In any case, this is better than just sitting and crying.

Another story appeared yesterday: one user of Ledger claims he has lost 30 BTC. He has the seed stored in two places, and one of them was online in e-mail. What a stupid move; $300k+ is in a hacker's pocket.

https://www.reddit.com/r/ledgerwallet/comments/c4mfwg/lost_30_btc/

erikalui
June 26, 2019, 11:53:55 AM
 #12

Another story appeared yesterday: one user of Ledger claims he has lost 30 BTC. He has the seed stored in two places, and one of them was online in e-mail. What a stupid move; $300k+ is in a hacker's pocket.

https://www.reddit.com/r/ledgerwallet/comments/c4mfwg/lost_30_btc/

This guy had it on a piece of paper in his home and when he was not in the country, his money was stolen. It's most likely the case that someone stole the paper from his house. He had jumbled up words in his email draft and it's tough for anyone to first hack an unknown user's email and then wallet unless they know the user had 30 BTC. It's like the hacker knew the victim.

bob123
July 01, 2019, 07:43:37 AM
 #13

~snip~

While I agree that the most probable case is that someone stole it from his place while he was away, it is still very well imaginable that they got stolen from his email account.

This doesn't explicitly mean that someone targeted him. Email accounts get hacked daily. And once hacked, the inbox/outbox/drafts/trash is being searched for valuable information.
If the attacker knows anything about cryptos, he will recognize a mnemonic code.

However, it would have been a big coincidence that this happened while he was not at home (where the 2nd copy of his seed is stored). If you don't have a trusted place, it is getting hard to store sensitive information to be accessible without decryption.

elda34b
July 02, 2019, 03:43:34 AM
 #14

It would be really difficult to point out who's the guilty party, as it seems his seed is not only exposed to 1 guy (if the story is true).

Another story appeared yesterday: one user of Ledger claims he has lost 30 BTC. He has the seed stored in two places, and one of them was online in e-mail. What a stupid move; $300k+ is in a hacker's pocket.

Ouch. Why don't people realize that the seed is essentially more important than the device itself?
Lucius
July 02, 2019, 09:11:08 AM
 #15

Ouch. Why don't people realize that the seed is essentially more important than the device itself?

This is a very common misconception when it comes to crypto wallets, but it is perhaps most evident in the case of hardware wallets. People often think that when they buy a hardware wallet, there is no need to worry about security anymore. The very fact that it is an electronic device should warn users that the only way to save and recover their coins is a backup of the seed.

A hardware wallet can be lost, damaged, broken, stolen - but if users protect such a device with a PIN and, as extra security, with a passphrase, then such a device does not pose a risk for the owner. I think that manufacturers should make some extra info about security and put that in every package; even though everything important is online, people would maybe actually read something if you put a piece of paper in their hand.

gentlemand
July 02, 2019, 09:47:49 AM
 #16

I think that manufacturers should make some extra info about security and put that in every package; even though everything important is online, people would maybe actually read something if you put a piece of paper in their hand.

I haven't checked any packaging for ages but I'm sure they all emphasize that your seed IS your coins. Many people are so dim and lazy that their hardware wallet could shoot sperm in their face on the hour every hour until they secured it and they still wouldn't do it.

Perhaps in-wallet reminders might jog a few people into action, but there's no helping some no matter what.
NeuroticFish
July 02, 2019, 10:22:27 AM
 #17

I think that manufacturers should make some extra info about security and put that in every package; even though everything important is online, people would maybe actually read something if you put a piece of paper in their hand.

Come on. You don't know that most people are "too smart" to read all the instructions and papers? They always "know better".
Those papers will be read when something goes wrong. And that means that in many cases it'll be too late.
