Be Careful Fake Keep Key Chrome Extension

[Chikito]

Twitter user lost all his Bitcoin after installed Fake keep key chrome extension and put seed restore on his PC.
https://twitter.com/ericsavics1/status/1271446842979409920

I had all of my Bitcoin stolen from me in a hardware wallet phishing scam.

This fake malware has detected 7 days ago by https://shapeshift.zendesk.com/hc/en-us/articles/360013151359

Please be aware of fraudulent KeepKey apps in the Chrome Store. It is essential to use either of the two official software clients for your KeepKey: The ShapeShift Platform or the KeepKey Chrome Client. We will never ask you for your 12 word seed phrase, if anyone does that is a scam. Phishing attempts, such as these fake wallet apps, can lead to users losing their crypto.

and Erick never know that news, this lesson to us always update news related to your wallet.

Be careful, the newbie don't install anything not related official website. the hacker used some bots pushing this fake extension up in the rankings. before action take a look on the official website and double check it before installs anything.
https://twitter.com/btcbraj/status/1271449671018393601

Most important have to know is Hardware wallet never ask your seed and never ask you to write it on PC.

[1714969238]

1714969238

[1714969238]

1714969238

[skarais]

The question is, why does chrome give room for damn cheats to place phishing applications in their stores ? Does chrome not do verification or some kind of warning to potential users who want to install something on a PC like (always be careful to install anything if the extension does not yet have a good rating and feedback).

Unfortunately, this web shop has become a potential means for fraudsters to cheat victims. I have heard that there are many others who are victims of fake extensions on the web store. Especially for crypto fans, you really need to be careful. @DroomieChikito, thank you for sharing information about this.

[Little Mouse]

Most important have to know is Hardware wallet never ask your seed and never ask you to write it on PC.

That user Eric is an old guy in crypto and have used crypto for almost 6/7 years according to one of the reply in his post. How can he not know this and get phished? He was trying to update the extension may be, it is common that why would it ask for the seed.

[Darker45]

I've just listened to his plea to whoever took his Bitcoin. He's now begging the robbers for some spare change from his stolen 7-year savings so that he won't be starting from zero. Poor guy, asking for a little share of his own money!

This has happened before. And not just with Keep Key but also with Ledger and Trezor.

I hope lesson will finally be learned. It is actually not necessary to constantly monitor news updates of your hardware wallet. Just say NO to browser extensions! Just say NO to whoever or whatever that asks you for your seed or your private keys!

We want freedom. And we have it. Now, with freedom comes terrible responsibility!

[skarais]

That user Eric is an old guy in crypto and have used crypto for almost 6/7 years according to one of the reply in his post. How can he not know this and get phished?

We dont know when the attack came, even though someone already has a lot of experience here, I think there are times when its called bad days in life.

Just say NO to browser extensions! Just say NO to whoever or whatever that asks you for your seed or your private keys!

This is far better done as a step to anticipate the efforts of bad people. This will be a valuable lesson for everyone.

[Chikito]

The question is, why does chrome give room for damn cheats to place phishing applications in their stores ? Does chrome not do verification or some kind of warning to potential users who want to install something on a PC like (always be careful to install anything if the extension does not yet have a good rating and feedback).

Google isn't manually approving or rejecting any submitted. The application will automatically approve if it has completed policy. in this point, Google can't automatic detecting any fake application. https://developer.chrome.com/webstore/faq#faq-listing-108

This is KeepKey official chrome extension: https://chrome.google.com/webstore/detail/keepkey-client/idgiipeogajjpkgheijapngmlbohdhjg
Official website: https://shapeshift.com/keepkey

[libert19]

The question is, why does chrome give room for damn cheats to place phishing applications in their stores ? Does chrome not do verification or some kind of warning to potential users who want to install something on a PC like (always be careful to install anything if the extension does not yet have a good rating and feedback).

They only lighten up when something gets reported several times, feedback/ratings can easily be gamed. Best bet is always to go on official site and download from there.

[o_e_l_e_o]

The question is, why does chrome give room for damn cheats to place phishing applications in their stores ?

Google doesn't care about you, like, at all. The sooner people realize that the better. Every Google product that exists - search engine, email, maps, Chrome, etc. - exists to harvest your data and make money from it. Why do you think they offer you all these services for free? Your data is the most valuable asset you own, and then can make a lot of profit from selling it.

Google are primarily a data harvester. They don't care if their app store is filled with scams, if their extension store is filled with scams, if their search engine returns scam sites. In fact, they will happily accept money from scammers to place adverts for said scams at the top of your results page. They don't care if you get scammed, as long as they can get your data.

Just say NO to browser extensions! Just say NO to whoever or whatever that asks you for your seed or your private keys!

Obviously you should always say no to anything asking for your seed, but too many people just install apps and browser extensions without a second though. Often these things ask for almost total permissions over your phone/browser, and again, people just accept without a second though. I've seen people having their coins stolen due to custom keyboard app on their phone (which also recorded their seed phrase when entered and sent it to a third party), or from a Chrome extension that allowed a user to change the background and display settings of various websites, but also stolen the login details to their web wallet.

Stop downloading random apps, browser extensions, software, programs, etc. Stop trusting third parties to do basic diligence for you. Don't trust, verify.

[LoyceV]

I hope lesson will finally be learned. It is actually not necessary to constantly monitor news updates of your hardware wallet. Just say NO to browser extensions! Just say NO to whoever or whatever that asks you for your seed or your private keys!

Why would someone go through the hassle of buying and installing a hardware wallet, if he's going to use his seed phrase elsewhere anyway? The whole point of using a hardware wallet is so you don't have to trust your software.

We want freedom. And we have it. Now, with freedom comes terrible responsibility!

Many people can't handle responsibilities, unfortunately. If crypto ever becomes mainstream, those people will rely on centralized organisations (let's call them "banks") to keep their funds safe.
How can people be so dumb with such a simple rule: "keep your keys offline!"

[hatshepsut93]

How can people be so dumb with such a simple rule: "keep your keys offline!"

Because people never encounter anything like that with other software, generally using a computer or a smartphone is very forgiving, and mistakes can be undone. Even if someone gets their accounts hacked, they manage to restore access and carry on as usual. Crypto is like a hardcore mode in videogames - one mistake and it's over.

We need to make newbies more aware of the dangers of managing your own keys, wallets should make warning in big scary letters to not tell anyone your seed and private key, articles that promote crypto should always warn about the security side of it and so on. I personally always tell people that owning crypto is not so easy, that you need to learn protect yourself from malware, phishing, fake wallets before you can start investing in it.

[Darker45]

I hope lesson will finally be learned. It is actually not necessary to constantly monitor news updates of your hardware wallet. Just say NO to browser extensions! Just say NO to whoever or whatever that asks you for your seed or your private keys!

Why would someone go through the hassle of buying and installing a hardware wallet, if he's going to use his seed phrase elsewhere anyway? The whole point of using a hardware wallet is so you don't have to trust your software.

Unfortunately, there must be a lot of crypto owners who are not aware of that.

As has been repeatedly said by a lot of people everywhere, hardware wallet = safety and security of your coins. Alas, everything ends there. After moving their funds to their hardware wallet, they proceed to do a lot of things; download a browser extension, export account to a software wallet, try to derive private keys online, and so on and so forth.

And not just that. Whenever they find a certain step confusing they go to Youtube to watch tutorials, go to Telegram to ask for assistance, search online for guidance, and so on.

In every step of the way, they are courting risk.

We want freedom. And we have it. Now, with freedom comes terrible responsibility!

Many people can't handle responsibilities, unfortunately. If crypto ever becomes mainstream, those people will rely on centralized organisations (let's call them "banks") to keep their funds safe.
How can people be so dumb with such a simple rule: "keep your keys offline!"

I don't know if they are dumb or just merely uninformed. They need proper guidance. And, most probably, many more cases such as this.

Every package of hardware wallet should contain a very emphasized warning never to input their seed anywhere. Better to make it in all caps, bold font, red color, large size, or in any possible way that would make the owner realize its extreme importance and remember it.

Most probably, a lot, or even majority, of Bitcoin owners might have not realized yet that they are the banks themselves. A lot haven't developed the corresponding behavior for this yet. Things have not fully sank in yet. The hardware wallet may be a safe storage but the owner is not a safe keeper.

[o_e_l_e_o]

wallets should make warning in big scary letters to not tell anyone your seed and private key

Most wallets do do this, although maybe not in big scary letters. Look at the following hardware wallets for example.

Trezor (https://wiki.trezor.io/User_manual:Setting_up_the_Trezor_device):

Warning: Never make a digital copy of your recovery seed and never upload it online!

Ledger (https://support.ledger.com/hc/en-us/articles/360005514233):

• Never ever share your 24-word recovery phrase, in any form, with anyone.
• Never enter your recovery phrase on any device other than your hardware wallet.
• Never take a picture of the 24-word recovery phrase.

KeepKey (https://keepkey.zendesk.com/hc/en-us/articles/360001411570-Getting-Started-Initializing-Your-KeepKey-Device):

• Never divulge your recovery sentence to anyone.
• Store your recovery sentence in a place that is secure from theft.
• Never input your recovery sentence directly into your computer or phone. Do not store your recovery sentence on your computer or phone. Do not email it or private message it to anyone and for any reason.
• Store your recovery sentence in a place that is secure from natural disasters and is in your possession only.

ColdCard (https://coldcardwallet.com/docs/quick)

Important Warning
It is critical to write down the wallet seed. Do not use this product without the seed written down and stored safely offline. Do not save the wallet seed onto a computer or mobile phone. Do not take a picture of the seed words with anything other than a chemical camera.

Most software wallets also come with a similar warning. The problem isn't that the instructions aren't there, it is that people either don't read the instructions before using a product, or read them but ignore them.

If you have to enter a seed in to any electronic device other than a permanently (and I mean permanently) airgapped computer, then you should consider it immediately compromised and sweep the funds within. Overkill? Maybe, but I've yet to have a single satoshi stolen from me.

[Lucius]

Can we blame Chrome, Mozilla, Ledger, Trezor or any wallet/browser due to the fact that some people do not understand the essence of something we call cryptocurrencies, and therefore what it actually means to keep some random words they get strictly private and confidential information? There are those who unfortunately do not understand this, and bad people take advantage of this in a very simple way.

If you were to design an eye-pleasing website, put a little effort into SEO/advertising by replying to tweets / fb / telegram, and make a promise that everyone will get 100% of their amount if they enter a seed or private key, how many people do you think would fall for that trick?

Similar fraud exists also via bank cards, but it is much easier to take advantage of the still relatively anonymity of crypto transactions. Try to come to the police station and report that someone cheated you through a Bitcoin transaction, they will look at you strangely at first, and then they will surely make fun of you.

[Saisher]

The guy should know better he is an old time Crypto users, and giving a key a seed or anything that will have access to your coins is a big no no even if it is coming from trusted site, you never know if the sites was hacked.

We can't trust Google to do it for us, just understand and do the basic do not give your private or seed to anyone or anything and you will be ok

[hugeblack]

One of the reasons why it is so easy to steal customers with such applications is the false sense of security when they own a hardware wallet.
They think that they are safe and no one can access the coins, so they don't care to know how to protect their money or even read the instructions for using these devices.

Also, the first option that appears in Google is always reliable regardless of the developer.

Perhaps hardware wallets must force customers to solve a fast quiz before purchasing or using these devices.

[Maxstl007]

I'd say people should be careful of any browser extension and addon, there are spyware and malwares among them, a friend of mine used a fake meta mask on Mozilla and he lost his ethereum in the process

[Chikito]

Fake KeepKey plugin asked to enter recovery phrase. then, He entered mnemonic seed on his PC.



When reading KeepKey manual book https://keepkey.zendesk.com/hc/en-us/articles/360001411570-Getting-Started-Initializing-Your-KeepKey-Device
User doesn't need to write mnemonic seed on PC, seed available only on device (KeepKey) and press button also on a device. User must be careful if hardware wallet suddenly to be different protocol.

[Krislaw]

I felt really bad for him for him to have lost savings of over 7 years. Eric said he has been in doing that since 2013 and lost it to a malware.
Google doesn't care about anything, read they even charge one-time registration fee of 5$. It's just sad that they are after making money. The hacker could be tracked with the credit card used but he is not going to use his, definitely a stolen card.

[Lucius]

I felt really bad for him for him to have lost savings of over 7 years. Eric said he has been in doing that since 2013 and lost it to a malware.

He has been dealing with BTC for 7 years and has failed to learn even the basics? I have no idea what happens in the minds of such people when they decide to make such a move... To be honest, he wasn’t actually even robbed in the literal sense - someone nicely asked him to type his seed, and he did just that. The only positive thing in the whole case is that he may have learned something, but it is incredible that it took him as long as 7 years for that.

I read all the answers to his tweet, but I didn't see that he posted his address or transaction, which could at least help freeze the funds in case they are found on one of the top crypto exchanges. In such case only hope is that hacker is not too smart.

[Chikito]

I read all the answers to his tweet, but I didn't see that he posted his address or transaction, which could at least help freeze the funds in case they are found on one of the top crypto exchanges. In such case only hope is that hacker is not too smart.

He use legacy and store in different address. I know this because he mentioned hacker address bc1q4y2ltx86gp8za84yn782rf08h7wdrlhfjapvjy.
https://twitter.com/ericsavics1/status/1271589772612341761

Also. he was created new address and received 0.7 BTC donated from twitter user. 1MTSr1HeENJ9mCDmsBQsNpGnUhcfq3sduY
https://twitter.com/ericsavics1/status/1271634448371441667