Ledger hacked or not? 100k lost

[joniboini]

He is a sucker if he really did that and got scammed by fake phishing ledger, but I still have some doubts and think that one of o_e_l_e_o theories may be close to truth, and he wanted to avoid paying taxes (with gains he made during this bull market), so he staged the whole show in public.

There's no evidence but it is definitely weird. If I lose that much I'd be stressed out like hell unless I'm a whale with 10 millions cash to burn everyday. At least this means Ledger is still safe to use, and not really surprising at all since most 'hacking' method that have been published require access to the HW itself. 

[1714704410]

1714704410

[1714704410]

1714704410

[1714704410]

1714704410

[sunsilk]

I'll agree that it could be the guy's fault.

 must say fault resulted from his carelessness and  inattentiveness. Even if he was caught up on the hook of the fishing  site Ledger had displayed him the receiving address  to check before signing transaction. Likely he didn't do that  and paid the price.

It's a case-closed. It's his fault and the analysis of o_e_l_e_o is correct, it's either of those factors which led the complainant's negligence of losing his funds.

The guy took the attention of many crypto folks especially, Ledger's and whatever his agenda is, it brought me a short-time fear for my own self-keeping. I commend Ledger's response and how they're willing to help the guy although it's after-sales.

I wonder if Ledger will go after him with the buzz and after damaging their reputation with what he's done.

[Lucius]

This example proves that no matter what someone has $100k in crypto (although that fact is also questioned in this story), this does not mean that he has enough intelligence to follow the simplest instructions such as downloading software from the official site, or not entering his seed anywhere except in the hardware wallet.

I'm not surprised that this genius may want to hide his shame, but it's pretty frivolous that Ledger didn't reveal what actually happened, but indirectly tells us what may have happened - another illogical move on their part.

[NeuroticFish]

This is one of three things:

And a fourth:
He fabricated this in a hope to get some money off Ledger to shut up.


I've done a 300$ worth of ERC-20 tokens transaction with Ledger and MEW less than one week ago and all went just fine. And all the expected funds are still in place.
So I'd go for the 3+1 list of possible causes for those posts.

[o_e_l_e_o]

This example proves that no matter what someone has $100k in crypto (although that fact is also questioned in this story), this does not mean that he has enough intelligence to follow the simplest instructions such as downloading software from the official site, or not entering his seed anywhere except in the hardware wallet.

The kind of person who owns $100k worth of some random ERC20 token is almost certainly someone who took a wild punt on some ICO and happened to hit the jackpot when it pumps and dumps. For everyone one person who gets rich on a shitcoin, there are a thousand more who lose all their money. I would say that people throwing their money in to random altcoins and hoping to get rich quick are far less likely to be clued up on good security practices and the technical side of owning crypto than someone who owns $100k worth of bitcoin.

Reading through his tweets, he also admits to be an "advisor to the project", so I wouldn't be surprised at all if his 17 million tokens were airdropped to him for nothing.

[DaveF]

He is a sucker if he really did that and got scammed by fake phishing ledger, but I still have some doubts and think that one of o_e_l_e_o theories may be close to truth, and he wanted to avoid paying taxes (with gains he made during this bull market), so he staged the whole show in public.
Just my crypto conspiracy theory and I could be totally wrong

Interesting thought however. If they were airdropped to him, or given to him as an advisor on the project (depending on where they live) they might still be responsible for the taxes. If your boss gives you an oz of gold instead of a paycheck and you drop that gold and never see it again, your boss still paid you and you still owe taxes on it.

Back to the main point, still looks like it was his fault and the fact as many have said, that he never said what happened just looks funky.

-Dave

[bob123]

Could this be somehow connected to resent Ledger security breach, when about 10k users private data was stolen?  Could this stolen private info help “current topics hacker” to stole 100k usd?

No.
Ledger does not have any information about you which could help to bruteforce your mnemonic code or access your seed in any other way.


I'd say this person either was extremely stupid and negligent (which is pretty likely) or it is just a plain lie.
The fact not a single address or txid has been posted, makes me believe that it is the latter.

Usually, when people make dumb things, they start with pretty useless information and then release more and more useful information to actually figure out where they messed up. Not in this case.

[o_e_l_e_o]

The fact not a single address or txid has been posted, makes me believe that it is the latter.

Although he didn't release the TXID, there was a transaction for 17,000,000 of this token made a few hours before his tweet - https://etherscan.io/tx/0x479ee89c7cb976348f41cd66ba7232a95dadbf6026d12ca91d420b06918f7a01. These 17 million tokens were then moved again a few minutes later to a Uniswap contract.

Usually, when people make dumb things, they start with pretty useless information and then release more and more useful information to actually figure out where they messed up. Not in this case.

He has since made a couple more tweets, again saying that this wasn't the fault of his Ledger device but being completely vague as to what actually happened:

Do not interpret this as an endorsement as everyone is responsible for their own funds, but I believe the issue lies MUCH deeper than a hardware issue or P-key leak. I will shed light on this as soon as I can. To be best of my knowledge, @Ledger is #safu.

What is he hinting at here? Much deeper than a hardware issue? Either the code of the shitcoin he is shilling is filled with bugs, or he is still trying to cover up his own stupid mistakes.

[Masterswarm]

While this guy's Ledger was not hacked, to be cautious, people should be running multi-sig setups with both a Ledger and Trezor.

[mpufatzis]

Is it possible a fake MEW to compromise Ledger (without entering somehow the seed)?
Ledger is supposed to sign transactions even to infected PCs....

It is possible that he used a fake MEW or something like that, that could lead to some other exploit similar to that one from last week:
https://support.ledger.com/hc/en-us/articles/360015738179

I don't know if the two incidents are related.

I am worried about my ledger now....

[o_e_l_e_o]

Is it possible a fake MEW to compromise Ledger (without entering somehow the seed)?

We can never say never, as there could be a vulnerability we don't know about, but there is currently no known way for a fake MEW to compromise a Ledger device.

At most, a fake or malicious software wallet can push a malicious transaction to the hardware wallet. That transaction will only be signed and broadcast if the user presses the physical buttons on the Ledger device required to accept it. If the user rejects the transaction, then it cannot be signed and cannot be broadcast.

In terms of the recently discovered Ledger exploit - if there was a similar exploit for Ethereum and ERC20 tokens, then theoretically someone trying to transfer Ethereum or a token to an address could be tricked in to also transferring some other token to that address. There is, however, currently no known exploit which could achieve this.

[bitmover]

At most, a fake or malicious software wallet can push a malicious transaction to the hardware wallet. That transaction will only be signed and broadcast if the user presses the physical buttons on the Ledger device required to accept it. If the user rejects the transaction, then it cannot be signed and cannot be broadcast.

I agree. This is , as far as I understand,  exactly the case in this recent exploit:

This path restriction was not enforced for the Bitcoin app and most of its derivatives, allowing a Bitcoin derivative (eg. Litecoin) to derive public keys or sign Bitcoin transactions.

https://donjon.ledger.com/lsb/014/

As the user is already spending some altcoin, it is easy to be fooled and click the button for a bitcoin transaction while using a fake mew.

I will pay much more attention now when spending altcoins (I don't have much anyway)

[o_e_l_e_o]

I will pay much more attention now when spending altcoins (I don't have much anyway)

I have suggested for a long time now that people should make more use of multiple different passphrases, and this seems to be another good reason to do so. If each of the different coins you store on your Ledger device were stored behind a different passphrase, then it would be impossible for this vulnerability to affect you.

However, I appreciate this wouldn't be easy for ERC20 tokens, since they are stored on standard Ethereum addresses and you need some Ethereum on said address to be able to spend/transfer them, so you would be forced to hold a few dollars worth of Ethereum in multiple different addresses, one for each token. In this case, there really is no substitute for paying close attention to what your hardware wallet is displaying on the screen and double and triple checking it matches the transaction you wish to make.