Ledger hacked or not? 100k lost

[dkbit98]

Ledger is again trending in Twitter and for all the bad reasons.
One guy reported 100k of his erc20 tokens have been missing from his Ledger wallet, and Ledger is investigating this.
https://twitter.com/StackingUSD/status/1294254623591739392

It could be he was a victim of phishing attack, but I would not suggest anyone using eth or any other erc20 shit for now.

[1715292016]

1715292016

[1715292016]

1715292016

[1715292016]

1715292016

[bitmover]

It is possible that he used a fake MEW or something like that, that could lead to some other exploit similar to that one from last week:
https://support.ledger.com/hc/en-us/articles/360015738179

I don't know if the two incidents are related.

I am worried about my ledger now....

[dkbit98]

It is possible that he used a fake MEW or something like that, that could lead to some other exploit similar to that one from last week:
https://support.ledger.com/hc/en-us/articles/360015738179

I don't know if the two incidents are related.

I am worried about my ledger now....

I was thinking the same thing. Probably related with pervious bug that was reported.
Lucky for me, I don't hold any altcoins on Ledger wallet.

More updates for this case:
https://twitter.com/StackingUSD/status/1294274025213112322

[bitmover]

I was thinking the same thing. Probably related with pervious bug that was reported.
Lucky for me, I don't hold any altcoins on Ledger wallet.

More updates for this case:
https://twitter.com/StackingUSD/status/1294274025213112322

Everything he is saying like "I just reseted my ledger", "I said it was here" doens't mean anything.

 he could have just reseted and went into a fake MEW, or wrote his SEED in phising website...

[dkbit98]

Everything he is saying like "I just reseted my ledger", "I said it was here" doens't mean anything.

 he could have just reseted and went into a fake MEW, or wrote his SEED in phising website...

Probably, and I wouldn't be surprised.
When people can send bunch of Bitcoins to twitter hacker and youtube scam videos, then anything is possible.
However he does have his own TG group with over 4600 members, twitter with over 30k followers, and I don't think he is some naive newbie.

I am waiting for Ledger final reply.

[The Sceptical Chymist]

Everything he is saying like "I just reseted my ledger", "I said it was here" doens't mean anything.

Maybe, maybe not.  It certainly could be that he was vulnerable to a phishing attack that he's not aware of, but now I'm a bit worried and I'm curious to see what Ledger's response is.  

You guys think this is just an ETH-related thing?  I don't own any ETH or tokens, but hearing news like this is unnerving.

Edit:

What do you mean? If you say it's a vulnerability in erc-20 code, then I doubt it. Nobody can just take tokens away from someone's hardware wallet.

I don't know exactly what I mean.  I'm just wondering whether there's a real vulnerability that could affect everyone or just this member or a particular coin/token.  Never mind my question, as it's just my ignorance of how these things work speaking.

[Bttzed03]

Not Ledger's fault but good on them on trying to figure out what happened. My initial thought was he bought a tampered HW from a scammer but he says phrase was reset a week before. We can't be sure if that resetting was true though.   

~
You guys think this is just an ETH-related thing? 

What do you mean? If you say it's a vulnerability in erc-20 code, then I doubt it. Nobody can just take tokens away from someone's hardware wallet.


 

[dkbit98]

New update:
Hacker moving large amounts of coins from his wallet to OKEx exchange
No he is asking exchange to freeze the funds and going to contact police for investigation.
No reply from Ledger yet.

[bitmover]

Hacker moving large amounts of coins from his wallet to OKEx exchange
No he is asking exchange to freeze the funds and going to contact police for investigation.
No reply from Ledger yet.

This is a very stupid move from a hacker.

If the "hacker" knows a zero day bug on ledger and how to sploit it, he would certainly also know how to keep the funds anonymous using a mixer or coin join etc.. he would never send that to an exchange where he could be easily identified and reported and frozen.

Looks like he was scammed by some idiot. Phising site, or someone close etc.

[o_e_l_e_o]

Let's assume what he says is correct - he reset his Ledger and set up a new seed phrase a week ago, and his Ledger has been in his possession in a safe since and no one has had access to it.

• If the Ledger device had generated a non-random seed or there was some other flaw allowing an attacker to brute force the seed without having access to the device, then we would be seeing millions of a variety of coins and tokens being stolen
• If there was a flaw with the Ethereum app or interface, then again, we would be seeing millions of different ERC20 tokens being stolen

As with the vast majority of hacks, the most likely cause here is user error - insecure seed back up, entering seed in to inappropriate place, fake/malicious wallet or app, etc.

[sunsilk]

This made me worried about my Ledger but after analyzing it and reading the thoughts of o_e_l_e_o and everyone, I'll agree that it could be the guy's fault. Does the victim don't hold bitcoin? or he's just mainly into erc20 tokens? where's the TXIDs?

I quickly read and scroll through the replies of the people interested in that tweet. Most questions were asking for the TXID but the author seems to ignore it.

[Pmalek]

According to Andreas Antonopoulos he believes that it could be an inside job rather than something else. Someone close to him who had access to the safe robbed him. His tweet came as a response to some other user's question who asked if it was possible there could have been a seed collision with a seed already used by someone else.

This is the tweet.

More bad press about Ledger. Maybe it's not their fault this time but karma is a bitch. They decided to focus on their clothing assortment and overprices crypto buying service instead of fixing security bugs and now the problems are pilling up.

[Lucius]

To me, this seems like a little more adding fuel to the fire in an attempt to further damage Ledger's reputation. The tweet that appeared after the alleged hacking raises even more suspicions that this is the case - one person was allegedly hacked, and another reportedly received the same amount on his Ledger.

I noticed that both messages end identically : "What the actual fnck @Ledger". Of course neither of those two Twitter users posted their addresses or transactions, which could only help to at least determine where the tokens ended up and whether the alleged hacker would try to sell them.

Users report hacking their HWs every week, and in the end it turns out that they are victims of phishing or that they kept the seed in unencrypted digital form. I'm 90% sure that's the case here too, the remaining 10% goes to some real unknown vulnerability or to an attempt of bad PR.

[TopTort777]

Could this be somehow connected to resent Ledger security breach, when about 10k users private data was stolen?  Could this stolen private info help “current topics hacker” to stole 100k usd?

[DaveF]

Could this be somehow connected to resent Ledger security breach, when about 10k users private data was stolen?  Could this stolen private info help “current topics hacker” to stole 100k usd?

No and yes and no.
No, there is no way that knowing that info will get you into someones PC or Ledger.
Yes, in the fact that it might make you more vulnerable to Spear Phishing or a more targeted attack.
No, in the fact that if the above did happen the user would still have to "do something wrong" somehow.

-Dave

[Bttzed03]

Without disclosing what actually happened, the guy has apologized to Ledger

I want to take a moment to apologize to the @Ledger team. @Ledger_Support was very swift & helpful, despite my attitude. I let my emotions get the best of me, reacting w/o thinking. Rationale & respect went out of the window, and for that I apologize.

Thank you, Team #Ledger.

It's definitely a user error. He probably asked Ledger's support not to disclose the findings in exchange for his apology because it's embarrassing.

He's moving on now and continue with his shills.

I reached out to a lot of exchanges & contacts today, unfortunately they were unable to assist.

I quickly contacted @TomMarchi from @Sentivate & the team was ready to assist instantly. With that being said, I'm content moving onwards and consider this matter concluded.

I guess its time to end the discussion here.

[Lucius]

It's definitely a user error. He probably asked Ledger's support not to disclose the findings in exchange for his apology because it's embarrassing.

Or it is the most common attempt to attract attention in order to promote something else, such as some shitcoins that the user normally promotes. People are not so stupid as not to see what is happening, and when someone avoids giving an answer to the simple question "What actually happened" everything can be reduced to this tweet :

Since you aren't telling people what happened and how it got resolved, this whole shitshow starts to sound like a cheap marketing campaign for the shitcoin you are promoting.

[o_e_l_e_o]

What utter nonsense. He had the equivalent of $110,000 stolen, and in the space of less than 12 hours went from threatening Ledger with "you will repay me", to "I'm content moving forward". He has also been completely silent on what actually happened.

This is one of three things:

• He did something so monumentally stupid that he is embarrassed by the whole thing, such as type his seed phrase in to a website
• He fabricated the whole thing for tax evasion or money laundering purposes
• He fabricated the whole thing to advertise a shitcoin

Regardless, almost certainly nothing to do with Ledger and no security vulnerability of the hardware device.

[HCP]

Just... wow!

I'm guessing the fact that he retweeted the Ledger "Phising" warning, and then publicly apologised to Ledger is the biggest indicator of what happened:



100% he either entered his 24 word recovery phrase into either a fake version of Ledger Live or a phishing website etc when he reset his seed a week ago.

Sucks his lost so much, but I'd have way more respect for him if he explained what actually happened instead of these somewhat "vague" tweets which are the twitter equivalent of "nevermind, I fixed it" posts on forums

[dkbit98]

100% he either entered his 24 word recovery phrase into either a fake version of Ledger Live or a phishing website etc when he reset his seed a week ago.

Sucks his lost so much, but I'd have way more respect for him if he explained what actually happened instead of these somewhat "vague" tweets which are the twitter equivalent of "nevermind, I fixed it" posts on forums

He is a sucker if he really did that and got scammed by fake phishing ledger, but I still have some doubts and think that one of o_e_l_e_o theories may be close to truth, and he wanted to avoid paying taxes (with gains he made during this bull market), so he staged the whole show in public.
Just my crypto conspiracy theory and I could be totally wrong

[joniboini]

He is a sucker if he really did that and got scammed by fake phishing ledger, but I still have some doubts and think that one of o_e_l_e_o theories may be close to truth, and he wanted to avoid paying taxes (with gains he made during this bull market), so he staged the whole show in public.

There's no evidence but it is definitely weird. If I lose that much I'd be stressed out like hell unless I'm a whale with 10 millions cash to burn everyday. At least this means Ledger is still safe to use, and not really surprising at all since most 'hacking' method that have been published require access to the HW itself. 

[sunsilk]

I'll agree that it could be the guy's fault.

 must say fault resulted from his carelessness and  inattentiveness. Even if he was caught up on the hook of the fishing  site Ledger had displayed him the receiving address  to check before signing transaction. Likely he didn't do that  and paid the price.

It's a case-closed. It's his fault and the analysis of o_e_l_e_o is correct, it's either of those factors which led the complainant's negligence of losing his funds.

The guy took the attention of many crypto folks especially, Ledger's and whatever his agenda is, it brought me a short-time fear for my own self-keeping. I commend Ledger's response and how they're willing to help the guy although it's after-sales.

I wonder if Ledger will go after him with the buzz and after damaging their reputation with what he's done.

[Lucius]

This example proves that no matter what someone has $100k in crypto (although that fact is also questioned in this story), this does not mean that he has enough intelligence to follow the simplest instructions such as downloading software from the official site, or not entering his seed anywhere except in the hardware wallet.

I'm not surprised that this genius may want to hide his shame, but it's pretty frivolous that Ledger didn't reveal what actually happened, but indirectly tells us what may have happened - another illogical move on their part.

[NeuroticFish]

This is one of three things:

And a fourth:
He fabricated this in a hope to get some money off Ledger to shut up.


I've done a 300$ worth of ERC-20 tokens transaction with Ledger and MEW less than one week ago and all went just fine. And all the expected funds are still in place.
So I'd go for the 3+1 list of possible causes for those posts.

[o_e_l_e_o]

This example proves that no matter what someone has $100k in crypto (although that fact is also questioned in this story), this does not mean that he has enough intelligence to follow the simplest instructions such as downloading software from the official site, or not entering his seed anywhere except in the hardware wallet.

The kind of person who owns $100k worth of some random ERC20 token is almost certainly someone who took a wild punt on some ICO and happened to hit the jackpot when it pumps and dumps. For everyone one person who gets rich on a shitcoin, there are a thousand more who lose all their money. I would say that people throwing their money in to random altcoins and hoping to get rich quick are far less likely to be clued up on good security practices and the technical side of owning crypto than someone who owns $100k worth of bitcoin.

Reading through his tweets, he also admits to be an "advisor to the project", so I wouldn't be surprised at all if his 17 million tokens were airdropped to him for nothing.

[DaveF]

He is a sucker if he really did that and got scammed by fake phishing ledger, but I still have some doubts and think that one of o_e_l_e_o theories may be close to truth, and he wanted to avoid paying taxes (with gains he made during this bull market), so he staged the whole show in public.
Just my crypto conspiracy theory and I could be totally wrong

Interesting thought however. If they were airdropped to him, or given to him as an advisor on the project (depending on where they live) they might still be responsible for the taxes. If your boss gives you an oz of gold instead of a paycheck and you drop that gold and never see it again, your boss still paid you and you still owe taxes on it.

Back to the main point, still looks like it was his fault and the fact as many have said, that he never said what happened just looks funky.

-Dave

[bob123]

Could this be somehow connected to resent Ledger security breach, when about 10k users private data was stolen?  Could this stolen private info help “current topics hacker” to stole 100k usd?

No.
Ledger does not have any information about you which could help to bruteforce your mnemonic code or access your seed in any other way.


I'd say this person either was extremely stupid and negligent (which is pretty likely) or it is just a plain lie.
The fact not a single address or txid has been posted, makes me believe that it is the latter.

Usually, when people make dumb things, they start with pretty useless information and then release more and more useful information to actually figure out where they messed up. Not in this case.

[o_e_l_e_o]

The fact not a single address or txid has been posted, makes me believe that it is the latter.

Although he didn't release the TXID, there was a transaction for 17,000,000 of this token made a few hours before his tweet - https://etherscan.io/tx/0x479ee89c7cb976348f41cd66ba7232a95dadbf6026d12ca91d420b06918f7a01. These 17 million tokens were then moved again a few minutes later to a Uniswap contract.

Usually, when people make dumb things, they start with pretty useless information and then release more and more useful information to actually figure out where they messed up. Not in this case.

He has since made a couple more tweets, again saying that this wasn't the fault of his Ledger device but being completely vague as to what actually happened:

Do not interpret this as an endorsement as everyone is responsible for their own funds, but I believe the issue lies MUCH deeper than a hardware issue or P-key leak. I will shed light on this as soon as I can. To be best of my knowledge, @Ledger is #safu.

What is he hinting at here? Much deeper than a hardware issue? Either the code of the shitcoin he is shilling is filled with bugs, or he is still trying to cover up his own stupid mistakes.

[Masterswarm]

While this guy's Ledger was not hacked, to be cautious, people should be running multi-sig setups with both a Ledger and Trezor.

[mpufatzis]

Is it possible a fake MEW to compromise Ledger (without entering somehow the seed)?
Ledger is supposed to sign transactions even to infected PCs....

It is possible that he used a fake MEW or something like that, that could lead to some other exploit similar to that one from last week:
https://support.ledger.com/hc/en-us/articles/360015738179

I don't know if the two incidents are related.

I am worried about my ledger now....

[o_e_l_e_o]

Is it possible a fake MEW to compromise Ledger (without entering somehow the seed)?

We can never say never, as there could be a vulnerability we don't know about, but there is currently no known way for a fake MEW to compromise a Ledger device.

At most, a fake or malicious software wallet can push a malicious transaction to the hardware wallet. That transaction will only be signed and broadcast if the user presses the physical buttons on the Ledger device required to accept it. If the user rejects the transaction, then it cannot be signed and cannot be broadcast.

In terms of the recently discovered Ledger exploit - if there was a similar exploit for Ethereum and ERC20 tokens, then theoretically someone trying to transfer Ethereum or a token to an address could be tricked in to also transferring some other token to that address. There is, however, currently no known exploit which could achieve this.

[bitmover]

At most, a fake or malicious software wallet can push a malicious transaction to the hardware wallet. That transaction will only be signed and broadcast if the user presses the physical buttons on the Ledger device required to accept it. If the user rejects the transaction, then it cannot be signed and cannot be broadcast.

I agree. This is , as far as I understand,  exactly the case in this recent exploit:

This path restriction was not enforced for the Bitcoin app and most of its derivatives, allowing a Bitcoin derivative (eg. Litecoin) to derive public keys or sign Bitcoin transactions.

https://donjon.ledger.com/lsb/014/

As the user is already spending some altcoin, it is easy to be fooled and click the button for a bitcoin transaction while using a fake mew.

I will pay much more attention now when spending altcoins (I don't have much anyway)

[o_e_l_e_o]

I will pay much more attention now when spending altcoins (I don't have much anyway)

I have suggested for a long time now that people should make more use of multiple different passphrases, and this seems to be another good reason to do so. If each of the different coins you store on your Ledger device were stored behind a different passphrase, then it would be impossible for this vulnerability to affect you.

However, I appreciate this wouldn't be easy for ERC20 tokens, since they are stored on standard Ethereum addresses and you need some Ethereum on said address to be able to spend/transfer them, so you would be forced to hold a few dollars worth of Ethereum in multiple different addresses, one for each token. In this case, there really is no substitute for paying close attention to what your hardware wallet is displaying on the screen and double and triple checking it matches the transaction you wish to make.