BlenderWallet phishing attempt?

[LoyceV]

Blender Wallet claims to be hacked:

June 22, 2021 – Non-custodial crypto wallet Blender Wallet has been hacked. The hackers withdrew the amount of 100 BTC in total.

As a non-custodial service, Blender Wallet doesn’t store data about users on servers. The Blender Wallet team has immediately disabled registration and access to the wallets to  protect users’ funds and make sure that newly generated seed phases won’t get in hacker’s hands.The executives promise to cover the losses from Blender Mixer’s reserves. Every user who has lost the money due to the hack will get the exact amount of money on their balance. Further information on compensation will be available at https://blenderwallet.io and @BlenderWalletio_English Telegram channel.

“Over the course of investigation, we promise to figure out how hackers managed to hack a non-custodial solution, as we don’t store any data granting access to users’ balances on our servers. We initiated an internal investigation. The details of how hackers got access to users’ funds are still unclear,” commented the officials. "The whole crypto community, be it a regulated exchange or a mixer, should deploy all the forces against cybercrime, as it's users who get affected in the first place. And as a service we must do whatever we can to protect funds that we've been entrusted with."

Sure. Now check https://blenderwallet.io/en/:

The procedure for receiving a refund:

    Send your seed phrase and password (if you used one) to the blenderwallet@tuta.io or to the jabber blenderwallet@jabb.im

This should ring all possible alarm bells! What if their non-custodial wallet wasn't hacked, but their accounts are? It sounds like a perfect phishing scenario to ask users for their seed phrase and steal there funds! Even if the hacking story is true, there are better ways to prove ownership than sending the seed phrase.

I've left BlenderWallet negative feedback as a warning for now. Better safe than sorry.
This is also a big red flag:

All applications will be processed on a first come, first served basis.

It's like: quick, don't think, send your seed phrase!

[1714003095]

1714003095

[1714003095]

1714003095

[1714003095]

1714003095

[JeromeTash]

I read their message the other day and something is off about the hack claim.

Maybe they would help by shading some light on how the "attack" happened in the first place. I mean, it already happened, so I don't see why they should leave out such details on their website and instead jump onto the refunding procedure.

[vv181]

Some people on the Blenderio telegram claimed they have received the refund:
https://t.me/c/1441579769/1171
https://t.me/c/1441579769/1172

At first, the team reported that Blender Wallet is on maintenances https://t.me/c/1441579769/1129, but then they announce the service got hacked.

I suppose it might be bad crisis management. Not to mention they are being reliable for people's money, and how awful the situation might be for the team. So I think the questionable announcements are reasonable. Although they indeed should perform better, as JeromeTash said, I do think they better to clarify the incident first. But maybe the team just wants a quick way to assure user funds safe.

But yea, with such kind of announcement its kinda seems like a phishing scenario, mentioning the probability their account might be hacked as you said it.

Blenderio telegram link:
https://t.me/joinchat/VezC-VERtYs8sdB7

[khaled0111]

Even if the hacking story is true, there are better ways to prove ownership than sending the seed phrase.

It would be better to ask the affected customers to sign a message with their hacked wallets to be eligible for a refund. This is the best way to prove ownership of a wallet without exposing its seed.
But there is a more serious problem, imo: they claim they don't save their customers personal information (no kyc) and since the hacker manged to move the victims funds then he certainly has their wallets seeds too. Now, if someone contacts them asking for a refund how are they going to know if he is the real owner and not the hacker!
Maybe this why they stated that the refunds will be made on a first come first served basis!

[LoyceV]

Some people on the Blenderio telegram claimed they have received the refund:

Some Newbies on Bitcointalk claimed the same. The accounts were only created to post this, which is what many scammers do to promote their scam.

Not to mention they are being reliable for people's money

Not according to their Terms.

So I think the questionable announcements are reasonable.

Let's agree to disagree on this.

But maybe the team just wants a quick way to assure user funds safe.

Intead of rushing to refund people and promising to pay 100 BTC out of pocket, it would make much more sense to get to the bottom of this first. How do they even know 100 BTC was stolen?

But there is a more serious problem, imo: they claim they don't save their customers personal information (no kyc) and since the hacker manged to move the victims funds then he certainly has their wallets seeds too. Now, if someone contacts them asking for a refund how are they going to know if he is the real owner and not the hacker!

You make a very good point. None of this makes any sense!

[SFR10]

Some Newbies on Bitcointalk claimed the same. The accounts were only created to post this, which is what many scammers do to promote their scam.

Judging by its timing ^{["after what I said"]}, it does look like what you mentioned.

How do they even know 100 BTC was stolen?

They probably made that up and it's a perfect case wherein none of the affected users ^{[if there are any]} are going to disclose such information and they'd probably do the same as well ^{[nature of their service]}.
None of their recent announcements makes much sense and I see the following things as possibilities:

• A marketing strategy to create some buzz and increase their reputation.
• It was never a "non-custodial service".
• Somehow it really got hacked.

Personally, I'm leaning towards the first two being the case, but I could be wrong.

[LoyceV]

User blenderio also responded yesterday. The user's previous post was from September last year, but the Trust summary doesn't show the "this user just woke up"-warning so they must still have been active once in a while.

[bL4nkcode]

Some people on the Blenderio telegram claimed they have received the refund:
https://t.me/c/1441579769/1171
https://t.me/c/1441579769/1172

At first, the team reported that Blender Wallet is on maintenances https://t.me/c/1441579769/1129, but then they announce the service got hacked.

[...]

Blenderio telegram link:
https://t.me/joinchat/VezC-VERtYs8sdB7

It would be better if you upload some screenshots from that telegram group chat, since some users here didn't have telegram account to join the chat or didn't want to join in anyway.

Though its a fishy act of blenderwallet, but for the response of its users I guess, it's okay to assume that they're totally helping. Hampuz didn't comment regards on this as well knowing he still managing their campaign.

[coupable]

Though its a fishy act of blenderwallet, but for the response of its users I guess, it's okay to assume that they're totally helping. Hampuz didn't comment regards on this as well knowing he still managing their campaign.

After reading abve comments, i can't deny my doubts that i am using my signature to promote an ambigious service. I am still not sure about the statut of blenderwallet with this accusation.. And as i trust manager Hhampuz, i can tell that i am also waiting for his attitude about the actual situation of Blenderwallet.

[BlenderWallet]

As a non-custodial service, we don't store seed phrases but with the help of this information, we are able to check the history of transactions and see how many of them have been performed through Blender Wallet.

Fraudulent transactions have been identified according to several parameters, such as performing transactions bypassing Blender Wallet interface, turned off RBF, a single transaction sent from different wallets of our users as well as the time frame of the incident. Users witnessed the hack in real time and could cancel the transaction. But because of RBF being turned off, the button was inactive. Evidently, hackers didn't get access to Blender Wallet's functional. We can't say for sure whether they took it into consideration, but if the RBF feature was on, users could cancel a transaction with a single click.

[ChipMixer]

None of their recent announcements makes much sense and I see the following things as possibilities:

• A marketing strategy to create some buzz and increase their reputation.

"We were hacked and funds we promised to not to have access to have been stolen but we will return some" is horrible marketing.

None of their recent announcements makes much sense and I see the following things as possibilities:

• It was never a "non-custodial service".

It was web wallet accessing private keys (or seeds) with javascript code hosted on website. You could audit it but it (probably) was minified and made harder to do that. Even if you would audit it and it would not had any code to send your private keys elsewhere - it is javascript code hosted on website. It can change anytime. Do not use web wallets.

But it is good sign they are refunding.

[dkbit98]

As a non-custodial service, we don't store seed phrases but with the help of this information, we are able to check the history of transactions and see how many of them have been performed through Blender Wallet.

Few days ago I asked a question in your topic if Blender service should now be considered unsafe, until funds are returned to customers and flaws fixed, but I still didn't receive any answer.
I will consider that not answering anything is a sign of confirmation.

[LoyceV]

As a non-custodial service, we don't store seed phrases but with the help of this information, we are able to check the history of transactions and see how many of them have been performed through Blender Wallet.

Couldn't you do all this without asking for the user's seed phrases? You could for instance have asked for a list of addresses with signed messages to prove ownership.

[BlenderWallet]

As a non-custodial service, we don't store seed phrases but with the help of this information, we are able to check the history of transactions and see how many of them have been performed through Blender Wallet.

Few days ago I asked a question in your topic if Blender service should now be considered unsafe, until funds are returned to customers and flaws fixed, but I still didn't receive any answer.
I will consider that not answering anything is a sign of confirmation.

Yes, right now our service is unsafe, therefore we closed it till October 2021. Right now we ware totally rewriting all infrastructure.

[BlenderWallet]

As a non-custodial service, we don't store seed phrases but with the help of this information, we are able to check the history of transactions and see how many of them have been performed through Blender Wallet.

Couldn't you do all this without asking for the user's seed phrases? You could for instance have asked for a list of addresses with signed messages to prove ownership.

First of all we asked users to check their wallet balance through Electrum. If balance is positive, we asked them to send all funds to another wallet. If balance equals 0, then it is easier for customers and our support to use seed phrases for investigation and proofing, that funds were stollen (some users send funds to their own wallets and pretended, that their funds were stollen). Anyway, after attack we don't recommend to use seed phrases generated earlier on Blender Wallet.

[dkbit98]

Yes, right now our service is unsafe, therefore we closed it till October 2021. Right now we ware totally rewriting all infrastructure.

Why then on your blender wallet website we can see the statement that blender.io mixer works normally?
If both your mixer and wallet are unsafe you should clearly post warning about that on website, but I see no information about this on blender.io website.


archive: https://archive.ph/sOMYM

[BlenderWallet]

Yes, right now our service is unsafe, therefore we closed it till October 2021. Right now we ware totally rewriting all infrastructure.

Why then on your blender wallet website we can see the statement that blender.io mixer works normally?
If both your mixer and wallet are unsafe you should clearly post warning about that on website, but I see no information about this on blender.io website.

https://i.imgur.com/vN0Rp7c.jpg
archive: https://archive.ph/sOMYM

Just because MIXER and WALLET are two independent systems, that are connected only by API. Therefore blender.io mixer works properly and is absolutely safe.