Bitcoin Forum
Author Topic: making fake HW wallets(will we see this scam next)??  (Read 311 times)
ben19850 (OP)
August 12, 2021, 08:36:38 PM
Last edit: January 30, 2022, 04:14:50 PM by ben19850
Merited by NotATether (2)
 #1

Let's say you make a fake HW wallet.

People add a passphrase for extra security and keep the seed safe.


Could a scammer have several dormant pre-programmed BTC addresses which they could tell the wallet to display (which the HW would SHOW to the new user as their newly set up seed-linked wallet)?

No need for the scammer to get the seed etc... just give them a wallet that the scammer has access to already.
LeGaulois
August 12, 2021, 09:55:52 PM
 #2

If one day I receive a wallet and I notice the seed has already been generated, I would start to have some doubts about the device itself.

One way more people can easily fall for the scam is to tinker with the wallet so that the seed can be siphoned off.

In the same style as what happened to the company Ledger when some people were receiving a wallet with a flash drive with a fake app connected to the circuit board. People would rarely open the device to check if everything is "legit", would they? I did it once just out of curiosity but I didn't do it with all my devices.

bitmover
August 12, 2021, 10:01:15 PM
 #3

> Let's say you make a fake HW wallet.
>
> People add a passphrase for extra security and keep the seed safe.
>
> Could a scammer have several dormant pre-programmed BTC addresses which they could tell the wallet to display (which the HW would give to the new user as their new seed-linked wallet)?
>
> No need for the scammer to get the seed etc... just give them a wallet that the scammer has access to already.

This is why you should only buy a hardware wallet from an official retailer or from the manufacturer. You shouldn't be buying one on eBay.

There are even some attacks on official devices which become compromised with a physical attack, if the attacker has access to the device.

ben19850 (OP)
August 12, 2021, 10:02:06 PM
 #4

> If one day I receive a wallet and I notice the seed has already been generated, I would start to have some doubts about the device itself.
>
> One way more people can easily fall for the scam is to tinker with the wallet so that the seed can be siphoned off.
>
> In the same style as what happened to the company Ledger when some people were receiving a wallet with a flash drive with a fake app connected to the circuit board. People would rarely open the device to check if everything is "legit", would they? I did it once just out of curiosity but I didn't do it with all my devices.

What I mean is it wouldn't matter if a new seed was generated.

If it was a pre-programmed BTC address, the new user wouldn't know.
dkbit98
August 13, 2021, 09:27:44 AM
 #5

> Let's say you make a fake HW wallet.

I don't understand what you mean by making a fake hardware wallet. You mean an ordered or DIY-made device? Explain it better.

You can add multiple passphrases to your wallet as extra protection that works only in combination with your seed words, but keep them in different locations.
For accessing any funds on that wallet, you also need to have the PIN code, and you need to know the correct passphrase.
You can also reset the device and generate a new random decoy wallet.

Lucius
August 13, 2021, 10:38:47 AM
Merited by ABCbits (1), Pmalek (1)
 #6

> What I mean is it wouldn't matter if a new seed was generated.
> If it was a pre-programmed BTC address, the new user wouldn't know.

If you buy a used HW that is basically original, and someone has already intentionally or accidentally set it up (generated seed), then it is generally considered that resetting such a device to factory settings is quite enough to use it safely later by generating a new seed. However, the question is whether such a device may have been modified in some way (hardware modification), and can allow the original owner to try to hack you.

On the other hand, if someone were to make an effort to modify the HW in such a way that it always generates identical seed or perhaps to generate several sets of seed known to the hacker, in that case, no reset of the device would help.

Even when someone buys an original HW directly from the manufacturer, you don't need to make a big deposit right away - because there is always the possibility of a new vulnerability that no one knew about before - test with small amounts, wait a few days and if everything is fine continue to use HW normally.

NeuroticFish
August 13, 2021, 10:47:06 AM
 #7

> Could a scammer have several dormant pre-programmed BTC addresses which they could tell the wallet to display (which the HW would give to the new user as their new seed-linked wallet)?
>
> No need for the scammer to get the seed etc... just give them a wallet that the scammer has access to already.

As I see this, the so-called pre-programmed extra address will not be part of the seed-based HD wallet. So whenever one uses this... device... one will have an HD wallet + 1 address. This means that the scammer will probably have to make his own wallet software too, to import the extra address somehow.

While some very new n00bs can be caught with this, I don't think that many can be so stupid to use both counterfeit HW and bad wallet software too, especially as legit wallet software comes free.

Pmalek
August 15, 2021, 08:42:15 AM
 #8

If I understand the OP correctly, he is asking if it would be possible to create a wallet that always displays one or more receiving addresses of the hacker independent of what seed + seed extension the victim is using. The software of such a device would have no role at all, and would work as a regular hardware wallet where you are shown a seed to write down. But no matter what seed or passphrase you use, the device ends up displaying the same receiving addresses that ultimately leads to the victim making transactions to addresses that belong to the hacker. Is that it?

I don't think this is impossible.   

sheenshane
August 15, 2021, 03:25:37 PM
Merited by The Sceptical Chymist (3)
 #9

I don't see that there's a scam coming next if someone is making their own fake HW wallets. If there is, that's a noob or an innocent one who is new to the crypto world, or one who can be considered lazy because they don't even do their own research regarding no-brand wallet use.

Let's say they (the scammer) modify the HW wallets and you bought one from an unofficial distributor store; I think the reset button is enough in the first place to secure your wallet, and the hacker can do nothing because it will generate another seed phrase and address.

From all I see on this matter, it's unrealistic for this to happen. No one will risk their crypto assets on HW wallets from an unknown source.

tenant48
August 15, 2021, 03:49:39 PM
Merited by Pmalek (2)
 #10

> Let's say you make a fake HW wallet.
>
> People add a passphrase for extra security and keep the seed safe.
>
> Could a scammer have several dormant pre-programmed BTC addresses which they could tell the wallet to display (which the HW would give to the new user as their new seed-linked wallet)?
>
> No need for the scammer to get the seed etc... just give them a wallet that the scammer has access to already.

This situation is theoretically possible. To make sure that your wallet is normal, you will need to generate a seed on it and then check the correct generation of addresses by entering this seed here: https://iancoleman.io/bip39/ If the addresses match, then your wallet is normal. Then reset it to factory settings and create a new seed for permanent use.

Pmalek
August 15, 2021, 04:36:45 PM
 #11

> If there is, that's a noob or an innocent one who is new to the crypto world, or one who can be considered lazy because they don't even do their own research regarding no-brand wallet use.

Those are exactly the victims that scammers target. What you explained is not different from any other scheme that is created for newbies, those who are greedy, careless, and don't take the required amount of time to consider the consequences of their actions.

> Let's say they (the scammer) modify the HW wallets and you bought one from an unofficial distributor store; I think the reset button is enough in the first place to secure your wallet, and the hacker can do nothing because it will generate another seed phrase and address.

It wouldn't be enough if someone managed to create what I explained in my previous post in this thread. Besides, the scammers could use the leaked Shopify/Ledger databases to send out their fake products. We have already seen something like that not so long ago.

o_e_l_e_o
August 15, 2021, 07:50:48 PM
 #12

> To make sure that your wallet is normal, you will need to generate a seed on it and then check the correct generation of addresses by entering this seed here: https://iancoleman.io/bip39/ If the addresses match, then your wallet is normal. Then reset it to factory settings and create a new seed for permanent use.

But how do you know your wallet is not generating seed phrases from a bank of several thousand or so which were pre-generated by an attacker? Just because the address did indeed come from the seed phrase you were displayed, does not mean your wallet is "normal" or safe.

You need to have some way of verifying the firmware which is installed on your hardware wallet, or verifying the updates you are applying to it, and verifying that the firmware is truly generating a random seed phrase. You could also mitigate this by using a long and complex passphrase (and then verifying that the addresses you are being displayed are indeed generated from seed phrase + passphrase), so even if an attacker knew your seed phrase they still could not access your coins.
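
Added example (not part of the thread or of any wallet's own code): the first stages of the independent check described in the post above, BIP39 seed stretching and BIP32 hardened derivation in plain Python, showing that the same words with and without a passphrase lead to unrelated account keys. Assumptions: the mnemonic is the public all-"abandon" BIP39 test vector (never a real wallet), the m/84'/0'/0' path is an assumed default, and turning the account key into addresses still needs secp256k1 in an independent offline tool.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group, used for BIP32 private-key arithmetic.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

# Public BIP39 test-vector mnemonic, used here only as sample input.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def _nfkd(text):
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    return hashlib.pbkdf2_hmac(
        "sha512", _nfkd(mnemonic), b"mnemonic" + _nfkd(passphrase), 2048, 64
    )


def bip32_master(seed):
    """BIP32: split HMAC-SHA512("Bitcoin seed", seed) into (key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def hardened_child(key, chain_code, index):
    """BIP32 hardened private derivation; needs no elliptic-curve code.

    The (astronomically unlikely) invalid-key cases from BIP32 are not handled.
    """
    data = b"\x00" + key + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    child = (int.from_bytes(digest[:32], "big") + int.from_bytes(key, "big")) % SECP256K1_N
    return child.to_bytes(32, "big"), digest[32:]


def account_key(mnemonic, passphrase="", path=(84, 0, 0)):
    """Hex private key at m/84'/0'/0' (default) for the given words + passphrase."""
    key, chain = bip32_master(bip39_seed(mnemonic, passphrase))
    for index in path:
        key, chain = hardened_child(key, chain, index)
    return key.hex()


if __name__ == "__main__":
    # Same words, different passphrase: completely different wallet.
    print("no passphrase :", account_key(TEST_MNEMONIC))
    print("with 'TREZOR' :", account_key(TEST_MNEMONIC, "TREZOR"))
```

Every passphrase yields a valid wallet, so a check of the displayed addresses only means something if the independent tool is given the same passphrase that was entered on the device.
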
tenant48
August 16, 2021, 05:21:10 AM
Last edit: August 16, 2021, 06:41:28 AM by tenant48
 #13

>> To make sure that your wallet is normal, you will need to generate a seed on it and then check the correct generation of addresses by entering this seed here: https://iancoleman.io/bip39/ If the addresses match, then your wallet is normal. Then reset it to factory settings and create a new seed for permanent use.
>
> But how do you know your wallet is not generating seed phrases from a bank of several thousand or so which were pre-generated by an attacker? Just because the address did indeed come from the seed phrase you were displayed, does not mean your wallet is "normal" or safe.
>
> You need to have some way of verifying the firmware which is installed on your hardware wallet, or verifying the updates you are applying to it, and verifying that the firmware is truly generating a random seed phrase. You could also mitigate this by using a long and complex passphrase (and then verifying that the addresses you are being displayed are indeed generated from seed phrase + passphrase), so even if an attacker knew your seed phrase they still could not access your coins.

The question was asked about a pre-installed BTC address by an attacker and I answered it. If you have doubts about the work of the built-in random seed generator, then you have two options: create your own seed manually or additionally protect the seed with a passphrase of at least 10 - 12 characters, this is quite enough to protect the compromised seed: https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af?gi=a11722e479d8

o_e_l_e_o
August 16, 2021, 08:26:25 AM
 #14

> The question was asked about a pre-installed BTC address by an attacker and I answered it.

Sure, your method protects against that specific attack, but it does not guarantee your wallet is "normal" as you suggested.

> passphrase of at least 10 - 12 characters, this is quite enough to protect the compromised seed

It is far from ideal, though. A 24 word seed phrase provides 256 bits of security. 10 random lowercase characters provides only 47 bits. You shouldn't be relying on only a passphrase for all your security, and definitely not one so short.
tenant48
August 16, 2021, 09:04:19 AM
 #15

>> passphrase of at least 10 - 12 characters, this is quite enough to protect the compromised seed
>
> It is far from ideal, though. A 24 word seed phrase provides 256 bits of security. 10 random lowercase characters provides only 47 bits. You shouldn't be relying on only a passphrase for all your security, and definitely not one so short.

When you iterate over a seed of 24 words (256 bit), you have the opportunity to find millions of other wallets, since most wallets use the BIP39 standard; in this case there should be sufficient redundancy. When you iterate over the passphrase, you have the opportunity to find only one single wallet, so such protection (10 - 12 characters) will be enough. Read the article again: https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af?gi=a11722e479d8 There is a table with examples of password phrases and the approximate cost of attacks.

o_e_l_e_o
August 16, 2021, 10:17:34 AM
 #16

> -snip-

Even if we assume there are 2.1 trillion 24-word BIP39 wallets with coins in them (as in, all 21 million bitcoin ever split up across 2.1 trillion wallets with only 1000 sats in each wallet), then you are still looking at a 1 in 5.5*10^64 chance of finding a collision. To find a single 10 character lowercase letter password is a 1 in 141,167,095,653,376 chance. The differences between these two numbers really cannot be overstated. That difference is comparable to the difference between a single atom and all the atoms in the entire world.

Using a passphrase of that strength is almost certainly going to be fine if your seed phrase is secured. But in our scenario here of a seed phrase which is known to an attacker, then it is simply not good enough. You are massively reducing your security.
tenant48
August 16, 2021, 11:09:04 AM
Last edit: August 16, 2021, 11:32:46 AM by tenant48
 #17

>> -snip-
>
> Even if we assume there are 2.1 trillion 24-word BIP39 wallets with coins in them (as in, all 21 million bitcoin ever split up across 2.1 trillion wallets with only 1000 sats in each wallet), then you are still looking at a 1 in 5.5*10^64 chance of finding a collision. To find a single 10 character lowercase letter password is a 1 in 141,167,095,653,376 chance. The differences between these two numbers really cannot be overstated. That difference is comparable to the difference between a single atom and all the atoms in the entire world.
>
> Using a passphrase of that strength is almost certainly going to be fine if your seed phrase is secured. But in our scenario here of a seed phrase which is known to an attacker, then it is simply not good enough. You are massively reducing your security.

Sorry, the article was not written by me, but specialists from Trezor. It states that to brute force a passphrase of 10 characters, you will need to pay about $ 1,000,000 today. For 12 characters - $ 128,000,000. By renting servers on Amazon. Do you think this is insufficient protection? Or are you going to store hundreds of millions $ on one wallet?
For this attack, the attacker must know your seed and be prepared to invest huge amounts of money with dubious results.

NotATether
August 16, 2021, 03:24:50 PM
 #18

> Sorry, the article was not written by me, but specialists from Trezor. It states that to brute force a passphrase of 10 characters, you will need to pay about $ 1,000,000 today. For 12 characters - $ 128,000,000. By renting servers on Amazon. Do you think this is insufficient protection? Or are you going to store hundreds of millions $ on one wallet?

Never mind Amazon, you can't even rent $100 of computational capacity without filing a service limit increase request, and if you're not linking a credit card you got officially from a bank office then chances are you are going to be hit with an account suspension shortly after you commence the attack. Same goes for other cloud platforms near the size of AWS. A botnet is the most likely way to get power even remotely close to $1,000,000.

HCP
August 19, 2021, 07:53:59 AM
 #19

This "scam" isn't really any different to the one where certain paper wallet generators were giving out a set of pre-generated private keys known to the scammers.

It could just as easily be perpetrated using any type of wallet... web wallet, desktop wallet, mobile app or a "scam" hardware wallet.

The key is to ensure you have some way of ensuring that the addresses being displayed do indeed belong to the seed/private keys being generated. In the case of hardware wallets, having 2 from different manufacturers is certainly one way to be able to determine if the addresses being displayed are indeed correct for a given seed.

However, as someone else mentioned earlier... it doesn't really guarantee that the seed/private keys themselves are actually being randomly generated. For that, you'd probably need to generate your own seed (offline) using dice or something similar.
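
Added example (not from the thread): one way to do the offline dice method mentioned in the post above, hashing the rolls with SHA-256 into 256 bits of entropy and computing the BIP39 word indices, checksum word included. Assumptions: the roll string is constructed sample data, hashing the rolls is one assumed choice of method, and each index still has to be looked up in the official BIP39 English word list (index 0 is the first word).

```python
import hashlib

MIN_ROLLS = 100  # 100 * log2(6) is about 258 bits, just over the 256 needed

# Constructed sample input; real rolls must come from physical dice.
SAMPLE_ROLLS = "123456" * 17


def dice_to_entropy(rolls):
    """Turn a string of six-sided dice rolls ("1".."6") into 32 bytes of entropy."""
    rolls = "".join(rolls.split())  # allow spaces or newlines between rolls
    if not rolls or any(c not in "123456" for c in rolls):
        raise ValueError("rolls may contain only the digits 1-6")
    if len(rolls) < MIN_ROLLS:
        raise ValueError("need at least %d rolls, got %d" % (MIN_ROLLS, len(rolls)))
    return hashlib.sha256(rolls.encode("ascii")).digest()


def bip39_indices(entropy):
    """BIP39: append the SHA-256 checksum bits, then cut into 11-bit word indices."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    checksum_bits = len(entropy) * 8 // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - checksum_bits)
    value = (int.from_bytes(entropy, "big") << checksum_bits) | checksum
    words = (len(entropy) * 8 + checksum_bits) // 11
    return [(value >> (11 * (words - 1 - i))) & 0x7FF for i in range(words)]


def checksum_ok(indices):
    """Check that a list of word indices carries a valid BIP39 checksum."""
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    if any(not 0 <= i < 2048 for i in indices):
        return False
    value = 0
    for index in indices:
        value = (value << 11) | index
    checksum_bits = len(indices) * 11 // 33
    entropy_len = (len(indices) * 11 - checksum_bits) // 8
    entropy = (value >> checksum_bits).to_bytes(entropy_len, "big")
    return bip39_indices(entropy) == list(indices)


if __name__ == "__main__":
    indices = bip39_indices(dice_to_entropy(SAMPLE_ROLLS))
    print(len(indices), "word indices:", indices)
    print("checksum valid:", checksum_ok(indices))
```
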

ben19850 (OP)
January 30, 2022, 04:19:02 PM
 #20

>> Let's say you make a fake HW wallet.
>
> I don't understand what you mean by making a fake hardware wallet. You mean an ordered or DIY-made device? Explain it better.
>
> You can add multiple passphrases to your wallet as extra protection that works only in combination with your seed words, but keep them in different locations.
> For accessing any funds on that wallet, you also need to have the PIN code, and you need to know the correct passphrase.
> You can also reset the device and generate a new random decoy wallet.

I mean make a fake device that is assumed to be 100% genuine (NOT FAKE),
but the guts are programmed to display a fake SEED, then a fake wallet address (a scammer-controlled address).