My ledger got hacked

[Kittygalore]

From all of these suggested possibilities, I do admit I saved the seed in my google drive. To access my gmail account though, requires 2FA. Google did not notify me for a remote login etc. I used the same seed since 2017 on the same ledger device.

If they did get access of your computer then they've probably spoofed your email to somehow circumvent the 2FA, it's not a new thing, a lot of hackers use that to try and bypass 2FA and if they're able to do that then you wouldn't notice that they've logged in. Plus, you have a physical device so it's much more difficult to access your wallet in that manner. Can you show us the transactions?

[matjas]

Saving seed online defeats the purpose of having a ledger in the first place. Thats is worse than saving your private key on your email because with seed, you dont need anything else to access your wallet.
I am worried for having seed written on two pieces of paper at home in case of fire or something, dont even imagine how paranoid i would be if i saved it online.

[mocacinno]

I was thinking about this during the night... And i did manage to think up some more scenario's:

You saved your seed in your google drive. IF you have your drive open on your device AND the device contains malware, said malware should be able to access your drive from your actual device, not needing the 2FA (since you'll provide the 2FA token yourself when you use drive on the infected device).

A second one would be if you used the wifi in the airport and didn't use a vpn, there are still attack vectors if you do this... https://www.cloudwards.net/dangers-of-public-wifi/ (not mine, just one of the first google hits i got when searching for the dangers of using public wifi). Some of these attack vectors might be able to steal your google credentials, install malware,...

Bottom line is: it's allmost impossible somebody randomly guessed your 24 words in the correct order. The odds are so close to 0, that in reality you could say they're ~0.
I know, i know, when you see 24 words, you'll always think: "hey, it should be easy to brute force such a seed". But it's not... Ledger used to have a really interesting article about this, but they removed it when they cleaned up their site, but it's still in the google cache: https://webcache.googleusercontent.com/search?q=cache:xR-zGi4JaQ0J:https://ledger.readthedocs.io/en/stable/background/master_seed.html+&cd=1&hl=nl&ct=clnk&gl=nl

So, there are only 2 types of attack vectors left: either somebody got to your seed, or somebody compromised your ledger device... And in all fairness, it was probably the seed you saved in your google drive... Am i 100% sure: no, but the odds are stacked against you.

It's like if i rented a super new and hard to brake anonymous safe deposit box in the public basement of a bank, but i stored the key, the combination to the lock and the directions to the safe deposit box together under a rock in my front yard: if i get robbed, there's a small chance the robber found a way to break into a super hard to brake deposit box by crafting a new key and using a stethoscope to find my combination, but the odds are far bigger he just saw a strange rock in my front yard, picked it up and found a key, combination and directions to my safe...

Saving a hardware wallet's seedphrase in a cloud storage is reducing your hardware wallet's security to the level of any run of the mill online wallet.

Now, the above bolded part might seem like i'm victim blaming, but believe me: i'm not... I just tought it needed to be bolded out to make sure newbies with the same idear as you had see this part straight away. I'm very sorry for your loss (like it has been said before: transactions are irreversible). Even if you made mistakes, nobody has the right to take your funds from you... It's not because i leave the doors to my house open that somebody has the right to steal my stuff... But if i want to know why my stuff has been stolen: it's because i left the front door open...

[Kakmakr]

I think the obvious question to ask OP, is if he travels with his "Seed"?

You cannot transfer tokens out of the physical ledger (hardware wallet) ...without having the PIN and having access to the physical device. (I have to confirm the transfer of tokens on the Ledger Nano, with a key press and the PIN) 

So, the only way for people to get access to your coins, would be if you kept your Ledger Seed in your luggage and when they searched your luggage, one of those people took a photo of the Seed and then imported that to another software wallet and took the tokens on that wallet. 

I hope you do not travel with your Seed? 

[Lucius]

@psycoclan1, now that we're pretty sure how your digital assets were stolen, it would be a good idea to edit the title - it's not your device that has been hacked, but someone has come into possession of your backup in one way or another. Unfortunately, this only proves that the weakest link in the security chain is still a person, and storing such sensitive data online is so wrong that it is not clear to me how anyone can do it at all.

You didn't write if someone stole $100 or $10 000 from you, but you can report the case to the police or hire a professional who can try to track the transaction and possibly find the perpetrator.

[raidarksword]

What a unfortunate way of losing your funds and it's sad  that to happen in any person in the crypto world to be hacked. With so many hack incidents lately it's always to keep our seed safe from intrusion and that's the only way of preventing these to happen in the future. Connecting to public wifi is also risky and maybe that's the reason your assets were hacked.

[hannahB4]

I am so sorry for this, I thought this happens to a newbie but when I saw it 4 years down the line I know it was not a joke. I recently got to know that using public wifi is bad and can easily access ones' IP address and all.

[psycoclan1]

Hi guys, thank you all for your replies. I spent a lot of time today to update my security protocols. 1 of my main protocols was not to connect to public wifi and routers I dont personally own, or know they are safe. At airports I always use my mobile hotspot. Except yesterday. Yesterday, my mobile was running out of battery and while I was charging it, I decided to connect to public wifi to do some work. Unfortunately, previous weeks were too stressful for me, and I didnt even think about my protocol. I cannot prove it's the wifi but today I realised this :

My laptop must have a malware, I tried to move all of my other funds from the ledger to exchanges until I sort my computer and my ledger out. I tried to copy an 0x hex address from the exchange, and when I pasted it, it was a different address!!!!

This is the transaction where my ledger funds were transferred to another address :

https://blockstream.info/tx/9744253a268a18c61b2d33addc0dcbcfae7e8471985868adcd001e396299d609


Whoever this person is, has made 0.5btc in less than 3 days.

[Wakate]

This might have happened through your connection to public WiFi which is never advisable for me. There more sophisticated tools hackers do use on public WiFi that do make connected devices to be vulnerable to them and becoming easier to manipulate. If you know that you have significant data on your system, it's better you keep it off from public WiFi than to lost your information.

I was almost a victim of hack the very time I connected my phone to public wifi. I was enjoying the free data I was using but suddenly my phone started hanging and I knew something is fishy somewhere. Within few seconds I noticed that my phone started operating itself without my consent which enlighten me of how dangerous connecting to public WiFi could be.

[swiftxi]

Dont use google chrome, for anything. Even they announced about a week ago that it has been easy to exploit its software for the past months !

[crypto-recovery]

These clipboard hijackers are nasty -- you can read about them here: https://www.bleepingcomputer.com/news/security/clipboard-hijacker-malware-monitors-23-million-bitcoin-addresses/

Any time you paste a crypto address, you need to check that the first few and last few characters of the address that you paste matches the address that you copied. 

(Ideally you'd check every last character of the address.  It's theoretically possible, but computationally expensive, for this malware to create a public address ahead of time for each of the addresses that they are watching that matches on the first few and last few characters).

BTW, it really is worth reporting this to the police.  You never know when a criminal will be caught, and they could sitting on a private key that generated the address where your funds are.  It's certainly possible -- though unlikely -- that you could get your money back.  It has happened before (at least in the case of crypto scams -- there are a couple of examples at the end of this article: https://cryptoassetrecovery.com/2021/07/15/best-practices-recover-funds-from-crypto-scams/)

[BuyingBitcoin]

Never leave your password on your laptop or online server. I keep my passwords on two portable flash disks in case one fails. Which is the safest possible option. Clean your PC of malware and avoid fake websites that looks like the original website that steals your Metamask.

[awsdepot]

Hi guys,

unfortunately, my ledger hardware got hacked last night and 100% of the funds were transferred into another address. I have no idea how this happened. I have never shared my seed words to any websites. I used the same wallet for over 4 years with no problem. The only thing I can think of is that I connected my laptop yesterday afternoon in a public wifi hotspot at stansted airport, in London. I flew from there later that day, and as soon as i landed, i checked the balance and it was 0!!! Any idea how did this happen, as Im running out of hope!

Public Wifi has nothing to do in your case unless your machine was itself infected in the first place. because the ledger has its own security mechanism.
since your saved your seed in the cloud. that seems the culprit.

also, never use any app which facilitates your SMS from your phone to your machine like YourPhoneCompanion in android and messages/imessages in mac. and also don't install 2FA apps in your machine like Authy. use them on your phone only and do not connect your phone with your machine all the time. do so while your internet connection is off.

and nope, guessing your seed is impossible. don't even think about it.
It may be someone in your close proximity who might be snooping on you. that's what I can think of in my expert opinion.

[Lucius]

My laptop must have a malware, I tried to move all of my other funds from the ledger to exchanges until I sort my computer and my ledger out. I tried to copy an 0x hex address from the exchange, and when I pasted it, it was a different address!!!!

If I understood you correctly, only BTC was stolen with the help of clipboard malware - which means that you had to make a transaction in which the malware replaced the address, and that the seed was not compromised.

This is the transaction where my ledger funds were transferred to another address :
https://blockstream.info/tx/9744253a268a18c61b2d33addc0dcbcfae7e8471985868adcd001e396299d609

Coins are still at that address, but by checking it I didn't find that it can be connected to some crypto service. What you can do right now is write an email explaining your situation and sending it to as many crypto-exchanges as possible, because a hacker might make a mistake and send stolen funds to one of those exchanges - and they can then freeze coins. What you definitely need to do is sign messages from all the addresses from which the BTC was stolen as proof that you are indeed the real owner.

I won’t lie to you that your chances are great, but you have the choice to come to terms with the loss, or to try to do something.

[psycoclan1]

If I understood you correctly, only BTC was stolen with the help of clipboard malware - which means that you had to make a transaction in which the malware replaced the address, and that the seed was not compromised.

This is the transaction where my ledger funds were transferred to another address :
https://blockstream.info/tx/9744253a268a18c61b2d33addc0dcbcfae7e8471985868adcd001e396299d609

Coins are still at that address, but by checking it I didn't find that it can be connected to some crypto service. What you can do right now is write an email explaining your situation and sending it to as many crypto-exchanges as possible, because a hacker might make a mistake and send stolen funds to one of those exchanges - and they can then freeze coins. What you definitely need to do is sign messages from all the addresses from which the BTC was stolen as proof that you are indeed the real owner.

I won’t lie to you that your chances are great, but you have the choice to come to terms with the loss, or to try to do something.

No, I didn't make any transactions at the time while I was waiting at the airport. I don't make transactions when I am at public places and I didn't need to make any transaction at that time. I found out that my copy-paste function has been compromised yesterday, when I tried to send the funds away from the hardware wallet. I double checked the address I copied and paste and they didn't match! So I stopped, I downloaded kaspersky, paid for it, set it up properly, reboot the pc, the malware gone!

I still don't know how the hack happened. but I am sure it happened at the Stansted airport.

I thought the same, to write emails to as many exchanges as possible and hope that they will freeze the funds. I am also going to meet the airport manager if possible to explain the situation. If their wifi is not safe for public use, then they should take immediate action.

[o_e_l_e_o]

-snip-

Even if OP did not make any additional mistakes beyond storing his seed phrase on the cloud, or was using a perfectly clean computer on his own private WiFi, his seed phrase could still easily have been stolen from the cloud. We have no idea how many servers around the world OP's seed phrase was copied to, how secure those servers were (physically or digitally), which Google employees or third party employees could access them, how robust their encryption algorithms are, and so on. Google don't exactly have the best security practices, previously being caught storing passwords in plaintext for 14 years. This is why cloud storage is always a risk - you have absolutely no idea who else can access it.

Ideally you'd check every last character of the address.

There is no real reason not to do this. It takes a few seconds at most, and guarantees your security. Checking only the first ~3 and last ~3 characters still leaves you open to a small risk of theft from clipboard malware, and this risk will only increase over time as hardware becomes more powerful and vanity address generation becomes quicker.

No, I didn't make any transactions at the time while I was waiting at the airport.

There is absolutely nothing stopping your laptop from having multiple different pieces of malware on it, one which will change your clipboard and another which will steal your seed phrase. Indeed, the fact that you have one piece of malware on your laptop increases the risk of you having others, since you clearly do not have the best security practices or behaviors. I would be formatting that laptop and starting from scratch.

[Lucius]

No, I didn't make any transactions at the time while I was waiting at the airport.

In that case, it's not clipboard malware, though it's weird that the hacker didn't touch anything but Bitcoin - unless the rest of the coins you had are not worth the effort. The only logical thing is that your seed is compromised.

I am also going to meet the airport manager if possible to explain the situation. If their wifi is not safe for public use, then they should take immediate action.

Are you sure you have connected to the official wi-fi from the airport? Such public places are ideal for what is called an evil twin attack, and if you were connected to such a fake network and logged in to your e-mail or any other service, all your data fell into the hands of hackers.

[dkbit98]

Nobody knows my credentials (as far as I know). It was just me and noone else around.

Google knows your credentials, and what's the point of hardware wallet if you are going to keep seed words online...
Your ledger was probably not hacked, but you made some mistake, and it's possible that you had some clipboard malware on your computer.

Is there any possibility that anyone could guess the 24 words correctly randomly?

Don't be silly please  

[psycoclan1]

Are you sure you have connected to the official wi-fi from the airport? Such public places are ideal for what is called an evil twin attack, and if you were connected to such a fake network and logged in to your e-mail or any other service, all your data fell into the hands of hackers.

First thing I checked was the portal, where I put my credentials. So I went back to my browser history and this was the URL : portal.live.virginwifi.com

I couldn't access it, shows error 500, i guess because Im not connected to the AP. The details I used to connect where random. Something like test/test etc. I didnt use my real info.

The ssid I connected was : _stanstedairport_WiFi. I have already contacted the airport and I gave them the SSID, in case it was a fake SSID

[Saidasun]

Export the history of your browser and take a look at each individual website that you visited and check any downloads that you recently downloaded which should be stored on your browser. The only way that someone could take that Bitcoin would be if your computer was hacked by a virus. The Trezor requires confirmation on the device to send a transaction which requires physical access. They would not be able to withdraw funds without that physical access unless you disabled that before it got hacked. Are you sure you did not make a mistake instead?

Are you sure you have connected to the official wi-fi from the airport? Such public places are ideal for what is called an evil twin attack, and if you were connected to such a fake network and logged in to your e-mail or any other service, all your data fell into the hands of hackers.

First thing I checked was the portal, where I put my credentials. So I went back to my browser history and this was the URL : portal.live.virginwifi.com

I couldn't access it, shows error 500, i guess because Im not connected to the AP. The details I used to connect where random. Something like test/test etc. I didnt use my real info.

The ssid I connected was : _stanstedairport_WiFi. I have already contacted the airport and I gave them the SSID, in case it was a fake SSID

You should never use public wifi for sending Bitcoin transactions but the question is how did they get physical access to your device to confirm the sending of Bitcoin?