I thought I would never get hacked...

[logfiles]

Do you have in mind any keyboard that is relatively safe? Perhaps offline, or without cloud backup etc.

Choose a good wallet software if you are to use a mobile app.

Wallets like electrum for example have an inbuilt or virtual keyboard. That way, when you are typing your seed, you do it through the virtual keyboard and not those third-party keyboards on your mobile device.

Also, even importing a wallet, do it offline.

[apogio]

Do you have in mind any keyboard that is relatively safe? Perhaps offline, or without cloud backup etc.

Choose a good wallet software if you are to use a mobile app.

Wallets like electrum for example have an inbuilt or virtual keyboard. That way, when you are typing your seed, you do it through the virtual keyboard and not those third-party keyboards on your mobile device.

Also, even importing a wallet, do it offline.

Thank you very much! I will! At least I learnt something from my mistake.

[BitMaxz]

Thank you very much! I will! At least I learnt something from my mistake.

If you have two devices I suggest like others said make a cold/offline wallet with Electrum but this time never connect that device to the internet and make a watch-only wallet in another device where you can monitor your funds and make unsigned transactions and only use the Electrum cold/offline wallet when scanning and signing a transaction. It is way more safer than using Electrum as a hot wallet.

[NotATether]

You say you use Bluewallet, is it the android or iOS version (if applicable)? And where did you install it from, in the case of Android?

There are many 0-day vulnerabilities targeting older mobile OSes and it is possible that you were hacked with one of those.

[m2017]

I have been hacked yesterday. I had 2 UTXOs in a single-sig, hot wallet. My seed phrase was 12 words long. I had originally created the wallet using Bluewallet.

Here is the transaction: https://mempool.space/tx/dc8460f585ec591a3a8ee264f2604e868dfada4efdcc30eb4d21f97692289d37

I don't know you the thief is, but I really wish that they lose all of their belongings.

Even though I had a single-sig wallet. Even though I had not used my own node to connect to. Even though I have done many mistakes, stealing is not acceptable...

PS: I think there may be something wrong with windice.io. I had sent some sats multiple times to play some roulette. Maybe they are doing something suspicious. Anyway, I will blame myself only...

Please, tell me that there is nothing wrong with 12 words seed phrases. Tell me it was malware and it would have happened even if I used 24 words... I need to hear this.

Everyone is sure that hacking will not affect them and this problem will surely bypass them, creating trouble for others. Anyone but me - this idea is familiar to everyone. It is easy to deceive yourself and end up with losses.

What was the reason for your choice of Bluewallet and not Electrum? Of course, this will not change anything, and most likely it would not have changed even before hacking, because the malicious program would certainly have stolen from the electrum wallet as well. In your situation, only hardware wallet could save the contents or the multi-sig.

Just the mistakes made and poorly built protection are used by attackers. There is only one solution: to minimize errors and try to be as safe as possible.

Blaming yourself will not change anything, but finding your mistakes and finding out where you made a mistake, with their subsequent elimination, will be more beneficial for you.

More likely, having 24 words would make it harder for a malware, but would not save your wallet from being stolen. Surely it would be possible to say if you figure out the attack vector.

[goldkingcoiner]

I have been hacked yesterday. I had 2 UTXOs in a single-sig, hot wallet. My seed phrase was 12 words long. I had originally created the wallet using Bluewallet.

Here is the transaction: https://mempool.space/tx/dc8460f585ec591a3a8ee264f2604e868dfada4efdcc30eb4d21f97692289d37

I don't know you the thief is, but I really wish that they lose all of their belongings.

Even though I had a single-sig wallet. Even though I had not used my own node to connect to. Even though I have done many mistakes, stealing is not acceptable...

PS: I think there may be something wrong with windice.io. I had sent some sats multiple times to play some roulette. Maybe they are doing something suspicious. Anyway, I will blame myself only...

Please, tell me that there is nothing wrong with 12 words seed phrases. Tell me it was malware and it would have happened even if I used 24 words... I need to hear this.

Sorry about your loss. I hope you will soon find peace of mind.

From what I have read, I cannot tell you where you were not careful enough or how you could have stopped this from happening but I doubt it had nothing to do with 12 word or 24 word seed phrases. Although we all recommend you use 24 word, I doubt somebody brute-forced your seed phrase. I think what happened is that you might have a virus on your device or you stored your seed phrase in an unsafe way and somebody might stolen it without you noticing.

Best thing to do now is to get familiar with wallet security practices. OPSEC!

[apogio]

Sorry about your loss. I hope you will soon find peace of mind.

From what I have read, I cannot tell you where you were not careful enough or how you could have stopped this from happening but I doubt it had nothing to do with 12 word or 24 word seed phrases. Although we all recommend you use 24 word, I doubt somebody brute-forced your seed phrase. I think what happened is that you might have a virus on your device or you stored your seed phrase in an unsafe way and somebody might stolen it without you noticing.

Best thing to do now is to get familiar with wallet security practices. OPSEC!

Thanks for the kind words
I am much better. As I said it wasnt the amount I lost. It was the fact that I wasn't careful enough.

You say you use Bluewallet, is it the android or iOS version (if applicable)? And where did you install it from, in the case of Android?

There are many 0-day vulnerabilities targeting older mobile OSes and it is possible that you were hacked with one of those.

It is android version 12 and I downloaded the app from the playstore.

What was the reason for your choice of Bluewallet and not Electrum? Of course, this will not change anything, and most likely it would not have changed even before hacking, because the malicious program would certainly have stolen from the electrum wallet as well. In your situation, only hardware wallet could save the contents or the multi-sig.

Hello. I own a multisig vault, created with offline hardware wallets. I also own cold storage where I also use passphrase. But, like everyone else I also had a hot wallet with some small amount in it. And I lost it. I wanna see what I did wrong and get better. The other two wallets are perfectly safe, technically speaking, as long as I also keep the backups safe.

I chose BW instead of Electrum for no obvious reason. Possibly the simplicity and the minimalistic approach. I have only used it for my hoy wallet though. Not for my other wallets.

[hosseinimr93]

More likely, having 24 words would make it harder for a malware,

If a malware infects your device and makes your wallet compromised, your fund will be stolen and it doesn't matter whether your seed phrase includes 12 words or 24 words.

Although we all recommend you use 24 word, I doubt somebody brute-forced your seed phrase.

A 12 word seed phrase provides 128 bits of entropy and as already said, it's secure enough.

[apogio]

So today I will factory reset my phone. One question though. I have my xpubs for my multisig vault in my phones storage. Even though nobody can steal my money, if my phone is compromised they could spy on my wallet. Do you suggest I should create a brand new multisig vault and send my funds there?

[LoyceV]

if my phone is compromised they could spy on my wallet. Do you suggest I should create a brand new multisig vault and send my funds there?

That depends on your personal preference for privacy. But even if you move the funds, if they know your current public keys they can follow the money trail.

[apogio]

if my phone is compromised they could spy on my wallet. Do you suggest I should create a brand new multisig vault and send my funds there?

That depends on your personal preference for privacy. But even if you move the funds, if they know your current public keys they can follow the money trail.

Yes, except if I coinjoin them.

[Lucius]

F*CK! I am so stupid... Anyway, what has been done, has been done. I will only use desktop wallets.

If you think that you will be safer that way, it seems that you have not realized how risky it is to store sensitive information, regardless of whether it is a smartphone or a desktop computer. When it comes to a desktop computer, you can also very easily expose your seed if you enter it in another wallet and you have a keylogger on that device.

Devices on which you store private keys should be isolated from all possible risks arising from your daily activities, which means that you need a hardware wallet or an airgapped device. Even then, you should always be on your guard, because being your own bank means you need to be on the lookout for thieves, whether they're online hackers or bad guys in the real world.

[apogio]

F*CK! I am so stupid... Anyway, what has been done, has been done. I will only use desktop wallets.

If you think that you will be safer that way, it seems that you have not realized how risky it is to store sensitive information, regardless of whether it is a smartphone or a desktop computer. When it comes to a desktop computer, you can also very easily expose your seed if you enter it in another wallet and you have a keylogger on that device.

Devices on which you store private keys should be isolated from all possible risks arising from your daily activities, which means that you need a hardware wallet or an airgapped device. Even then, you should always be on your guard, because being your own bank means you need to be on the lookout for thieves, whether they're online hackers or bad guys in the real world.

Thanks, but as I said above, I have 99% of my sats in cold storage and the systems I use don't store anything in memory. As soon as the device is turned off it erases everything it has in memory

[Cricktor]

Every app on your phone has access to your keyboard inputs.

Really? Even when they're at the background? That would be a terrible flaw in Android!

It's not a flaw, it's a feature. I'm not an Android programmer but I read a lot about potential security stuff around digital devices. Any Android app can "subscribe" to be notified by system messages (don't pinpoint me on the correct jargon) if e.g. the clipboard changes and likely what is typed on the keyboard. Though I'm not sure if keyboard entries aren't some sort of private for the app that requested the keyboard entry. I wouldn't bet on it (a real Android dev surely knows better).

To boost security an app can and should ask for a private keyboard entry which should always be used for sensitive data. But the keyboard app has to follow this request properly, ie. don't do fancy online stuff and whatnot with that sensitive entry, particularly don't memorize or store the entry in some dictionary or blow it into the digital cloud. Decent keyboard apps should do this, but hell no you have no guarantee a keyboard app actually does it, unless you see and understand the source code or program it yourself.

The keyboard app in Android is a really sensitive and security important spot. There's a reason why e.g. Electrum on Android uses it's own keyboard entry method to enter recovery words. I praise Electrum for this. Unfortunately such security awareness is rare on other Android wallet apps.


I'm not entirely convinced that here the Android phone and the Swiftkey app are the main problem. The OP did some other bad things that he should avoid in the future.

• He handled recovery words on an online device outside of the original app (Bluewallet). Recovery words were fed into another wallet app. Don't do that on online/hot devices, period!
• He used 3rd party keyboard apps for entry of sensitive data. We agree, that's bad and should be meticulously avoided as you have no control whatsoever where your entry data diffuses to.
• He might have taken digital pictures of his recovery secrets. I don't know that, it was not talked about this. Of course, avoid this ever, too!

Recovery words are supposed to be backed up analog only, ie. paper or stamped in metal or similar analog and secure storage.
Maybe there's that went wrong, we don't know.

I can feel your pain. I would be totally pissed if that would happen to me even for the smallest amount that I would ever keep on a mobile phone wallet. I consider mobile phones as completely unsecure simply because a user does a hell of his internet shit on a mobile phone, install maybe questionable apps on it and just don't have much clue about security of such devices, not to mention the questionable update status of most Android devices once they get older.

[o_e_l_e_o]

Yes, except if I coinjoin them.

Well, it depends. If you coinjoin them and then store the xpubs of your new outputs insecurely again, then you will be back at square one.

Though I'm not sure if keyboard entries aren't some sort of private for the app that requested the keyboard entry.

Unless the app has its own virtual keyboard like Electrum, then they aren't. You can tell this simply by the fact that your predictive text carries over between apps and software, meaning anything you enter on the generic keyboard is not kept within whatever app you are using but is accessed by the wider firmware and even synced to the cloud to better "learn your writing style" (read: spy on you).

But the keyboard app has to follow this request properly, ie. don't do fancy online stuff and whatnot with that sensitive entry, particularly don't memorize or store the entry in some dictionary or blow it into the digital cloud.

Google were successfully sued a while back because if you turned off location gathering, Google still gathered all this data, they just didn't display it to you in your account when you accessed your location history page. I would not be in the least bit surprised if they still gathered all the sensitive data you enter via your keyboard, they just don't display it to you as an option for predictive text.

I'm not entirely convinced that here the Android phone and the Swiftkey app are the main problem. The OP did some other bad things that he should avoid in the future.

Completely agree. As I said above, this is just one possibility and the OP should not assume this is the cause without definitively proof. I was merely pointing out just how easy it is to be careless with your seed phrase, which should never have been entered on any keyboard at all.

[apogio]

I'm not entirely convinced that here the Android phone and the Swiftkey app are the main problem. The OP did some other bad things that he should avoid in the future.

• He handled recovery words on an online device outside of the original app (Bluewallet). Recovery words were fed into another wallet app. Don't do that on online/hot devices, period!
• He used 3rd party keyboard apps for entry of sensitive data. We agree, that's bad and should be meticulously avoided as you have no control whatsoever where your entry data diffuses to.
• He might have taken digital pictures of his recovery secrets. I don't know that, it was not talked about this. Of course, avoid this ever, too!

Recovery words are supposed to be backed up analog only, ie. paper or stamped in metal or similar analog and secure storage.
Maybe there's that went wrong, we don't know.

I can feel your pain. I would be totally pissed if that would happen to me even for the smallest amount that I would ever keep on a mobile phone wallet. I consider mobile phones as completely unsecure simply because a user does a hell of his internet shit on a mobile phone, install maybe questionable apps on it and just don't have much clue about security of such devices, not to mention the questionable update status of most Android devices once they get older.

I only kept the amount of money I was "comfortable" losing.  It is definetely true that I made multiple mistakes. In fact, I used to have hot wallets before, but I have never done any of these mistakes. And now, I made them all at the same time.

Well, it depends. If you coinjoin them and then store the xpubs of your new outputs insecurely again, then you will be back at square one.

Definetely true. I have decided to monitor my wallet on my Sparrow desktop app only. I will keep only one device to monitor my wallet. I will avoid using wallets on my mobile phone, except for Zeus wallet which is connected to my lightning node.

[Cricktor]

I only kept the amount of money I was "comfortable" losing.  It is definetely true that I made multiple mistakes. In fact, I used to have hot wallets before, but I have never done any of these mistakes. And now, I made them all at the same time.

Knowing best practices doesn't automatically mean we always obey the rules strictly. Me too, I do something stupid until I do it. Hopefully the loss isn't large then. It hurts my pride, I guess yours, too. We have to try hard to learn from such shit, stay more vigilant. It's human to make mistakes, but better don't do them twice or more. You know who's to blame then.
Easier said than done, though.

... I have decided to monitor my wallet on my Sparrow desktop app only. I will keep only one device to monitor my wallet. I will avoid using wallets on my mobile phone, except for Zeus wallet which is connected to my lightning node.

Sounds like a more safe approach. Monitoring wallets don't really need to get in touch with the recovery words, you can in most cases use only the extended public keys to setup a watch-only monitoring wallet. No risk to loose private keys this way if the monitoring device should get compromised. That's my approach if I want or need to look on my wallet(s) on a more frequently used daily driver or mobile phone.
Casual computing or gaming are another zone and I try to strictly separate this from more serious stuff.

[Lucius]

I only kept the amount of money I was "comfortable" losing.  It is definetely true that I made multiple mistakes. In fact, I used to have hot wallets before, but I have never done any of these mistakes. And now, I made them all at the same time.

I thought I would never get hacked...

There is a good saying that I have heard countless times in American movies that says "assumption is the mother of all fuc*ups", and if you think that something can't happen to you (and it happens to a lot of people every day), then you already have a big problem at the start.

Feeling comfortable and at the same time convinced that you are untouchable is a very dangerous combination.

[apogio]

I only kept the amount of money I was "comfortable" losing.  It is definetely true that I made multiple mistakes. In fact, I used to have hot wallets before, but I have never done any of these mistakes. And now, I made them all at the same time.

I thought I would never get hacked...

There is a good saying that I have heard countless times in American movies that says "assumption is the mother of all fuc*ups", and if you think that something can't happen to you (and it happens to a lot of people every day), then you already have a big problem at the start.

Feeling comfortable and at the same time convinced that you are untouchable is a very dangerous combination.

I don't really get your point though. The reason I lost money is because I screwed up. You are saying I have a problem. But in fact I have no problem at all. I will learn from my mistakes and everything will be alright.

[LoyceV]

I can feel your pain. I would be totally pissed if that would happen to me even for the smallest amount that I would ever keep on a mobile phone wallet.

I'd feel the same. But, on the other hand, you could consider it "a cheap warning": early enough to know something was wrong without high costs, and a good moment to re-evaluate your entire OPSEC.