Saint-loup
Legendary
Offline
Activity: 3206
Merit: 2522
|
 |
October 10, 2024, 05:49:40 PM |
|
[...] So inside their app, I get spam and scam links and providers of unknown identity for lending, staking, swapping, and anything that can be dangerous and malicious and risk every time that I open it, to be... blown up because I press a link inside their safe environment! Sorry my crypto fellows (guys and girls), but I refuse to do this and accept it as it was only my fault. Who can guarantee to me that they didn't know it? Who can say for certain that they just don't care to ensure that their control room of our funds is safe from traps? If they can't, which is obvious that they can't, then why the hell say that they are secure for people to use their products? If an experienced user of crypto can fall into this link, how many "simple" persons will do the same thing? Who is responsible for this product? Me? You? And just make it simpler. If I were The Ledger and you guys used my app to move your funds and do whatever you wish with them, it would be ok if inside my app you have even the slightest possibility of losing your money? Who has the responsibility of checking the app since it's not open source? It will be enough to just say to you that I don't have any responsibility if you press anything inside the app and lose your money? This means that I know that my app has links and scams and phishing etc like I'm the Telegram or Whatsapp! Anyway, I'm in talks with some lawyers since I strongly believe that there is a case here of mismanagement of a software product, insufficient security and control as well as the awareness that dangerous material is being trafficked within the software resulting in the loss of money of customers/users. Let's see, I will keep you updated.
I agree with you it's a new technology, very technical and complicated to understand, not user-friendly at all and full of scams and hacks, unfortunately.
So companies selling products should have the duty to inform and educate their customers about the dangers, or at least to put apparent warnings and block unsafe features of their products. Most risky features should only be available in advanced mode IMO, after an explicit reminder of the most common threats and unsafe behaviors. They are not selling material intended for engineers or even professionals but for the average Joe and Jane actually.
|
|
|
|
Stalker22
Legendary
Offline
Activity: 2198
Merit: 1552
|
 |
October 10, 2024, 07:01:40 PM |
|
Sorry, my question is kinda noob since I don't use any hardware wallet like Ledger. I just want to learn some of this matter. In this hack, is the private key compromised or is it just that condoras accidentally signed/allowed the hacker to transfer the tokens? Will the hacker also have access to different networks such as BNB, POL and other Ethereum sidechains?
I press a link from the Ledger Live app, the link takes me to a scam site and in order to confirm the syncing, I had to put my pass. Then I checked my account and everything was out. All the chains, all the assets (3 at that time) live in front of my eyes. 99.9% bot. Ledger didn't force me to use my hardware wallet, which is by their definition one of their big "security guns/ advantage". Now obviously is not!
I don't want to rub salt in your wound, but Ledger has not been "the most secure hardware wallet" for a very very long time. Despite their ads. I thought this was already common knowledge. At least since all the details about their "recovery" service became public.
|
|
|
|
|
GekkeBelg
|
 |
October 10, 2024, 07:06:23 PM |
|
Sorry, my question is kinda noob since I don't use any hardware wallet like Ledger. I just want to learn some of this matter. In this hack, is the private key compromised or is it just that condoras accidentally signed/allowed the hacker to transfer the tokens? Will the hacker also have access to different networks such as BNB, POL and other Ethereum sidechains?
I press a link from the Ledger Live app, the link takes me to a scam site and in order to confirm the syncing, I had to put my pass. Then I checked my account and everything was out. All the chains, all the assets (3 at that time) live in front of my eyes. 99.9% bot. Ledger didn't force me to use my hardware wallet, which is by their definition one of their big "security guns/ advantage". Now obviously is not!
Your pass/seed phrase or your password? And no single confirmation on your Ledger device needed?
|
|
|
|
|
condoras (OP)
In memoriam
Legendary
Offline
Activity: 3388
Merit: 1176
This is what I do. I drink and I know things.
|
 |
October 10, 2024, 11:07:34 PM |
|
Your pass/seed phrase or your password? And no single confirmation on your Ledger device needed?
My passphrase. Not a single one or a mandatory connection with the hardware device.
|
|
|
|
|
|
tabas
|
 |
October 10, 2024, 11:40:09 PM |
|
They have always the reminder on their website about these phishing attacks and it's placed on the top of their website. Beware of phishing attacks, Ledger will never ask for the 24 words of your recovery phrase. Never share them. Never share the 24 words of your recovery phrase with anyone under any circumstances.
#StopTheScammers
Ongoing phishing campaigns
Terribly sorry for the loss OP. I agree that on their end they should do something about those sketchy NFTs and projects that are being sent to their users like putting a warning or a note on the transaction and adding some red ink on it for the users to be warned and reminded to not interact with them.
|
|
|
|
|
GekkeBelg
|
 |
October 11, 2024, 01:37:30 AM |
|
Your pass/seed phrase or your password? And no single confirmation on your Ledger device needed?
My passphrase. Not a single one or a mandatory connection with the hardware device.
Okay, that is quite scary. Although alarm bells should always go off when you actively start entering your passphrase. That should never be necessary to enter for claiming an NFT I would think. It's probably 70% your fault and 30% Ledger.
|
|
|
|
|
JollyGood
Legendary
Offline
Activity: 3234
Merit: 2138
|
 |
October 11, 2024, 10:06:43 PM |
|
It was extremely sad when reading this thread.
I know others have stated this was a common tactic but I am not too familiar with Ledger now (but did know about it when it was first available), that is why this is new to me. Then somewhat later when they started their Ledger Recover business they made the news again therefore I took an interest and moved on. Now to read about malicious links albeit on the blockchain rather than Ledger itself, them not having a filter system has proven to be disastrous for victims.
The bottom line is you lost all of your assets and that is extremely sad news. I do not know what to say about any potential legal action you are taking against Ledger regarding your losses but it could take a very long time before even getting to a point of a hearing in court. I am sorry for your loss.
|
|
|
|
suchmoon
Legendary
Offline
Activity: 4144
Merit: 9533
https://bpip.org
|
 |
October 11, 2024, 10:28:05 PM |
|
Sorry my crypto fellows (guys and girls), but I refuse to do this and accept it as it was only my fault.
It was the scammer's fault of course. But I don't think Ledger (which I dislike quite thoroughly) is the scammer here. Not sure how these NFT links work, but assuming that Ledger could somehow control/filter/etc them, there is still a possibility that even a legitimate website can get hacked or your DNS can get compromised etc. As soon as you click out of an app, no matter how trustworthy it is, you're on big bad internet and you should be as alert as if you clicked a link in an e-mail titled "Nigerian prince needs your help". Beyond that, entering your passphrase on any website is always a very bad idea. Sorry to pile on and I know you already feel terrible but that's the reality.
|
|
|
|
|
logfiles
Copper Member
Legendary
Offline
Activity: 2674
Merit: 2255
|
 |
October 11, 2024, 11:39:05 PM |
|
My passphrase. Not a single one or a mandatory connection with the hardware device.
Condoras, these recent wallet drainer scams don't even need the seeds or private keys. Once you grant the website access to your wallet by entering the passphrase, that is enough for the scammer to drain your wallet. I don't know what kind of program or bot they use, but it works like magic. There have been quite a number of articles for such wallet drainer scams in the Beginners and help board. They range from malicious websites and fake tokens that can drain your wallet once you try to transfer them out by connecting to a specified website.
|
|
|
|
|
FinneysTrueVision
|
 |
October 12, 2024, 07:12:39 AM |
|
I've never heard of this type of scam either--but I don't quite understand how the scammers were able to drain your wallet because you visited a website. Did you have to enter information on it such that they'd gain access to whatever was in your Ledger?
That's what I would like to know as well, as every time you are sending something from Ledger, you have to press the physical button on the device itself to confirm it. Unless OP entered seed phrase, but since he is not new in all this, he probably didn't do that. Anyway, sorry to hear about your loss condoras, it sucks to lose the money that way.
On some blockchains you can authorize smart contracts to spend money on your behalf. Once they have gotten this authorization they can drain your wallet without a requirement that you approve subsequent transactions on your hardware wallet. From their reply to GekkeBelg it seems they didn’t even sign a malicious transaction but just entered their seedphrase into a phishing site. Most wallets, including Ledger Live, now have filters to prevent these situations but they are far from perfect and sometimes scam NFTs still get displayed in the interface. With self-custody, it is ultimately the responsibility of the end user to avoid making such naive mistakes like sharing their wallet’s seedphrase.
|
|
|
|
shasan
Copper Member
Legendary
Offline
Activity: 2898
Merit: 1415
Fast contact but no transaction: t.me/shasan32
|
 |
October 14, 2024, 06:02:18 PM |
|
I'm sorry to hear about your loss. As far as I understand it is not your fault as the app of the ledger redirected you to the phishing site. I think their app has been hacked or some feature has been hacked that's why it has happened and you could not connect with their support team.
|
|
|
|
crwth
Copper Member
Legendary
Offline
Activity: 3458
Merit: 1399
crwth.gunbot.com
|
 |
October 14, 2024, 06:59:59 PM |
|
I am sorry for your loss, OP. Since the advertisement was shown through the Ledger app, I’m not sure, but they should be somewhat accountable for allowing it to happen. They are not fully responsible, but they should be some help towards getting the justice that you deserve.
I have used a tool called Pocket Universe. It protects and shows what you are blindly signing. It could prevent you from signing and allowing access to your wallet. I am still using my ledger with that, but it’s through MetaMask, so it would protect it as well.
|
|
|
|
duke_otc
Copper Member
Jr. Member
Offline
Activity: 162
Merit: 6
|
 |
July 22, 2025, 06:18:26 PM |
|
i got a newbie question about this. if he got hacked because he linked his wallet to a fraud website does that mean if you connect the wallet to a genuine website they also can take everything if they decided to become bad or if they got hacked?
btw sorry for your loss
|
|
|
|
|
JollyGood
Legendary
Offline
Activity: 3234
Merit: 2138
|
 |
July 22, 2025, 06:57:01 PM |
|
A lot of members expressed sadness at what had happened. If there had been any updates or if anything had transpired in the interim, I am sure condoras would have updated the thread. Keeping that aside, of all the threads you could have bumped you chose this one. Did you consider creating a thread to ask the question?
As far as I know, the answer to the question is "yes".
|
|
|
|
Zwei
Legendary
Offline
Activity: 1988
Merit: 1173
Trêvoid █ No KYC-AML Crypto Swaps
|
 |
July 22, 2025, 07:00:12 PM |
|
i got a newbie question about this. if he got hacked because he linked his wallet to a fraud website does that mean if you connect the wallet to a genuine website they also can take everything if they decided to become bad or if they got hacked?
just connecting your wallet alone won't cause that to happen, even if the website turns bad or gets hacked. it all depends on the permissions you approve. you go to website A (genuine), you connect your wallet, you start a transaction, they ask for permission to move X amount of coins for X transaction, you approve it, they can only move that X amount and only do X transaction. now you go to website B (not genuine), you connect your wallet, you start a transaction, they ask for permission for full control to spend your coins, you don't pay attention and approve it, your coins are gone and there is nothing you can do about it.
|
|
|
|
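Added example, not part of any post in this thread: a small pre-signing check that decodes the kind of permission request described in the reply above and in the earlier reply about authorizing smart contracts. It assumes an EVM chain and the standard ERC-20 `approve` / `increaseAllowance` and ERC-721 `setApprovalForAll` calls (the thread does not say which call, if any, was involved here); the spender address and all calldata are constructed samples.

```python
# Added example: classify token-permission calls before signing (EVM chains assumed).
# Selectors are the standard ERC-20 / ERC-721 ones; all sample calldata is constructed.
SELECTORS = {
    "095ea7b3": "approve",            # approve(address spender, uint256 amount)
    "39509351": "increaseAllowance",  # common ERC-20 extension, same argument layout
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address operator, bool approved)
}

def classify_calldata(data_hex, needed_amount=None):
    """Return (function, spender, value, verdict) for one transaction's calldata."""
    h = data_hex[2:] if data_hex.lower().startswith("0x") else data_hex
    try:
        raw = bytes.fromhex(h)
    except ValueError:
        return ("unknown", None, None, "REJECT: calldata is not hex")
    name = SELECTORS.get(raw[:4].hex())
    if name is None:
        return ("other", None, None, "not a permission call")
    args = raw[4:]
    if len(args) != 64 or any(args[:12]):  # two 32-byte words, address zero-padded
        return (name, None, None, "REJECT: malformed arguments")
    spender = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:], "big")
    if name == "setApprovalForAll":
        verdict = ("DANGER: operator can move every token of this collection"
                   if value else "ok: revokes operator")
        return (name, spender, bool(value), verdict)
    if name == "approve" and value == 0:
        return (name, spender, 0, "ok: revokes allowance")
    if value >= 2**255:
        verdict = "DANGER: effectively unlimited allowance"
    elif needed_amount is not None and value > needed_amount:
        verdict = "WARN: allowance exceeds what this transaction needs"
    else:
        verdict = "ok: bounded allowance"
    return (name, spender, value, verdict)

# Constructed samples: a made-up spender address and three permission requests.
SPENDER = "ab" * 20
def _call(selector, value):
    return "0x" + selector + SPENDER.rjust(64, "0") + format(value, "064x")

SITE_A = _call("095ea7b3", 100 * 10**6)   # "move X amount for X transaction"
SITE_B = _call("095ea7b3", 2**256 - 1)    # "full control to spend your coins"
NFT_ALL = _call("a22cb465", 1)            # operator rights over a whole NFT collection

if __name__ == "__main__":
    for label, tx in (("site A", SITE_A), ("site B", SITE_B), ("NFT", NFT_ALL)):
        print(label, classify_calldata(tx, needed_amount=100 * 10**6))
```

A check like this only covers on-chain approvals; it does nothing for a seed phrase or passphrase typed into a website.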
roemer
Newbie
Offline
Activity: 56
Merit: 0
|
 |
July 22, 2025, 07:14:06 PM |
|
you would have had to manually confirm the transaction typically so this story doesn't add up unless you accidentally confirmed the transfer on the actual device. I have not heard of this type of scam yet however I've seen one that requires you to send funds to access a wallet and autosweeps it through a contract to another address instantly.
|
|
|
|
|
shasan
Copper Member
Legendary
Offline
Activity: 2898
Merit: 1415
Fast contact but no transaction: t.me/shasan32
|
 |
July 23, 2025, 08:14:29 PM |
|
A lot of members expressed sadness at what had happened. If there had been any updates or if anything had transpired in the interim, I am sure condoras would have updated the thread. Keeping that aside, of all the threads you could have bumped you chose this one. Did you consider creating a thread to ask the question?
As far as I know, the answer to the question is "yes".
There is nothing except expressing sadness. OP has not yet updated anything about the ledger hacked as nothing has happened, I mean OP was not able to recover the funds from the hacker. The hacker is so smart that the expert user has fallen into their trap.
|
|
|
|
|