Essentialy (OP)
April 24, 2025, 01:20:04 PM
Hello, respected community.
I’m reaching out for help and any kind of assistance regarding a serious incident — approximately 1 BTC and 0.3 ETH have disappeared from my Ledger Nano S wallet.
On March 18, 2022, I installed the then-latest version of Ledger Live on my MacBook 12", and initialized a brand-new Ledger Nano S, generating a fresh seed phrase which I wrote by hand on paper and stored securely in a private safe.
I created Bitcoin and Ethereum accounts and deposited funds via these transactions:
- `0x37dff9fc7843cee99a3ce1e8883cba2da05273893c8a981afd1a73d438eadcc7`
- `0x61f3753f2e221ffaf7e2ab857e8b015cf1879e1a57c744954e637cdb82976ff5`
- `60191d1b713f7df8cafee6fa0e4541610ed4c5af184e66f20457bb9c5f25a403`
- `75f1508c62e10a6a8aa66146c1c34b0ac06dbd1f6316e8644336706042bbd186`
- `1321b429c6aa21960fc9fde1043981f5cae9bec7afdbc74f35847c7bff14277a`
- `edfaedd512f6f50aa1578d0f7efbdc1d38cb3969b658d788528d1a375a10a899`
After the deposits, I disconnected the Ledger device and stored both the Nano S and the seed phrase in a safe. Since then, I had not used the device or opened Ledger Live at all.
On January 5, 2024, I updated Ledger Live and the firmware, and discovered that both accounts were empty. Two unauthorized outgoing transactions were found:
- BTC: `c4c997a768306d0eebc496511e70e3d219f4cdc2559ad6179dd10597bad4a372`
- ETH: `0x15322ef5cb28c0554fcb3b0c15fa41364d1eb2d4ad88efb569d43a95d2bd3c3d`
I immediately contacted Ledger support. Their response suggested that the seed phrase must have been compromised, which I find impossible, as both device and seed were physically secure and never exposed.
Out of curiosity, I reset the device and generated new seed phrases. All were unique, confirming that the device itself is working correctly.
I am hoping that someone in the community might:
- Help analyze the destination addresses and transactions.
- Suggest possible attack vectors.
- Provide insight into similar cases or Ledger-related compromises.
- Raise awareness if this was part of a larger, yet-undiscovered breach.
Any thoughts, clues, or suggestions will be greatly appreciated.
Thank you in advance.
Porfirii
April 24, 2025, 01:33:10 PM
First of all, welcome to the forum, Essentialy, and secondly, I feel really sorry for what you've suffered. Using a HW is way more than most people do to store their coins safely, and it must be really hard to realise that although following the right steps, some money you counted on simply disappeared.
I'm afraid that I can't help much as my technical knowledge is less than basic, but from other cases I read in the past the most probable answer is that your pc was already infected when you created the seed. Otherwise, it could be because someone got access to your keys, but if you wrote it and immediately stored it in a safe, and you're sure that no one has had access to that safe, a very improbable, yet not impossible theory, could be that your phone or webcam were compromised (quite an incredible theory, but I've read about it more than once in the past).
I hope you get more help from other users with better knowledge and you get your coins back, or at least know where they ended.
rdluffy
April 24, 2025, 02:04:24 PM
> ... I'm afraid that I can't help much as my technical knowledge is less than basic, but from other cases I read in the past the most probable answer is that your pc was already infected when you created the seed. ...

Even if the PC is infected, a seed generated by a hardwallet cannot be exposed, since it was generated on the device itself, offline.

To the OP: I saw that you started your wallets in 2022, and it was only in 2023 that this balance was moved, which, following logic, must not have been a hack at the time of creating your wallet but something later, since a hack would make the transfer at the same time as it had access to your wallet.

The most likely hypothesis is that your seed was exposed. There's no chance that someone had access to your seed in the safe? Could someone have managed to access it? Where did you buy your Ledger?
Findingnemo
April 24, 2025, 02:16:46 PM
Did you opt for the Ledger recovery service? They were sending the extracted seeds and sharing them with a third party, which was exposed around the time period that your transaction happened.

Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities

If you didn't, then you must have exposed your private keys or seed at some point. Are you sure that you haven't entered the seed anywhere? Like a digital backup, drive,...

Finally, why after 2 years?
Essentialy (OP)
April 24, 2025, 02:34:37 PM
> Did you opt for the Ledger recovery service? They were sending the extracted seeds and sharing them with a third party, which was exposed around the time period that your transaction happened.
>
> Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities
>
> If you didn't, then you must have exposed your private keys or seed at some point. Are you sure that you haven't entered the seed anywhere? Like a digital backup, drive,...
>
> Finally, why after 2 years?

No, I didn't use the optional Ledger recovery service
Findingnemo
April 24, 2025, 04:51:13 PM
> No, I didn't use the optional Ledger recovery service

Then, it must be some error from your side. What about backups? Are you sure that no one had accessed it?

In 2020 there was a data breach that exposed the email and other user details that were used for Ledger; later it was used for phishing attacks and impersonation of the official support team. Do you remember receiving any such email?

And you still haven't answered why it took 2 years...
Forsyth Jones
April 24, 2025, 07:15:40 PM
I'm really sorry about what happened to you, even though you followed the minimum security practices of a HW, somehow someone gained access to your funds.

Unfortunately, I don't know of any cases where victims of compromised wallets got their funds back, because in addition to bitcoin transactions being irreversible, BTC addresses cannot be linked unless they have been transferred to an account with KYC (exchanges), even more so if there is no immediate action after the theft. However, the theft occurred 3 years ago... In that time, the funds may have been diluted among several addresses, passed through mixers to make their trace even more difficult and even exchanged for other coins, making the task of reaching the current holder of the funds an unattainable task.

If I had about 1.0 BTC and a few other coins, I wouldn't go so long without opening the wallet and checking the funds.

And regarding the possibility that allowed the wallet to be compromised, unfortunately I don't see any other alternative other than the recovery phrase having been exposed online due to some carelessness at some point or some physical access to the vault, and even though the Ledger Nano S is a hardware wallet, I wouldn't store 1 BTC in such a cheap device, I would divide the amount into open source wallets like Trezor, with passphrases enabled.

OP, did you use a passphrase? This is an additional protection for your funds, it could have protected your funds, because even if the seed had been compromised, the attacker would need the passphrase to access the hidden wallet.

I hope this doesn't discourage you, look into air-gapped devices like Coldcard, Passport or even how to do cold storage with an airgapped laptop/PC. Review the computer, do a complete check, as well as format it completely.
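The passphrase protection raised in the post above, as an added example that is not part of the original thread: under BIP-39 the passphrase is mixed into the salt when the recovery words are stretched into the wallet seed, so the same words with a different passphrase give an unrelated wallet. The helper names `master_key_tag` and `wallets_for` are hypothetical, and the phrase is the public BIP-39 test vector, not a real wallet.

```python
import hashlib
import hmac
import unicodedata

# Public BIP-39 test-vector phrase (all-zero entropy); never a real wallet.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic, passphrase=""):
    """BIP-39 seed: PBKDF2-HMAC-SHA512 over the words, salt "mnemonic"+passphrase."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def master_key_tag(seed):
    """Short label for the BIP-32 master key of a seed (hypothetical demo helper)."""
    # BIP-32: I = HMAC-SHA512(key="Bitcoin seed", data=seed); I[:32] is the master key.
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return hashlib.sha256(i[:32]).hexdigest()[:12]


def wallets_for(mnemonic, passphrases):
    """Map each candidate passphrase to the tag of the wallet it opens."""
    return {p: master_key_tag(bip39_seed(mnemonic, p)) for p in passphrases}


if __name__ == "__main__":
    # Same 12 words, four passphrases: four unrelated wallets, and no error
    # for the "wrong" ones. A typo silently opens a different, empty wallet.
    for phrase, tag in wallets_for(TEST_MNEMONIC,
                                   ["", "TREZOR", "trezor", "TREZOR "]).items():
        print(repr(phrase), "->", tag)
```

Someone who copies only the written words reaches the empty-passphrase wallet; the passphrase itself has to be kept secret and backed up separately, because nothing on the device can tell the owner that a mistyped one is wrong.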
Meuserna
April 24, 2025, 07:57:26 PM
I agree, the most likely scenario here is that somebody found the OP's seed. Let's say it was stored in a safe. Somebody found the combo, or somebody found the key.

Remember, OP: they don't need to steal the paper your seed is written on. They'd just take a picture of your words. That's all they need to steal your coins later.

> Even if the PC is infected, a seed generated by a hardwallet cannot be exposed, since it was generated on the device itself, offline

Ledger hardware uses closed source code, so there's no way to prove that is true. Sadly. It is possible that seeds on Ledger hardware can be accessed over the internet. The code is closed source, so we just don't know.

I wish people would stop making assumptions about the safety of devices that run closed source code. Closed source code is like a meal where the cook won't tell you what's in it.

Closed source code cannot be trusted, because closed source code cannot be verified. Anyone who says otherwise is someone you should not trust, if you value the security of your Bitcoin.

> To the OP I saw that you started your wallets in 2022, and it was only in 2023 that this balance was moved, which following logic, must not have been a hack at the time of creating your wallet but something later, since a hack would make the transfer at the same time as it had access to your wallet

Probably, but not necessarily. There's always the chance that somebody who hacked Ledger's code would sit on keys they acquire in order to not let Ledger know their code has been hacked. I don't think this is likely in this case though, but it's a possibility.

I strongly suspect that when the code for Ledger gets hacked, we won't know about it for months, if not longer, because the hackers would want to steal as many keys as possible before Ledger realizes there's a problem, since patching the code would cut off the hacker's access to stealing people's keys.

Closed source code cannot be trusted, because closed source code cannot be verified. Anyone who says otherwise is someone you should not trust, if you value the security of your Bitcoin.
BitMaxz
If your backup has never been exposed, there's another reason why those funds were suddenly transferred to another wallet.

These two unauthorized transactions were made on June 7, 2023:
- BTC: `c4c997a768306d0eebc496511e70e3d219f4cdc2559ad6179dd10597bad4a372`
- ETH: `0x15322ef5cb28c0554fcb3b0c15fa41364d1eb2d4ad88efb569d43a95d2bd3c3d`

I would like to ask if you had some activity using Ledger Nano at that time, around June 2023? Have you accessed some Web3 sites and used Ledger Nano at that time?

Because the only thing I could see is that if you connected your Ledger Nano S to a Web3 site and approved it around June 2023, there's a possibility of a suspicious attack that you didn't notice while connected to a Web3 site.

Honestly, I don't trust the Ledger Nano wallet. It was discussed before that the Ledger wallet doesn't have an open-source code, so we do not know how this wallet works or if Ledger is syncing or has a cloud backup of our wallet. Then your wallet is compromised. Many people here already warn many users not to use closed-source hardware wallets because of those possibilities.

For me, I will switch to another hardware wallet with open-source code like Trezor.
satscraper
April 25, 2025, 05:12:52 AM Last edit: April 26, 2025, 07:20:33 AM by satscraper
> These two unauthorized transactions were made on June 7, 2023:
> - BTC: `c4c997a768306d0eebc496511e70e3d219f4cdc2559ad6179dd10597bad4a372`
> - ETH: `0x15322ef5cb28c0554fcb3b0c15fa41364d1eb2d4ad88efb569d43a95d2bd3c3d`

Correct, and it means that the update of both firmware and Ledger Live that happened on January 5, 2024 doesn't bear upon the situation.

I believe the issue might have more to do with the social factors than technical ones. It's possible that someone in his close circle knew about the contents of his private safe and seized the occasion.

Another possibility is that he could be the victim of the supply chain attack. However, for us to better understand, the OP should clarify how exactly their device was acquired.
Cricktor
April 27, 2025, 12:07:41 AM Last edit: April 27, 2025, 12:25:35 AM by Cricktor
> On March 18, 2022, I installed the then-latest version of Ledger Live on my MacBook 12", and initialized a brand-new Ledger Nano S, generating a fresh seed phrase which I wrote by hand on paper and stored securely in a private safe.

I don't recall that you answered the question of a previous poster from where you got your Ledger Nano S. The origin of your Ledger Nano S is important! As you posted in the Russian language section. Not sure if I remember correctly whether there were valid reports of some manipulated Ledger Nanos on the Russian market. Could've been fake news to discredit a region, too. I don't know for sure.

As I don't use Ledger hardware wallets, I'm not entirely familiar with the process of initialisation for a new wallet. I heard that a genuine version of Ledger Live can check if a connected Ledger Nano S is genuine. Not sure if the Ledger Nano displays it or if Ledger Live does. The important bit is that you have to be sure that your Ledger Live is genuine and not a tampered version of it.

My specific question in this context is: did you or someone of your family ever make a digital picture of your mnemonic recovery words paper?

Who has access to this private safe? Only you or is there someone else? Could someone have gained access to your safe, friends, family members, evil maid, someone who knew you were invested in crypto?

> Out of curiosity, I reset the device and generated new seed phrases. All were unique, confirming that the device itself is working correctly.

Let's assume your Ledger Nano S is somehow rigged and produces seed phrases in some manipulated predictable manner. How would you be able to detect this? It would look to you as if the device is working as expected while every generated seed isn't really random at all. I would argue, that you can't prove the device is working as it should. You can only assume it.

> - I created Bitcoin and Ethereum accounts and deposited funds via these transactions: - ...

Can you elaborate in more detail with what you've interacted and how for the ETH part of your transactions? It's about if and how your wallet may've interacted with whatever site, smart contract(s) and what wallet access permissions you may've granted.

Were all your ETH transactions done with Ledger Live or was some other software involved?
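The point in the post above, that unique-looking seeds prove nothing about the generator, as an added example that is not part of the original thread: a constructed model in which a sound source and a predetermined one pass exactly the same output checks. `rigged_entropy`, `hidden_key` and `serial` are hypothetical names and values, not a description of any real device.

```python
import hashlib
import hmac
import os

ENTROPY_BYTES = 16  # 128 bits, the entropy behind a 12-word recovery phrase


def honest_entropy(count):
    """Entropy as a sound device would draw it (here: the OS CSPRNG)."""
    return [os.urandom(ENTROPY_BYTES) for _ in range(count)]


def rigged_entropy(count, hidden_key, serial):
    """Constructed model of a tampered generator: a keyed function of a counter.

    hidden_key and serial are hypothetical values fixed before the device
    reaches its owner, so the whole output stream is determined in advance.
    """
    return [
        hmac.new(hidden_key, serial + i.to_bytes(4, "big"), hashlib.sha256)
        .digest()[:ENTROPY_BYTES]
        for i in range(count)
    ]


def owner_checks(samples, tolerance=0.01):
    """The checks available to someone who only sees the device's output."""
    ones = sum(bin(byte).count("1") for s in samples for byte in s)
    total_bits = 8 * ENTROPY_BYTES * len(samples)
    return {
        "all_unique": len(set(samples)) == len(samples),
        "bits_balanced": abs(ones / total_bits - 0.5) < tolerance,
    }


def reproducible(generator, *args):
    """True if running the generator twice yields the same 'random' values."""
    return generator(*args) == generator(*args)


if __name__ == "__main__":
    key, serial = b"constructed-demo-key", b"SN-0001"  # constructed sample values
    print("honest:", owner_checks(honest_entropy(2000)),
          "reproducible:", reproducible(honest_entropy, 2000))
    print("rigged:", owner_checks(rigged_entropy(2000, key, serial)),
          "reproducible:", reproducible(rigged_entropy, 2000, key, serial))
```

Both sources report every value unique and the bits balanced; only the second can be regenerated by whoever holds the key, which is why the thread keeps returning to where the device was bought and whether Ledger Live was genuine rather than to how the generated phrases look.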
BobbysTransactions
April 29, 2025, 09:02:42 AM
> Closed source code cannot be trusted, because closed source code cannot be verified. Anyone who says otherwise is someone you should not trust, if you value the security of your Bitcoin.

But you're happy to trust the "closed source" hardware no matter what?
Lucius
April 29, 2025, 02:55:14 PM
> ~snip~ On January 5, 2024, I updated Ledger Live and the firmware, and discovered that both accounts were empty.

This is a little strange to me, because if you said it correctly, you did the update first (LL and firmware), and only then did you realize that you have nothing on your accounts? If that were true, then you either downloaded a fake LL or fake firmware (although it seems unlikely). However, can you confirm that the funds were in the account before you did it?

> I am hoping that someone in the community might:
> - Help analyze the destination addresses and transactions.
> - Suggest possible attack vectors.
> - Provide insight into similar cases or Ledger-related compromises.
> - Raise awareness if this was part of a larger, yet-undiscovered breach.
>
> Any thoughts, clues, or suggestions will be greatly appreciated.
> Thank you in advance.

In the last few months, several similar stories have appeared in which users claim that they did nothing wrong, but that they were hacked. This is just one of them.

> The cryptocurrency community is grappling with a sobering security breach involving a Ledger Nano S wallet. A user known as “Anchor Drops” on X reported losing 10 Bitcoin (BTC) valued at around $1 million and $1.5 million in NFTs. Despite claims of keeping the seed phrase offline and untouched for months, the wallet’s contents were drained.
>
> Anchor Drops asserted no suspicious transactions were signed knowingly, sparking intense debate about the security breach’s origin. Ledger, the wallet’s manufacturer, addressed the situation, reiterating the strength of their Secure Element chip, which isolates sensitive data to prevent tampering. However, they hinted that a phishing attack or seed phrase exposure could be responsible.
>
> Moreover, Blockchain analysis later uncovered a phishing attack dating back to February 22, 2022, tagged “Fake_Phishing5443.” According to cybersecurity experts, this transaction provided malicious actors with access permissions to the wallet. Although dormant for nearly three years, the attackers exploited this vulnerability to seize the assets.