Nation-States hunting for SEEDs?

[Hispo]

Thanks for the heads-up, this is information which is specially relevant in a country like mine where WhatsApp is widely used for communication and Bitcoin and USDT is becoming so relevant to circumvent inflation and sanctions.

At this point of the game with so many scammers and now organized organizations going after people's private seeds, it would be folkish not to buy and safely store one's Satoshis on a hardware wallet with open source.

This makes me wonder who secure Trezor is as provider, because we all know Ledger has already fallen in disgrace.

[Cryptomultiplier]

I don't think that's your standard clipboard hijacker. His clipboard wasn't hijacked in the normal fashion. He copied the correct address from his Trezor and pasted it into his Binance account. The correct address was also confirmed on the hardware wallet. Only after the transaction was sent from Binance do we see that it got sent to a different address.

This is something else and maybe a combination of a few things. Fake Trezor software or firmware, fake Binance exchange, a malicious browser, script, or extension that replaces crypto addresses in the background, or something like that. He did something very wrong to catch that nasty thing.

Yeah, it could be a combination of several factors. It's more likely that he downloaded cracked software or a game, and that same installer may have downloaded several other malware programs through malicious ddls to increase its success. This means that if you identify a clipboard hijacker on your machine, it should be considered a red flag, as it's very likely that its malicious code may be downloading several members of the same family of highly undetectable malware.

For Bitcoin, yes, one can keep it offline or an airgapped device, etc, but what about people storing altcoins and especially the stable coins in Unstoppable or Trust Wallet (I don't recommend this wallet), etc ? Does this mean that we are at risk if we keep our coins in the Unstoppable wallet ?
Also they do not have any desktop version, so what are our options for altcoins storage

There's always the risk of your online machine being compromised by an infostealer that can scan your machine in seconds. Malwares is increasingly using encryption techniques to remain undetectable by antivirus software. So you never know if your device is infected.

A hardware wallet like Trezor is considered a "secure" device because the private keys are stored on the device's chip and transactions are signed in the device's isolated environment, invalidating any malware from acting there (to date, I haven't heard of any malware obtaining private keys from such a device). Besides supporting various altcoins, you can use it on your Android/iOS device (depending on the model, like Safe 7).

I prefer airgapped wallets like Passport, Coldcard or Krux (for Bitcoin), but for those who want to store altcoins, the best alternative is Trezor.

For more information about multicoin wallets, visit this thread: list Multicoin Open Source Wallets

Besides using an air gapped wallet, an investor can decide to protect themselves by using some strategies like evacuating hot seed phrases that has been typed on your device and stored on a cloud backup by creating a new wallet and move holdings there.
Use lockdown mode for iPhone users , disable cloud backup or iCloud sync to remain safe and lastly never leave or take screenshots or photos of your seed phrase and store on your device.

[Satofan44]

You should always carefully check every output addresses before you sign a transaction with your hardware signing device. For this very reason it's mandatory that your signing device has an own independant display that can't be manipulated by the software wallet that hands over the transaction to be signed.

I only recently found out there's a thing called "blind signing" for shitcoins like Ethereum. Instead of confirming each address on your screen, you have to tell your hardware wallet to just trust the software again. So that's how people got all their coins stolen from their hardware wallet.

Correct, but also quite wrong -- this is not the primary reason why people are losing their coins, not even close. What blind signing does is abstract away some of the details, but the primary culprit is interacting with malicious and phishing contracts. Do you really think that the average user would be able to interpret the calls when doing an interaction even if they were hidden? Absolutely not. Those that can drain everything that you have because most of these shitcoins have token standards that do not have native ownership. Even if wallets had complete clear signing, this would still not prevent most of these cases of scamming. What is the difference between a legitimate contract and fraudulent contract that requires you to approve unlimited allowance for USDC and similar actions (say deposit/stake)? Nothing, the average user would never be able to tell even if all ABI information was displayed for every contract (it never will be).

What they do over there is generally terrible, but let's be clear about the real causes of things. The best type of attack that shows how shitcoins are stupid is the one where a single signing drains all of your balances across every chain of the same type and all of their layers from a hardware wallet, for example EVM based chains.  

I had a friend buy some Bitcoin and kept stressing the importance of security to him. Hardware wallets weren’t really popular yet at the time, so I suggested he install the Bitpie app on a dedicated phone and set a very strong wallet password. Unfortunately, he later forgot the password, and those two Bitcoins have been stuck there ever since, unable to be moved.

I have never heard of Bitpie or know anyone that has used it. By the sound of it, it looks like a custodial service. Is it? Did your friend not generate a seed phrase or received private keys to the addresses where he sent his bitcoin? Wallet passwords are meant to encrypt files locally, so that if an unauthorized third-party got hold of them, they couldn't abuse them. But you should always be able to recover your wallet elsewhere using a recovery phrase or individual private keys.

Custodial services suck, but in terms of user failures in this case there is nothing different between a custodial or non custodial wallet. A proper failure to to store key information (which differs between wallet types) and then forgetting it will lead to a loss of coin or coin being stuck in both cases.

Bad, but this is nothing compared to the number of systems activated by these or similar tools. It is in the hundreds of millions of devices. Of course some malicious actors will jump on the opportunity, still the data shows that it represents a small amount of devices that actually have a malicious activator. The amount stolen would be much higher otherwise. Anyway there is no reason to use Windows at all, and if someone does need it they can install it in a virtual machine without a network adapter. That way it is not going to be a problem even if you put a malware-infested copy of Windows on it. The exception would be malware that targets the VM but average users commonly don't stumble upon that.

But the simple fact that it's an activator, which can be hosted by any site, without any provenance, closed source code, and so on, is all unfavorable signs that you shouldn't install it on a PC with an unactivated Windows, because what are the chances of not having something very unpleasant there?

The simple fact that it's not open source and that there's no official team behind it already makes me want to stay away from this kind of thing. It's true that just not using Windows eliminates these problems, but if there's no other way, for example, having a pc for work to run things that only work on Windows-compatible software, the best thing is not to tempt fate and acquire a license.

Correct, but wrong. Pretty much all cracking is closed source on average, this includes everything from software to video games for Windows. If you download it from suspicious sources, then you may get in trouble. If you download it from legitimate sources and authors, you will be fine. The percentage of users that get malware this way is very tiny compared to the users that successfully use things. Yes, it would be better if things were open source -- but this is the realistic state of things. Activators should not be singled out, people who use activators are likely using other software or games that are cracked too. Anyway, if I recall correctly there was once an open source activator for Windows 10 but I don't know if it that is still a thing.

Besides, nowadays computers already come with pre-activated OEM Windows licenses...

If you buy a pre-built computer or a laptop maybe, but that is for the amateurs.  

[Youngrebel]

This is just like saving your bank essentials in your phone and when your phone is stolen or hackers get access to your phone your account is tampered with.
This is not a period of saving passwords and seed phrases on our devices. We just have to look for other means that are more stringent ways to keep.our BTC and other assets safe so we donot labour in vai .at any point.

[Pmalek]

Custodial services suck, but in terms of user failures in this case there is nothing different between a custodial or non custodial wallet. A proper failure to to store key information (which differs between wallet types) and then forgetting it will lead to a loss of coin or coin being stuck in both cases.

There is one major distinction between custodial and non custodial services. If you forget or don't make backups of your private key information and the software where those keys are stored malfunctions, you are done. You lose access to your coins and you will never get them back. Custodial services are controlled by someone else, and you can lose access to them. If you do, there will be a way back in, by proving to the custodian that you are who you say you are. That can be as simple as resetting a password over e-mail, entering a code sent to you via SMS, or doing (another round of) KYC to verify yourself. After that, the custodian can give you access to your bitcoin again.

[SilverCryptoBullet]

There is one major distinction between custodial and non custodial services.

Custodial vs. Non Custodial Wallets - "Not your keys, not your coin" Explained.

If you forget or don't make backups of your private key information and the software where those keys are stored malfunctions, you are done. You lose access to your coins and you will never get them back.

With high risk of losing your coins if you only create a single wallet for storage, without backup, when people know that risk, they must learn and practice both wallet backups and wallet recoveries.

How to back up a seed phrase?

Custodial services are controlled by someone else, and you can lose access to them. If you do, there will be a way back in, by proving to the custodian that you are who you say you are. That can be as simple as resetting a password over e-mail, entering a code sent to you via SMS, or doing (another round of) KYC to verify yourself. After that, the custodian can give you access to your bitcoin again.

Lazy people can feel it is safe as they can recover their account from password to 2FA, but there is bigger risk than non-custodial wallets. Centralized exchanges can close their service as scam, their exchanges can be seized like TradeOrge exchange or their exchanges can be hacked and bankrupted after that.

Reminder: do not keep your money in online accounts.

[Satofan44]

Custodial services suck, but in terms of user failures in this case there is nothing different between a custodial or non custodial wallet. A proper failure to to store key information (which differs between wallet types) and then forgetting it will lead to a loss of coin or coin being stuck in both cases.

There is one major distinction between custodial and non custodial services. If you forget or don't make backups of your private key information and the software where those keys are stored malfunctions, you are done. You lose access to your coins and you will never get them back. Custodial services are controlled by someone else, and you can lose access to them. If you do, there will be a way back in, by proving to the custodian that you are who you say you are. That can be as simple as resetting a password over e-mail, entering a code sent to you via SMS, or doing (another round of) KYC to verify yourself. After that, the custodian can give you access to your bitcoin again.

Not necessarily. There are custodial solutions that require both you and the custodian, and if you lose the key information here from your side they can do nothing for you. Furthermore, again you make a false comparison by having an unfair assumption on the side of the custodial solution where you retain key information so that you are able to "reset" something. Losing private key information is the same as losing everything for a custodial solution, in the case of one that requires an email and password -- you lose both the email account and password. Getting that back will be extremely difficult unless there is KYC involved, but that defeats the purpose. Correct comparisons would be the following 2, don't mix between them.

Non-custodial: Lost wallet password, retained private key or seed phrase backup. Recovery possible.
Custodial: Lost account or wallet password, retained email account or phone number or whatever else was used. Recovery possible.

Non-custodial: Lost wallet password, and lost private key or seed phrase. Recovery impossible.
Custodial (no KYC): Lost account or wallet password, lost email account or phone number or whatever else was used. Recovery most likely impossible.

In terms of recovery, the custodial solution only has a small benefit in the second case but I don't believe that in most of those cases recovery will be possible.

Lazy people can feel it is safe as they can recover their account from password to 2FA, but there is bigger risk than non-custodial wallets. Centralized exchanges can close their service as scam, their exchanges can be seized like TradeOrge exchange or their exchanges can be hacked and bankrupted after that.

We can talk about different tradeoffs in different perspectives, but ultimately Not Your Keys Not Your Bitcoin always prevails. No matter how you approach this topic, non custodial wallets are always the best choice by far. They are best for the user, they are best for the network. I'd only recommend custodial to people who can barely use technology at all (being able to open some apps on a smartphone does not count).

[Hispo]

This is just like saving your bank essentials in your phone and when your phone is stolen or hackers get access to your phone your account is tampered with.
This is not a period of saving passwords and seed phrases on our devices. We just have to look for other means that are more stringent ways to keep.our BTC and other assets safe so we donot labour in vai .at any point.

I think a better comparison would be having one's money under the mattress and then having one's government to knock on our door and ask for the totality of our money because they feel entitled to get access to it. So they take it without even having our permission, in the end if they have access to one's seed, then the first thing they will do is move one's Satoshis to their wallet, no doubt about it.

As Bitcoin becomes more valuable and it get more difficult to mine and stays decentralized, there will be more bad actors out there willing to make an extra effort to steal from us, there is no mystery about it and it is just common sense.

[DiMarxist]

The issue of security on the net is getting more serious every day because each day that, passes we are getting more and more vulnerable because hackers and criminals are developing new technologies to make sure that they steal the seed phrase of people by putting phishing links on platforms that people can click and hack into the wallet of individual holdings Bitcoin. Information like this should be used by  individual who are into crypto to use and be more security conscious when ever they are in the net.If nations and states can sponsor hackers to steal crypto from people then nothing safe again.

[hafezaldubaili@gmail.com]

You should always carefully check every output addresses before you sign a transaction with your hardware signing device. For this very reason it's mandatory that your signing device has an own independant display that can't be manipulated by the software wallet that hands over the transaction to be signed.

I only recently found out there's a thing called "blind signing" for shitcoins like Ethereum. Instead of confirming each address on your screen, you have to tell your hardware wallet to just trust the software again. So that's how people got all their coins stolen from their hardware wallet.

Correct, but also quite wrong -- this is not the primary reason why people are losing their coins, not even close. What blind signing does is abstract away some of the details, but the primary culprit is interacting with malicious and phishing contracts. Do you really think that the average user would be able to interpret the calls when doing an interaction even if they were hidden? Absolutely not. Those that can drain everything that you have because most of these shitcoins have token standards that do not have native ownership. Even if wallets had complete clear signing, this would still not prevent most of these cases of scamming. What is the difference between a legitimate contract and fraudulent contract that requires you to approve unlimited allowance for USDC and similar actions (say deposit/stake)? Nothing, the average user would never be able to tell even if all ABI information was displayed for every contract (it never will be).

What they do over there is generally terrible, but let's be clear about the real causes of things. The best type of attack that shows how shitcoins are stupid is the one where a single signing drains all of your balances across every chain of the same type and all of their layers from a hardware wallet, for example EVM based chains.  

I had a friend buy some Bitcoin and kept stressing the importance of security to him. Hardware wallets weren’t really popular yet at the time, so I suggested he install the Bitpie app on a dedicated phone and set a very strong wallet password. Unfortunately, he later forgot the password, and those two Bitcoins have been stuck there ever since, unable to be moved.

I have never heard of Bitpie or know anyone that has used it. By the sound of it, it looks like a custodial service. Is it? Did your friend not generate a seed phrase or received private keys to the addresses where he sent his bitcoin? Wallet passwords are meant to encrypt files locally, so that if an unauthorized third-party got hold of them, they couldn't abuse them. But you should always be able to recover your wallet elsewhere using a recovery phrase or individual private keys.

Custodial services suck, but in terms of user failures in this case there is nothing different between a custodial or non custodial wallet. A proper failure to to store key information (which differs between wallet types) and then forgetting it will lead to a loss of coin or coin being stuck in both cases.

Bad, but this is nothing compared to the number of systems activated by these or similar tools. It is in the hundreds of millions of devices. Of course some malicious actors will jump on the opportunity, still the data shows that it represents a small amount of devices that actually have a malicious activator. The amount stolen would be much higher otherwise. Anyway there is no reason to use Windows at all, and if someone does need it they can install it in a virtual machine without a network adapter. That way it is not going to be a problem even if you put a malware-infested copy of Windows on it. The exception would be malware that targets the VM but average users commonly don't stumble upon that.

But the simple fact that it's an activator, which can be hosted by any site, without any provenance, closed source code, and so on, is all unfavorable signs that you shouldn't install it on a PC with an unactivated Windows, because what are the chances of not having something very unpleasant there?

The simple fact that it's not open source and that there's no official team behind it already makes me want to stay away from this kind of thing. It's true that just not using Windows eliminates these problems, but if there's no other way, for example, having a pc for work to run things that only work on Windows-compatible software, the best thing is not to tempt fate and acquire a license.

Correct, but wrong. Pretty much all cracking is closed source on average, this includes everything from software to video games for Windows. If you download it from suspicious sources, then you may get in trouble. If you download it from legitimate sources and authors, you will be fine. The percentage of users that get malware this way is very tiny compared to the users that successfully use things. Yes, it would be better if things were open source -- but this is the realistic state of things. Activators should not be singled out, people who use activators are likely using other software or games that are cracked too. Anyway, if I recall correctly there was once an open source activator for Windows 10 but I don't know if it that is still a thing.

Besides, nowadays computers already come with pre-activated OEM Windows licenses...

If you buy a pre-built computer or a laptop maybe, but that is for the amateurs.