Nation-States hunting for SEEDs?

[Forsyth Jones]

If you have a separate machine only for your financial needs and operations and you use it properly, it won't get infected with malware and crypto address hijackers. You wouldn't be interacting with anything that can cause that. Worst case scenario, such malware infects your day-to-day computer and unless the malware can spread all over your network and connected devices (unlikely), the most important machine stays safe.   

What I see being little disclosed, but the risk is imminent, is when thousands download Windows activators/crackers. These are downloaded from random, unverifiable websites, such as KMSpico (activator software). There have been mentions that they may be full of malware designed to steal cryptocurrencies and banking data...

Imagine how many people have activated their Windows/office using cracked software and are using wallets on these activated Windows systems, and are at risk right now?

I don't remember any claim or news LUKS is broken, unless when the password is weak or encryption/decryption key generated in not secure manner. But it's worth to mention that,
1. LUKS2 is more modern and secure than LUKS1.
2. The encryption/decryption key usually stored on either RAM or CPU, which makes it vulnerable to advanced attack/hack.

When I installed Kubuntu, I enabled encryption at the Linux boot process during startup, I believe it's LUKS1 or 2.

[Pmalek]

What I see being little disclosed, but the risk is imminent, is when thousands download Windows activators/crackers. These are downloaded from random, unverifiable websites, such as KMSpico (activator software).

That's another example of unwanted and suspicious software that should have no place on a computer you use in connection with anything related to money. Linux is free and open-source. Everyone can get it. Those who insist on sticking with Windows can get a digital license for cheap. Many are provided with the laptops you purchase. There are free and open-source alternatives to most popular licensed and paid software. Cracks, keygens, and torrents are a no-go on machines meant to protect your livelihood. 

[Synchronice]

Heads up, crypto users.

Things are getting serious.

Ledger’s CTO has raised alarms about “zero-click” spyware attacks ^{reportedly backed by nation-states} with the aim of stealing SEED phrases stored on mobile devices. In such cases hackers can compromise your device without you clicking anything and very often through apps like WhatsApp or Signal.

It goes without saying: if your seed phrase is exposed, your wallet will be emptied.

Stay alert and vigilant.

It's ironic, isn't it? When Ledger's CTO warns us about the danger related to stealing our crypto wallet's seed phrases when it's the Ledger that has been lying to its customers for so many years about how securely their seeds were placed on secure chip and how impossible it was to extract them from this chip. Anyways, it's still nice to get any valuable information, even if it sounds ironic from the teller.

When will people learn that hardware wallet is still the best way to keep your crypto safe?

Depends on the wallet. Ledger's hardware wallet is not the best option but Passport and Coldcard are definitely a superior options. Airgapped computers/laptops are also an amazing option.

Step number 1 for staying vigilant - Don't use WhatsApp. I mean come on. Its problems are well-documented.  Telegram isn't that much better unless you only use E2EE chats, but I would be surprised that Signal can make the user infected like this.

Through what I understand, people can collect data on your location and other info from the cell tower you're connected to, but it eludes me how people can craft a malware that defeats the hardware security module (HSM). Is that not impossible?

Signal included into the list really socked me. Okay, Whatsapp is Meta's product and I don't trust it, I only use it for the work and I don't find Telegram attractive too but Signal in the list? I don't know.

[NotATether]

Imagine how many people have activated their Windows/office using cracked software and are using wallets on these activated Windows systems, and are at risk right now?

Very little, because the actual cracked software usually comes from Russia, where there are a lot of hackers who specialize in this trade, but the phony .EXE malware versions of the cracks are usually created by various different hacker groups to put a drainer or place you in a botnet or something.

Signal included into the list really socked me. Okay, Whatsapp is Meta's product and I don't trust it, I only use it for the work and I don't find Telegram attractive too but Signal in the list? I don't know.

I'm not sure. I never really used Signal that much.

[Forsyth Jones]

Very little, because the actual cracked software usually comes from Russia, where there are a lot of hackers who specialize in this trade, but the phony .EXE malware versions of the cracks are usually created by various different hacker groups to put a drainer or place you in a botnet or something.

I agree, these cracked software programs are often provided in youtube video descriptions, resulting in many people getting infected. "Nothing" suspicious might happen on the victims' PC, but there's certainly a botnet or spyware running to act at an opportune moment.

Unfortunately, people in poor countries still download a lot of pirated software. I don't trust anything cracked after I started doing self-custody. I recall having a small amount of BTC stolen by the clipboard malware, which I was using on Windows 7 or 8 in 2016.

Signal included into the list really socked me. Okay, Whatsapp is Meta's product and I don't trust it, I only use it for the work and I don't find Telegram attractive too but Signal in the list? I don't know.

I don't know, I used Signal a few years ago and liked its concept, it was a cleaner messenger. Unfortunately, private messengers aren't very popular due to the massive advertising by big techs.

[Cricktor]

... losing their bitcoins to malware like Clipboard Hijacker because they use hardware wallets on malware-infested computers and don't check the sending addresses.

Commonly you don't need to check your sending addresses, because they're usually your own ones (only you should have the private keys to sign transactions spending coins from those sending addresses; I omit cases of multi-sig and importing partially signed transactions).

You should always carefully check every output addresses before you sign a transaction with your hardware signing device. For this very reason it's mandatory that your signing device has an own independant display that can't be manipulated by the software wallet that hands over the transaction to be signed.

Signal included into the list really socked me. Okay, Whatsapp is Meta's product and I don't trust it, I only use it for the work and I don't find Telegram attractive too but Signal in the list? I don't know.

I'm not sure. I never really used Signal that much.

Signal is open-source. Threema is open-source. Those who can read code, can inspect what those open-source apps do behind the curtain (reproducible builds would give you then confidence to know that the executable does exactly what the source code shows).

Just because billions of (possibly brain-washed and -diluted) WhatsApp addicts use the Meta app doesn't mean everybody has to, too. There are decent alternatives, like Signal and Threema. I use both.


I don't know why people use hot wallets on mobile phones that contain more than "pocket money" value. Yeah, I guess it's sooo convenient...

I have Wallet of Satoshi and Phoenix Lightning hot wallets on my mobile, no more than roughly a total of 200k Sats in both of them. If I'd need more it would be only very temporarily.

Other open-source Bitcoin Mainnet wallets I would setup only as watch-only wallets on my mobile phone, no private keys or seed inside and use a hardware signing device to sign off transactions. But frankly I rarely need this mobile use case. I have a dedicated used business laptop, Linux with full filesystem encryption, which I use for my crypto wallet stuff. My SPV wallets talk to my own Bitcoin node and Electrum server to maintain as much privacy as possible for my wallet's addresses.

It's a bit funny how people put trust in Android and iOS devices to handle their money stuff when Android and iOS fight regularly and repeatedly with security issues. OS and mobile frameworks simply became too complex and big mobile tech fights against windmills.


If I'd put my conspiracy enchanted tinfoil hat on, get my brain cooked enough... ding! ...now it's ready: the massive penetration of society with heavily desired mobile phones makes those devices almost perfect spy-on-you tools. Do governments want to exploit this? Possibly in their wet dreams. Some more ruthless governments: why wouldn't they not?
Does mobile tech comply with governments wet dreams? Can't say, hope not. Can you verify? I don't think so!

There are complex components (baseband chip, SoCs and whatnot else) which are not open at all. We all have to trust and pray that our mobile phone spy bugs don't do much nasty stuff.

Phew, can't keep that tinfoil hat on for more than a few minutes, brain wave resonance makes me dizzy...

[Pmalek]

Unfortunately, people in poor countries still download a lot of pirated software. I don't trust anything cracked after I started doing self-custody. I recall having a small amount of BTC stolen by the clipboard malware, which I was using on Windows 7 or 8 in 2016.

On an unrelated note, address poisoning is becoming more and more common. Scammers monitor addresses and have surely automated software in place to strike as soon as a potential victim transfers crypto to one of the addresses that scammers find attractive.

I moved some altcoin over Ethereum yesterday from address A to address B. Only a few minutes after, I received two incoming transactions from addresses similar to my own. The first few and last few characters were identical. If I didn't know what I was doing or how to use wallets properly, I could copy one of the 'poisonous' addresses that looks similar to mine the next time I make a similar transaction and the money is gone.   

[Cricktor]

On an unrelated note, address poisoning is becoming more and more common. ...

Well, address poisoning scams only work because a lot of people are negligent and possibly don't know how to efficiently check public addresses. I strongly believe that proper address verification should be basic crypto currency 101.

It might be convenient when a wallet offers target address suggestions, but this just aids address poisoning scams. If there were an option to turn this off, I'd do it.

For the record and how I usually check (I don't claim my method is the best or the only one; it simply worked for me all the time):

• check a handful of symbols at the start, around the middle and at the end of a public address
  (for Bitcoin: don't account public address prefixes like 1..., 3..., bc1q..., bc1p... for your symbol match count)

If your checking for start, ~middle and end areas match, the rest will match, too, because it's practically near impossible to have a different address that matches all three areas, especially when you have a bit of wiggle room in the middle.

My sample space is likely miniscule, but this method never failed me.

For hex string addresses like in Ethereum space, I find it harder to check.

Anyway, for your own safety, do not skip to check all output addresses thoroughly, regardless what crypto currency you use. Make it a habit to really never skip this. It's an easy middle finger to address poisoning scammers.

[Forsyth Jones]

That's another example of unwanted and suspicious software that should have no place on a computer you use in connection with anything related to money. Linux is free and open-source. Everyone can get it. Those who insist on sticking with Windows can get a digital license for cheap. Many are provided with the laptops you purchase. There are free and open-source alternatives to most popular licensed and paid software. Cracks, keygens, and torrents are a no-go on machines meant to protect your livelihood. 

It was recently discovered that a version of KMSPico contains a Clipboard Hijacker monitoring victims' clipboards to replace crypto addresses divert funds.
There are several videos on Youtube warning not to use these Windows activators, especially KMSPico, as it's suspected of being infested with malware and we already have news about people being robbed.
https://www.bleepingcomputer.com/news/security/hacker-arrested-for-kmsauto-malware-campaign-with-28-million-downloads/

-snip-
I moved some altcoin over Ethereum yesterday from address A to address B. Only a few minutes after, I received two incoming transactions from addresses similar to my own. The first few and last few characters were identical. If I didn't know what I was doing or how to use wallets properly, I could copy one of the 'poisonous' addresses that looks similar to mine the next time I make a similar transaction and the money is gone.   

Have you received dust attacks with addresses similar to yours, similar to this example here?



This attack is becoming very common, as there are people who access the public address of a block explorer, copying the address from the last transaction, which is a mistake, as it could be a poisoned address.


I've seen a report with a video on reddit from a victim showing the clipboard hijacker in action, where the victim withdraws an altcoin from binance, he provides Trezor's public address, checks it on the withdrawal confirmation screen and on the Trezor display, but after confirming the withdrawal, the funds were diverted to a completely different address (it didn't appear at any time on the confirmation screens). Is it malware that injects a fake confirmation screen, where it hides the real address (of the attacker)?
https://www.reddit.com/r/TREZOR/comments/1onokoc/urgent_my_binance_withdrawal_to_trezor_wallet_was/

[Pmalek]

Have you received dust attacks with addresses similar to yours, similar to this example here?

Yes, but on the Ethereum network. The image you are showing is for bitcoin. I have never experienced the same on the Bitcoin network.

I've seen a report with a video on reddit from a victim showing the clipboard hijacker in action, where the victim withdraws an altcoin from binance, he provides Trezor's public address, checks it on the withdrawal confirmation screen and on the Trezor display, but after confirming the withdrawal, the funds were diverted to a completely different address (it didn't appear at any time on the confirmation screens). Is it malware that injects a fake confirmation screen, where it hides the real address (of the attacker)?
https://www.reddit.com/r/TREZOR/comments/1onokoc/urgent_my_binance_withdrawal_to_trezor_wallet_was/

I don't think that's your standard clipboard hijacker. His clipboard wasn't hijacked in the normal fashion. He copied the correct address from his Trezor and pasted it into his Binance account. The correct address was also confirmed on the hardware wallet. Only after the transaction was sent from Binance do we see that it got sent to a different address.

This is something else and maybe a combination of a few things. Fake Trezor software or firmware, fake Binance exchange, a malicious browser, script, or extension that replaces crypto addresses in the background, or something like that. He did something very wrong to catch that nasty thing.

[UmerIdrees]

So I do not expect anyone to still be using any online devices to hold their coins, it is highly dangerous. But I can have little amount of coins on a mobile wallet which I can afford to lose.

For Bitcoin, yes, one can keep it offline or an airgapped device, etc, but what about people storing altcoins and especially the stable coins in Unstoppable or Trust Wallet (I don't recommend this wallet), etc ? Does this mean that we are at risk if we keep our coins in the Unstoppable wallet ?
Also they do not have any desktop version, so what are our options for altcoins storage