For the love of God: Use a Hardware wallet.

in LeoFinance3 years ago


Hack pirate flag.png

0xC75E34E3ee9a343041B3322E1bD97b4940Ed721d

https://bscscan.com/address/0xC75E34E3ee9a343041B3322E1bD97b4940Ed721d

RIP @belemo

  • 25 hours ago @belemo's BSC wallet was hacked
  • All liquidity removed.
  • Everything swapped for BNB.
  • And transferred to 0x158ccd4e081cb0701b724780042fef5bb963347e

0x158ccd4e081cb0701b724780042fef5bb963347e

This wallet now contains @belemo's funds (about 15.5 BNB; aka $10000)
Not exactly a small chunk of change, especially for a citizen of Nigeria.

These funds haven't been moved yet and it took the attacker around 10 minutes to do it, signaling to me that this person did it by hand and didn't fully know what they where doing. Clearly this is not a bot or an algorithm.

Also over the next 30 minutes funds were transferred to the hacker's wallet from 3 other wallets, which implies that 3 other people got hacked shortly after @belemo by the same entity. Of course technically those wallets might have been @belemo's wallets (created by the same seed phrase) so I have no idea if there were actually 3 other people who got hacked. It just appears that way on-chain.

strong bad deleted.jpg

#feelsbadman

Judging by Belemo's post on this revelation, he's still clearly in some kind of combination of shock, denial, anger, and despair. Pretty much par for the course when something like this happens. Losses like this are pretty gut-wrenching. Like anyone in this space, a call for help is issued, but alas, no one can help because we don't have the private keys to the hacker's account. Such is crypto; taking the good with the bad. Being your own bank isn't easy. We are responsible for our own funds.

How did this happen?

Even though @belemo claims not to have "clicked any weird links", simply saying that ran a chill down my spine. You mean to say you had all this money just sitting on Metamask? Probably on a Windows machine on the Chrome browser? Yikes... noooooooooooo... why?

Buying my Trezor for $50 was probably the best crypto investment I've ever made. The ability for Trezor and Ledger to connect directly to Metamask is a thing of beauty. All the functionality and connectivity of Metamask with all the security of a proprietary hardware wallet.

Speaking of Hardware wallets, guess what I saw today?

image.png

Ah nothing to see here, just @ausbitbank being a baller.

It's also important to note that even without a Ledger (I guess I have to buy one now) Hive is still way more secure than EVM chains. This is because Hive has 4 layers of security (Owner, Active, Posting, Memo) AND account recovery. Try getting that on another platform (that @dan didn't make).

I'm never worried about my funds being stolen on Hive, because even if my active key gets compromised I still have my owner key tucked away and can change it at any time. And then even if my owner key gets stolen I can still get my account back using the recovery mechanism.

Most of my money is time-locked so a hacker would only be able to steal a very small fraction of my wealth. Meanwhile on BSC or BTC or ETH or anywhere else if someone gets your credentials you are 100% fucked, as has been showcased today.

Circling back.

I didn't click any weird links.

Ah... didn't you though?

https://peakd.com/hive-167922/@belemo/a-shitcoin-experiment

When your last post is literally titled A Shitcoin Experiment this doesn't lend a whole lot of confidence. Not that it matters, right? What's done is done and the chance a mistake like this is made again is... small. Get a hardware wallet. $50 for x1000 security.

Of course it's possible to still get funds stolen if someone gets ahold of your 12 word seed phrase, but the likelihood of that happening in this case is basically zero because the hacker's wallet itself implies that 4 different people all got hacked at basically the same time. In fact this wallet had been inactive for 255 days before it got hacked. Not quite sure how that happens but it's right there on the chain.

https://bscscan.com/address/0x158ccd4e081cb0701b724780042fef5bb963347e#comments

image.png

The only way to get the money back now is to flag the account and hope it gets transferred to an exchange where the money will be frozen and returned to the rightful owners. I give that a pretty slim chance, but you never know. It does seem to happen once and a while. Unfortunately I don't know of any easy way to inform all the exchanges of the world that a certain account should be blacklisted. Seems like more of a rich-man's game.

Nigeria though.

From what I can tell Nigeria is one of the most hostile countries in the world when it comes to their citizens holding crypto. They imprison people on false pretenses and force you to open your phone at gunpoint, calling you a criminal if you have crypto and then extorting you for money in order to leave (because that's not criminal apparently). This all comes in the wake of their new CBDC, which apparently doesn't want any competition.

You really have to wonder if the government itself would go out of its way to steal crypto from their own citizens. I mean I doubt that's what happened here but if any country was going to do it, it would be Nigeria. But that's just my conspiracy theory brain talking. Far more likely that the Metamask hot-wallet was hacked or the seed phrase was sitting in an unencrypted text file on Windows. Again, these seed phrases should never be saved on Windows of all places. Even phones these days are way more secure than the Windows Operating System.

Conclusion

Condolences to @belemo. A loss like this reminds me that it's probably only a matter of time before a thief gets away with some of my funds as well. Luckily my Hive stack is one that I have the least concern for. Our security is clearly superior to Bitcoin's in several ways, even if it is lacking systemically (trusting 20 witnesses).

I'm sure that $10k seemed like the world, but recovering from losses like this happens all the time in crypto. One day we are down 90%, the next day we are up x100. All we can do is give 100% effort every day, learn as much as we can, and never give up.

The mega-bubble is coming, and with it a honeypot so large that hackers will be working in overdrive trying to make off with the loot stored on centralized exchanges and individual wallets. All we can do to combat this is to have our money secured in many places at once with no shared centralized attack vectors. Be safe out there.

Posted Using LeoFinance Beta

Sort:  

Thanks bro. I doubt it's the government that did this.
Funny thing is that the entire shitcoin experiment was conducted inside Binance exchange, didn't use my BSC address for that one.

Anyway, it's a very expensive lesson but I have to learn from it and move on. I've ordered a ledger nano s and will be getting a better antivirus.

I'm just going to look ahead now.

Yeah I hear you. I've seen you guys mulling over the thousand ways it could of happened in Discord. Pretty wild when we actually consider how many security vulnerabilities there are within the system. As soon as you said you got hacked all I could think of was "fucking Windows" even though I didn't even know if you were on Windows or not (unsurprisingly you were). Windows is notoriously vulnerable.

A well thought out post detailing the options along with highlighting the safety of Hive. That is a very important point and one we need to promote going forward.

The layers of protection are great. I am like you, I have a little bit liquid but most of my Hive is locked up and takes time to access.

Posted Using LeoFinance Beta

I think it was due to the "experiment" in the previous post. I've watch YouTube videos where the YouTuber targets a scammer by acting like a noob and while the scammer has remote access the YouTuber turns the tables and deletes the scammer's files. Those YouTubers don't use their office or gaming computer though. They have a dummy computer with non-critical files devoted specifically for those interactions.

The lesson is probably when doing cryptocurrency experiments don't use your life savings wallet.

The lesson is probably when doing cryptocurrency experiments don't use your life savings wallet.

I think it's a really good call out.
Today, it's easy to create a new wallet, so we don't want to risk the main wallet with some unknown source/experiment.

Posted Using LeoFinance Beta

I read Belemo’s post this morning and it hurt me to know what had happened to him. It was right after I read his post about the shitcoin experiment. Ugh.

I assume there had to be some lack of security that allowed this to happen in the first place. I didn’t consider the fact that the Nigerian gov itself could possibly be the culprit. I know that is just one of the rabbit holes your brain went down and there is no proof for it, but after reading several Nigerian posts about the police pulling guns on citizens over their crypto… it doesn’t seem impossible.

Your recommendation for a Ledger should be taken very seriously.

Fingers crossed on the very slim chances that an exchange gets the funds back to this hard working man. Tough lesson to have to learn, for sure. Until then the best we can do is support our friend with reminders that this isn’t the end of the world, just a setback that will never be forgotten.

I'm just trying to move forward now. I was really sad through out yesterday and couldn't process stuff but I'm back and I'll be stronger than before

Being Nigeria, part of me is also threading on the path of believing that Nigerian Government could have being the culprit, who knows. The way crypto guys are being treated like rogues and criminal is alarming here. It's like they want no future for the youth. It's scary. Getting a hardware wallet is the best decision any crypto person can do.

So sorry for the loss boss @belemo

Ouch. I had to make sure my account was fine after hearing about this. From the comments below, I guess you should be careful what you buy as well.

Posted Using LeoFinance Beta

I feel sorry for the guy, 10k is huge for Nigeria....

This is a great reminder for anyone! Reblogging for https://coin-logic.com audience! I don't use my hardware wallet enough really to be honest. But yes, same reasons why most of mine is in Hive as well.

Shit this feels just like a friend I know personally even though I’ve never met him. Fucked up!

Posted Using LeoFinance Beta

Sorry for hearing this @belemo. Yep Hive is one of the best token, wallet tat we can entrust.
Thank you for sharing these information & ways to pretend such hacker attempts. I think it's time to try a hardware wallet that I didn't invest previously. One mistake of us can cost a huge in this crypto space.

Certainly hardware wallets are the best option when it comes to protecting our accounts from computer attackers, however I have seen the increase in recent days of fraudulent activities on decentralized platforms, in many cases they take advantage of the inexperience of other users.

That is truly a crazy sad story, maybe we'll find out what happened in order for others to avoid the same practices. I should use more my Hardware wallet, didn't migrated all cryptos on it.

Posted Using LeoFinance Beta

Jeez.

I'm sure that $10k seemed like the world, but recovering from losses like this happens all the time in crypto. One day we are down 90%, the next day we are up x100. All we can do is give 100% effort every day, learn as much as we can, and never give up.

This.

Happened to a friend of mine as well this year. There are all the stages when you are digitally violated like this. I think we almost narrowed it down to a mobile phone social engineering hack (claim to need a new sim card for someone else, get it in a phone, have the exchange send the 2fa message, scooooop)

Absolutely sucks for Bel as he has been an awesome blockchain citizen since before this was a fork. He will bounce back and I hope for some amazing luck to make up for this unfortunate setback.

Yeah I don't trust text message 2fa I feel like everyone should just be using an authentication app that can't be hacked so easily.

oh damn. Nice to know there's Hive support on Ledger!

This is huge, I didn't even know the fund was that much, might take me years to even recover. Sometimes last year I was robbed and with what was stolen from me, the impact made me really careful.
Hopefully he can get to move on from this. I just wish binance could do better with this hackers.

Posted Using LeoFinance Beta

Well i really find Hive wallet secure and i love it. But still people can get their keys stolen by phishing links :v

I use Trezor for my BSC addresses, so it takes a physical confirmation to make any transaction. And of course, even the Trezor has a pin attached to it before a transaction can be made.

Careful what you connect to.

Sh*t, 10 grand would break me financially. I'm excited that Ledgers are now dealing with Hive! Not that I keep any outside of Hive itself. That's really only useful for people who keep a separate stash of it, right?

I guess it's hard to tell because we're not exactly sure what happened... but does anyone know if a VPN might have helped in this situation?

Sorry Belemo! This sucks!

I think that would only be the case if a hacker attacked his home network directly after sniffing out his IP address.
These technicalities are beyond my skills and understanding.

Truly nothing would be as devastating as seeing all your hard earned wealth go to the pockets of a crook

Scary stuff this methinks.

Is there anything we can collectively do to expose the hacker and somehow get the attention of the exchange and even help Belemo get his funds back?

Posted Using LeoFinance Beta

Probably not. Even when wLEO got hacked the money was funneled through Binance to an account that was a known hacker. Binance did nothing. They allow known criminals to move money through their exchange. Hackers surprisingly can use the same Binance account more than once. It's pretty wild.

Binance doesn't give a fuck then. Same as it didn't give any on my failed payment using their card that was never refund. Customer service over there is shitty as hell. Sorry for Belemo. Next time he should be more careful with shady projects and probably not put that much eggs in one basket.

If you don’t understand the tech 100% it best to stay out

Ummm esto es bastante interesante!

How can it be possible? How did he get private key or seed phrase?

I don't know if the same seed phrase can access another wallet. If it is right then everyone's wallet fund is in risk.

I am reading this, coincidentally, right after reading a post about how to use ledger with HIVE. I am very new to cryptocurrency but very quickly realized it would be beneficial to have my crypto in many places at once. I don't have a lot yet, but as I accumulate more, I will definitely be considering getting a hardware wallet. Appreciate the big heads up here!

I am very sorry for what happened to @belemo, a very respectable HIVE user

Posted Using LeoFinance Beta


The rewards earned on this comment will go directly to the person sharing the post on Twitter as long as they are registered with @poshtoken. Sign up at https://hiveposh.com.

One the things I love about hive is the security level and how protect we are on this blockchain, I wish @belemo goodluck and I hope he recover quickly

Posted Using LeoFinance Beta

Oh when I read your other post I thought it was his Hive account. Still an awful loss, I hope he recovers quickly :(

Thank you for this @edicted.

Will have to check out that ledger post. Would love to see it integrate with keychain. I also picked up a dedicated notebook (200$ Lenovo 12”) to run Linux on use as a clean crypto only comp.

Es muy lamentable seguir escuchando que se cometen ilícitos en billeteras digitales, muchos por confiados no son prudentes y dejan sus keys a la vista publica otros sencillamente son estafados y asaltados por hackers profesionales casuando un daño terrible al mundo de las criptomedas que no termina de evolucionar completamente por estos piratas informaticos.