Posts

For the love of God: Use a Hardware wallet.

avatar of @edicted
25
edicted
@edicted
·
·
0 views
·
5 min read

0xC75E34E3ee9a343041B3322E1bD97b4940Ed721d

https://bscscan.com/address/0xC75E34E3ee9a343041B3322E1bD97b4940Ed721d

RIP @belemo

  • 25 hours ago @belemo's BSC wallet was hacked
  • All liquidity removed.
  • Everything swapped for BNB.
  • And transferred to 0x158ccd4e081cb0701b724780042fef5bb963347e

0x158ccd4e081cb0701b724780042fef5bb963347e

This wallet now contains @belemo's funds (about 15.5 BNB; aka $10000) Not exactly a small chunk of change, especially for a citizen of Nigeria.

These funds haven't been moved yet and it took the attacker around 10 minutes to do it, signaling to me that this person did it by hand and didn't fully know what they where doing. Clearly this is not a bot or an algorithm.

Also over the next 30 minutes funds were transferred to the hacker's wallet from 3 other wallets, which implies that 3 other people got hacked shortly after @belemo by the same entity. Of course technically those wallets might have been @belemo's wallets (created by the same seed phrase) so I have no idea if there were actually 3 other people who got hacked. It just appears that way on-chain.

#feelsbadman

Judging by Belemo's post on this revelation, he's still clearly in some kind of combination of shock, denial, anger, and despair. Pretty much par for the course when something like this happens. Losses like this are pretty gut-wrenching. Like anyone in this space, a call for help is issued, but alas, no one can help because we don't have the private keys to the hacker's account. Such is crypto; taking the good with the bad. Being your own bank isn't easy. We are responsible for our own funds.

How did this happen?

Even though @belemo claims not to have "clicked any weird links", simply saying that ran a chill down my spine. You mean to say you had all this money just sitting on Metamask? Probably on a Windows machine on the Chrome browser? Yikes... noooooooooooo... why?

Buying my Trezor for $50 was probably the best crypto investment I've ever made. The ability for Trezor and Ledger to connect directly to Metamask is a thing of beauty. All the functionality and connectivity of Metamask with all the security of a proprietary hardware wallet.

Speaking of Hardware wallets, guess what I saw today?

Ah nothing to see here, just @ausbitbank being a baller.

It's also important to note that even without a Ledger (I guess I have to buy one now) Hive is still way more secure than EVM chains. This is because Hive has 4 layers of security (Owner, Active, Posting, Memo) AND account recovery. Try getting that on another platform (that @dan didn't make).

I'm never worried about my funds being stolen on Hive, because even if my active key gets compromised I still have my owner key tucked away and can change it at any time. And then even if my owner key gets stolen I can still get my account back using the recovery mechanism.

Most of my money is time-locked so a hacker would only be able to steal a very small fraction of my wealth. Meanwhile on BSC or BTC or ETH or anywhere else if someone gets your credentials you are 100% fucked, as has been showcased today.

Circling back.

I didn't click any weird links.

Ah... didn't you though?

When your last post is literally titled A Shitcoin Experiment this doesn't lend a whole lot of confidence. Not that it matters, right? What's done is done and the chance a mistake like this is made again is... small. Get a hardware wallet. $50 for x1000 security.

Of course it's possible to still get funds stolen if someone gets ahold of your 12 word seed phrase, but the likelihood of that happening in this case is basically zero because the hacker's wallet itself implies that 4 different people all got hacked at basically the same time. In fact this wallet had been inactive for 255 days before it got hacked. Not quite sure how that happens but it's right there on the chain.

https://bscscan.com/address/0x158ccd4e081cb0701b724780042fef5bb963347e#comments

The only way to get the money back now is to flag the account and hope it gets transferred to an exchange where the money will be frozen and returned to the rightful owners. I give that a pretty slim chance, but you never know. It does seem to happen once and a while. Unfortunately I don't know of any easy way to inform all the exchanges of the world that a certain account should be blacklisted. Seems like more of a rich-man's game.

Nigeria though.

From what I can tell Nigeria is one of the most hostile countries in the world when it comes to their citizens holding crypto. They imprison people on false pretenses and force you to open your phone at gunpoint, calling you a criminal if you have crypto and then extorting you for money in order to leave (because that's not criminal apparently). This all comes in the wake of their new CBDC, which apparently doesn't want any competition.

You really have to wonder if the government itself would go out of its way to steal crypto from their own citizens. I mean I doubt that's what happened here but if any country was going to do it, it would be Nigeria. But that's just my conspiracy theory brain talking. Far more likely that the Metamask hot-wallet was hacked or the seed phrase was sitting in an unencrypted text file on Windows. Again, these seed phrases should never be saved on Windows of all places. Even phones these days are way more secure than the Windows Operating System.

Conclusion

Condolences to @belemo. A loss like this reminds me that it's probably only a matter of time before a thief gets away with some of my funds as well. Luckily my Hive stack is one that I have the least concern for. Our security is clearly superior to Bitcoin's in several ways, even if it is lacking systemically (trusting 20 witnesses).

I'm sure that $10k seemed like the world, but recovering from losses like this happens all the time in crypto. One day we are down 90%, the next day we are up x100. All we can do is give 100% effort every day, learn as much as we can, and never give up.

The mega-bubble is coming, and with it a honeypot so large that hackers will be working in overdrive trying to make off with the loot stored on centralized exchanges and individual wallets. All we can do to combat this is to have our money secured in many places at once with no shared centralized attack vectors. Be safe out there.

Posted Using LeoFinance Beta