QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$60 000 USD
JULY 2020
GLOBAL
LEDGER
DESCRIPTION OF EVENTS

"Based in France, Ledger is the largest cryptocurrency hardware wallet company." "Ledger is a hardware cryptocurrency wallet that is used to store, manage, and sell cryptocurrency. The funds held in these wallets are secured using a 24-word recovery phrase and an optional secret passphrase that only the owner knows."
"Ledger offers two products, the Nano S and Nano X, that can store the digital keys used to secure crypto wallets. The devices can be used with a variety of cryptocurrencies, are compatible with numerous apps, and are supposed to offer a safe way to manage crypto without compromising too much on convenience. Ledger says on its website that it has sold 1.5 million products to customers in 165 countries to date."
"I bought the device from the official Ledger website. I have already opened a case with Ledger support."
"I chose the pin for both ledger devices. I wrote down words in the paper wallet but also encrypted a few of them so even if someone got it then it's not possible for them to guess."
"I am 100% sure no one had access to 24-word phrase. It was securely stored in my fire-proof-case."
"No soft copies made at all for a 24-word phrase."
"I ordered backup pack so got ledger X and ledger S. You have to set up ledger S by entering those seeds and that’s it. That was the last time I entered seeds anywhere."
"I use MacBook Pro." "I think it’s my mistake I put screenshot of 24 seeds on google drive."
"After writing on piece of paper; I took photo and uploaded to google drive." "The seeds were kind of encrypted and Words were swapped but it seems hacker managed to figure it out."
"iPhone X max. Not jai[l]broken. Yes it was connected to the internet! [Y]es deleted pic after uploading. No dodgy apps on my phone."
"[A] guy contacted me last year Sept on LinkedIn - I think he is a hacker and managed to convince me to install Stockfolio app and promised to pay 0.25 BTC for review."
"I was doing lot of reviews on icobench- he contacted many including me and offered same! They contact asking for a Stockfolio review paying 0.25 Btc. They trapped you to install software for free from the website as AppStore version is $25. I was so stupid to install it from http website and give access to my laptop. I think I deleted the software immediately as it wasn’t there but it left the malware which was cleaned recently by Malwarebytes. I installed Malwarebytes after the hack!!!"
"In another recent and similar hack, where the hacker got access to a photo of the words that went on google-drive or google-photos, the hacker got access to the computer of the victim, who was logged in their google account. Therefore the hacker could get access to all the victim's google drive and google photos without actually logging on the google account of the victim."
"The victim traced the unauthorized access to their google account to a tro[j]an they installed that was included in a pirated software that they downloaded. But there was no indication of any Google login activity, of course, other than the one initiated by the victim themselves."
"I think he managed to install [OSX GMera Malware] on my laptop successfully which successfully got my crypto keys stored on my google drive."
"OSX.GMERA collects a wide variety of information from the system and exfiltrates it. Among the data collected are files in the user’s Documents folder and on the desktop, applications in the Applications folder, and screenshots taken from the system."
"Firstly seer and mice are not valid BIP39 English mnemonic words. That would have been easy for an attacker to spot." "The 24th word is a checksum, which is easily calculated."
"Let's assume the attacker corrected the invalid mnemonic words for the closest matches. seer => deer, mice => dice. Now there's 2 incorrect words and 4 words in the wrong place. It's a big search space. But not impossible."
"[J]ust realised that all my life-saving funds worth $60k have been stolen from my Ledger wallet."
"[I]f someone can access my google drive, scan 200 GB of data, fetch the ledger screenshot, decrypt it. They deserve the funds then!"
According to the best analysis of the available information, the Reddit user pking007 purchased their Ledger legitimately and set it up correctly. During this setup process, however, they also took a picture of their seed phrase (with some obfuscation) on their cell phone and uploaded it to their Google Drive account as a backup. In a separate incident, it appears that they were also tricked into installing malware called OSX.GMERA on their Mac by a stranger on LinkedIn who offered them 0.25 BTC for reviewing a fake Stockfolio application.
Once the malware was installed on the Mac, it would have given access to the Google Drive account, since pking007 would likely have accessed his Google Drive from that computer. Because the access came from his own computer, no suspicious login would have shown up. From there, it was a matter of locating the seed phrase image file within the Google Drive files, which would be trivial if it was named something obvious. While pking007 made some effort to obscure the words in the seed phrase, it would have been obvious that the seed phrase had been modified because some of the words were no longer valid. Various programs are available that can try permutations and combinations of the seed words relatively quickly. Once the correct seed phrase was identified, the funds could be extracted by the thief without issue.
The LinkedIn profile which offered the malware is no longer active, although its operator has likely just moved to a different account. The blockchain wallet is still active and has received many funds since, potentially from many other victims. While a police report was filed, there is no record of any follow-up or fund recovery in this case. pking007 has publicly stated that the attacker deserves the funds.
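The following is an added example, not part of the original posts or of Ledger's software. It counts how many phrases stay consistent with the obfuscation described in the quoted comment (2 replaced words, 4 displaced words) and compares that with the 256 bits of an unexposed 24-word phrase. The function names and the model (counts known, positions unknown, no overlap between replaced and moved positions) are assumptions of this example.

```python
from math import comb, log2

WORDLIST_SIZE = 2048   # BIP39 English wordlist: 11 bits per word
WORDS = 24             # 24 words carry 256 bits of entropy + 8 checksum bits
CHECKSUM_BITS = 8
BASELINE_BITS = 256


def derangements(n: int) -> int:
    """Permutations of n items in which no item keeps its position."""
    prev, cur = 1, 0               # D(0) = 1, D(1) = 0
    if n == 0:
        return prev
    for i in range(2, n + 1):
        prev, cur = cur, (i - 1) * (prev + cur)
    return cur


def candidate_phrases(substituted: int, displaced: int) -> int:
    """Count phrases consistent with a photographed, obfuscated phrase.

    Assumed model: whoever reads the photo knows how many words were
    replaced and how many were moved, but not which ones, and the two
    sets of positions do not overlap.
    """
    if substituted < 0 or displaced < 0 or substituted + displaced > WORDS:
        raise ValueError("more altered words than the phrase contains")
    if displaced == 1:
        raise ValueError("a single word cannot be displaced on its own")
    replaced = comb(WORDS, substituted) * (WORDLIST_SIZE - 1) ** substituted
    moved = comb(WORDS - substituted, displaced) * derangements(displaced)
    return replaced * moved


def remaining_bits(substituted: int, displaced: int) -> dict:
    """Secrecy left by the obfuscation, in bits, next to the baseline."""
    raw = log2(candidate_phrases(substituted, displaced))
    return {
        "candidate_bits": raw,
        # Only about 1 in 2**8 candidates has a valid checksum word, so
        # most are rejected before any key derivation is needed.
        "after_checksum_bits": max(raw - CHECKSUM_BITS, 0.0),
        "baseline_bits": BASELINE_BITS,
    }


if __name__ == "__main__":
    print(remaining_bits(2, 4))   # the case discussed in the quoted comment
```

Under this model the obfuscation leaves roughly 46 bits of uncertainty against a 256-bit baseline, which is why a photographed phrase has to be treated as disclosed and the funds moved to a freshly generated seed.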
HOW COULD THIS HAVE BEEN PREVENTED?
There were multiple mistakes that contributed to this case. The seed phrase should never be stored in any digital format, even as an image. Never install applications received from a stranger. It is also a good idea not to keep all funds in the same actively used wallet. Store the majority of funds offline in a separate wallet when not in use. Adding a 25th word to the seed phrase would also have increased security in this case, assuming the 25th word wasn't also photographed and uploaded to Google Drive.
