Ledger Keepass Keylogger Bitcoin Theft

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Ledger

A Reddit user reported that their bitcoin went missing from their Ledger wallet just 2 days after setting it up. After their setup, they had entered the first 23 words from the seed phrase in their password manager and nowhere else. They lost roughly $3k worth of bitcoin, and there is no indication that any of the coins were able to be recovered.

Malware often enters computers though trojan method - where the individual downloads a new program or mod that also executes malicious code. It's possible that a legitimate download source could also have been replaced with a malicious program. Once on the computer, such programs can continue to operate under remote control, and will typically include functionality to monitor keystrokes, steal passwords, and perform other actions remotely.

This created an environment which was not pristine, where the keystrokes were captured and sent to a malicious entity. Even though the last word was not entered, it is relatively trivial for the adversary to determine what it is by guessing all the possibilities. Once they have access to the wallet, they can easily drain all of the funds.

The country for this case study is not yet known.[1][2][3][4][5]

About Ledger

"I bought a ledger (from ledgers website) on NOV 25th 2020 (they were on sale then too, it was 75$). I [didn't] get around to setting it up until a few days ago." "I also use Torguard VPN."

"I did not take a picture of it on my phone or anything, literally the only thing I can think of is I put it into my keepass on my computer." "The only time the passphrase was typed it is when [I] was storing it in my lastpass." "Thats the only time that phrase was ever typed out." "I only put 23 words on there, not the last one."

"I just found out I had 3258$ worth of BTC stolen from my ledger nano x on [M]arch 23rd at 2:28 am." "I had my ledger hacked. .059 BTC (about 3k at the time)"

"Im not super happy right now." "I hate throwing away gains[. I'm] embarrassed it happened, and it really [upsets me]."

"How did it happen? Not entirely sure yet. I put a key on a password manager so [I] would have to guess it was that...how a key logger or something of the like got on my computer is a different question. I formatted the drive and reloaded the [operating system], what a pain."

"If your computer has malware keylogger or your keepass is compromised you just gave your seed phrase to the attacker. I mean ledger is super explicit about this. NEVER not once not ever. NEVER EVER EVER enter your seed phrase anywhere but directly into the ledger itself."

The 24th word "contains an 8-bit checksum[. T]here are 3 bits that are not part of the checksum." "Having 23 words with 1 word left out is akin to leaving a key in the door lock, waiting for someone to turn it!"

"I suppose thats possible, but its weird that they never tried to get into any of my other crypto accounts (or stocks, bank accounts...etc)."

"Lesson: [Don't] put your keys anywhere on your computer/phone. [Y]ou write [it] down and put it in your safe."

The country for this case study is not yet known.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Ledger Keepass Keylogger Bitcoin Theft
Date Event Description
March 23rd, 2021 2:27:15 AM MDT Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $3,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

The risk of malware download can be reduced by only installing executable code from trusted and official sources, and in general you want to minimize the amount of software or modifications installed. For greater security, it is likely good to run in an isolated environment with only the needed software.

A hardware wallet is such an idealized environment since it has only one function - storing the private key. However, all of this security is circumvented if the seed phrase is stored elsewhere in any digital form. Storage should be physical only - either paper or metal, and placed somewhere secure. Greater security can be obtained by splitting up the seed phrase or adding a "25th word".

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Azzuro-x comments on Over $40k of CryptoCurrency Stolen (Aug 7, 2022)
  2. Lameass_ comments on This of you who got hacked/scammed, what's your story, and how can others avoid the same mistakes? (Dec 21, 2022)
  3. Lameass_ comments on Ledger got compromised...but how? (Dec 21, 2022)
  4. Bitcoin / Transaction / bae1c87db984696ed5daa12d48a143b7b50d0b3c1d31e22f0be26fe01c7529cb — Blockchair (Dec 21, 2022)
  5. Bitcoin Explorer - Blockstream.info (Dec 21, 2022)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Ledger_Keepass_Keylogger_Bitcoin_Theft&oldid=3987"