Ledger Nano XRP And More Theft Thugluvdoc
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Reddit user Thugluvdoc purchased a new Ledger device from a "Ledger Official" store on Amazon. While restoring his old wallet onto it he was, by his account, prompted to enter his seed phrase on his computer, from where it could be captured and sent to the attacker. The genuine Ledger setup and restore process never asks for the seed phrase to be typed into a computer, which he did not realize at the time. All of his funds disappeared from the wallet except for coins that were staked and therefore still locked. He appears to have recovered his staked Cosmos by paying a developer to build a bot that moved the coins faster than the attacker once they unbonded.
About Thugluvdoc
Thugluvdoc is an investor in Cosmos[1], Avalanche[1], Solana[2], Ripple[3], Tron[3], and other cryptocurrencies.
Thugluvdoc has a habit of religiously checking all of his wallets every 3 to 4 days[4].
About Ledger
"I bought the Ledger from the “Ledger official” store on Amazon. It has a link to the ledger website so I thought it was legit. I guess I made that mistake by going through the Amazon ledger store."
"All coins unstaked are gone. Only the staked coins (cosmos and avalanche) are left. Cosmos has been undelegated by the hacker, and I have a few weeks before I can pull them. Hopefully faster than them. Avalanche auto unstakes at the end of February. Seeing if there is any way to secure my ledger or get a script to move coins out beforehand"
"I don't know how, but I believe I was hacked. Is there any way to retrieve XRP that was sent to an unknown wallet? I have a transaction from last Wednesday, and I never sent my ripple ANYWHERE. I have the wallet address it was sent to below. If anyone can help, please let me know.
This is the wallet where my stolen XRP was sent to: rPca9fVC5747DB3r8hDB6r8nkRxA3PsMYr
Cosmos is unable to do anything about the unstaking and transfer. So I have to race against the thief to hope I transfer it off somewhere quickly
I am still hoping for better luck with avalanche"
"it’s stored in the box in my suitcase. This ledger I bought must’ve been compromised."
"It’s been in my box in my suitcase since I bought this. I upgraded from my old ledger I held my coins on for 5 years, and this new one I was drained of my cosmos, tron, ripple, and monero"
"None, nobody. My cleaning lady I guess. I don't want to underestimate anyone, but that is doubtful"
"I did not go to any website. I restored it on my actual laptop. I check all of my wallets religiously every 3-4 days. I just checked today, and all of my XRP, TRON, and Monero was removed. My atom is being undelegated and I assume they want to move that off. Can I stop this in any way? Reset my keys? Or something? I did reach out to xrp ledger for help since atom wasn't staking rewards. I am so crushed rn"
"I did type it in to restore my old wallet" "How did I transfer my coins from my old to new ledger then? Not sure" "No part of the restore process requires you to type your seed into the computer"
"I don't know how my ledger could've been hacked. I got a new one a few months back because I have more coins than I did 4 years ago. Now everything is drained (XRP, TRON, MONERO) but they are undelegating my Cosmos as we speak."
"Seeming like malware. No clue how they could’ve accessed my monero wallet on my laptop"
"That’s the wallet they deposited my 6900 xrp"
"Also if anyone knows how I can make sure my AVAX is sent to another wallet immediately upon the staking period ending, I’d really appreciate the help and you will receive payment in crypto as a thank you once it is done."
"paid someone to write me a bot. Cost me $7,500 but well worth it. Recovered my cosmos. I’ll never recover the XRP, tron, or monero. Hoping I still hold my Avax which unstakes soon"
This is a global/international case not involving a specific country.
What Happened
Thugluvdoc typed his seed phrase into his computer while restoring his old wallet onto the new device[5]. This step is never part of a genuine Ledger setup or restore, and it exposed the phrase to whatever software was running on the laptop.
| Date | Event | Description |
|---|---|---|
| January 9th, 2022 10:19:07 AM MST | Unrelated Display Issue | Thugluvdoc posts on the Solana subreddit about an unrelated issue where his staked Solana is not showing up in his wallet balance[2]. |
| January 12th, 2022 12:34:22 PM MST | XRP Stolen | 6,907.995481 XRP is stolen from Thugluvdoc's wallet[6]. |
| January 17th, 2022 8:48:42 AM MST | Reddit Post | The issue is posted on Reddit[7]. |
| January 17th, 2022 8:58:53 AM MST | Ledger Wallet Reddit Post | Thugluvdoc posts on the Ledger Wallet subreddit to state that his XRP and Tron have been taken and his Cosmos has been unstaked[3]. |
| January 17th, 2022 9:42:31 AM MST | CryptoCurrency Subreddit Attempt | Thugluvdoc attempts to post on the CryptoCurrency subreddit. However, his post is automatically removed "for not having a high enough character count"[8]. |
| January 17th, 2022 9:52:35 AM MST | Further Information Reported | Thugluvdoc reports additional information: he restored the wallet on his laptop, he checks his wallets regularly and has just discovered that his XRP, TRON, and Monero were removed, and he suspects the attacker is also trying to move his ATOM. He asks how to stop this, including whether he can reset his keys, and states that he has already reached out to "XRP Ledger" for assistance[4]. |
| January 17th, 2022 10:18:37 AM MST | Request For Help To Stop Avalanche Drain | Thugluvdoc posts on the Avalanche subreddit to request help stopping his Avalanche funds from also being drained[9]. |
| January 17th, 2022 11:04:38 AM MST | Thugluvdoc Revealed Seed Phrase | It comes to light that Thugluvdoc entered his seed phrase into the computer when setting up the wallet, which is not part of the process of setting up a Ledger wallet[5]. |
| January 17th, 2022 1:44:09 PM MST | Cosmos Unstaked | Thugluvdoc states that the Cosmos in his wallet has been unstaked, his Avalanche will be unstaked soon, and all his other coins are already gone[1]. |
| February 6th, 2022 7:40:38 AM MST | Looking For Tax Advice | Thugluvdoc posts on the Tax subreddit seeking advice on whether or not his cryptocurrency loss is tax deductible. Unfortunately, it is not[10]. |
Technical Details
Thugluvdoc bought the device through the "Ledger official" store on Amazon and, while restoring his old wallet onto it, typed the seed phrase into his laptop[5]. A genuine Ledger restore is completed entirely on the device; the phrase is never entered on a computer. How the phrase was then captured has not been established (Thugluvdoc himself suspected malware), but a seed phrase known to an attacker lets them recreate every account on every chain, which is consistent with the XRP, Tron, Monero and other unstaked balances all being drained while only the locked staked positions remained.
"I bought the Ledger from the “Ledger official” store on Amazon. It has a link to the ledger website so I thought it was legit. I guess I made that mistake by going through the Amazon ledger store. Going to see if my credit card protects me on these losses next. Thanks to everyone who had helpful comments and messages. Everyone else, that negative energy will bite you in the end. Life’s a bitch, you better hope that bitch is beautiful #lilwayne"
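The case comes down to one fact: whoever has the words can recompute every key on every chain with ordinary software, no hardware wallet involved. The following is an added example written for this page (it is not code from the case study, from Ledger, or from any wallet vendor) using only the Python standard library and the public BIP39 and BIP32 test vectors. The path m/44'/144'/0' is an assumption for illustration: it follows the BIP44 layout (purpose' / coin_type' / account'), with 144 being the SLIP-0044 coin type registered for XRP. Only hardened derivation steps are implemented, which is all that is needed to make the point.

```python
"""Why a typed seed phrase is game over: every key on every chain derives from the words.

Added example using only the Python standard library and public BIP39 / BIP32 test
vectors; not code from the case study or from Ledger. The path m/44'/144'/0' is an
illustrative assumption (BIP44 layout, 144 = SLIP-0044 coin type for XRP).
"""
import hashlib
import hmac
import unicodedata

HARDENED = 0x80000000
# Order of the secp256k1 group; BIP32 child private keys are reduced modulo n.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase (NFKD)."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def master_key(seed: bytes) -> tuple:
    """BIP32 master node: HMAC-SHA512 keyed with the literal string 'Bitcoin seed'.
    Left half is the master private key, right half is the chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def derive_hardened(key: int, chain: bytes, index: int) -> tuple:
    """CKDpriv for a hardened child (index >= 2^31). Hardened derivation needs only
    the parent private key, so no elliptic-curve point arithmetic is required."""
    if index < HARDENED:
        raise ValueError("non-hardened derivation is out of scope for this example")
    data = b"\x00" + key.to_bytes(32, "big") + index.to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    child = (int.from_bytes(digest[:32], "big") + key) % SECP256K1_N
    return child, digest[32:]


def derive_path(seed: bytes, path: str) -> tuple:
    """Walk a hardened-only path such as m/44'/144'/0' from the BIP39 seed."""
    key, chain = master_key(seed)
    for step in path.split("/")[1:]:
        if not step.endswith("'"):
            raise ValueError("this example walks hardened steps only")
        key, chain = derive_hardened(key, chain, int(step[:-1]) | HARDENED)
    return key, chain


if __name__ == "__main__":
    # BIP39 English test vector 1 (12 words); a 24-word phrase works exactly the same way.
    words = "abandon " * 11 + "about"
    seed = mnemonic_to_seed(words, "TREZOR")
    account_key, _ = derive_path(seed, "m/44'/144'/0'")
    print(f"BIP39 seed: {seed.hex()}")
    print(f"m/44'/144'/0' private key: {account_key:064x}")
```

Two consequences follow for the situation described on this page. First, the hardware wallet adds nothing once the words have been typed into a computer: the laptop, or anything watching it, can run exactly this computation. Second, there is nothing to "reset": the keys are a pure function of the words, so the only remedy is to generate a fresh seed on a trusted device and move whatever can still be moved to it.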
Total Amount Lost
Thugluvdoc reports that his wallet contained Ripple, Tron, and Monero, all of which were removed[4]. It also contained ATOM, which was staked and could not be moved until its unbonding period ended[4], and staked AVAX[9].
The total amount lost has been estimated at $6,000 USD. Only the XRP amount, 6,907.995481 XRP[6], is known precisely; the Tron and Monero quantities were not reported.
Immediate Reactions
Thugluvdoc reports discovering the loss during one of his regular checks of his wallets, after the funds had already been removed[4].
Contact With "Xrp Ledger"
Thugluvdoc reports that his initial reaction was to attempt to reach out to "xrp ledger"[4]. It is unclear if "xrp ledger" is the name of a subreddit, the official Ledger wallet support, or may have been a scam account.
Assistance With Avalanche Funds
Thugluvdoc asked the Avalanche subreddit how to make sure his AVAX would be sent to another wallet immediately upon the staking period ending, offering payment in crypto for help[9].
Ultimate Outcome
Potential Assistance From Amanusk
A Reddit commenter (cryptoskillz) suggested[14]: "There was a similar incident in /cc. Someone got hacked too and a guy helped him to write some kind of a script which executed a withdrawal as soon as the staking period was over. He managed to save a big portion of his assets, however not everything. Maybe you can look that post up and ask the same guy if he can help you. I think he said that it was the second time he was able to help someone with a similar case. I bet he will help you out."
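The race the commenter describes has a simple shape: the thief holds the same key, so whoever gets a valid transaction accepted first after the unbonding period ends keeps the funds. The following is an added example written for this page (it is not the script from the thread, nor the bot Thugluvdoc paid for) showing a minimal sweeper of that kind run against a simulated chain so that it works offline. The ChainClient interface, the SimulatedChain, the block numbers and the balances are all constructed for illustration; a real implementation would wrap the chain's RPC client and sign with the wallet key.

```python
"""Racing the thief for staked funds that unlock later.

Added example, not code from the case study: a minimal sweeper loop exercised
against a constructed SimulatedChain. ChainClient is an assumed interface; a real
version would wrap the chain's RPC and signing. It demonstrates that polling
granularity decides the race when the attacker holds the same key.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional, Protocol


class ChainClient(Protocol):
    """Assumed interface for illustration only."""
    def height(self) -> int: ...
    def spendable_balance(self, address: str) -> int: ...
    def broadcast_send(self, sender: str, recipient: str, amount: int, fee: int) -> bool: ...


@dataclass
class Outcome:
    status: str          # "swept", "lost" or "timeout"
    amount: int = 0
    polls: int = 0


def sweep_when_unlocked(chain: ChainClient, victim: str, safe: str, fee: int,
                        unlock_height: int, deadline: int,
                        wait: Callable[[int], None], poll_interval: int = 1) -> Outcome:
    """Poll until the unbonded funds are spendable, then move them to `safe`.

    Returns "lost" when the balance is zero after the known unlock height: the
    funds became spendable and someone else (the thief, same key) moved them first.
    """
    polls = 0
    while chain.height() <= deadline:
        polls += 1
        balance = chain.spendable_balance(victim)
        if balance > fee:
            # Everything in one transaction; a partial sweep leaves the rest to the thief.
            if chain.broadcast_send(victim, safe, balance - fee, fee):
                return Outcome("swept", balance - fee, polls)
        elif chain.height() >= unlock_height:
            return Outcome("lost", 0, polls)
        wait(poll_interval)
    return Outcome("timeout", 0, polls)


@dataclass
class SimulatedChain:
    """Constructed stand-in for a node: `staked` tokens become spendable at
    `unlock_height`; if `attacker_height` is set, the thief's sweep lands in that
    block, ahead of any poll made in the same block."""
    unlock_height: int
    staked: int
    attacker_height: Optional[int] = None
    _height: int = 0
    balances: dict = field(default_factory=dict)

    def height(self) -> int:
        return self._height

    def advance(self, blocks: int = 1) -> None:
        for _ in range(blocks):
            self._height += 1
            if self._height == self.unlock_height:
                self.balances["victim"] = self.balances.get("victim", 0) + self.staked
            if self._height == self.attacker_height:
                self.balances["thief"] = self.balances.get("thief", 0) + self.balances.get("victim", 0)
                self.balances["victim"] = 0

    def spendable_balance(self, address: str) -> int:
        return self.balances.get(address, 0)

    def broadcast_send(self, sender: str, recipient: str, amount: int, fee: int) -> bool:
        if self.balances.get(sender, 0) < amount + fee:
            return False
        self.balances[sender] -= amount + fee
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        return True


def run_race(unlock_height: int, attacker_height: Optional[int], poll_interval: int) -> Outcome:
    """Drive one simulated race; `advance` stands in for sleeping between polls."""
    chain = SimulatedChain(unlock_height=unlock_height, staked=1_000_000,
                           attacker_height=attacker_height)
    return sweep_when_unlocked(chain, "victim", "safe", fee=1_000,
                               unlock_height=unlock_height, deadline=unlock_height + 50,
                               wait=chain.advance, poll_interval=poll_interval)


if __name__ == "__main__":
    print(run_race(10, None, 1))   # no competition: swept
    print(run_race(10, 10, 1))     # thief's tx lands in the unlock block: lost
    print(run_race(10, 12, 5))     # coarse polling still hits the unlock block: swept
    print(run_race(11, 12, 5))     # coarse polling misses the window: lost
```

The last two runs are the practical lesson: the sweeper only wins if it is already polling at the block in which the funds unlock, so the unbonding completion time must be read from the chain in advance and the loop tightened around it, with the destination address and fee fixed beforehand so that nothing is left to decide once the balance appears.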
Theft Loss Is Not Taxable
Thugluvdoc asked on the Tax subreddit whether the stolen cryptocurrency was tax deductible and was told that it is not[10].
Total Amount Recovered
Thugluvdoc later reported recovering his Cosmos (ATOM) by paying $7,500 for a bot that moved the funds as soon as the unbonding period ended. He stated that the XRP, Tron, and Monero will never be recovered; the outcome for his staked Avalanche was not reported.
Ongoing Developments
Whether Thugluvdoc's staked Avalanche was moved to safety before the attacker could take it has not been reported.
Individual Prevention Policies
It is absolutely critical to use official sources when purchasing hardware wallets. Seed phrases should never be entered on a computer when using a hardware wallet. When transferring to a new wallet, risk can be reduced by first setting up a new wallet with a smaller balance instead of transferring all funds at once.
Private keys can be obtained through seed phrases, mnemonics, private key files, mobile synchronization screens, wallet export features, wallet backups, and so on. Never send these to anyone you do not intend to allow to take all of your money. Attackers will use a wide variety of tactics to convince you, such as pretending to be your wallet software, pretending they work for the wallet software, or asking you to screen share. Don't fall for them.
Any time untrusted software is being run is an opportunity for abuse. It is recommended to always interact with cryptocurrency in a fully controlled environment, which is an environment where you have understanding of every piece of software running there. Using a hardware wallet, spare computer with all software wiped, and/or virtual machine with only the needed software greatly reduces your attack surface. Take the time to verify downloaded files come from the correct and expected source and match available hashes if provided. Any time you encounter a new file, always check if it can contain executable code prior to using it.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Thugluvdoc - "All coins unstaked are gone. Only the staked coins (cosmos and avalanche) are left. Cosmos has been undelegated by the hacker, and I have a few weeks before I can pull them. Hopefully faster than them." - Reddit (Jun 1, 2023)
2. Thugluvdoc - "Phantom wallet not showing my coins. Did I get hacked?" - Solana Reddit (Jun 1, 2023)
3. Thugluvdoc - "HACKED and actively draining coins. HOW CAN I STOP THIS" - Ledger Wallet Reddit (Jun 1, 2023)
4. Thugluvdoc - "I did not go to any website. I restored it on my actual laptop. I check all of my wallets religiously every 3-4 days. I just checked today, and all of my XRP, TRON, and Monero was removed. My atom is being undelegated and i assume they want to move that off. Can I stop this in any way? Reset my keys? Or something? I did reach out to xrp ledger for help since atom wasn't staking rewards. I am so crushed rn" - Reddit (May 29, 2023)
5. Thugluvdoc - "I did type it in to restore my old wallet" - Reddit (Jun 1, 2023)
6. Theft Transaction Stealing 6,907.995481 XRP From Thugluvdoc - XrpScan (Jun 1, 2023)
7. Thugluvdoc - "My XRP was transferred off my nano ledger somehow" - Ripple Reddit (May 29, 2023)
8. Thugluvdoc - "Nano ledger hacked, everything drained. Now they’re undelegating my Cosmos and I need to stop them from stealing it after that’s done undelegating. Help please" - Reddit (Jun 1, 2023)
9. Thugluvdoc - "Ledger hacked, avalanche is staked. How can I stop them from draining my avalanche once staking period is finished?" - Avax Reddit (Jun 1, 2023)
10. Thugluvdoc - "I had a large sum of money in cryptocurrency cyber-robbed from me. Is this tax deductible?" - Reddit (Jun 1, 2023)
11. Attacker's XRP Address - XrpScan (Jun 1, 2023)
12. Thugluvdoc's XRP Wallet Address - XrpScan (Jun 1, 2023)
13. XRP price today, XRP live marketcap, chart, and info - CoinMarketCap (Aug 7, 2021)
14. cryptoskillz - "There was a similiar incident in /cc. Someone got hacked to and a guy helped him to write some kind of a script which executed a withdrawal as soon as the staking period was over. He managed to save a big portion of his assets, however not everything. Maybe you can look that post up and ask the same guy if he can help you. I think he said that it was the second time he was able to help someone with a similiar case. I bet he will help you out." - Reddit (Jun 25, 2023)
15. Thugluvdoc - "But do the thieves get taxed when they self report?" - Reddit (Jun 25, 2023)