Would love to know why this happened.
Discussion
Turns out he downloaded a scam wallet (sparrow mobile) while trying to set up a "watch only" wallet. It asked for the wallet descriptor which is essentially everything a new wallet needs to spend UTXOs from the old wallet. So it was not a "watch only" wallet at all.
A fairly advanced scam which relies on:
1) The user not knowing there is no Sparrow mobile wallet
2) The user not knowing what wallet descriptors are
Always verify your downloads. In this case the user could have noticed the scam by not finding the mobile release on Craig Raw's trusted release listings while trying to verify with PGP.
Great insight, and yet another reason to not trust, but always verify.
Scammers are crafty.
He claimed the seedphrase was never hot but a spendable wallet descriptor has to be derived from the BIP39 seed phrase. So he lied, he needs to have entered it somewhere.
What’s a wallet descriptor? What’s in it?
Wallet descriptors help with importing/exporting wallets. They basically tell the new wallet where the funds are and how to spend them. It's not trivial to figure out the addresses and derivation paths used by the old wallet when "migrating" to a new wallet, so descriptors help with that process.
The crafty part of the scam here was getting the victim to "reveal" the seed indirectly by asking for the wallet descriptor (machine readable instructions for the new wallet to spend the victim's funds).
Here's a bitcoin stackexchange thread about descriptors:
https://bitcoin.stackexchange.com/questions/99540/what-are-output-descriptors
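An added example, not part of the original thread: a descriptor can carry extended public keys (xpub, enough to watch) or private keys (xprv or WIF, enough to sign), and this check reports which kind a descriptor string contains before it is pasted into any app. The function name and the key strings are constructed placeholders, and prefix matching stands in for full Base58Check decoding (an assumption).

```python
import re

B58 = "1-9A-HJ-NP-Za-km-z"  # Base58 alphabet as a regex character range
# Extended keys: xpub/xprv (mainnet), tpub/tprv (testnet), plus SLIP-132 variants.
EXT_KEY = re.compile(rf"\b([xyztuvYZUV]p(?:ub|rv))[{B58}]{{70,}}")
# WIF-encoded single private keys (mainnet 5/K/L, testnet 9/c).
WIF_KEY = re.compile(rf"\b[5KL9c][{B58}]{{50,51}}\b")


def audit_descriptor(descriptor: str) -> dict:
    """Report whether a descriptor string contains private key material."""
    body = descriptor.strip().split("#", 1)[0]  # drop the optional checksum
    script = re.match(r"[a-z]+", body)          # outer function: wpkh, wsh, tr, ...
    found = [("private" if m.group(1).endswith("rv") else "public", m.group(1))
             for m in EXT_KEY.finditer(body)]
    found += [("private", "WIF") for _ in WIF_KEY.finditer(body)]
    private = sum(1 for kind, _ in found if kind == "private")
    if not found:
        verdict = "no-keys-recognised"
    elif private:
        # Even one private key in a multisig descriptor hands over a signer.
        verdict = "contains-private-keys"
    else:
        # Public-only still reveals every address and balance, but cannot sign.
        verdict = "public-only"
    return {
        "script": script.group(0) if script else None,
        "private_keys": private,
        "public_keys": len(found) - private,
        "verdict": verdict,
    }


# Constructed sample descriptors; the key bodies are filler, not real keys.
FAKE = "6" * 107
WATCH_ONLY = f"wpkh([d34db33f/84h/0h/0h]xpub{FAKE}/0/*)#abcdefgh"
SPENDABLE = f"wpkh([d34db33f/84h/0h/0h]xprv{FAKE}/0/*)"
MULTISIG = f"wsh(sortedmulti(2,xpub{FAKE}/0/*,xprv{FAKE}/0/*))"
SINGLE_WIF = "pkh(K" + "y" * 51 + ")"

if __name__ == "__main__":
    for d in (WATCH_ONLY, SPENDABLE, MULTISIG, SINGLE_WIF):
        print(audit_descriptor(d))
```

Anything other than `public-only` means the string can sign transactions and should be handled like the seed itself.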
They're trying this with desktop stores as well. A few days ago, a fake sparrow wallet app was discovered on #flathub. I think other fake crypto apps have been found on snapcraft as well in the past.
#flatpak #snaps #linux #gnulinux #foss #wallet