Your seed is compromised? You're fucked.

Mess up your multisig setup? Fucked.

Get malware on your phone that pastes a bogus address? Fucked.

Buy a phony hardware device? Fucked.

Fall for a scam? Fucked.

We live on a knife's edge on Bitcoin and it's really hard to emphasize how much personal responsibility is required to self custody your life savings. Mistakes happen often and people get careless. Trusted third party custody like fedimints will be paramount for adoption.

Discussion

To my understanding loss of private funds from hacking is really rare. People have mainly lost funds by messing up their backup system by making it overly complicated or not making backups at all.

It literally happened this morning. A guy here woke up to a pending outgoing transaction from his cold storage. Steel plates and all. He can't think of how it happened.

He very luckily was able to replace-by-fee it back to himself, but it was a huge wake up call.

Really? Can you link the OP?

Honestly though, this is like black swan level improbability. If your seeds never touch the internet and you never have one open near a window or say it aloud, it's as secure as you can physically defend it. Most seed phrases kept offline will likely never be compromised.

I'm guessing someone gained unauthorized access to the physical plates themselves.

Either that, or he put his seed phrase in a hot wallet that was hacked. BlueWallet has been doing weird things on people's phones this week like having two icons on the home screen and bypassing Apple Face ID.

I wonder how he cloned the hardware wallets as well. Might have transferred something through an internet-connected device which was compromised? But yeah my guess is he either entered the seed to a "read only" wallet like you said, or someone read the plates at his house. Maybe even his kids or someone close to the family.

It was an imposter mobile version of Sparrow. All I did was try to set it up as a watch-only by sharing my wallet descriptor and somehow that was enough for someone to broadcast a transaction. But the transaction couldn’t fully fly because it was not signed by my actual device for some reason. At one point I got down to ten minutes to confirmation showing for the unauthorized TX, but the ten minutes came and went and the unauthorized TX didn’t get added to a block. If I had been using a software wallet instead of a fully air gapped security model, it would have been a different story. Talk about a lesson in online security. On the bright side, I inadvertently got to learn how RBF works in Sparrow, and now get to double down on security by severely minimizing my attack surface by staying away from mobile apps and, by the end of the week, even having Sparrow on a segregated server on StartOS. I am hoping all of these lessons will one day allow me to assist others in their journey and help them confidently start their Bitcoin journey with confidence. I have a fairly technical background and was able to navigate this with a couple of Google searches, but I really wonder about mass adoption of safe self custody being within reach for people that haven’t put in the work. It’s just funny that I was just reaching the threshold for what I am willing to protect with a single seed when this all went down. I had already begun a second stack elsewhere with plans to keep my assets that exist in a single place sub 15M sats. After this incident I am thinking about backing that off to no more than 7M in a single location. This whole thing still has the hair standing on the back of my neck. I wish there were some way to trace the unauthorized address to a physical person.

Thanks for the follow-up. I've never seen that scam before personally. Another tip: Always verify your downloads with PGP. If you already have Sparrow on desktop (the only legit Sparrow wallet) then you know the trusted place where to get Craig Raw's PGP keys. All wallet releases are listed there. If it's not there, it's a scam.

Wallet descriptors are used to import/export wallets by telling the new wallet how to spend from the old wallet, so that's exactly what a scammer would need to spend your UTXOs. The scam is telling the user you are setting up a "read only" wallet.
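An added example, not part of the thread: a check to run on a descriptor before pasting it into any app, reporting whether the extended keys it embeds are public or private according to their BIP32/SLIP-132 version bytes. The function names and the two sample descriptors are constructed for illustration; the keys are the public BIP32 test vector 1 master keys, and the base58 checksum is not verified here.

```python
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# BIP32 / SLIP-132 version bytes -> (label, can_sign)
VERSIONS = {
    "0488b21e": ("xpub", False), "0488ade4": ("xprv", True),
    "043587cf": ("tpub", False), "04358394": ("tprv", True),
    "049d7cb2": ("ypub", False), "049d7878": ("yprv", True),
    "04b24746": ("zpub", False), "04b2430c": ("zprv", True),
}

# Constructed sample input: BIP32 test vector 1 master keys (publicly known).
XPUB = ("xpub661MyMwAqRbcFtXgS5sYJABqqG9YLmC4Q1Rdap9gSE8NqtwybGhePY2gZ29ESFjq"
        "JoCu1Rupje8YtGqsefD265TMg7usUDFdp6W1EGMcet8")
XPRV = ("xprv9s21ZrQH143K3QTDL4LXw2F7HEK3wJUD2nW2nRk4stbPy6cq3jPPqjiChkVvvNKm"
        "PGJxWUtg6LnF5kejMRNNU3TGtRBeJgk33yuGBxrMPHi")
WATCH_ONLY = f"wpkh([d34db33f/84h/0h/0h]{XPUB}/0/*)"
SPENDABLE = f"wpkh({XPRV}/84h/0h/0h/0/*)"


def classify_key(key):
    """Base58-decode an extended key; return (label, can_sign) or None."""
    n = 0
    for ch in key:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 82:  # 78-byte serialized key + 4-byte checksum
        return None
    return VERSIONS.get(raw[:4].hex())


def audit_descriptor(desc):
    """List the extended keys in a descriptor and flag any private ones."""
    keys = []
    # Extended keys are the only long base58 runs in a descriptor string.
    for candidate in re.findall(r"[1-9A-HJ-NP-Za-km-z]{100,}", desc):
        kind = classify_key(candidate)
        if kind is not None:
            keys.append(kind)
    return {"keys": keys,
            "contains_private_keys": any(can_sign for _, can_sign in keys)}


if __name__ == "__main__":
    for name, desc in (("watch-only", WATCH_ONLY), ("spendable", SPENDABLE)):
        print(name, audit_descriptor(desc))
```
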

I got lazy with this

No worries, I'm glad you figured it out and didn't even lose any funds in the end. That's as close as it can get!

Yeah aside from some minor fees and $30 for a new set of plates, it worked out so much better than it could have. It was very interesting that despite the estimated TX confirmation time approaching and passing, the unauthorized transaction would not get added to a block. I am assuming that must be due to the air gapped nature of my signing device.

Despite being on solid ground now with a new seed for the Cold Cards, I’ve still looked at the balances like 47 times today lol. And finally got smart and divvied up assets across a couple other devices. I was due to do that this week anyway, but of course this incident occurred when everything was in one spot. Never again will I have my ass hanging out like this again.

I believe you got very lucky the tx wasn't added to a block. I don't think you could have even replaced an invalid transaction. The confirmation times are just estimates. You got really close to losing the funds. If the scammer would have set a higher fee rate, your funds would most probably be gone.