Early this morning I woke up and noticed on my watch-only wallet in BlueWallet and Sparrow desktop that someone has initiated an unauthorized transfer of all of my UTXOs to a BTC address that is not mine. It has not confirmed yet. It is showing as a low priority transaction that is set to clear in about 3 hours. I am unable to enter a higher priority transaction to drain my wallet before this unauthorized transaction does, because Sparrow says I have an insufficient balance.

Doesn't this unauthorized transaction always need my signing device in order to finalize the transaction?

Any ideas what I should do? Thanks

Discussion

Dude, that's awful.

So is sparrow not allowing a new transaction because the previous transaction is still pending? Or because you don't have enough to pay a higher fee?

When I try to make an overriding transaction in Sparrow it tells me I don't have sufficient funds when I enter the Sat amount of the competing transaction.

That's even if you choose a lower amount to send?

Yes

https://github.com/sparrowwallet/sparrow/issues/530

I wonder if this operation via RBF is still available in sparrow.
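The "insufficient funds" behaviour in the exchange above and the question of whether an RBF override is possible both come down to the BIP125 replacement rules: a replacement has to spend at least one of the same inputs, the original has to signal replaceability, and the replacement has to pay the original's absolute fee plus relay cost for its own size at a strictly higher feerate. Sending the same amount as the original while paying more fee therefore exceeds the inputs. The Python below is an added worked example written for this page; it is not code from Sparrow, BlueWallet, Nunchuk or any other project mentioned. The transaction sizes and values are constructed (the 25 sat/vB feerate is borrowed from a comment later in the thread), and it assumes relaying nodes run Bitcoin Core's default incrementalrelayfee of 1 sat/vB. Rules 2 and 5 of BIP125 (no new unconfirmed inputs, at most 100 evictions) are not modelled.

```python
"""
BIP125 replace-by-fee policy check (simplified) with constructed sample data.
"""
import math
from dataclasses import dataclass

# Any input with nSequence <= 0xfffffffd signals BIP125 replaceability.
MAX_BIP125_SEQUENCE = 0xFFFFFFFF - 2

# Assumption: nodes run Bitcoin Core's default incrementalrelayfee, 1 sat/vB.
INCREMENTAL_RELAY_FEERATE = 1.0


@dataclass
class Tx:
    inputs: list          # (txid, vout) outpoints spent
    sequences: list       # nSequence per input
    input_value: int      # total sats consumed
    output_value: int     # total sats sent (destination + change)
    vsize: int            # virtual size in vB

    @property
    def fee(self) -> int:
        return self.input_value - self.output_value

    @property
    def feerate(self) -> float:
        return self.fee / self.vsize

    def signals_rbf(self) -> bool:
        return any(seq <= MAX_BIP125_SEQUENCE for seq in self.sequences)


def min_replacement_fee(original: Tx, replacement_vsize: int,
                        incremental: float = INCREMENTAL_RELAY_FEERATE) -> int:
    """Smallest absolute fee a replacement of `replacement_vsize` vB must pay:
    BIP125 rule 4 (original fee + incremental relay fee for the new bytes)
    and Core's requirement that the feerate be strictly higher."""
    rule4 = original.fee + math.ceil(incremental * replacement_vsize)
    feerate_floor = math.floor(original.feerate * replacement_vsize) + 1
    return max(rule4, feerate_floor)


def max_sendable(original: Tx, replacement_vsize: int) -> int:
    """Largest total output a replacement spending the same inputs can carry.
    Anything above this is what a wallet reports as insufficient funds."""
    return original.input_value - min_replacement_fee(original, replacement_vsize)


def check_replacement(original: Tx, replacement: Tx,
                      incremental: float = INCREMENTAL_RELAY_FEERATE) -> list:
    """Return a list of policy violations; an empty list means relayable."""
    problems = []
    if not original.signals_rbf():
        problems.append("original does not signal replaceability")
    if not set(original.inputs) & set(replacement.inputs):
        problems.append("replacement spends none of the original's inputs")
    required = original.fee + math.ceil(incremental * replacement.vsize)
    if replacement.fee < required:
        problems.append(f"absolute fee {replacement.fee} < required {required}")
    if replacement.feerate <= original.feerate:
        problems.append("feerate is not higher than the original's")
    return problems


# Constructed sample: the unwanted transaction drains two inputs at 25 sat/vB.
OUTPOINTS = [("aa" * 32, 0), ("bb" * 32, 1)]
ATTACKER = Tx(OUTPOINTS, [0xFFFFFFFD, 0xFFFFFFFD], 2_500_000, 2_494_775, 209)

# Naive override: same send amount as the attacker, so no room for more fee.
NAIVE = Tx(OUTPOINTS, [0xFFFFFFFD, 0xFFFFFFFD], 2_500_000, 2_494_775, 209)

# Rescue: same inputs, output reduced to make room for the required fee.
RESCUE = Tx(OUTPOINTS, [0xFFFFFFFD, 0xFFFFFFFD], 2_500_000,
            max_sendable(ATTACKER, 209), 209)

if __name__ == "__main__":
    print("attacker fee:", ATTACKER.fee, "sats at", ATTACKER.feerate, "sat/vB")
    print("min replacement fee:", min_replacement_fee(ATTACKER, 209))
    print("max sendable in replacement:", max_sendable(ATTACKER, 209))
    print("naive override problems:", check_replacement(ATTACKER, NAIVE))
    print("rescue problems:", check_replacement(ATTACKER, RESCUE))
```

The rescue transaction must also be signed by the same keys that control the inputs, so the check is only the mempool-policy side of the procedure; whatever device holds the keys still has to produce the signatures.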

The weird thing is, when I look at the transaction in Nunchuk it is showing that it was signed. How is that even possible if I need to sign it with an air gapped wallet like my Cold Card, including writing the transaction to my miniSD and signing it with the physical device?

If you succeed in moving your coins, definitely send them to a new wallet, not to an address generated by your current one.

Check if FaceID / TouchID is working on your phone or Mac. I recently discovered BlueWallet is skipping both to unlock…

I had an instance this week where Blue bypassed the FaceID.

FaceID is not safe, bluewallet says itself. You're lucky this hacker was stupid enough to put a 25 sats/vB fee.

Here is the TXID:

87be9389913a86ed6e1e43e57755ac545a07b51dde940a6dd6e7d654cd39bb03

I see this transaction has been replaced, you all sorted?

I think you could boot up your keys in Blockstream green wallet and RBF it

Did the replace by fee work? I See the transaction is confirmed now.

https://mempool.space/tx/ba928440f7a4b4a004199ca60001831cccd8ce0363ae0eef99dd50ab23d171fa

Yes it worked. Thanks all you insomniac and time zone forward fuckers

Did you send to a new securely generated seed? You could be in the same situation when the attacker wakes up and tries again.

Please refer to my questions on the original post. I’m really hoping I don’t have to brick my two new cold cards and abandon all of their addresses. The whole reason I switched was because Ledger was fucking around with Ledger Recover. Another $50 CAD in tuition for fees to fix this. Jesus Christ my heart can’t take this. Is this a protectable asset or not? WTF are Grayscale and Microstrategy doing to avoid this bullshit? Maybe not interacting on social media including Nostr.

Don't worry about your coldcards. You can reset them and generate new seeds on them. Just make sure you don't need the old keys before you do that.

Cool thanks. But holy fuck what a wake-up call. Seeing an unauthorized TX for your entire stack is heart stopping shit. After hyping everyone I know on this asset, I’m going to look like a real schmoe if I get wrecked. I’d feel a lot better if I had some remote idea of how someone signed a transaction on my behalf when I have absolute physical control over all of the hardware and backups. And it is interesting that the unauthorized TX passed the 10 minute ETA for confirmation and still didn’t finalize.

I’m pissed that I have to throw away my steel backups. They weren’t cheap. Next copy is getting scrawled on the wall of my cave lol

I totally feel you dude. I saw the amount and was praying you could make it in time. I have no idea how this guy signed this transaction.

Good thing I have a SIM pin on my phone too now.

Have your cold cards been plugged in to your computer?

When you say phrases like "abandon all of their addresses" it doesn't give confidence that you understand how things work. Addresses are infinite. Your focus should be on seeds, and how careless you've been with them.

Read the econoalchemist guide for creating a coldcard wallet.

You should abandon every seed you have created at this point. Generate a new seed properly from that guide with a fresh FW on your cold card.

Absolutely immaculate on the storage of seeds.

Thx for the clarification on addresses. New seeds are now in place.

Very adept usage of the explorer cabron

OK so I did a replace by fee TX for the whole balance to an alternate wallet. It is confirming on the chain as we speak. The unauthorized TX hung indefinitely while this new rescue TX is clicking along. I will keep you all posted. A couple questions for discussion and education of the community:

1) are my two cloned cold cards and the addresses associated with them now garbage?

2) what was the attack vector? The only operations I have performed in the last 7 days was to set up watch only wallets on a couple of mobile apps.

3) can the process of setting up watch-only wallets on other apps compromise your keys to the point where transactions will show as “signed” as my hung, unauthorized TX did in BlueWallet and Nunchuk?

4) Who’s the cunt that wrecked my morning and what is your physical address? I know you are at

bc1qlfqvh9hla5sa64yfn9jsch54fqf09g52ja8t4r

Fuck you.

Ha… so the high fees environment gave you enough time to react and recover your funds…. Food for thought…

Is your seed compromised?

What was your process when migrating from ledger to cold card? Did you create a new seed?

I see you had difficulties with cloning a cold card, lots of potential places you could be screwing up.

If you didn't send this TX I would consider yourself compromised and replace all electronics.

No shared seeds. And never entered seeds into any other app to set up watch-only. Is this a defensible asset or not? Because I’ve been immaculate in my digital and physical security other than talking to people on Nostr.

Yeah the cloning thing was easy to remedy. Just firmware upgrade on both cold cards and it went off without a hitch.

Do you think all of the addresses on my Cold Cards are now unusable? It’s funny the gains on this cycle are being eaten by emergency TX fees and hardware purchases.

Thanks for your input. 🤙🏽

Haha fuck you hacker.

OK so final rundown. Cold Card is the shit. No signing device and I’ve been air gapped since day 1, so despite the unauthorized TX showing “signed”, it would not progress to completion. Did a Replace With Fee to override the unauthorized TX and send sats to a temp address. Renewed my HW wallet seed to re-establish it is good. Looks like I am in the clear. Unless there is something fundamentally wrong with Cold Card’s security model, or with Sparrow desktop.

Cost: my seed plates and $50 in TX fees.

Fuck you hacker.

Hi MJ, I am Johan Liebert, a kid's rights student. About your issue, did you have a passphrase that was never in any device connected with the network?

Never

I was expecting some "nice to meet you Johan" but we can skip it I guess. So MJ, let's see... was your passphrase very simple or was it complex? If it was very simple someone could hack it; if it was medium simple someone that knows you very well could guess it; and finally, if it was complex you are lying about something previous.

Ask me how nervous I was moving my entire stack twice in three hours to counteract an unauthorized TX of all of my UTXOs by a drainer exploit. Still don’t know where my security broke down but I suspect it was BlueWallet mobile. It was behaving strangely and opening without FaceID etc. Deleted. Sparrow desktop only now.

Watch out for Blue Wallet for a while. Read this wake-up call of a thread from someone who woke up to an unauthorized transaction out of his wallet this morning. I don't know how he was compromised, but review your self custody setup and make sure you're good. #bitcoin #hack #security #cybersecurity

It's a miracle he recovered his funds via RBF.

nostr:nevent1qqsdzs73jugthyz8qevazhvqx93ehqnslne7f2qvztcqhdzk4sh3zucpr3mhxue69uhkummnw3ezucnfw33k76twv4ezuum0vd5kzmqzyrw9tqja88ecy0zv2lzjx57amz3zhzqks39gxqeft9qv5rkctwl2zqcyqqqqqqgpq8fhd

Pretty wild ride. Was the Blue Wallet in watch only on the phone the vulnerability? Crazy.

This should not have been possible. Blue Wallet never had his keys and if he never put them online a tx should never have been able to have been signed. Something is missing.

All I have to say is thank God for air gapped Cold Cards, since the lack of physical connectivity is likely what made the unauthorized transaction hang and not get added to a block. And thank God for Sparrow desktop and its RBF functionality. I’m still kind of bummed that for the time being, I have zero confidence in mobile watch-only wallet functions, because I kind of liked the idea of being able to initiate transactions from desktop OR mobile depending on the situation. Like if I can’t get home to my PC or if my PC packs it in. But it is clear from my story and others’ that the people in charge of the Apple App Store don’t exercise due diligence in ensuring that apps or app updates are legitimate and originating from the software author, or not just outright malicious. I’m switching everything over to Start 9 on a mini PC this week and skipping any mobile interaction with digital assets for a while. Thanks Jay for your input.

Just read this thread and holy sh!t... Glad your corn is safe though 🫂

You probably nuked your account already but if you didn't, it would be great for the community if you could answer some questions now that the worst has been prevented.

1. You said you never entered your seed into an internet connected device. Did you enter the seed into Blue Wallet or Nunchuk when you tried to create a "read only" wallet?

2. Is it possible a guest or even a family member has read the metal plates at your house?

3. Did you have the same seed on the ledger devices and the coldcards?

4. Did you pass any files or notes through an internet connected device when you cloned your ColdCards?

Things like this don't generally happen. Therefore it would put a lot of minds at ease to be able to narrow down the possibilities how this could have happened. Especially because it seems you did a lot of things "right".

I understand the urge to disappear from all social media right now. And it really isn't a good idea to post pictures of your living room and family members while trying to secure a considerable amount of bearer assets like bitcoin. But I would say right now it'd be prudent to try figuring out exactly where the problem was/is by giving more details.

two other explanations: seed in front of a camera or speaking sensitive information while typing.