About 12,500 ADA,were stolen from two separate wallets, while a third wallet was untouched. All three were recently connected to the browser (URL) version of Eternl, and the only potentially unsafe thing I did was clicking the “Connect Dapp Browser” button on Eternl. Can someone help me to look into the addresses my tokens got sent to (see below)? I was able to see some of the recent transactions of those addresses but nothing more. But I want to at least know if these addresses are known to be used for stealing assets.
I have other tokens in the wallets as well but they were not touched.
Thanks in advance.
For wallet #1 (15 phrases), my ada was sent to:
Block #: 9045281
For wallet #2 (24 phrases), my ada was sent to:
Block #: 9045287
Any instances people getting their ada back after being stolen?
A few days ago, my Chrome browser started crashing while I couldn’t fix it after multiple attempts, and I therefore switched to Firefox, which I tried to install the browser extension for eternl. I used the recovery phrases for the two wallets I lost my ADA on, while the wallets were never restored. I thought they were poor design for the Firefox version of the extension, but now I realized I must have added a compromised version and therefore compromised my wallets.
@Oyster_Pool-OYSTR@Zyroxa Please forgive a perhaps-naive question (I’ve only looked at hardware wallet standards & code libraries a bit; I’ve never owned or used one)…
What’s to stop a fake, malicious browser extension from using the same hardware wallet access primitives that the real extension uses, and therefore compromise the hardware wallet users in exactly the same way as the software-only wallet users?
Of course there is still a risk, if the user isnt aware of how a hardware wallet works. But with a hardware wallet you wouldnt have to enter your seedphrase anywhere, expect in your device.
Hardware wallets arent 100% secure, as there is always a user behind the device which may is uneducated or just not aware and got tricked. But you definitly have less attack surfaces than with a software wallet.
The private key is signed inside the hardware device and outside just see encryption of the transaction. So if someone control the fake extension then they must decrypt the content of transaction to take the private key.
But the risk, you must believe HW creator.
That’s not correct. The transaction is not encrypted and the private key is not inside the “encrypted” transaction.
Signing a transaction means signing the hash of the transaction body with the signing key, and the result is a witness, which can be verified (verify that the signing key signed the transaction body hash) using the verification key.
That’s actually the simple answer I was looking for. I know how these devices work but it’s easy for me to miss this part of the user experience… it provides a level of confirmation for the transaction that exists outside of the on-chain activity and computer-based UI. To get scammed or robbed you’d first have to explicitly confirm the loss of funds on the hardware device.
Although it wouldn’t be useful in my own workflow I do see how it would help a great deal with scammers or hackers. An alternative would be to use something else deliberately that creates a different user environment which is only used for the occasional crypto transaction. I am still hoping for more feedback about this platform other than the expected “It’s too hard to set up such a thing, so everybody should just buy a hardware wallet.”