Ada Stolen from Yoroi wallet… help

That’s not possible. The pools do not get any access to the funds directly.

I would also really like to find out. As you already saw, there are some people to whom that happened.

And it really sounds like you did everything correctly going through the official website, writing down the seed only on paper etc.

Someone must have got access either to the seed phrase or to the storage of the iPhone app or the Edge plugin and the spending password. (The spending password is not needed if the whole seed is known. It is only used to encrypt the local storage of the secret in the app/plugin.)

And their method must also scale somehow. It seems pretty unlikely that they target individual people and put a lot of effort into hacking their individual devices.

You have to be really careful when dealing with cryptos. My suspicion is the Edge Yoroi extension you used was bogus. Avoid 3rd party apps like browser extensions, even if they look official, if you can download the actual app instead. Try also using another browser or even another operating system like Linux for more security. Perhaps you can post a link to the Edge Yoroi extension so people can investigate further?

While I share the “better be extra careful” sentiment, Yoroi is one of the two “official” clients and its desktop variants are only available as browser plugins, not as “actual apps”.

The link to the Edge plugin is directly on: https://yoroi-wallet.com/

Only alternative on desktop would be Daedalus taking 30 GB of disk space and a full day for first startup. …

2 Likes

But that is what makes it hackable. If you click on the download link for Edge you will find that Edge Add-ons is still in the Beta stage and I won’t trust anything with beta, particularly with crypto. The problem I think is not with Yoroi but with Edge and perhaps Yoroi should implement a dedicated app.
As you suggested, Daedalus is probably the way to go.

EDIT: If you click on the Firefox download, Mozilla adds a proper warning. This just confirms the vulnerability of extensions.

Hi @faretheewell I assumed using something from official Yoroi website would be secure as they should be trying to protect us. Unfortunately I’m not a computer expert and try my best to keep my laptop secure but after this I realise it may not be as secure as I thought although it’s a brand new laptop and has all the antivirus and everything set up.

I’ve read other posts and some people have had Ada stolen from Yoroi wallet and not stored seed online or on phones etc. Surely something should be done by Yoroi or Cardano to ensure our Ada is safe. It seems as though after taking the decision to stake I decided to move it to Yoroi and within days it was stolen.

By any chance, @faretheewell @HeptaSean: I have the crypto exchange apps on my phone. Is it possible that my Apple iPhone could be infected with something and my crypto stolen from exchanges?

Although I will be moving whatever I have staked from exchanges to my Ledger, possibly just selling everything and not investing in crypto, as people are literally stealing other people’s hard-earned money with no consequences.

It’s very unfortunate this happened :confused: Unfortunately, there are so many different attack vectors with all devices and wallet types, be it software, cold, and hardware… some just tend to be more secure.

Sometimes it’s really hard to figure out what happened.

Crypto is still in its infancy stage and the responsibility at this moment is mainly on the wallet owner to be very well informed about security risks and to try to mitigate those using best practices. At this stage, it is very easy to lose everything if not super careful. I know this is not of any help to you now… :confused:

1 Like

I have had this same thing happen to me from my Yoroi wallet on 12/23.

I’m sorry to hear it. It’s so heartbreaking to suddenly see your wallet empty. I guess storing on the ledger is the best way and moving to an exchange only to convert or sell it. I don’t think I would be staking anymore myself. It just seems too much hassle and too much money lost for an investment that is meant to make you money.

Just have to be even more careful now.

If you mean Ledger, the hardware wallet: Yes, that seems to be the best solution.

…, but what does that have to do with staking?

You can, of course, stake while using a hardware wallet. The Ledger only changes where your secrets are kept. You sign that you want to stake with pool X using the Ledger (instead of the secret kept in Yoroi, Daedalus, …). That’s all.

In both cases, the Ada never leave your wallet, the pool operators never get access to them.

1 Like

If you had a weak spending password they could have just bruteforced your wallet if they got ahold of it. I think this is the most likely answer most of the time.

Security just doesn’t stop with your device. It could be a problem with websites getting hijacked. It is possible in your case that the Edge Add-on was hijacked to have a fake Yoroi look-alike add-on itself. You download it and your antivirus and security setup won’t notice anything malicious. That is why I proposed earlier for Yoroi to have a proper download site for desktop where authenticity can be tested by functions like MD5sum or even something stronger, before installation.

I like things to be secure, not just with crypto, so I use Linux and run regular rootkits, test that all unused ports are closed, etc… I also have a dedicated browser (Firefox) where I set the settings to delete all cache and cookies on close and that’s what I use for sensitive web browsing.

Regarding staking, staking doesn’t have anything to do with your problem. It was checking your stakes with another device that you encountered the problem. Staking is fundamentally safe.

1 Like

There is this screenshot malware floating around and hacking wallets.

I keep ADA in a Ledger - don’t trust these plugins at all, from Ledger I am staking on Yoroi

3 Likes

I had all my ADA in an exchange and was trying to stake it all using Yoroi for the 1st time, and seeing this issue makes me think a thousand times before doing this

1 Like

Yes, keeping it at the exchange might be safer than software wallets in certain aspects. Can’t deny that.

That is, until the exchange gets hacked or otherwise implodes, which might or might not be a realistic scenario.

Judging from the posts in this forum, problems with ADA stolen from software wallets seem to happen much more often than problems with exchanges. Up to now.

Is the MetaMask Chrome extension in the same risk category as any other plug-in?

You have only one ADA wallet you stake with on the ledger?

I’m in the same situation. Nearly 1k ADA staked in Yoroi and stolen on the 22nd of December. The method is very simple… Gmail hack, then take advantage of the Yoroi extension for Chrome because it has no additional security.

Then, following the transactions, you see they resend these ADAs between some wallets to mask their steps… and in the end a wallet with 300k ADAs.

If you look at this wallet’s transactions, with more than 100k ADAs moved every 30 min, you see a clear washing machine working, with automatic trades and a lot of dead wallets with 0 ADAs at the end of every wire you follow… and then back to the same wallet ending in 6fws.

Don’t know if there is any way to report these accounts to the Cardano Devs.

3 Likes

Sorry to hear that, but thanks for letting us know about these vulnerabilities in the Chrome browser.

2 Likes

I’m sad you lost your ADA.

I will try to give some advice and hope it will save someone’s wallet in the future.
Running programs in the web browser is very dangerous imo.
I always thought so since the old days with FLASH that from the day it was born until it died was riddled with endless security vulnerabilities. Then we have JAVA and such and now app after app that run in the browser exposed to all kinds of extensions that have full permissions to do anything.

I don’t know any way to stay safe except not using them at all at the moment.
I recommend having a dedicated computer with a minimal install of programs to keep attack vectors as few as possible for your coins.
Only power on that computer to load a cold wallet to transfer small amounts out to wallets on your less secure daily use devices for use.

I also keep a bunch of honeypot wallets with a minimal amount of currency on my devices, if that currency ever moves I know the device is compromised.

1 Like
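The honeypot-wallet idea from the post above, as an added example that is not part of the thread: Cardano holds funds as unspent transaction outputs (UTxOs), so this check compares a saved baseline of each canary address's UTxOs with a current snapshot and alerts when a baseline output has been spent, even if the balance went up in the meantime. The addresses, transaction ids and snapshot format are constructed placeholders, and fetching snapshots from a node or explorer is assumed and not shown.

```python
"""Canary-wallet check: alert when a UTxO at a honeypot address is spent."""
from typing import Dict, List, NamedTuple, Tuple

UTxO = Tuple[str, int]                   # (transaction id, output index)
Snapshot = Dict[str, Dict[UTxO, int]]    # address -> {utxo: lovelace}


class Alert(NamedTuple):
    address: str
    spent: List[UTxO]        # baseline outputs that no longer exist
    lovelace_moved: int      # 1 ADA = 1,000,000 lovelace


def check_canaries(baseline: Snapshot, current: Snapshot) -> List[Alert]:
    """Return one alert per canary address with a spent baseline UTxO.

    Incoming UTxOs are ignored: anyone can send to an address, but only a
    holder of the signing key can spend from it. An address missing from
    the current snapshot is treated as fully spent (fail closed).
    """
    alerts = []
    for address, known in sorted(baseline.items()):
        now = current.get(address, {})
        spent = sorted(u for u in known if u not in now)
        if spent:
            alerts.append(Alert(address, spent, sum(known[u] for u in spent)))
    return alerts


# Constructed sample data (placeholder addresses and transaction ids).
BASELINE: Snapshot = {
    "addr_canary_laptop": {("tx_aaa", 0): 2_000_000},
    "addr_canary_phone": {("tx_bbb", 1): 2_000_000},
    "addr_canary_browser": {("tx_ccc", 0): 1_500_000},
}
CURRENT: Snapshot = {
    # Untouched: no alert.
    "addr_canary_laptop": {("tx_aaa", 0): 2_000_000},
    # Received a deposit, nothing spent: no alert.
    "addr_canary_phone": {("tx_bbb", 1): 2_000_000, ("tx_ddd", 0): 1_000_000},
    # Original output gone although the balance rose: a check that only
    # compares totals would miss this, the UTxO comparison does not.
    "addr_canary_browser": {("tx_eee", 1): 2_000_000},
}

if __name__ == "__main__":
    for a in check_canaries(BASELINE, CURRENT):
        print(f"ALERT {a.address}: {len(a.spent)} UTxO(s) spent, "
              f"{a.lovelace_moved} lovelace moved")
```
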

The Chrome in which I use Yoroi, I use for nothing else than Yoroi. Means I installed only Yoroi in there and never use this Chrome for any Websites, just for Yoroi. Is this still a vulnerable setup? For someone to access my funds would mean they needed access to all the data on my computer, right?

You are also writing: You used a freshly installed laptop with Antivirus and everything… Is it possible that some software of your “fresh install” is malicious? For example drivers, AntiVirus, …?

Someone also wrote that it might be better to keep funds on the exchange… Aside from better staking options if not on an exchange (meaning you can choose a stake pool e.g. with a mission) I think the risk is quite high and keeping it on the exchange is the worse option, because:

  1. The exchange could get hacked. I think this happened already also with popular exchanges.
  2. With less popular exchanges I heard stories that the owner of the exchange at some point decided to take everything for himself and submerged. A friend of mine told me he lost a lot of crypto because of that.
  3. When using the exchange App, don’t you have the same vulnerability there as when using a direct wallet app?

1 Like