Ada Stolen from Yoroi wallet… help

You have only one ADA wallet you stake with on the ledger?

I’m in the same situation. Nearly 1k ADA staked in Yoroi and stolen on the 22nd of December. The method is very simple… Gmail hack, then take advantage of the Yoroi extension for Chrome because it has no additional security.

Then, following the transactions, you see they resend these ADAs between some wallets to mask their steps… and in the end a wallet with 300k ADAs.

If you look at this wallet’s transactions, with more than 100k ADAs moved every 30 min, you see a clear washing machine working, with automatic trades and a lot of dead wallets with 0 ADAs at the end of every wire you follow… and then back to the same wallet ending in 6fws.

Don’t know if there is any way to report these accounts to the Cardano devs.

3 Likes

Sorry to hear that, but thanks for letting us know about these vulnerabilities in the Chrome browser.

2 Likes

I’m sad you lost your ADA.

I will try to give some advice and hope it will save someone’s wallet in the future.
Running programs in the web browser is very dangerous imo.
I always thought so since the old days with Flash, which from the day it was born until it died was riddled with endless security vulnerabilities. Then we have Java and such, and now app after app that runs in the browser, exposed to all kinds of extensions that have full permissions to do anything.

I don’t know any way to stay safe except not using them at all at the moment.
I recommend having a dedicated computer with a minimal install of programs to keep attack vectors as few as possible for your coins.
Only power on that computer to load a cold wallet to transfer small amounts out to wallets on your less secure daily use devices for use.

I also keep a bunch of honeypot wallets with a minimal amount of currency on my devices; if that currency ever moves, I know the device is compromised.

1 Like

The Chrome in which I use Yoroi, I use for nothing else than Yoroi. That means I installed only Yoroi in there and never use this Chrome for any websites, just for Yoroi. Is this still a vulnerable setup? For someone to access my funds would mean they needed access to all the data on my computer, right?

You also wrote that you used a freshly installed laptop with antivirus and everything… Is it possible that some software of your “fresh install” is malicious? For example drivers, antivirus, …?

Someone also wrote that it might be better to keep funds on the exchange… Aside from better staking options if not on an exchange (meaning you can choose a stake pool, e.g. with a mission), I think the risk is quite high and keeping it on the exchange is the worse option, because:

  1. The exchange could get hacked. I think this happened already also with popular exchanges.
  2. With less popular exchanges I heard stories that the owner of the exchange at some point decided to take everything for himself and submerged. A friend of mine told me he lost a lot of crypto because of that.
  3. When using the exchange app, don’t you have the same vulnerability there as when using a direct wallet app?

1 Like

It could be vulnerable. Maybe you didn’t actually download from the official site but from a cloned site that looked identical but used a different extension. If so, I expect the rogue wallet would have stolen your assets as soon as it could.

Fundamentally, I think a software wallet is only as safe as your computer. Maybe you had dormant malware on it. That said, if you have an asset for which there is no hardware wallet like the Ledger Nano X, then you should not use the computer with the wallet for any other purpose whatsoever.

I suspect institutional investors are not likely to invest in coins or tokens that don’t support hardware wallets. Too bad for coins like Ergo, which are otherwise interesting because of all the innovations.

Could you see that your Ada was there for some time before it got stolen?

1 Like

Umm, there was one thing I missed. You used a Chromebook, right? I’m not familiar with that kind of computer. I think you’re not meant to develop local software for it. All applications are online, right? As a Windows C/C++ programmer, I can think of ways to steal assets, like a keyboard logger. But if you can only download sandboxed stuff like Chrome extensions, then I really have no idea.

@TimStrikes2021 I would be very careful how you decide to stake all your Ada in Yoroi. As you can see there is extremely high risk involved unless you are using a Ledger hard wallet or similar. I do not know the con of having one but you could research it.
I would not trust any extensions anymore after having made the mistake myself.

I’m not a tech person, and even after having used a brand new laptop and installing antivirus which I pay for, it seems extensions can be fake, passwords compromised somehow, etc., as all the guys have mentioned here.

Please don’t risk your Ada as I did and do everything you can to protect it especially if it is a substantial sum.

I’m upset about the loss… but it’s my fault. I bought a Ledger some weeks ago and decided to wait until January to migrate my ADAs and other cryptos into it. I also use the same email for many other things than crypto… or on the same PC on which I download doubtful content with keygens or cracks.

Sometimes you win, sometimes you learn.

I haven’t used any software wallet, so I have a question. The Yoroi wallet is a browser extension, right? It requires a password? Browsers typically offer to save the password in a vault so that you don’t have to remember it when you log in to Facebook or similar. Does this apply to the extension as well?

If yes, this is scary. On Windows, I wrote a piece of code that could retrieve these passwords. It took some time until it worked and it required admin privilege. Such a program could send the wallet file and the password and then you’re doomed. It could send the wallet file only, which requires brute forcing. Even that would be scary.

The really scary thing is that it isn’t too hard to do. A scammer could create a rogue installer or use a legitimate installer like InstallShield, which supports custom DLLs that could be written in C++, and that DLL could do all sorts of things since installers typically require admin privilege. Of course, the installer could install a completely legitimate program found elsewhere.

Someone will say something like this: “I made a setup for xxx so that you don’t have to do messy stuff”.

It does, and it also steals cryptocurrency. It may wait so that you have forgotten what you downloaded. Or worse. I remember a malware that came as a setup program. It claimed to make a game faster somehow. Unfortunately it “failed” and did a rollback. What actually happened was that the malware was successfully installed and then it simulated a failed install. That made you think that you had not installed anything, which, of course, you had.

Yoroi or Nami (both Cardano wallets I have used) don’t use a password, so it’s really scary. Others like Metamask request the password each time you open the browser, but that probably wouldn’t be a problem for any key-logging malware.

Luckily Metamask got support for hardware wallets like Ledger or Trezor, so you have an extra security layer.

They use a spending password if you want to build a transaction, use the private keys (and the private keys are stored encrypted, you cannot access them without the spending password).

Daedalus also does not require a password to see your transactions and balance. It’s all public, anyway.

Moreover, they all show you this public information even for hardware wallets. I do not have to connect my Ledger to just see transactions and balance.

Requiring a password for information that is public could also be considered security theater.

3 Likes

You don’t need a password to see the transactions, but there should be one if you want to initiate a transaction. Ideally, you should connect a hardware wallet.