ADA Stolen in Yoroi Hack

Hello Cardano Community,

I am very unfamiliar and a beginner when it comes to crypto and, more specifically, Cardano - so I was hoping that you can offer some assistance and support.

It seems as though my Yoroi wallet was hacked on July 23rd at 3:59pm ET. I held my ADA in the Yoroi wallet on my iPhone 11 (I do not have any wallet held on my computer or in any other location). They stole, and sent, quite a large sum of ADA to a random address.

I emailed the Emurgo support desk, but haven’t heard back yet. I am really really not sure how someone could hack my Yoroi wallet on my phone. It is kind of shocking because I had been holding this sum of ADA for around two-and-a-half years.

Does anyone have any suggestions? I have the transaction ID, and address that my ADA was sent to. I appreciate all the help you can give.

Thanks everybody!

1 Like

Tx ID for starters would be good, around with details of what happened.

  • Did you at any time entertain any direct message from someone?
  • Think you participated in possible fake giveaways?
  • Entered your 15 word seed anywhere?
  • Access the wallet (for any reason) from alternate source than your phone?

Hi there,

Thanks for responding to my post.

The following is the Tx ID: b60a8f6821c49f2b1637c42121a5a2edf51dd6c8858a567ee45d1dc162f29797

At no time did I entertain a direct message, participated in any giveaways, entered my 15 word seed anywhere or access my wallet on any other source.

The reason why I am absolutely positive about this is because I actually had not even opened the wallet for approximately a year or so (likely over one year) - just recently, I had simply opened the Yoroi wallet on my phone to see if any changes were made to the app/wallet due to the Shelly and ADA staking announcements, etc. Additionally, I kept the 15 word seed password hand written on a piece of paper that is stored in my safe - I do not keep a digital copy of this password.

Other than that, there are not many more details about what happened. I had opened the Yoroi wallet, looked at my balance, and it was all gone. At first, I thought it had something to do with Shelly and staking, but I was obviously wrong.

Looking forward to hearing your thoughts.
Thanks so much!

2 Likes

Hi Bigtoe,

This is a horrible situation, it is pretty much impossible to ‘hack’ a wallet. The weak links are:

The owner of the wallet,

Or

The device the private keys are stored on.

Somehow the transaction was made, if not by yourself then someone. If this was without your consent or knowledge, then a crime has been committed somewhere which we recommend you report to the police.

Unfortunately transactions can not be reversed, so there is nothing EMURGO can do.

did you take a photo of secret words ?
did you get the screenshot of secret words ?
is your phone jail breaked or rooted ?
may be you are used unsecure applications
may be you are joined unsecure wifi’s ( Company Wifi’s , Free Wifi’s , Neighbor’s Wifi’s etc.)

What version of iOS are you running? (Settings > General > About > Software Version)
Do you recall if the phone was updated since the incident, either automatically or manually?

I’m asking this because an outdated iOS version is easier to hack, via the web browser engine or a malicious app.

The phone 11 was officially released on September 20, 2019, and you have not opened the wallet for a year or even longer. Might it be you left your wallet on your previous iPhone and the new owner has access to it?

Same thing happened to me yesterday!

ADA been sitting in iOS Yoroi wallet for ages… decided to stake on shelly. Accessed official website and followed prompts. Downloaded Yoroi chrome extension, restored using pas phrase and within a minute all my ada automatically sent here:

https://adascan.net/address/Ae2tdPwUPEZ8sgR3PqDBxhS2B39LQeetZk36CgFFDzTyS1A7QEXi5SQDtsR/

Is still sitting there!

I sent 9 ada to my wallet as a test and within 3 minutes that 9 ada was sent yo my shelly address on its own! I did not send!

https://explorer.cardano.org/en/address?address=addr1qx2h6u5mqhcq3cqj7nhfznl2gcwlq90xs8q2da9rmraa79kjdpa27pvx7ajvmewncgc0mcqwhdf7dcxfk8xjfxnx0sgqwtmx44

Ive been in crypto since 2013 and i a web dev and seo by trade so im no noob! These transactions were both sent out of my wallet but not by me! My pc has not been compromised and my pass phrase in a cold wallet.

98k ADA gone! Has to be some kind of glitch!

That sounds scary. @SebastienGllmt is a Yoroi expert, he might be able to help.

Yep spoke to him and this seems to be the issue…

i have to say im a little surprised to find out what happened…he believes i typed in wrong seed phrase and was allowed to continue…

Below is the process and point 1 is what i cant actually believe!

  1. I downloaded a new Yoroi in google chrome and selected “restore wallet” and typed in the “wrong” recovery phrase (call it wallet B). most likely a typo on one of the words apparently…
  2. I saw I had a wallet created and assumed it was my wallet for the seed i entered
  3. I proceeded to the transfer page
  4. I typed in the recovery phrase 'correctly this time for my real wallet (A), and transferred it all to my new wallet (B) (which i had no idea was automatically created after allowing my incorrect seed to proceed
  5. I saw that in my wallet, all the ADA was sent out of wallet (A) and to wallet (B) which was created without any warning, alerts, msg to save seed, nothing…
  6. Without realizing all my ADA is safely in my wallet (B), I deleted Yoroi
  7. I reinstalled Yoroi and entered the recovery phrase for wallet (A) and sees all my ADA is missing, because it’s in wallet (B)

in a nutshell, when restoring wallet in point 1, Sebastien said i entered a wrong seed that actually allowed me to proceed and created a new wallet! i didnt get a warning, i didnt get a message to save new seed, no msg to save 'new wallet created because you entered seed with a typo, nothing! So I proceeded as per the points above.

Allowing a user to proceed when entering wrong seed without giving me a warning isnt right. Ive never used a system like that! otherwise i would have corrected the typo and wouldnt be in this mess! Sebastien said it sometimes happens!!!

so unless i ‘guess’ what my typo was, my 98k ada will live in this newly created wallet by the system https://adascan.net/address/Ae2tdPwUPEZ8sgR3PqDBxhS2B39LQeetZk36CgFFDzTyS1A7QEXi5SQDtsR/

Yeah, my knowledge is pretty limited, certainly a helluva long way off Seba’s, but that doesn’t surprise me too much. I don’t believe there’s technically any difference between a wallet that’s never been “created” before, and one that has, but has no transactions. So when you click on restore, and put in a phrase that’s valid but hasn’t been used before, the system doesn’t know it’s “really” a new wallet, so doesn’t go through the usual “create wallet” process.

I’d guess Seba already mentioned this but there are tools and resources that could help narrow down the typo possibilities, I don’t have details to hand but if you started a new topic asking specifically for that I’m sure you’d get plenty suggestions.

Good luck!

I repeat again here for anybody else reading here:

You can’t make a typo and get a different wallet because recovery phrases have a checksum to avoid this exact problem. You’d have to make multiple mistakes in your recovery phrase and also be unlucky that the checksum happens to match.

However, to handle cases like this, Yoroi shows you a second checksum to double-verify that you’re restoring the right wallet. In this way, Yoroi provides more protection against this problem than nearly every other wallet out there. Had Daedalus also implemented a second checksum like we do, you would have immediately realized it was the wrong wallet.

I don’t believe there’s technically any difference between a wallet that’s never been “created” before

You’re right, there is no difference at a protocol level between a wallet that exists and one that doesn’t. There is no such thing as “creating” a wallet at the protocol level. There is no way for Yoroi to know whether or not a wallet you’re restoring exists other than to show you the transaction history – which we do.

6 Likes

I obviously entered a seed phrase that was different to my actual seed phrase during the ‘wallet restore’ process, but instead if displaying an error or saying ‘incorrect seed’, I got all green ticks to proceed at which point a ‘new’ receive address was created. It did not indicate at any point that i entered wrong seed or that i needed to save new seed phrase!

This is the issue! How on earth do I get all green ticks when ‘restoring a wallet’ with a different seed?!?!

Why would I focus on checksum if the ‘restore wallet’ process gave me all green ticks when entering my seed??? In hindsight yes I wish I paid more attention to checksum, but if I had of been alerted to the fact I entered a different SEED I wouldnt be in this mess! But your process told me the seed was correct and gave me the green ticks! Using checksum as an excuse for the ‘restore wallet’ process doesnt cut it.

It would be nice if the devs at least acknowledged the situation instead of blindly justifying the process. Obviously there is an issue here or I’d still have my 98k ada!

Now its stuck in a wallet using the very ‘incorrect seed phrase’ It accepted and I was not alerted to!

This ‘restore wallet’ process should be more bullet proof than that imo… this can obviously be improved otherwise I wouldnt be in this mess.

I guess my only hope at this point is to try and guess the incorrect seed i entered and it allowed me to proceed with! Doing this by the way I have been able to enter and set up 4 other wallets simply by ‘guessing’ and entering a random seed phrase!

(trying to upload screen shots but im restricted).

I feel sorry for you but you are wrong. How the system is supposed to know what you are restoring? Now check your right recovery seeds with the BIP39 word list. Look for words that differ a little. Try to make only one word change at a time and give shots. Good luck.

Because I chose restore wallet. Thats my point! How on earth can this happen when restoring a wallet using my seed phrase.

but from the scratch, that is the point

Yes i chose restore wallet, put in my seed phrase wrong, but it told me it was correct with the green ticks. But what it actually did was create a different wallet and sent my ada there. How can this be right? I restore wallet, enter seed phrase and it worked. Ive restored many wallets over the years and never does it work if you enter wrong seed…

Because there is a high probability you will open some wallet. AND it will be an empty one.

Ive been trying to guess what seed i put in for last 24 hours… i have managed to guess 3 other wallets seeds that it allowed me to proceed with… while all the other times it would say error with seed… it should say error every single time you enter wrong seed no?

No, there is still a possibility you can enter a random wallet. But I can assure you it will be an empty one