ADA Stolen in Yoroi Hack

Don’t change more than one word at a time while guessing.


Sorry, that’s not technically possible. Unlike a password, with a seed phrase there is no username to check against.


Hello all,

Thanks for all of your input. However, I’d just like to follow up and say that I did not “lose” my ADA by typing in the incorrect seed or recovery phrase or any password. I can still see all of the transactions that were done within the wallet which had 4,632 ADA stolen. What I find strange is that my balance in this specific Yoroi wallet is 0.058819 and, as you can see below in the transaction details attached, there was a “Byron - Internal” transaction of +0.058819 ADA.

The trx ID: b60a8f6821c49f2b1637c42121a5a2edf51dd6c8858a567ee45d1dc162f29797

I just want to be clear… all of my passwords, seed phrases and recovery phrases are kept in cold storage. I do not have anything linking my digital life (computer, cloud, etc.) to my Yoroi wallet. I was not trying to “restore” my wallet. I had simply checked in on my wallet to see my balance. My passwords and sensitive information have been locked inside a safe in my house (no one other than me can get in). Can anyone explain how this could have happened? I really appreciate all of your help, Cardano Community.

Thanks a lot,
Big Toe

It’s hard to say, but since you can see the outgoing transaction that means that someone was able to get hold of your seed/private key or of your password and sent the funds from your smartphone.

Hi all

I unfortunately have possibly the same issue. I have my Shelley Yoroi wallet on mobile and on one of my laptops through the official Chrome extension. I keep my passwords in a notebook that only I have access to. I used the desktop application to delegate to a pool; it shows two txs: an intra-wallet transaction from one known address in my wallet to a (change) internal address at 7.36AM and another tx about an hour after that. The first one was expected, as it was delegation costs connected to staking certificates. But the later one at 8.42AM I had no recollection of doing, and it would be impossible that I could’ve done it given the random Byron address.

This was my first digital wallet delegation. Immediately after doing that, it was telling me how much to expect for rewards etc., so at first I was excited and thought the deduction was normal, but a lot later I remembered that I should actually be able to use my ADA freely. To be sure, I asked around whether it was normal to not see 0 Available Funds and 0 Total Delegated under the Dashboard tab in Yoroi Mobile; I was told it takes 3-4 epochs until it will be updated. Now I just found out that that money was deliberately sent to some Byron address I don’t know.

I only delegated, did not send it to anyone. Did someone get a hold of my seed phrase? And if they did, did they also get a hold of my spending password to make the tx? This was such a shock to me; in all my life I’ve never had money stolen, seen where it went, and realized there’s nothing anyone can do about it. Is there not a way to trace the address? Is there not a security check based on an unfamiliar location before making a transaction?

I have accepted that the money is gone, but I believe in the Cardano idea so much that I am just trying to share my unfortunate experience as a warning when embracing this new tech.


Hi @hududed,

I am so sorry to hear that. Next time maybe you could buy a hardware wallet (Ledger/Trezor) if you have such a big investment. Thanks for sharing.

You could also read this article:

Hi. On September 07, 2020, your funds were transferred to address [addr1q9302en6yl2…hwkfcyqc3spak97v], and likewise approximately 20 mins later the 9 ADA “test” transaction was transferred to another address [addr1qxpavq4lpyp…hwkfcyqc3szwma8j].

Did you recover your Shelley private keys and recover your funds?
Did you discover the issue? (I find it improbable that you mistyped your recovery phrase).

Hello:
The strangest thing has happened. I have a friend who recently acquired a Ledger Nano X and moved all his ADA there. Not even a month had passed when I received (he delegates at my pool) a notification that the stake had decreased by 26K, and a second one that the stake had decreased by 16K. After finding out it was his stake, I called him to ask why he left or if he had sold; he had no idea. He had his Yoroi on his iPhone and his Nano X was back at his house inside a safe. He then noticed 5 withdrawals totaling 43,400. I asked him to try and send me 1 ADA, and the wallet requested the Nano X to proceed.
Now, he says that he never showed the 24 words to anyone and that those words were inside the safe also; he has alarms and a monitoring system. I sent an email to Ledger but no answer yet. I just wanted to know if anyone has an idea of what could have happened?
Thanks

Did he order the hardware wallet directly from Ledger? There is a possibility that someone hacked the Ledger before he received it (copied the 24 seed words).


You are right @Alexd1985. Be careful with unoriginal Ledger hardware; it has probably been tampered with by bad people. Buy from the official store or the official Ledger website. I have read several articles about this stuff.

Hi bigtoe94

My friend and I designed a process that aims to inhibit unauthorized cryptocurrency transfers by hackers (crackers) who take people’s cryptocurrencies.
The project manages to inhibit even if a hacker (cracker) has access to the security words.
We are trying to contact some people who lead cryptocurrency projects.
We are waiting for some answers.
Our intention is that this type of event does not occur with people who have invested in cryptocurrencies.

Looks like you got your Ada back, at least the address you wrote shows 0 Ada balance and an outgoing transaction of the 98k. I guess this was a lot of work, trying all the 2048 words for each word, but probably worth it for this money.

On the other hand, you could have asked a programmer, if you didn’t program it yourself. I wrote a small tool to test how good the checksum algorithm for the Yoroi wallet is, which tries all words for the last word and then checks if it is a valid passphrase:

Turns out the algorithm is worse than I expected. For example you can use 64 different words for the last word as my program demonstrates, and the checksum is still valid.

As mentioned on my github page, the program can be enhanced to accept a passphrase from command line, and try to recover one unknown word, and with an additional constraint that one address on the blockchain for it is known. I can do this, if someone has a similar problem. You can then run it locally on your PC (a clean OS installation or Linux Live system, and no internet connection, would be a good idea) and get your Ada back.


I think that is expected for a 15-word seed phrase. For a 24-word seed phrase that would be 8 words.

Right, the checksum is only “number of words” / 3 * 4 / 4 (integer rounded after each division), so 5 bits for 15 words. This allows 32 different checksums. Since the word list is 2048 words, it results in 2048/32 = 64 words with the same checksum.
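The checksum arithmetic above can be verified directly on BIP39 word indices, without the 2048-word list, since each word is just an 11-bit number. This is an added illustration, not the thread author's tool or Yoroi code; the entropy bytes are constructed, and it also covers the 12- and 24-word cases:

```python
import hashlib

WORDLIST_SIZE = 2048   # BIP39 word list: each word encodes 11 bits
BITS_PER_WORD = 11


def checksum_length(n_words):
    # BIP39: ENT entropy bits + ENT/32 checksum bits = 11 * n_words,
    # so the checksum has (11 * n_words) / 33 bits: 4 for 12, 5 for 15, 8 for 24 words.
    return (BITS_PER_WORD * n_words) // 33


def phrase_from_entropy(entropy):
    # Build the word-index list BIP39 derives from raw entropy bytes: append the
    # first ENT/32 bits of SHA-256(entropy), then cut the bit string into 11-bit indices.
    cs_len = (len(entropy) * 8) // 32
    cs_bits = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]
    bits = "".join(format(b, "08b") for b in entropy) + cs_bits
    return [int(bits[i:i + BITS_PER_WORD], 2) for i in range(0, len(bits), BITS_PER_WORD)]


def has_valid_checksum(indices):
    # Re-derive the checksum from the entropy part of the phrase and compare it
    # with the checksum bits stored at the end of the last word.
    cs_len = checksum_length(len(indices))
    bits = "".join(format(i, "011b") for i in indices)
    ent_bits, cs_bits = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]
    return cs_bits == expected


def count_valid_last_words(first_indices):
    # How many of the 2048 candidates for the final word pass the checksum?
    # Only the last word carries checksum bits, so this is 2^(11 - checksum bits).
    return sum(1 for i in range(WORDLIST_SIZE) if has_valid_checksum(first_indices + [i]))


# Constructed sample entropy (not from any real wallet): 20 bytes -> 15 words.
SAMPLE_ENTROPY_15 = bytes(range(20))

if __name__ == "__main__":
    phrase = phrase_from_entropy(SAMPLE_ENTROPY_15)
    print(len(phrase), "words, valid:", has_valid_checksum(phrase))
    print("valid last words for 15:", count_valid_last_words(phrase[:-1]))
    print("valid last words for 24:", count_valid_last_words(phrase_from_entropy(bytes(32))[:-1]))
```

A typo in any of the first 14 words is caught by the checksum only 1 time in 32, and for the last word 64 of the 2048 candidates pass, which is why a mistyped phrase can still be accepted.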

I think this was a bad idea. A 15-word passphrase allows encoding 165 bits. If they had used 11 bits for the checksum, then exactly one word would result in a valid checksum and it would be much less likely to use a wrong word. And the seed would still be very safe.

The 15-word passphrase corresponds to 160-bit entropy (to be divisible by 8) + 5 checksum bits to make it up to 165.

…that would make 154-bit entropy, which is not divisible by 8. I’m not an expert in this field, I just know from reading that the entropy is a multiple of 8. Maybe some crypto expert can explain this nicely.

Just fill it with zeros, if it needs to be a multiple of 8. It uses pbkdf2 to generate the seed from the passphrase:

The only known possible attack is brute force. So even if you use only 64 bits of entropy (6-word passphrase without checksum), you would need 500,000 years to crack it (assuming one million tests can be done per second). And 154 bits needs 7.2*10^32 years. 15 words are ridiculous. But I’m not a security expert, I might be wrong. But I’m sure the checksum could be better without sacrificing security. 160 bits or 152 bits makes no difference.

And on the other hand, it is fine for the Yoroi wallet to use “1111111111” as a spending password, no complaint from the software. This makes it easy for malware to crack the password and get the wallet passphrase. Maybe the developers should spend a bit more time on this password check, and not just say if length >= 10, then all green.

Hi All,

Hoping you could help me too. I lost my 2660 ADA last Sept 30 and am still trying to know what happened. It is the same day I created my Daedalus wallet.
8-9pm I was setting up my Daedalus and hours later I noticed all my ADA was gone. I hadn’t checked in since I was waiting for Daedalus to sync on my PC.
At 8:39PM all my assets including NFTs were gone and transferred to another address.

Also, the breakdown came from different addresses: 1 external and another internal address?

But upon checking all my ADA and NFTs are still in this address:
https://explorer.cardano.org/en/address?address=addr1q9pmu83t9g7ug5dlme66s8dpa9zrahhuzrsq20cdft46y0pygtlll5fuavzyf2ne4nukj0dfj0egquhpscw44euy84espe9j2j

Is it still possible to recover from an address:

Hi @mayeeeeee can you confirm Daedalus was installed following the link on the Cardano official page? If you haven’t used that link, do you still know the link so we can check?

Hi @mcrio this is the link i used.

https://daedaluswallet.io

The ADA and NFTs on the address are still there and it’s been 14 days since the transfer. I’m still hoping to recover the transfer that I DIDN’T MAKE. Thank you all.