[ ADVISORY ] PoolToolio.com - ADA Wallet Stealer

CORRECT URL: https://pooltool.io
MALICIOUS URL: https://pooltoolio.com

I reached out to PapaCarp at PoolTool.io to let them know, and I’m sure the seasoned Cardano veterans know about that URL, but in case you weren’t aware.

It’s not affiliated in any way with the real PoolTool site. It will import your wallet and you will lose your money, and very, very fast.

That’s all! I do have a couple questions though…

Never, ever give out your recovery phrase. That’s what they say! And they say it a lot and like everywhere, everywhere, everywhere. You never think you will do it, because you know better. You read posts about folks who have accidentally given it out and you think it won’t ever happen to you. At least I did, and then last night I gave it out.

Complacent for just a moment, and not paying attention, I accidentally typed in https://pooltoolio.com and saw the familiar PoolTool.io loading screen… I didn’t think twice. For whatever reason I rationalized to myself, “Oh, PoolTool.io is doing something new”… I gave it up quicker than a snitch for a fix.

As soon as I hit submit, and I saw the message that the site is undergoing maintenance, I realized what I had done.

I spent about 60 seconds trying to find info on Yoroi Wallet and changing the recovery phrase with no luck. I read along the way somewhere that a compromised wallet could still be used to follow me to my new wallet, new addresses and all other important info that could be used maliciously to keep coming at me. So instead of creating a new wallet and sending everything there, I sent it all to my Coinbase account, then created a new wallet in Yoroi and sent the ADA to the new Yoroi wallet from Coinbase. I don’t know if that helped or not, I am not an expert in any shape on Cardano, ADA, Yoroi, etc. It’s difficult enough to write this and admit I gave it up!

I used the wallet I just compromised as a drop to store my main ADA assets. Could you imagine if this was a wallet with addresses attached to a pool, etc? Could you change the necessary configurations for the pool fast enough?

Q: What exactly would happen if a wallet with addresses associated with a pool or pool funds or deposits, etc., was compromised?
Q: What would you have to change and change lightning fast - or would you have to at all change anything after moving the ADA somewhere else?

3 Likes
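
The two URLs at the top of the post differ only by a dropped dot and an appended `.com`. As an added example (not part of the original post), this Python check flags hostnames that collapse to a trusted name; the `TRUSTED` set, the function names and the one-edit threshold are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Assumption for this example: the only site the user intends to visit.
TRUSTED = {"pooltool.io"}

def _squash(name):
    """Drop the separators a lookalike name tends to move or remove."""
    return name.replace(".", "").replace("-", "")

def _edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's hostname."""
    if "://" not in url:
        url = "//" + url  # let urlparse treat a bare hostname as a netloc
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    for good in trusted:
        if host == good or host.endswith("." + good):
            return "trusted"
    labels = host.split(".")
    # Compare the whole name and the name without its last label (the TLD),
    # so "pooltoolio.com" is reduced to "pooltoolio".
    candidates = {_squash(host), _squash(".".join(labels[:-1]))}
    for good in trusted:
        target = _squash(good)
        if any(c and _edit_distance(c, target) <= 1 for c in candidates):
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # The two URLs from the post, plus constructed samples.
    for u in ("https://pooltool.io", "https://pooltoolio.com",
              "https://pooltol.io/", "https://cardano.org"):
        print(u, "->", classify_host(u))
```

A check like this belongs in front of any page that asks for a recovery phrase: anything other than `trusted` means stop and retype the address from a bookmark.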
