Cardano - A question regarding forum moderation and decentralised governance

Dear all,

Two days ago I made a post on this forum using a different account in the “Developer Miscellaneous” section. I made a polite post asking for feedback on some technical issues I am helping a Cardano member with - who has issues moving funds from an old ICO wallet.
The user is verified and has shown me his ICO certificate.

This post is not about the questions I asked but what happened after I made that post. It was what I would consider questionable behavior. At best it was the result of an overprotective forum moderator, which I can understand since I am a moderator in a crypto project myself and we all have to be vigilant of trolls and scammers. At worst, it could be interpreted as complete censorship and a sign of centralization and power abuse. I am making this post to find out which of the two it is.

What happened?

  1. I made a post asking for technical feedback and I mentioned developing a tool to help some users recover their wallets - nothing wrong with that I would say.
  2. After a few minutes I got the message “You have been logged out”. I tried to log in, which was not possible, I tried to request a password reset and got no email to reset my password, which means my account no longer existed.

The only conclusion I can draw based on this is that both my post and account got very rapidly deleted for some reason. Perhaps I was not supposed to make a post in the developer section, but then again, I am a developer myself and a moderator can easily move posts between different categories. Perhaps I hit some critical keywords that led a moderator or automated system to flag my post? Which of these it is I cannot tell.

What I can tell is that it is very strange behavior to delete posts and user accounts without providing discourse or valid reasons to do so. I do consider it uncourteous and disrespectful, especially since I am a blockchain developer myself who is asking valid technical questions in a neutral and polite post. At least I would expect a message explaining why any moderation actions would have been undertaken.

I would appreciate it sincerely if any moderators or old Cardano members could provide some feedback and perhaps tell me where I should make a post asking technical questions.
If this post and account again end up being deleted I will draw my conclusions on what it means for the status of Cardano as a project and its level of decentralization of governance.

Kind regards,

Niels

2 Likes

Hello Niels,

I remember your topic, and it was me who deleted the post and your account.

As you know, there are a lot of “wallet recovery” services out there that try to scam people, and your thread was (and still is) very suspicious, as it appears you’re trying to advertise your services here without having any history in our community.

So I’d like to ask you to stop promoting your services here. If you need help developing a tool, you’re welcome to ask for assistance—just without advertising your services.

2 Likes

@Zyroxa. It is good to know that moderation actions were taken in order to protect the community and not, as I feared, for some more nefarious reasons. I do understand there is no reason to assume my business is any more valid than many of the scammers out there, although a quick peek at my LinkedIn profile might have shown you the differences.

I did not mean to advertise my services. At the moment I have not yet fully developed a recovery tool, I just saw the opportunity. The second part in my post about the tool was intended to ask if there would be a use for such a tool since I do know how common or uncommon it is for Daedalus wallet users to be locked out because they forgot a part of their password.
I could even make the tool a free open source contribution to the Cardano project similar to:

The only difference in the tool I am proposing would be that the tool would allow a user to feed a list of possible passwords to check against the password hash. So yes, that is brute-forcing and could potentially be abused. Hence I wanted to know if making it an Open Source contribution or keeping it in-house would be the best way to contribute to the project.

I will make a separate post regarding the specific problem encountered by my customer without mentioning my business in any way.

1 Like

Was it by any chance one of these addresses?
https://adastat.net/addresses/DdzFFzCqrhtDG8CnukNLfmDUyixQNgn7a1sEMunMfVXuqCnq7x7KkwyCvK88VSe9UBWxVvWUzYUD2cXYdWLkqn1fQPFqRCgbfWrA1uBP
https://adastat.net/addresses/DdzFFzCqrhsmiiQJ9QCqgRz6jisU688V2mSnJQ2R8Hwz2gS6ezHoawJkiE9VhkHNCHCjz2AZ4RJ9cPy2Raq9RkGYacfsm7H4owtfQvo2

1 Like

The Cardano community is a target I think, unfortunately. I’m sure moderating this forum is quite difficult. I was not prepared either for early reactions to my posts from the mods here but it was resolved in fair time and it’s obvious why the protective posture exists.

Hey @HeptaSean, Indeed those two addresses.
Are you the client I am trying to help or is there potentially something wrong with these addresses?
My client did show me his ICO certificates so I assumed he is the owner of these coins.

Yes, there is something wrong with those addresses. That wallet is probably lost forever and over the years a lot of people were asked for “help” recovering exactly this.

This is a warning about that scheme from a Cardano moderator Telegram group from three years ago:

They also did share these ICO certificates to give the claim more legitimacy:

The secret.key file shared does not contain the proper private keys, only the public keys, so that Daedalus does display the transaction history, but fails to spend from it.

The scheme usually includes them asking to get paid a percentage of that sum because it’s somehow urgent.

4 Likes

Thank you very much, now I know that I should not waste any time on this case anymore.
I should have known since he asked if anyone was willing to “buy the funds” :man_facepalming:. I told him that it is very easy to fake a wallet since only when you decrypt the private key and move the funds, you know the wallet is for real. I assume some people were greedy and foolish enough to actually pay for the wallet.

On a positive note, I am working on a Python recovery tool that can “brute-force” attempt wallet passwords against a password hash for Daedalus wallet. Is it true that newer wallets did use a password to encrypt the master seed with (so salt+password)? If so I can make this a small open source contribution to the project. I do not think it will be incredibly fast, so hacking a 10 character long password without knowledge is not going to work, but perhaps for users who made some typos or forgot a small part of the password, it will enable them to recover their funds.
Would that be useful?

1 Like

Don’t know how many users there are left who have exactly this problem and would find that useful. Nearly all incarnations of secret.key questions I have seen pop up are this exact wallet.

As far as I know, Daedalus has moved away from the secret.key a long time ago and most users should just have the seed phrase to recover their wallet in any wallet app they like. All wallet apps scream at them to keep the seed phrases safe and secure.

Maybe, a tool that can also brute force modern Daedalus and maybe even Yoroi, Eternl, … spending passwords would have some value.

1 Like

Perhaps as an update on the pattern of this scammer, he is still “pretending to be Japanese”, he is now using a proton email account and using the name Shoto Tanake. I traced him back to using the following IP, I assume a VPN or proxy: 49.109.141.87
WHOIS: Whois IP 49.109.141.87
It traces back to Tokyo Japan, but again, probably just a VPN:
49.109.141.87 IP Address Details - IPinfo.io

Actually based on this information this IP is not a VPN:


So if anyone wants to visit him and ask him to stop scamming, feel free.

Is there technical information somewhere on these different wallet files, e.g. test wallets?
Perhaps I can make one tool that auto-detects the encryption type used (basically only the hashing algorithm), then loads the wallet to attempt passwords (by hashing them and comparing to the wallet's password hash).
Based on the hashing algorithm used and the parameters used it will be slow or fast.

Not that I’m aware.

Most wallet apps treat the encryption of the root key with the spending password as an internal affair and do not extensively document it.

The preferred way to backup your wallets is the seed phrase and how keys are derived from seed phrases is documented well enough (although it takes a while to put all the pieces – BIP39, BIP32-Ed25519, … – together).

As Daedalus is open source and uses cardano-wallet for wallet management which is also open source, you could dive into https://github.com/cardano-foundation/cardano-wallet/ and search for the places where encryption and decryption of root keys is done. Needs some fondness for Haskell, though.

1 Like