Two days ago I made a post on this forum using a different account in the “Developer Miscellaneous” section. I made a polite post asking feedback on some technical issues I am helping a Cardano member with - who has issues moving funds from an old ICO wallet.
The user is verified and has shown me his ICO certificate.
This post is not about the questions I asked but what happened after I made that post. It was what I would consider questionable behavior. At best it was the result of an overprotective forum moderator, which I can understand since I am a moderator in a crypto project myself and we all have to be vigilant of trolls and scammers. At worst, it could be interpreted as complete censorship and a sign of centralization and power abuse. I am making this post to find out which of the two it is.
What happened?:
I made a post asking for technical feedback and I mentioned developing a tool to help some users recover their wallets - nothing wrong with that I would say.
After a few minutes I got the message “You have been logged out”. I tried to login, which was not possible, I tried to request a password reset and got no email to reset my password, which means my account did no longer exist.
The only conclusion I can draw based on this is that both my post and account got very rapidly deleted for some reason. Perhaps I was not supposed to make a post in the developer section, but then again, I am a developer myself and a moderator can easily move posts between different categories. Perhaps I hit some critical keywords that led a moderator or automated system to flag my post? Which of these it is I cannot tell.
What I can tell is that it is very strange behavior to delete posts and user accounts without providing discourse or valid reasons to do so. I do consider it discourteous and disrespectful, especially since I am a blockchain developer myself who is asking valid technical questions in a neutral and polite post. At least I would expect a message explaining why any moderation actions would have been undertaken.
I would appreciate it sincerely if any moderators or old Cardano members could provide some feedback and perhaps tell me where I should make a post asking technical questions.
If this post and account again end up being deleted I will draw my conclusions on what it means for the status of Cardano as a project and its level of decentralization of governance.
I remember your topic, and it was me who deleted the post and your account.
As you know, there are a lot of “wallet recovery” services out there that try to scam people, and your thread was (and still is) very suspicious, as it appears you’re trying to advertise your services here without having any history in our community.
So I’d like to ask you to stop promoting your services here. If you need help developing a tool, you’re welcome to ask for assistance—just without advertising your services.
@Zyroxa. It is good to know that moderation actions were taken in order to protect the community and not, as I feared, for some more nefarious reasons. I do understand there is no reason to assume my business is any more valid than many of the scammers out there, although a quick peek at my LinkedIn profile might have shown you the differences.
I did not mean to advertise my services. At the moment I have not yet fully developed a recovery tool, I just saw the opportunity. The second part in my post about the tool was intended to ask if there would be a use for such a tool since I do know how common or uncommon it is for Daedalus wallet users to be locked out because they forgot a part of their password.
I could even make the tool a free open source contribution to the Cardano project similar to:
The only difference in the tool I am proposing would be that the tool would allow a user to feed a list of possible passwords to check against the password hash. So yes, that is brute-forcing and could potentially be abused. Hence I wanted to know if making it an Open Source contribution or keeping it in-house would be the best way to contribute to the project.
I will make a separate post regarding the specific problem encountered by my customer without mentioning my business in any way.
The Cardano community is a target I think, unfortunately. I’m sure moderating this forum is quite difficult. I was not prepared either for early reactions to my posts from the mods here but it was resolved in fair time and it’s obvious why the protective posture exists.
Hey @HeptaSean, Indeed those two addresses.
Are you the client I am trying to help or is there potentially something wrong with these addresses?
My client did show me his ICO certificates so I assumed he is the owner of these coins.
Yes, there is something wrong with those addresses. That wallet is probably lost forever and over the years a lot of people were asked for “help” recovering exactly this.
This is a warning about that scheme from a Cardano moderator Telegram group from three years ago:
The secret.key file shared does not contain the proper private keys, only the public keys, so that Daedalus does display the transaction history, but fails to spend from it.
The scheme usually includes them asking to get paid a percentage of that sum because it’s somehow urgent.
Thank you very much, now I know that I should not waste any time on this case anymore.
I should have known since he asked if anyone was willing to “buy the funds”. I told him that it is very easy to fake a wallet since only when you decrypt the private key and move the funds do you know the wallet is for real. I assume some people were greedy and foolish enough to actually pay for the wallet.
On a positive note: I am working on a Python recovery tool that can “brute-force” attempt wallet passwords against a password hash for Daedalus wallets. Is it true that newer wallets did use a password to encrypt the master seed with (so salt+password)? If so I can make this a small open source contribution to the project. I do not think it will be incredibly fast, so hacking a 10 character long password without knowledge is not going to work, but perhaps for users who made some typos or forgot a small part of the password, it will enable them to recover their funds.
Would that be useful?
Don’t know how many users there are left who have exactly this problem and would find that useful. Nearly all incarnations of secret.key questions I have seen pop up are this exact wallet.
As far as I know, Daedalus has moved away from the secret.key a long time ago and most users should just have the seed phrase to recover their wallet in any wallet app they like. All wallet apps scream at them to keep the seed phrases safe and secure.
Maybe, a tool that can also brute force modern Daedalus and maybe even Yoroi, Eternl, … spending passwords would have some value.
Perhaps as an update on the pattern of this scammer: he is still “pretending to be Japanese”, he is now using a Proton email account and using the name Shoto Tanake. I traced him back to using the following IP, I assume a VPN or proxy: 49.109.141.87
WHOIS: Whois IP 49.109.141.87
It traces back to Tokyo Japan, but again, probably just a VPN: 49.109.141.87 IP Address Details - IPinfo.io
Actually based on this information this IP is not a VPN:
Is there somewhere technical information on these different wallets files, e.g. test wallets?
Perhaps I can make one tool that auto-detects the encryption type used (basically only the hashing algorithm), then loads the wallet to attempt passwords (by hashing them and comparing to the wallets password hash).
Based on the hashing algorithm used and the parameters used it will be slow or fast.
Most wallet apps treat the encryption of the root key with the spending password as an internal affair and do not extensively document it.
The preferred way to backup your wallets is the seed phrase and how keys are derived from seed phrases is documented well enough (although it takes a while to put all the pieces – BIP39, BIP32-Ed25519, … – together).
As Daedalus is open source and uses cardano-wallet for wallet management which is also open source, you could dive into https://github.com/cardano-foundation/cardano-wallet/ and search for the places where encryption and decryption of root keys is done. Needs some fondness for Haskell, though.
What I always wanted to have as a replacement for PySeedRecover (which you already found judging from your likes):
Progressive Web App instead of Python script, so that people only need to go to a website (but things are still done on the user’s device and never transmitted to a server) and are not bothered with installing Python, getting to know the command line, installing my strange script, …
Interactive construction of what they know about the seed phrase: Input exactly as they have maybe with typos, maybe only first four characters (some metal seed phrase devices only have four characters, because that’s enough for uniqueness). Then give some kind of selection of which words are closest to this by edit distance and which they want to check in which position. Result of this step can already give a number of how many seed phrases it would have to check.
Configure which derivations should be checked: Cardano’s standard, Ledger (which does a different root key derivation), Trezor legacy (which has a bug in root key derivation for 24 words or more), Exodus (which does something completely strange), …
Check against a database of all public key hashes that have ever been seen on Cardano (maybe also on the testnets?). To get this database would be the only server communication.
Generate a comprehensive report: “We found a seed phrase ‘XXX YYY ZZZ …’ that has been used with a standard Cardano wallet (or Trezor), with Ledger, with Exodus. You can see the current contents here: ”
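An added example (not code from this thread, from PySeedRecover or from any wallet project) of the candidate-selection step described above: for each remembered fragment it collects wordlist words by exact match, by unique four-character prefix (as on metal seed plates) or by Levenshtein distance, and reports how many phrases the later derivation step would have to check. The wordlist here is a constructed sample of the first BIP39 English words; a real tool loads all 2048.

```python
from itertools import product

# Constructed sample: the first 24 words of the BIP39 English list.
# A real recovery tool loads the complete 2048-word list instead.
SAMPLE_WORDLIST = [
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "account", "accuse",
    "achieve", "acid", "acoustic", "acquire", "across", "act", "action",
    "actor", "actress", "actual",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def candidates(fragment: str, wordlist=SAMPLE_WORDLIST, max_distance: int = 1):
    """Plausible (word, distance) pairs for one user-supplied fragment.

    BIP39 words are unique by their first four letters, so a fragment of
    at least four characters that prefixes a word is an exact hit (distance 0).
    Everything else is ranked by edit distance, capped at max_distance."""
    fragment = fragment.strip().lower()
    found = []
    for word in wordlist:
        if word == fragment or (len(fragment) >= 4 and word.startswith(fragment)):
            found.append((word, 0))
        else:
            dist = edit_distance(fragment, word)
            if dist <= max_distance:
                found.append((word, dist))
    return sorted(found, key=lambda t: (t[1], t[0]))


def search_space(fragments, wordlist=SAMPLE_WORDLIST, max_distance: int = 1):
    """Per-position candidate lists plus the number of phrases to check.
    A position with no candidates yields 0: the user must relax max_distance."""
    per_position = [candidates(f, wordlist, max_distance) for f in fragments]
    count = 1
    for cands in per_position:
        count *= len(cands)
    return per_position, count


def enumerate_phrases(per_position):
    """Yield every phrase combination, best-ranked candidates first."""
    for combo in product(*[[w for w, _ in cands] for cands in per_position]):
        yield " ".join(combo)
```

The phrases yielded here are what the derivation step (standard Cardano, Ledger, Trezor, ...) would then turn into key hashes to look up; this block stops at the counting step.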
Thank you for your suggestions.
Unfortunately I am only well versed in Python and to some extent in Rust.
I am certain I can drastically improve the speed of your recovery script. Perhaps when I have time I can see if I can implement your recovery script in Rust. Implementing it in Rust would not only drastically improve the speed but would also result in an executable, removing the need for Python and/or any dependencies.
Do you know of any such databases? I implemented something similar for Bitcoin, it works quite well. Perhaps I can do something similar for Cardano.
No, don’t know any ready to use. Which is why I opted to just query Koios when I last touched it.
But it should not be that complicated and the result not that large to just go through, e.g., https://api.koios.rest/#get-/account_list and save them in some fast hash set/map data structure. Maybe even as bytes without the header byte to be as close as possible to what you get from the derivation from the seed phrase and have the most compact data. That would then just have to be updated from time to time with the stake key hashes that have newly appeared.