Daedalus Wallet-1600 ADA disappeared-was I hacked?

So I just noticed that about 5 days ago (1/10/25), 90% of the ADA in my Daedalus wallet was sent, without my knowledge or authorization, to 7 unknown addresses. I usually open Daedalus a couple times a week to sync with the blockchain and check on my staking rewards.

I was pretty surprised last night to notice my balance went from 2K ADA to 250 remaining ADA (dammit).

I have no idea how or why this happened. Was I hacked somehow? Did someone discover my keys and compromise my account? Has anyone else experienced anything like this?

Other than re-installing Daedalus about 18 months ago on a new laptop, I had done zero except for syncing with the main blockchain. In late Dec/early January, I did initiate a change in my staking delegate, and at that time I had to use my Admin password to change staking pools…I’m not sure if that’s possibly when I was compromised, but it was all done over my secure home WiFi.

I also know I recently had to update Daedalus, so maybe there’s some bug or other explanation for my missing ADA…fuck-I don’t even know how to report this shit so I can write it off as stolen on my taxes.

When I go to the address tracker, it says the destination addresses aren’t valid (see attached photo of what comes up when I click on one of the 7 destination addresses). Is it possible there was some error or incorrect transaction, or my info was compromised when changing staking pools from within the Daedalus application?

Anyway, here is one of the problems with a blockchain system: other than a general support forum, there’s nobody to call to reverse a fraudulent transaction when it occurs and assist with locating and shutting down hacker thieves…

Here’s an image of what I get when I click on the destination addresses. Anyone have a similar experience or have any suggestions? This is a big hit for me…

Thanks
John
IMG_6808

3 Likes

Can you please post a receiving address of yours here?

3 Likes

Sure, thanks for engaging. Let me copy and send, give me 10 minutes.

3 Likes

Here is the transaction confirmation and 7 destination addresses:

TransID: b9091082e4e52ce595a00dbe15a46142e038e3e269ffd0e99120938a53c7d9cc,Sent,“-1,650.189745”,

DdzFFzCqrhtA9YRafpJEuBesWsX4YwqkzKMUuSED1tpP5FNyLXb9Xtm61oUCjBdmYhAUHfnrWLTV6ZGkngBeVVpcHgCBGsnSfqNN2RTa, addr1q8u8yjydynkyew2mwvvl37e9g9t38ul8q70yyyzwzg4dkf6emtkgeymeryqxcd8qt0grd4r6e7zzae7mue4qa6zz6qhqwda6tg, addr1q8u8yjydynkyew2mwvvl37e9g9t38ul8q70yyyzwzg4dkf6emtkgeymeryqxcd8qt0grd4r6e7zzae7mue4qa6zz6qhqwda6tg, addr1q8u8yjydynkyew2mwvvl37e9g9t38ul8q70yyyzwzg4dkf6emtkgeymeryqxcd8qt0grd4r6e7zzae7mue4qa6zz6qhqwda6tg, addr1q8u8yjydynkyew2mwvvl37e9g9t38ul8q70yyyzwzg4dkf6emtkgeymeryqxcd8qt0grd4r6e7zzae7mue4qa6zz6qhqwda6tg, addr1q8u8yjydynkyew2mwvvl37e9g9t38ul8q70yyyzwzg4dkf6emtkgeymeryqxcd8qt0grd4r6e7zzae7mue4qa6zz6qhqwda6tg, addr1q8u8yjydynkyew2mwvvl37e9g9t38ul8q70yyyzwzg4dkf6emtkgeymeryqxcd8qt0grd4r6e7zzae7mue4qa6zz6qhqwda6tg",

3 Likes

Yeah, it looks indeed like the “hacker” stole your funds. I would recommend transferring your remaining funds to a new wallet asap.

He didn’t withdraw your rewards.

3 Likes

That is crazy and I did remove my remaining funds…

Any idea how I can document this and show it as a loss for tax purposes?

2 Likes

Uff, sorry, I have no idea (I’m not living in the USA). But you probably will have to make a report to your local authorities.

2 Likes

How do you think this happens? Wouldn’t someone need both my private keys and my like admin/sending password to transfer funds out of my wallet?

I did not see this coming at all…and I’ve only entered that admin password 1 time recently to change staking pool. I hardly remember it at all. WTH?

2 Likes

Did you store your seedphrase (24 words) in a digital way? Like did you make a screenshot of it or stored the words somewhere in a file on your computer/cloud?

Nope. If the attacker was able to get your seedphrase, he can simply use that to restore your keys. And the spending password is only needed because you are encrypting your keys locally.

To prevent such a case again, I would really recommend getting a hardware wallet.

2 Likes

Yeah, thanks for responding. I appreciate your input and assistance. I don’t even know where I stored my seed phrase.

This is a good wake-up call for myself and others to tighten up on that stuff: paper only for seed phrases. I have some tidying up to do.

4 Likes

Closing out on this thread… I couldn’t recall where I stored my Daedalus Wallet Seed Phrase. I found it. It was stored as an image/screenshot in my hidden (requires Face ID to access on phone) folders photo album on my phone and possibly iCloud (I need to check if this backs up to iPhotos/iCloud).

Just leaving this as a note of caution to anyone who might read this and thinks their seed phrase is safe in the hidden folder of their Apple photos albums: apparently it’s not.

Damn-I hope all the dirty photos and videos of me and my girl are not at risk also :tired_face:. I’d be less upset at those being leaked than I am for being hacked for 1650 ADA…

5 Likes

By the way, these are not seven wallet addresses.
The hacker has sent 1,650.189745 ADA to the wallet address:
DdzFFzCqrhtA9YRafpJEuBesWsX4YwqkzKMUuSED1tpP5FNyLXb9Xtm61oUCjBdmYhAUHfnrWLTV6ZGkngBeVVpcHgCBGsnSfqNN2RTa

The other 6 wallet addresses belong to your account. These are not 6 wallet addresses. It’s 6 times the same wallet address:
addr1q8u8yjydynkyew2mwvvl37e9g9t38ul8q70yyyzwzg4dkf6emtkgeymeryqxcd8qt0grd4r6e7zzae7mue4qa6zz6qhqwda6tg

I think the hacker has sent your funds directly to an exchange address, because many of them are still using the old Byron legacy addresses, which are starting with DdzFF…

You should get in contact with your local authorities as soon as possible.

@Zyroxa
Can’t Xerberus help in such a case like this with their tool Siren?

Pete has done a video in the past of Siren:

2 Likes

I’m not familiar with that tool you just mentioned, but I doubt that anyone is gonna spend a lot of time for “only” 1600 ADA to recover.

4 Likes

I would recommend using it. If they have success, then they take a small amount as bounty.

1 Like

Hi @john_little,

Have you tried to report your issue to Siren?

Kind regards,
Cüneyt

1 Like

https://adastat.net/transactions/b9091082e4e52ce595a00dbe15a46142e038e3e269ffd0e99120938a53c7d9cc#outputs
As already said by others, only the Ddz… address is interesting here. That is where your 1650 ADA went. The others are just flowing back to your own wallet. (Interesting data point that it generated so many 1 ADA outputs. I don’t know any wallet app that does that.)

DdzFFzCqrhtA9YRafpJEuBesWsX4YwqkzKMUuSED1tpP5FNyLXb9Xtm61oUCjBdmYhAUHfnrWLTV6ZGkngBeVVpcHgCBGsnSfqNN2RTa is a typical deposit address of a centralised exchange (CEX). Transactions from a lot of different sources come in and are exactly forwarded a short time later. Exchanges do that so that they can identify which of their customers deposited something there. They sometimes reuse these for different customers, but this one has so much overlap and so little time between that it’s highly likely that all of these transactions (at least in the same time span this January) are other victims of the same thing.

Your 1650 ADA were moved out of that deposit address by 010e20b5c366640104dc7ded8b90105b6b6e33de8419114144a682f2ccf523d8. That’s another indication that it is a CEX: this transaction takes ADA from a lot of different (likely deposit) addresses and puts them all together into DdzFFzCqrhsuQV5ohP1EBh9d4UjmmWDb2Vui2s2SACSBDeEW74kHhp3zj9hvLFDb9mK7hRr7fbctu1UYatPaF1omXiXPwf12bn7DQvbT, likely the main address (or one of the main addresses) of the CEX, with over 179 000 transactions on it.

In this case, just googling that address leads us to: https://www.htx.com/support/24922606430831
That is Huobi’s wallet by their own information.
So, you, your lawyer, or law enforcement could maybe contact them to (maybe) find out more about who took them.

What they would need is the transaction ID and maybe the deposit address:
“Hey, 1650 ADA were stolen from me in the transaction b9091082e4e52ce595a00dbe15a46142e038e3e269ffd0e99120938a53c7d9cc on the Cardano network and put into the address DdzFFzCqrhtA9YRafpJEuBesWsX4YwqkzKMUuSED1tpP5FNyLXb9Xtm61oUCjBdmYhAUHfnrWLTV6ZGkngBeVVpcHgCBGsnSfqNN2RTa. That address looks like it is one of your deposit addresses.

Can you help me identify the perpetrator? What kind of official documents would you need for that? Can you freeze the assets in the meantime?”

Or something along those lines.

What Siren does is only the same thing, automatically, that we have done here by hand. It just tracks where assets went. You can look at some of the reports at https://app.xerberus.io/fraud/reports to see what that looks like. That helps if there are a lot of intermediate addresses/wallets involved, but in this case it is not really needed.

They can provide such reports to maybe get law enforcement or the CEXes to do something, but other than that they can’t do wonders. It will be largely the same as with all the investigations we have done in this forum over the years. As soon as it hits a CEX, they can’t do much more.

2 Likes
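As an added illustration of two points made in this thread (the seven “destinations” collapsing to one real destination plus the victim’s own change address repeated six times, and the pay-in-then-sweep pattern that marks a CEX deposit address), here is a small Python script that is not part of the thread or of any wallet software. The two addresses are the ones quoted above; the 1 ADA change amounts, the flow timestamps, the sender labels and the consolidation address are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not pulled from the explorer links in the thread): the two
# addresses quoted above, the theft amount, and six assumed 1 ADA change outputs.
CHANGE = "addr1q8u8yjydynkyew2mwvvl37e9g9t38ul8q70yyyzwzg4dkf6emtkgeymeryqxcd8qt0grd4r6e7zzae7mue4qa6zz6qhqwda6tg"
DEPOSIT = "DdzFFzCqrhtA9YRafpJEuBesWsX4YwqkzKMUuSED1tpP5FNyLXb9Xtm61oUCjBdmYhAUHfnrWLTV6ZGkngBeVVpcHgCBGsnSfqNN2RTa"
THEFT_OUTPUTS = [(DEPOSIT, 1650.189745)] + [(CHANGE, 1.0)] * 6

# Constructed flows through DEPOSIT: (timestamp, from, to, amount); senders and sink are placeholders.
T0 = datetime(2025, 1, 10, 12, 0)
SINK = "DdzFF_CONSOLIDATION_PLACEHOLDER"
FLOWS = [
    (T0, "victimA", DEPOSIT, 1650.189745),
    (T0 + timedelta(minutes=40), "victimB", DEPOSIT, 1000.0),
    (T0 + timedelta(hours=1), "victimC", DEPOSIT, 320.5),
    (T0 + timedelta(hours=2), DEPOSIT, SINK, 2970.689745),  # one sweep of everything
]

def address_era(addr):
    """Shelley addresses are bech32 'addr1...'; Byron-era ones begin 'DdzFF' or 'Ae2'."""
    if addr.startswith("addr1"):
        return "shelley"
    return "byron" if addr.startswith(("DdzFF", "Ae2")) else "unknown"

def summarise_outputs(outputs, own_addresses):
    """Collapse repeated output addresses and split own change from real destinations."""
    totals = defaultdict(float)
    for addr, amount in outputs:
        totals[addr] += amount
    foreign = {a: t for a, t in totals.items() if a not in own_addresses}
    return {
        "distinct_addresses": len(totals),
        "foreign": foreign,
        "change": {a: t for a, t in totals.items() if a in own_addresses},
        "ada_lost": round(sum(foreign.values()), 6),
        "foreign_eras": {a: address_era(a) for a in foreign},
    }

def looks_like_cex_deposit(addr, flows, window=timedelta(hours=6), min_senders=3):
    """Thread heuristic: many unrelated senders pay in, and it is all swept to one
    consolidation address shortly afterwards with nothing left behind."""
    inbound = [f for f in flows if f[2] == addr]
    outbound = [f for f in flows if f[1] == addr]
    if len({f[1] for f in inbound}) < min_senders or not outbound:
        return False
    swept = all(any(timedelta(0) <= o[0] - i[0] <= window for o in outbound) for i in inbound)
    balanced = abs(sum(f[3] for f in inbound) - sum(f[3] for f in outbound)) < 1e-6
    return len({f[2] for f in outbound}) == 1 and swept and balanced
```

Running `summarise_outputs(THEFT_OUTPUTS, {CHANGE})` reports two distinct addresses and 1650.189745 ADA actually lost, and `looks_like_cex_deposit(DEPOSIT, FLOWS)` is true for the constructed flows.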

Yes, it is very much possible that a cloud backup could have leaked your seed phrase.

Another possibility would still be malware on your computer that could have taken the encrypted keys from Daedalus and either key-grabbed or brute-forced your spending password to decrypt it.

There have been over time numerous reports of Daedalus wallets getting emptied, where the victims swore that they have never compromised their seed phrase, never used it in another wallet app etc. pp. From afar, we can never tell if they maybe just forgot, if they did store a screenshot somewhere, … But malware is always a possibility for any wallet app that stores the keys on the computer.

1 Like

Hi John,
the same thing happened to me but it was removed from my YOROI wallet, 1k was sent to the same address you described “DdzFFzCqrhtA9YRafpJEuBesWsX4YwqkzKMUuSED1tpP5FNyLXb9Xtm61oUCjBdmYhAUHfnrWLTV6ZGkngBeVVpcHgCBGsnSfqNN2RTa”.

1 Like

This transaction?
https://adastat.net/transactions/40c10f34443057c2f5ce181334fd4de500baaa1a96914016909cccbdbba9c739#outputs

For a hack or scam that is a bit strange because it left most of the ADA in your wallet and “just” took 1000 ADA. Usually, they empty wallets (almost) completely once they have access.

Otherwise, the same as above applies:

1 Like

Not yet. Maybe at some point…

1 Like