HACKED? All my Cardano gone from my Deadalus Wallet — Steemit

Loss of ADA is very unfortunate, i feel for your loss, i think, like other members have posted security is the most important topic for our funds.

There needs to be more work on wallets and security. I use the daedalus pc wallet which i am sad to say is incrediably slow, a 28.8k modem seems faster, sorry devs.

I do want cardano / Ada to become mainstream 3rd gen crypto to take us to the moon and back, but these types of issues keep us at the level we are, 12th in the market place and slipping fast…

Please work on getting security / speed to the top of the priorty list, the rest will fall in place.

1 Like

Try the Yoroi wallet. It has Trezor support now and will probably have ledger support by the end of the month. I would encourage anyone who has the slightest issue with Daedalus to use Yoroi.

2 Likes

We the people are the weakest link in the information security. The simplest way to secure Daedalus is using a very strong “spending password” which is not stored online. You can put it in your lockable drawer for example as I would be very surprised if a hacker could have access to your drawer through computer.:slight_smile:

Anyway, what I usually do (for offline store for my HODLing) is quite complex, but similar to this:

  1. Create a wallet in Daedalus or cardano-cli (preferable as it can have a password).
    1.1. Record its public address for off-line monitoring and for the deposits.
  2. Backup the seed recovery phrase (12 or 15 words), by writing them down (with pen or pencil) to an acid-free paper (Usually, every normal printer paper are acid-free).
  3. Make another copy of it (Do not split it half half or similar, it makes more complex, but no any security gain).
  4. Generate a recovery passphrase (only w/ cardano-cli as Daedalus’ spending password is different) for extra security to protect your wallet when somebody finds your seed recovery phrases and write it down similar to the seed recovery phrases.
    4.1. I prefer only 4 English words using some proper random function. Or words from the 2048 wordlist would do as it provides 11bit entropy/word, so 4 words are 44bits which is much better than any fancy password. And remember this is just an extra security for the existing 128 or 165bits entropy that the wallet has.
  5. Completely, destroy Daedalus or cardano-cli’s wallet data (delete wallet completely or using the apps to delete wallet)
  6. put each backups to an envelope and address it like “Cardano Family 1 seeds”
  7. put the recovery phrase the 4 extra english words to the 3rd envelope.with the “Cardano Family 1 passphrase”
  8. Seal them /w some tamper evident security labels and sign that label (you can buy online everywhere).
  9. You can store one seed’s envelope at home in a safe vault or similar.
  10. You should put the second seed in some other city’s Bank safe deposit box. For any fire or water damage in your house or city.
  11. Take the recover passhprase to the or public trustee and make a Will, they will store this for you until you die or change your mind.
  12. Tell your family (wife and children) what you did and how.
  13. Do some small deposit to that public address
  14. Send all your funds to that address.
8 Likes

It hurts, and I understand your pain, but a lack of education is the problem here.

No one hacked your Daedalus “account”, they hacked your OS. There’s no such thing as a crypto wallet that will keep you safe with this level of compromise. It’s essentially like someone filming your screen and keyboard as well as having access to all your files. Nothing at the software level (e.g. passwords and encryption) are of any use if you’ve been pwnd.

At this point, you should assume that all your passwords to everything have been compromised.
Wipe your computer, change the passwords to all your online services etc, and use a better virus scanner.

6 Likes

That won’t help if you’re compromised as badly as the OP. His keystrokes are probably being uploaded in realtime along with screenshots.

Yes, you’re right, it depends on how his OS is compromised. I assumed a simple case when they just copy over the daedalus folder, as he would have lost his funds from his bank either.
Anyway, the first rule is never be an admin/root on your Windows/Mac/Linux, always login as regular user. This would prevent any keylogger, screencapturer to work, and a strong spending password would do.

3 Likes

The ledger replaces your wallet’s private keys

Thank you all for your help and your support, I truly appreciate it

2 Likes

The ledger nano also has private keys.
If someone somehow got your private keys and buys a Ledger, load your private keys in the new Ledger he will be able to acces and send your coins to his account. Your money will be gone.

Always keep your private keys offline and safe.

1 Like

…who’s responsible for your hacked hardware wallet that was lifted on the subway?

Getting lifted/hacked sucks…narcissists, thieves, cons…put them on the dark side of the moon.

Hardware wallets are air gapped yet they’re not invulnerable. Wrt a local software wallet, don’t comingle recovery and wallet in the same system, this is 101. Better, don’t have any, any digitized recovery anywhere. Get it physical and secure it. Hot wallets: Only when there’s no other option eg. fiat on/off ramp, pair exchange, otherwise it’s better for many reasons for you to possess your keys, not a third party. Remember the Keys Rule, He Who Has The Keys, Rules. Because theft probability is a function of risk management, for all intents and purposes, we can manage our loss risk down to nearly zero.

It’s not Daedalus, it’s us. We have this outstanding opportunity - perhaps our last - to become sovereign individuals, to become self reliant.

1 Like

Ledger is a separate device. You type your pin and recovery words directly into it so there is no risk of data being scraped by a hacker from your OS. Perhaps there are ways to hack it and if a thief steals your recovery words and the wallet itself then he can access your funds. It’s still much safer than anything working on Windows though :slight_smile:

Well I can only look at it from theoretical point of view, provide some concepts of how the security can be increased (as I’ve done a few times on the forum), however I’m not competent enough to provide coded solutions.

As I’ve mentioned above, Ledger is a separate device. You don’t risk your data being hacked with a Windows breach.

The thief doesn’t need your hardware device if he has the recovery phrase. It’s the same case as with Daedalus. He who holds the recovery phrase is the owner of the wallet. Simple as that. Solutions will likely come for multi-sig recovery at some point, most likely on second layer networks, but that is going to take time… It’s not a Cardano-only issue.

3 Likes

I would like to see implementation of offline transactions to enable fully airgapped wallets.

4 Likes

I checked your steemit page. It seems like you lost your steem coin last month. You should pay more attention to your security. Make a paper wallet and keep it safe, or use Trezor hardware wallet. Remember, for crytocurrency, not your key, not your coin. Nobody can recover your loss, It’s your full responsibility to keep your crypto asset safe. I hope you lose any more asset, and I feel sorry for your loss. Cheer up!

4 Likes

I have yet to hear of a case where someone had their money stolen via physically loosing their recovery phrase while OS hacks are a daily occurrence. That’s a huge difference.

Judging by forum interactions people are still oblivious as to why crypto has almost no adoption. I guess they also believe coal miners should learn to code and construction workers could make a career as astrophysicists.

As it is crypto is clearly not for everyone unless it’s made more user friendly and more secure. And if it’s not for everyone it’s better to invest in something that is tailored for wider population. Like postage stamps.

2 Likes

You’re right, it simply isn’t ready for mass adoption. But consider that back in the day there wasn’t even the concept of a recovery phrase or anything like that. The reason everything uses base58 now is because back then it was expected that people write down their private keys and public addresses on paper so we didn’t want 1 and l (etc) to be mixed up.

In fact, IIRC when I first used Bitcoin if you didn’t specify a change address you just ended sending your entire wallet balance to whoever mined the next block. People actually used to contact miners on bitcointalk to ask who mined the last block and could they please have their 500BTC back because they didn’t actually mean that to be a transaction fee. And you could only do any of that if you were actually able to compile the code first anyway.

Things are much easier now, and will continue to get easier and easier.

At the same time, the generation being born today will be as comfortable with private/public keypairs as we are with wifi passwords. What they won’t be comfortable with is any kind of central authority having control over their financial life.

5 Likes

If you want to be even safer than a hardware wallet, do this:

  1. Get a new hard disk or format an existing one. Do a clean OS install, then install daedalus.
  2. Physically disconnect from the internet. Do not connect to internet again until after step 5 is complete.
  3. Generate a new wallet.
  4. Write down the seed words. Do not send them to a printer. Do not save them to a USB stick (in case you accidentally plug it in to an internet connected computer one day). Make multiple handwritten copies of the seed word words and keep them in different secure locations in case one location burns down or something.
  5. Copy your public address to a new blank USB stick.
  6. Format the computer (wipe everything). Do not physically connect the internet again on this computer until this step is complete.
  7. Plug usb stick into your regular malware infested computer and copy the public address to somewhere convenient.
  8. Buy ADA
  9. Send coins to your public address.
  10. hodl. Check price again in 3 - 5 years.
5 Likes

What do you think about local password safes? Are they secure enough for saving the pass phrase?

In reading about losing coins and being hacked I think a mistake people make is discussing how many coins you have! The hackers phish for info. Then try and send fake links via email. If the hacker sends out 100k emails using bots, it only takes a 1/2 dozen or so responses for the hacker to get lucky! DONT EVER REVEAL THE SIZE OF YOUR INVESTMENT! DON’T CLICK ON LINKS IF YOU DON’T KNOW THE SOURCE!

2 Likes

Now this link is here for evrrybody to click and get scamed thanks can someone remove it.