My life savings/pension got stolen: 720k ADA + CNT stolen from my Ledger X / Eternl wallet

I WOULD REQUEST THE HELP AND ASSISTANCE OF THE CARDANO COMMUNITY AND SMART CONTRACT SECURITY DEVELOPERS, to help trace the specific smart contract that triggered this theft.

It is also likely that other Cardano investors/USERS/SAVERS got their Cardano stolen, as from tracing, circa 5 million plus my losses were also routed by the same accounts. (If anyone was involved in the THEFT or losses, I am collecting names for a class action lawsuit, SUPPORTED BY A FIRST CLASS LEGAL TEAM.)

THE HUGE LIFE CHANGING SURPRISE: go to bed financially stable, wake up with very little. An interesting experience I HOPE none of you ever have to go through.

No security phrase/PIN number leakage or malware use, as confirmed by independent security auditors of the PCs and network.

Both Ledger and PC were air-gapped and turned off at the time of the theft.

How it happened
Obscured and deceptive code: hidden malicious code (“blind signing”) that, once a user interacts with a DeFi platform (e.g., by granting token approvals), executes obscured delayed commands to drain the user’s assets.

This was not a cloned site.

Malicious smart contract with obscured Plutus Null code to drain a Ledger X/Eternl cold wallet multiple times. The primary mechanism involves tricking the user into signing a malicious, obscure transaction that grants the malicious contract permission to transfer assets from their account through use of an approve() function (for tokens), which grants the malicious smart contract permission to spend the user’s funds multiple times without Ledger signature and/or approvals.

857f1006b5f1a530817ac490b029d03626ca6f1969cb97b85a87cfa335d47349 | Withdrawal (700,000.4 ADA) | Similar pattern: Plutus validator script with redeemer; reference script likely null, datum hash present. [docs.gomaestro.org]

Plutus validator script : This is the smart contract that decides if a transaction is allowed. It checks conditions before letting funds move.

Redeemer : Think of this as the “instruction” given to the contract, like “withdraw funds” or “close account.” It tells the script what action to perform.

Reference script likely null : Normally, transactions can point to a pre-stored script to save space. Here, the full script was included in the transaction instead of referencing one. This means the attacker didn’t rely on an external script—they embedded it directly.

Datum hash present : A datum is extra data stored on-chain that the script uses to validate conditions (like who owns the funds or what rules apply). The hash is just a fingerprint of that data. If the datum matches what the script expects, the transaction passes.

Why this matters for the theft :
The attacker had:

  • The correct redeemer (instruction to withdraw).
  • The correct datum (data the script expected).
  • The script logic allowed the withdrawal without requiring your signature.

So the smart contract validated the transaction as “legit,” even though it was malicious.

Stake deregistration: Script purpose = Publish; validator script hash tied to stake credential

  • Script purpose = Publish : In Cardano, every script has a purpose. “Publish” means the script was used for a certificate-related action, like registering or deregistering a stake key or pool. It’s not about sending ADA directly; it’s about changing staking status.
  • Validator script hash tied to stake credential : The stake key (your staking identity) was controlled by a Plutus validator script instead of a normal signature. This means the smart contract had authority over your staking actions. Whoever could provide the correct redeemer and datum could deregister your stake or withdraw rewards.

Why this matters for the theft :
If your stake key was locked under a script, the attacker didn’t need your wallet signature—they only needed to satisfy the script’s logic. If the script was malicious or too permissive, they could deregister your stake and withdraw funds without your consent.

On 04/09/2025 at 12:59:43 (UTC), addr1q9nykmtau493j5xkmjfjwrtdz9uen4uahplfzjr2jc7p485qdqudrwzfgyzzmx44hyhw7xsh94qx9ac6ppd0877nv4fsjlcqs2: the wallet received 700,000 ADA under transaction hash 857f1006b5f1a53…35d47349. Prior to dispersal, the wallet also received a further 10,995.880131 ADA, bringing the total available balance to approximately 711,000 ADA.

The funds were subsequently broken up and sent out in eight separate transactions:

  • 127,000.168963 ADA
  • 127,500.168963 ADA
  • 61,700.168963 ADA
  • 130,000.168963 ADA
  • 190,000.170549 ADA
  • 63,794.696376 ADA
  • 10,000.167730 ADA
  • 1,000.169624 ADA

This equates to a combined outflow of 711,995.879131 ADA, which is consistent with the wallet’s total balance at the time (700,000 ADA plus the additional 10,995 ADA).

In summary, the original 700,000 ADA deposit was not sent on in a single transaction but was split across eight outputs totalling just under 712,000 ADA, funded by the 700,000 ADA transfer and an additional ~11,000 ADA received shortly beforehand.

To

Transaction Hash: fc6ceb6385ae9cfabf173ab51ec3323751e9796402e8f3f8491ace0c7301c422

Address: DdzFFzCqrht9e4tV7UFaUiGnbeXCLPXMtEvVwmgMFW8RxbL2rUDcxa7Q8ApYLURWx4J5WX6LcGkZddVrpUaHxVGRVu42KgDeV4PYDBqx

To

Transaction Hash: fc6ceb6385ae9cfabf173ab51ec3323751e9796402e8f3f8491ace0c7301c422

Address: DdzFFzCqrhszAisfe4k7wNnA8Ue4L3AyHVpdeewZkyrfScRqRptz6RxzzVdbvYNscoq7cWyz69sECE2tKwC7gKFiqu5dzLZfTs3ez1xy

UTXO: a9c9cd329a8aca9edae68aed7fbbd35f5651b0ca1ab4299010baa1e5634a6728

The characteristics of this wallet (legacy Byron address format, extremely high transaction count, continuous 24/7 flow of ADA, absence of staking delegation, and sweeping/aggregation behaviour) are consistent with control by a Virtual Asset Service Provider (VASP), most likely an exchange hot wallet.

While the specific VASP cannot be conclusively identified without confirmation from the service provider, the on-chain indicators strongly support the assessment that this address is part of an exchange cluster rather than a private individual’s wallet.

As can be seen from following the three trails (one of 1,000 ADA and two of 127,500 ADA), all flows ultimately terminate in wallets that exhibit the characteristics of VASP-controlled accounts, namely extremely high transaction volumes and continuous in/out activity. While this strongly supports the conclusion that the funds have entered custodial infrastructure, it cannot be stated with certainty that all three trails are controlled by the same VASP. It remains possible that they belong to different service providers, although the behavioural indicators are consistent across each.

Both of the large 127,500 ADA transfers ultimately converge into this address, which strongly suggests that it is controlled by a Virtual Asset Service Provider (VASP). At this stage, however, I have not been able to conclusively identify which VASP operates it.

Asset tracers have identified the funds as moving to the following exchanges/services:

  1. Kucoin – 300k ADA
  2. HTX – 386 ADA
  3. SimpleSwap – 10k ADA
  4. ChangeHero – 197 ADA
  5. HitBTC – 1k ADA

I have re-staked the wallet to easy1 and did so to see if my balance reappeared; I also had other assets locked to that wallet which have since been removed, just in case the community asked.

If there are any Plutus script security experts or developers out there, I would be interested to talk and discuss an audit of the smart contract that caused this theft.

3 Likes

You already posted that story on Reddit (now deleted) and you were already told there that this is not how Cardano works.

Your 700 kADA were sent in this transaction:
https://adastat.net/transactions/857f1006b5f1a530817ac490b029d03626ca6f1969cb97b85a87cfa335d47349
There is no script/contract involved at all in it. They were sent from your wallet and the transaction had to be signed by the private keys of your wallet in order to do that.

Your seed phrase must have been leaked at some point.

It is impossible for any “auditor” to “confirm” that you haven’t leaked your seed phrase in the five years that you have been using that wallet/account. It doesn’t have to have happened recently, could have been months or even years ago.

That you have interacted with VyFi shortly before that is most probably pure coincidence:
https://adastat.net/transactions/42c1c76fe47242a9d627115253cfc41e33a99c1434df44e3dc4541c6cbaa180c
That transaction has nothing to do on-chain with the later transaction stealing your ADA.

Specifically:

This is pure AI-generated bullshit. No such functionality exists on Cardano. We don’t have “token approvals”. If you send tokens to a script/contract address, then an exploit of that script/contract could lose them.

But a script/contract can never give access to other assets that are still in your wallet/account. For those, there always has to be a signature by your private keys (derived from your seed phrase) to move them.

There is no “approve()” function on Cardano in any way, shape, or form. There most probably is no “obscured Null code” in VyFi’s scripts/contracts. (But even if there was, it would have nothing to do with the transactions stealing your assets.)

Your seed phrase was compromised. Period.

You don’t need a Plutus expert. Plutus has nothing to do with this.

This theft was not “caused” by a smart contract.

4 Likes

I beg to differ. When I prove the case I will be back with the pure facts, as stated above. If the Cardano community doesn’t wish to know, then I have done my part.

1 Like

Based on what do you beg to differ?

It is a fact that that transaction that stole your funds did not have anything to do with Plutus scripts.

Scripts are only relevant on Cardano to do transactions from a script address (which then contains a hash of the script, so it cannot be exchanged at will, it has to be exactly that script).
The description of what redeemers, datums, reference scripts are in your wall of text above are half-correct, but they are completely irrelevant in your case because the addresses were no script addresses, neither in the payment nor in the stake part.

Those were usual key hash base addresses. And those do not have anything to do with Plutus. You can spend from them (or withdraw rewards and change stake pools in the case of the stake part) if you provide a signature with the private key. Those are the facts in this case.

3 Likes
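The point made above about key-hash versus script addresses can be checked mechanically. The following is an added example, not code from the thread or from any Cardano project: it decodes a bech32 address and reads the header byte using the CIP-19 layout (high nibble = address type, low nibble = network id), reporting whether the payment and stake parts are key hashes or script hashes. The checksum routine follows BIP-173; Byron-era base58 addresses are out of scope.

```python
# Added example, not from the forum thread: classify a Cardano Shelley address
# by its CIP-19 header byte. Key-hash payment part => owner's signature needed;
# script-hash payment part => the validator decides. Standard library only.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
KIND = {0: "base", 1: "base", 2: "base", 3: "base", 4: "pointer", 5: "pointer",
        6: "enterprise", 7: "enterprise", 14: "reward", 15: "reward"}
STAKE = {0: "key", 1: "key", 2: "script", 3: "script", 4: "pointer",
         5: "pointer", 6: "none", 7: "none", 14: "key", 15: "script"}


def _polymod(values):
    """BIP-173 bech32 checksum polynomial (Cardano uses bech32, not bech32m)."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= GEN[i] if (top >> i) & 1 else 0
    return chk


def bech32_decode(addr):
    """Return (hrp, payload_bytes, checksum_ok); no 90-char cap, Cardano exceeds it."""
    addr = addr.strip().lower()
    pos = addr.rfind("1")
    if pos < 1 or len(addr) - pos - 1 < 6:
        raise ValueError("malformed bech32 string")
    hrp, body = addr[:pos], addr[pos + 1:]
    if any(c not in CHARSET for c in body):
        raise ValueError("invalid bech32 character")
    vals = [CHARSET.index(c) for c in body]
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    ok = _polymod(hrp_exp + vals) == 1
    acc = bits = 0
    out = bytearray()
    for v in vals[:-6]:  # the last six 5-bit groups are the checksum
        acc, bits = (acc << 5) | v, bits + 5
        while bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    return hrp, bytes(out), ok


def classify(addr):
    """Describe who controls a Shelley address (type nibble, network nibble)."""
    hrp, raw, ok = bech32_decode(addr)
    if not raw or (raw[0] >> 4) not in KIND:
        raise ValueError("not a Shelley address type this example understands")
    atype, net = raw[0] >> 4, raw[0] & 0x0F
    payment = "none" if atype >= 14 else ("script" if atype & 1 else "key")
    return {"hrp": hrp, "checksum_ok": ok, "kind": KIND[atype],
            "network": "mainnet" if net == 1 else "testnet",
            "payment": payment, "stake": STAKE[atype],
            # a key-hash payment part can only be spent with the owner's signature
            "needs_signature": payment == "key"}
```

Run against the addr1q... addresses quoted in the thread, it reports a mainnet base address with key-hash payment and stake parts, while the addr1w... contract address reports an enterprise script address.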

I hear you. If you’ve got evidence and you plan to lay it out later, that’s fair. Everyone’s free to dig into the facts in their own time. If the Cardano community isn’t interested right now, at least you’ve put your position out there. When you’re ready to share the full details, people can judge for themselves.

1 Like

I would genuinely like to thank Coin Box for his/her positive support, and I have decided to provide the following if anyone is remotely interested. I have NO AXE to grind, and this is not FUD. I got banned/blocked on Reddit for bringing this to the community’s attention, so I decided to try again here, as I hope this doesn’t happen to anyone else. If this stops a malicious actor from theft of others’ assets, I have done my part. I expect the moderator to be his defensive self and tell me I know nothing. Let these posts be a warning to the community: it’s down to us to fix these bad actors.

Civil and private action is ongoing. I have Not publicly Named the DEFI Project, but for the curious I have left a public record of the transaction and the Malicious “INTERESTING” Smart contract.

I would like to thank the developers of this online tool to decode the CBOR https://laceanatomy.com/

ALL Cardano Trolls, take a good look at this smart contract that is deployed in a Mainnet live environment.

67 days ago - 04/09/25, 12:30:14 AM

TRX: 42c1c76fe47242a9d627115253cfc41e33a99c1434df44e3dc4541c6cbaa180c

Related Smart contract:

addr1wx8fk923cyzhlptl2th8x0uqwml8j8t3q2e99t0vfn4ewjszp8ksm

Pre-production development script with some interesting test wallets, as below:

Bech32 - USE OF TEST PREPRODUCTION SCRIPTS - In live environment

addr_test1qqmw90yae9yk8xu69g0tk8n3wl7z425jtj295w9p60p52rea3e6ktfccmms7t7gfw7nmkxwlr8uty652uw8jq5klx3hqvj9jf7

Bech32 - USE OF TEST PREPRODUCTION SCRIPTS - In live environment

addr_test1qrxztdaaw8a9zdmtgp7w97lk28yt6r7qrsj8s54x3vemdt4ylyl0r4yk35a7t3jj39ese0ag4q0wl482chmcrjlqa5aslslucg

68 days ago - 03/09/25, 7:04:13 AM

TRX: b04059c74a5e08eed762a64d4709a2e2ab937fd3d7de536a26698c184e9bc7bf

Smart contract:

addr1wx92rnsuy7kgmwlshpguwqwj7g0yu33sx768y4whw2yxaagswhjwu

addr1z9wklkdye9x2s0g6wyzlkercl7na8vt6p933dp53jv2yvz0hmhymc227es6flzhu4ekmdr6kcu7l37pec4s529ahgf9qmz8jpy

6199481978d7acac5fc8635a3017db7b043d2d3cf1bfc144a00420f4

Bech32 - USE OF TEST PREPRODUCTION SCRIPTS - In live environment

addr_test1qrfrzt2js2k59snd8gvkfjz3z92jqwyf6tzp2c8v3wdr5t7wt0l03ky0nmcp8jzplj0f82hxzexnxr33wun3nzmu589swnxs4v


Possible Reasons

  1. Human Error / Misconfiguration
  • A developer might accidentally deploy the wrong script due to similar file names or incorrect environment variables.
  • CI/CD pipelines misconfigured to point to mainnet instead of testnet.
  2. Shortcut for Testing
  • Some teams skip proper staging environments and test directly on mainnet for speed, which is risky and unprofessional.
  • They might assume the script only reads data and won’t affect state—but this assumption can fail.
  3. Lack of Environment Isolation
  • Poor separation between preproduction and production environments can lead to scripts being reused unintentionally.
  • Missing safeguards like API keys or network checks.
  4. Malicious Intent
  • In rare cases, a developer could deliberately use a preproduction script to exploit vulnerabilities or drain funds.

Why It’s Dangerous

  • Incorrect Logic: Preproduction scripts often contain hardcoded addresses, dummy keys, or incomplete validation logic.
  • Security Risks: They may bypass checks or logging, exposing the system to exploits.
  • Financial Loss: On mainnet, any unintended transaction is irreversible and can cost real money.
  • Compliance Issues: Using non-approved scripts in production can violate audit and regulatory requirements.

Interested in positive ongoing community engagement.

1 Like

Theft of 720,000 Cardano and meme CNT from Yoroi/Ledger wallet with malicious smart contract and malicious actors

The moderator shot me down and stated that these transactions had no smart contracts. If he had looked, one transaction had 101 outputs and loads of smart contracts, same for below. It must be wonderful to mislead the masses; it’s down to us all to fix this issue of malicious actors.

I need Cardano developer help to locate and trace the smart contract that actioned the following transactions from wallet:

addr1q80d25zf5s07z5ua3l98t9sm2tr4drrun8rasysun973ztf4p7l5amnunl0ahhe4uvaq5eul8pqpj2f9e7kntns7z07s8c4xs3: it was delegated at the time to easy1stakepool, and de-staked by the thief: 33eb081210e67d5db6f2d4621780aff790dee7bb9ef3de652d1aba2e9a2d4ba3 (1 input and 1 output).

Then trx: 857f1006b5f1a530817ac490b029d03626ca6f1969cb97b85a87cfa335d47349 (101 inputs and 2 outputs) includes smart contracts, theft of 700,000 Cardano.

Then trx: ee06ad4aefbb5efca5afc2c343a20fc4cff414f34eb50fdc06949649d286750b5 (95 inputs and 3 outputs) includes smart contracts, theft of 10,995 Cardano + CNTs.

Then de-staked trx: 2d0fa449e362b23e6b182f7b1834cc43205e996cdbb5fa4475ba0bce93fac939 (1 input and 1 output), then further theft of 197 Cardano, TX 326ee621add1d982ff72fe48e7807a2f15e1aff44e5c18e57196dbd0540db2b9 (12 inputs and 2 outputs), includes smart contracts. There is some very strange movement of funds between staking node addresses and possible network security flaws that should be investigated.