Mysterious Partial Wallet Drain

I recently discovered that my Cardano wallet was partially drained without my knowledge or interaction. Here are the key details:

  1. Over 4800 ADA was taken from my wallet, leaving about 3400 ADA behind.
  2. The incident occurred in April, but I only noticed it recently.
  3. I hadn’t interacted with my wallet for several months prior to the incident.
  4. My main activities were holding, staking, and liquidity farming on Minswap and Sundaeswap.
  5. Two suspicious transactions were identified:
     • 3000 ADA sent on Apr 17, 2024, at 4:32:21 PM
     • 1800 ADA sent on Apr 17, 2024, at 5:28:14 PM
  6. Both transactions went to the same wallet: addr1qysnnmx8k0xm4aee06st3m5zndv6dpege4wgzj8ae25wgjpp88kv0v7dhtmnjl4qhrhg9x6e56rj3n2us9y0mj4gu3yqj2zhvk
  7. The transactions end up in a top 100 wallet after a few hops: addr1v804tgee0m3ww7z93zh64wr9flqh9psdhnxg6cykfudgulg6f633p
  8. There were multiple transactions (14) between these two main ones, all within about an hour, liquidating my farming positions and swapping to ADA.
  9. I use Eternl wallet with a recovery seed phrase securely stored.
  10. I’ve checked DEXs and CEXs, but found no trace of withdrawn funds or remaining liquidity.

I’m puzzled by several aspects:

  • Why wasn’t the entire wallet drained?
  • How could this happen without my interaction?
  • Could a simple wallet connection to a rogue web3 app have compromised it?

I’m seeking advice on:

  1. How to determine the exact cause of this breach.
  2. Steps to secure my remaining funds.
  3. Best practices to prevent future incidents.

Any insights or experiences from the community would be greatly appreciated. I want to understand what went wrong to protect myself and others from similar situations in the future.

Pure speculation, but: It looks like your first address was pretty completely emptied. Maybe the attacker used an app that was only looking at that first address and not at the other addresses in your wallet.

Without interaction, this can only happen if your seed phrase or your private key(s) somehow got to an attacker. There are lots of ways how that can happen: Giving them to fake support or to fake apps, malware extracting them from your computer, not even necessarily from the wallet app you are currently using, could also be one you used before and did not completely wipe, …

Only possibility with how Cardano transaction signing works is that you connected to a malicious website and that website asked you for every single one of those transactions and you signed all of them in that very moment on 17th April. That is what those scam tokens you got rid of tried to lure people into (by pretending that those transactions are for claiming some kind of reward). But it is highly unlikely in your case because … you would have had to personally say okay to all of those transactions liquidating all of your holdings.

Hard to impossible unless you remember something from that time or before that that could shed some light on it. Did you use other wallet apps with the same wallet? All places you ever gave that seed phrase to? Maybe malware scan of your computer. …

What is a bit odd is that a couple of minutes after everything was done, someone – presumably the attacker – registered and delegated your wallet again to the same stake pool that it was delegated to before they started – and that they had just deregistered from an hour earlier, then they switched the stake pool, and then they deregistered again. All in a matter of minutes. The last three transactions on 17th April. That makes no sense whatsoever, especially as an attacker.

To be as secure as possible, I would probably treat that seed phrase and all devices it was imported on as compromised. Cleanest solution is always to completely wipe and reinstall them. (Sorry!) If you get a better idea of what happened from the previous point, you could decide that it is sufficient to remove a found malware (that you are sure was the only reason) or that it was not malware at all, but you did give your seed phrase away. But if in doubt, completely clean reinstall is safest.

All assets should be moved to a new wallet with a brand new seed phrase that is generated on a device that is guaranteed to be clean and that is never put into a potentially compromised device. Can be either another device that you happen to have or the one it is currently on after wiping and reinstalling. You can just restore the old wallet in parallel to the new one to make moving everything over easier (although you don’t seem to have left much in there, anyway). Just remove the old wallet afterwards to ensure that you never use it again.

Besides securely storing the seed phrase (not in any way online, best just written by hand multiple times on different sheets of paper stored in different reasonably safe locations), using a hardware wallet is the single best thing to do for security. Its seed phrase should obviously be stored even more safely if possible and under no circumstances ever be put into a computer, just on the hardware wallet.

Thank you for your help!

I double checked against my Google activity history. I was at work at the time of the transactions and the computer hosting my wallet was probably shut down. It should be a leak of my private keys somehow.

This is indeed very interesting that:

  1. The attacker didn’t empty the whole wallet
  2. They delegated the remaining amount at the end of the transactions… who would do that?!

Thank you for pinpointing that 2nd point, I hadn’t noticed.

Is there a way to know what that final wallet was? It is around the top 60 of ADA holders. Would that be a CEX? If yes, could the CEX take action against the attacker?

I ordered a hard wallet to secure what’s left of my ADA. What happened will remain a mystery I’m afraid…

Not only that, but also undid that a few minutes later. Makes no sense at all.

According to this old forum post where someone got ADA from that address, it is Binance: https://forum.cardano.org/t/my-coin-isn-t-reflecting-on-trust-wallet-but-seen-on-cardano-network/123725/19

The address where the 4800 ADA were transferred to already looks like a typical CEX deposit address: addr1q8d60n4nmf4rnyp77gcth3rh44v6kn5jjhg3fs3dwf4rj597faqjhyr7nkajrrlgy9mma4pujgdjre4257ls9n5t95gqgk922w It only has one transaction in and one out. CEXes tend to give such single-use addresses to their customers so that they can distinguish the deposits.

The outgoing transaction d9d5a03918fa01ec241f64bd5aabde0794863ae7ee155e01d4cb5c7b228ff21f of that deposit address takes a lot of these deposits and puts a small part on another address under the same stake address (which only makes limited sense since that stake address is not registered or delegated, it just somehow groups all these deposit addresses together) and a large part of these deposits on addr1v8243y06t2lt44fj8qqs7uc5k702zgafhu5navg9f92s5ugz7wl36 which just seems to relay everything coming in further to addr1v804tgee0m3ww7z93zh64wr9flqh9psdhnxg6cykfudgulg6f633p which you already found.

Not sure for which accounting reasons they go via this relay address, but I would guess that everything from what I guessed to be a deposit address is all already inside Binance. Those addresses all have much too much activity for a usual user (even if it is an attacker/scammer).

So, you could try to contact Binance, maybe with the help of a lawyer or law enforcement, but I’m honestly not sure how promising that is. We always tell people that this is an option, but I have rarely if ever heard success stories.

Even if they were willing to cooperate, the ADA are probably long sold and gone, and the chance is very high that the used account was either stolen or created with a fake identity.

Apologies that I don’t see a way to give more hope!
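The reply above leans on two properties of Cardano addresses: a base address (`addr1q…`) carries a stake credential that lets an explorer group many single-use deposit addresses under one `stake1…` address even when that stake address is never registered, while an enterprise address (`addr1v…`) carries no stake part at all. The script below is an added example written for this thread, not code from the forum or from any Cardano project. It implements bech32 decoding and encoding from scratch, parses the one-byte Shelley address header, derives the grouping `stake1…` address from a base address, and runs that over the four addresses quoted in the thread. The labels on those addresses are constructed for the example; everything printed about them comes from the encoding itself, not from on-chain lookups.

```python
"""Take Cardano Shelley addresses apart to see what the encoding reveals.

Added example for this thread (not forum or project code): from-scratch
bech32 codec + Shelley header parsing. Address strings are the ones quoted
in the thread; the labels are constructed for illustration.
"""

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]

# Address type = upper nibble of the header byte; lower nibble = network id.
ADDRESS_TYPES = {
    0: "base (payment key + stake key)", 1: "base (payment script + stake key)",
    2: "base (payment key + stake script)", 3: "base (payment script + stake script)",
    4: "pointer (payment key)", 5: "pointer (payment script)",
    6: "enterprise (payment key, no stake part)", 7: "enterprise (payment script, no stake part)",
    14: "reward (stake key)", 15: "reward (stake script)",
}

def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk

def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def _convertbits(data, frombits, tobits, pad):
    """Regroup a bit string, e.g. 5-bit bech32 symbols <-> 8-bit bytes."""
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or (acc << (tobits - bits)) & maxv:
        raise ValueError("bad padding bits")
    return out

def bech32_decode(addr):
    """Return (hrp, payload bytes, checksum_ok). Cardano addresses exceed the
    90-character limit of BIP-173, so no length limit is enforced here."""
    pos = addr.rfind("1")
    if pos < 1 or len(addr) - pos < 7:
        raise ValueError("missing separator or too short")
    hrp, data = addr[:pos].lower(), addr[pos + 1:].lower()
    if any(c not in CHARSET for c in data):
        raise ValueError("invalid bech32 character")
    values = [CHARSET.index(c) for c in data]
    checksum_ok = _polymod(_hrp_expand(hrp) + values) == 1
    return hrp, bytes(_convertbits(values[:-6], 5, 8, pad=False)), checksum_ok

def bech32_encode(hrp, payload):
    values = _convertbits(list(payload), 8, 5, pad=True)
    pm = _polymod(_hrp_expand(hrp) + values + [0] * 6) ^ 1
    checksum = [(pm >> (5 * (5 - i))) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[v] for v in values + checksum)

def parse_shelley_address(addr):
    hrp, payload, checksum_ok = bech32_decode(addr)
    header, body = payload[0], payload[1:]
    addr_type, network_id = header >> 4, header & 0x0F
    info = {"hrp": hrp, "type": addr_type, "kind": ADDRESS_TYPES.get(addr_type, "unknown"),
            "network_id": network_id, "checksum_ok": checksum_ok,
            "payment_hash": None, "stake_hash": None}
    if addr_type <= 3:            # base: 28-byte payment hash + 28-byte stake hash
        if len(body) != 56:
            raise ValueError("base address body must be 56 bytes")
        info["payment_hash"], info["stake_hash"] = body[:28].hex(), body[28:].hex()
    elif addr_type in (4, 5):     # pointer: payment hash + variable-length pointer
        info["payment_hash"] = body[:28].hex()
    elif addr_type in (6, 7):     # enterprise: payment hash only
        info["payment_hash"] = body.hex()
    elif addr_type in (14, 15):   # reward: stake hash only
        info["stake_hash"] = body.hex()
    return info

def stake_address_for(addr):
    """The stake1... address that groups this address, or None if it has no stake hash."""
    info = parse_shelley_address(addr)
    if info["stake_hash"] is None:
        return None
    stake_type = 14 if info["type"] in (0, 1, 14) else 15
    header = (stake_type << 4) | info["network_id"]
    return bech32_encode("stake", bytes([header]) + bytes.fromhex(info["stake_hash"]))

def group_by_stake(addresses):
    """Bucket addresses by grouping stake address; addresses without one go under None."""
    groups = {}
    for a in addresses:
        groups.setdefault(stake_address_for(a), []).append(a)
    return groups

THREAD_ADDRESSES = {  # labels constructed for the example; strings as quoted in the thread
    "first hop (opening post)": "addr1qysnnmx8k0xm4aee06st3m5zndv6dpege4wgzj8ae25wgjpp88kv0v7dhtmnjl4qhrhg9x6e56rj3n2us9y0mj4gu3yqj2zhvk",
    "suspected CEX deposit address": "addr1q8d60n4nmf4rnyp77gcth3rh44v6kn5jjhg3fs3dwf4rj597faqjhyr7nkajrrlgy9mma4pujgdjre4257ls9n5t95gqgk922w",
    "relay address": "addr1v8243y06t2lt44fj8qqs7uc5k702zgafhu5navg9f92s5ugz7wl36",
    "top-100 holder address": "addr1v804tgee0m3ww7z93zh64wr9flqh9psdhnxg6cykfudgulg6f633p",
}

if __name__ == "__main__":
    for label, addr in THREAD_ADDRESSES.items():
        info = parse_shelley_address(addr)
        print(f"{label}: type {info['type']} = {info['kind']}, network {info['network_id']}, "
              f"checksum_ok={info['checksum_ok']}")
        print(f"  payment hash:  {info['payment_hash']}")
        print(f"  stake address: {stake_address_for(addr)}")
```

Feeding an explorer the `stake1…` address returned by `stake_address_for` is what lets you list every deposit address a CEX has handed out under that credential, which is the "grouping" effect described above; the two `addr1v…` hops return `None` because enterprise addresses have nothing to group by, so those have to be followed transaction by transaction instead.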

Thank you again for your help.

I’ve contacted Binance. They’ve been willing to help, but said that neither the final deposit address nor the deposit address was theirs, so that sounds like a dead end.

Maybe they aren’t willing to disclose that they’re the owners of it.