Potential Scam - Unauthorized ADA Outflows After Delegation

I’m reporting a possible scam involving my friend’s Cardano wallet. He attempted to delegate ADA using a Hyperledger hardware wallet connected to Adalite in early 2023, never entering his seed phrase (which was only written down). Here’s what happened:

  • On January 25, 2023, a delegation of -2.18399 ADA with a $0.78 fee was made to pool 04c60c78417132a195cbb74975346462410f72612952a7c4ade7e438

  • On February 11, 2023, large unauthorized transfers occurred: -6,679.2 ADA, -811.303 ADA, -285.822 ADA and -326.17 ADA (totalling over 8,100 ADA).

  • These funds moved to the following addresses:

I. addr1q8na65rztrp26e4vskuwvntfetlthly0s32zgfaszcpweypcst7kswlp8uj0ws9vrgsm997qr8pcecmxkvqre6gggacqknjawp
with the stake-key: stake1uyug9ltg80sn7f8hgzkp5gdjjlqpnsuvudntxqpuayyywuqd05pgn

from here combined to:

II. addr1q8e2kusxlmpmmlscus3zxcg00nseg0cdzp5rwh7wm20ft0tnv8tyzanl443fdtxc6xjfl66d9a7za33p5gfd6my36gcq4um8ez
with the stake-key: stake1u9ekr4jpwel66c5k4nvdrfyladxj7lpwccs6yykadjgayvq50cfmu

From here to:

III. DdzFFzCqrhswvX7p4ATGo5JP1uPy6EW2Tw5ZzTjq33MKJFLrZgfSfcyCQ5Um6jhXaPAEMT2sstx5HHVShWrKfoRC75ZvhwSvAs12zS8S
losing the stake key

IV. At the end, it seemed to have landed in this address:
addr1v94725lv4umktv89cg2t04qjn4qq3p6l6zegvtx5esu2zuqfd487u

Currently, when logging into Adalite with the Ledger, there is no option for unstaking any of the bigger amounts. I am unsure whether some kind of smart contract could lead to this late outflow of the coins, I am worried about a possibly infiltrated pool, and I wonder whether the private key did (or could) get exposed through some failure.

Since I know too little about these subjects (especially the Hyperledger), I was hoping to get a few answers here. I hope I did my homework correctly following the transactions. But the third Ddz wallet might just be a bigger exchange.

So, my questions to the community are:

  • Could a fake Adalite (phishing) or a wallet misconfiguration lead to this problem?
  • Is this pool maybe flagged or suspicious? – I tried to find out about it but haven’t found anything…

The first 6,678.434 ADA went with this Transaction Hash: c4070d0def7186d3e680299bf1f0eeb7f544e2d876f48a3efcf3467d44dca01d

→ I’d have screenshots of the history prepared, but it seems that it’s not common practice to use them. So I hope this information is enough.

1 Like

What is this Hyperledger hardware wallet? I can’t find a link in any web search of such hardware wallet. Could you send a link of this wallet to check the specs?

Uh, sorry!
It is the Ledger Nano X that he used. I read about IBM Hyperledger this week and somehow confused it.

On log-in, he always verifies through Ledger Live. As much as I understood, this would exclude a manipulated wallet.
Moreover, he followed a guide on the Ledger website for staking his ADA. He seems fit on that matter; that’s why I am not sure if he got phished or if there really is a wrong pool involved.

Here is the Model:

That’s not how staking works. The 2 ADA are only a deposit for registering the stake address.

What is delegated/staked is always the whole account and the ADA are not locked for that. The ADA always stay in the user’s wallet and the stake pool gets no control over them whatsoever.

ADA holders can always add/remove ADA and then just stake/delegate more/less for future epochs and correspondingly get more/less rewards in the future.

Yes, that address has only ever been used for this:
https://adastat.net/accounts/3882fd683be13f24f740ac1a21b297c019c38ce366b3003ce9084770
They only forwarded a round amount of 8090 ADA, so the remaining 9.47 ADA are still in there to this day.
Stake address has never been registered or delegated so that is kind of irrelevant here.

That account has only been used for three months, early December 2022 through early March 2023:
https://adastat.net/accounts/7361d641767fad6296acd8d1a49feb4d2f7c2ec621a212dd6c91d230
It (almost) always forwarded exactly the same amount it received just minutes later, as far as I can see to various centralised exchanges. I’d say that is somehow a laundering/consolidation account of the attackers.
Again, the stake address is kind of irrelevant.

That is a Byron address. They were used before staking was even implemented, so they, of course, do not contain stake addresses. A lot of centralised exchanges still use them as deposit addresses, presumably because they implemented their deposit functionality then and can’t be bothered to invest developer time again for no gain.

This one for sure looks like such a CEX deposit address:
https://adastat.net/addresses/DdzFFzCqrhswvX7p4ATGo5JP1uPy6EW2Tw5ZzTjq33MKJFLrZgfSfcyCQ5Um6jhXaPAEMT2sstx5HHVShWrKfoRC75ZvhwSvAs12zS8S
Deposited amounts are always forwarded a few hours later and, as far as I have checked, always to the same address. Moreover, we can see that the transaction forwarding the 8090 ADA took a lot of other deposits from other deposit addresses and put them all together on the next address.
https://adastat.net/transactions/92a9579472e37f304e2fe3b85c5e54b44dcd60037dc3d4eb605f06e147c0492e

Whether this deposit address was always used for the same customer or has been reused for different customers cannot be seen from on-chain data. The CEX can do as it wants in that regard. Many only use deposit addresses once, but this one has obviously been used many times.

Yep, looks like the main address of an exchange – hundreds of thousands of transactions, had quite high balances at times. But does not seem to be actively used recently. Couldn’t find any hint which CEX that is, though.

Of course not. Those amounts were moved elsewhere 2.5 years ago. As said above, you do not stake/unstake specific amounts on Cardano, but you delegate the whole account without any of the ADA being locked, without the need to “unlock” them.

There were no “smart” contracts involved in any of this. On Cardano, contracts are only involved if you specifically send/lock ADA and other tokens by sending them to a contract address where the spending is controlled by the contract instead of a key. That did not happen here at all.

Pools do not have any control over the ADA delegated to them. That’s just not a thing.

What we see here can only have happened if your friend either exposed their seed phrase to the attacker or authorised the four transactions on 2023-02-11 themselves.

The latter could, for example, have happened through a fake Adalite website. (There’s a reason Adalite warns about fakes very prominently at the top of their website.) But they would have had to confirm all four of them separately on their Ledger. Not totally impossible if a fake Adalite, e.g., said: “Hey, in order to stake those ADA, we have to do this and that. Please confirm!”

Anyway, there are only 23.52 ADA left in your friend’s account since 2023:
https://adastat.net/accounts/d825279abd7236b67d400705a561cccbd25b78f22214744ba008ac52
They did deregister and register their stake address a few times, which did not make a whole lot of sense and does not help with the ADA being gone since those transactions in February 2023.

2 Likes
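The reasoning in the answer above (an account that forwards almost exactly what it receives, minutes later, looks like a consolidation hop rather than a person's wallet, and whatever it does not forward stays behind as residue) can be turned into a simple tracing heuristic. The following is an added example, not code from the thread or from adastat; the account labels, timestamps and the 30-minute window are constructed, and the deposit sizes merely echo the amounts reported in the first post:

```python
"""Pass-through (forwarding) account heuristic over constructed transfer records.

Added example, not code from the original thread.  It encodes the reasoning
used when tracing stolen funds: an account that forwards (almost) exactly
what it receives within minutes, over and over, behaves like a consolidation
hop rather than a user's wallet.  All labels, timestamps and the tolerance
values are constructed; the deposit sizes echo the amounts named in the thread.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Movement:
    """One balance change on an account: positive = received, negative = sent."""
    when: datetime
    account: str
    delta_ada: float  # in ADA


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data. "hop" behaves like the consolidation account
# described above; "user" behaves like an ordinary wallet.
SAMPLE_MOVEMENTS: List[Movement] = [
    # hop receives three deposits and forwards each one minutes later, minus a fee
    Movement(_t("2023-02-11T10:00:00"), "hop", 6679.2),
    Movement(_t("2023-02-11T10:04:00"), "hop", -6679.0),
    Movement(_t("2023-02-11T10:20:00"), "hop", 811.303),
    Movement(_t("2023-02-11T10:23:00"), "hop", -811.1),
    Movement(_t("2023-02-12T09:00:00"), "hop", 285.822),
    Movement(_t("2023-02-12T09:07:00"), "hop", -285.6),
    # user receives ADA and spends small, unrelated amounts days later
    Movement(_t("2023-01-02T12:00:00"), "user", 500.0),
    Movement(_t("2023-01-09T18:30:00"), "user", -20.0),
    Movement(_t("2023-01-20T08:15:00"), "user", 250.0),
    Movement(_t("2023-02-01T14:00:00"), "user", -15.5),
]


def forwarding_ratio(moves: List[Movement],
                     window: timedelta = timedelta(minutes=30),
                     max_fee_ada: float = 1.0) -> Dict[str, float]:
    """Per account, the share of credits that are followed within `window` by a
    debit of the same amount (less at most `max_fee_ada`).  1.0 means every
    deposit was passed straight through."""
    by_account: Dict[str, List[Movement]] = {}
    for m in moves:
        by_account.setdefault(m.account, []).append(m)

    ratios: Dict[str, float] = {}
    for account, ms in by_account.items():
        ms = sorted(ms, key=lambda m: m.when)
        credits = [m for m in ms if m.delta_ada > 0]
        debits = [m for m in ms if m.delta_ada < 0]
        used = set()          # each debit may explain at most one credit
        forwarded = 0
        for c in credits:
            for i, d in enumerate(debits):
                if i in used or d.when < c.when or d.when - c.when > window:
                    continue
                if 0 <= c.delta_ada - (-d.delta_ada) <= max_fee_ada:
                    used.add(i)
                    forwarded += 1
                    break
        ratios[account] = forwarded / len(credits) if credits else 0.0
    return ratios


def flag_pass_through(moves: List[Movement], min_credits: int = 3,
                      threshold: float = 0.8) -> List[str]:
    """Accounts with at least `min_credits` deposits and a forwarding ratio >= `threshold`."""
    counts: Dict[str, int] = {}
    for m in moves:
        if m.delta_ada > 0:
            counts[m.account] = counts.get(m.account, 0) + 1
    ratios = forwarding_ratio(moves)
    return sorted(a for a, r in ratios.items()
                  if counts.get(a, 0) >= min_credits and r >= threshold)


def balance(moves: List[Movement], account: str) -> float:
    """Net balance left on the account: what was deposited but never forwarded."""
    return round(sum(m.delta_ada for m in moves if m.account == account), 6)


if __name__ == "__main__":
    print(forwarding_ratio(SAMPLE_MOVEMENTS))
    print("pass-through accounts:", flag_pass_through(SAMPLE_MOVEMENTS))
    print("residue left on hop:", balance(SAMPLE_MOVEMENTS, "hop"), "ADA")
```

Fed with real per-account movements from an explorer export, the same two numbers (forwarding ratio and leftover balance) are what a reviewer eyeballs when deciding whether a hop is an intermediary or the final destination; an exchange deposit address gives a similar ratio but, as noted above, a much longer delay and forwarding to one fixed address.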

Thank you for your quick response. I would just have a follow-up question regarding my friend’s history and the staking.

What is delegated/staked is always the whole account and the ADA are not locked for that. The ADA always stay in the user’s wallet and the stake pool gets no control over them whatsoever.

So for the first transaction, on January 25th, of 2.183 ADA, his history clearly displays:
“send” at 11:06 am and after that “delegate”, also at 11:06 am

With this transaction he delegated his account (or the 8k ADA?) to the staking pool and this worked?
And there was probably just a bad log-in on a phishing site, or someone stole his money on February 11, is that correct?

Thank you for your time and the details, I think there is nothing to do for my friend, but I told him already, it felt too awkward.

Best regards,
Neresko

Yes. That is this transaction:
https://adastat.net/transactions/6d05040b30c0635f413cab41ace39ad57089a16e519bc080c4b2167f8026224f

It sent 2.183 ADA because 2 ADA are a deposit for registering the stake key and 0.183 are the transaction fees.

That delegates the whole stake, the whole account to that stake pool. Which does not mean that the ADA are ever moved. It is just a number for determining if pools are allowed to mint a block.

Every five days a snapshot of all registered stakes is taken. The number of ADA recorded in that snapshot is used in the epoch from 5 to 10 days later to determine how many blocks the chosen pool is allowed to mint and how much of that pool’s rewards go to that delegator 15 days after the snapshot, 5 days after the end of the production epoch.

A user can always add or remove ADA or change the chosen pool and that change influences their rewards 15 days after the next snapshot (where that change is recorded).

You can see that effect after the funds in your friend’s account were stolen:


There were three more rewards above 2 ADA after that (because they were for snapshots recorded before it happened) and the rewards dropped off at the fourth epoch boundary after it.

The 2 ADA deposit is paid back if the stake key is deregistered. Your friend did that a few times (probably to fix the situation, but that could not help it), for example here:
https://adastat.net/transactions/bc6d621bf51c33ac97e05f77d595ebd532b1c85fd4ac1e8e91fb25d3aae47ada

Unfortunately, yes, that seems to be the case.

On 25th January, everything went as it should. The steal on 11th February does not have a close connection to that. Either they gave away their seed phrase or they were tricked into signing those transactions. Both possible. And totally understandable if they do not recall after more than two years.

2 Likes
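The snapshot-and-lag schedule described in the two answers above (a snapshot of every registered stake at each epoch boundary, used for block production 5 to 10 days later and paid out 15 days after the snapshot, with nothing ever locked) explains why rewards kept arriving for three more epochs after the theft and stopped at the fourth boundary. The following is an added worked example, not code from the thread; the per-epoch reward rate and the balance history are constructed, and real rewards depend on pool performance, which is not modelled:

```python
"""Delegation snapshot / reward timeline on Cardano, as an added worked example.

Not code from the thread.  It models the schedule the answers describe: the
stake recorded at each epoch boundary (every 5 days) is simply the account
balance at that moment, it drives block production in the following epoch,
and it is paid out as rewards three boundaries (15 days) later.  Because
nothing is locked, a theft only shows up in rewards once the first
post-theft snapshot reaches payout.  Rate and history are constructed.
"""
from typing import Dict, List, Tuple

EPOCH_DAYS = 5
REWARD_LAG_EPOCHS = 3        # snapshot at boundary b is paid out at boundary b+3 (15 days)
CONSTRUCTED_RATE = 0.0004    # ADA reward per ADA staked per epoch; illustrative, not real

Event = Tuple[float, float]  # (day relative to boundary 0, balance change in ADA)


def balance_at(events: List[Event], day: float) -> float:
    """Account balance after every event at or before `day`."""
    return round(sum(delta for t, delta in events if t <= day), 6)


def snapshots(events: List[Event], boundaries: range) -> Dict[int, float]:
    """Stake recorded at each epoch boundary: just the balance at that instant."""
    return {b: balance_at(events, b * EPOCH_DAYS) for b in boundaries}


def payouts(snaps: Dict[int, float], rate: float = CONSTRUCTED_RATE) -> Dict[int, float]:
    """Reward credited at each boundary, derived from the snapshot three boundaries earlier."""
    return {b + REWARD_LAG_EPOCHS: round(stake * rate, 6) for b, stake in snaps.items()}


def payouts_after(day: float, events: List[Event],
                  horizon_boundaries: int = 8) -> List[Tuple[int, float]]:
    """(boundary, reward) for every payout at a boundary strictly after `day`."""
    snaps = snapshots(events, range(0, horizon_boundaries + 1))
    paid = payouts(snaps)
    return sorted((b, r) for b, r in paid.items()
                  if b * EPOCH_DAYS > day and b <= horizon_boundaries)


# Constructed history echoing the thread: about 8,100 ADA delegated from before
# boundary 0, almost all of it moved out on day 12 (inside epoch 2), 23.52 ADA left.
HISTORY: List[Event] = [(-1.0, 8100.0), (12.0, -8076.48)]
THEFT_DAY = 12.0

if __name__ == "__main__":
    # Expect three full rewards (boundaries 3, 4, 5 come from snapshots 0, 1, 2
    # taken before the theft), then a collapse at boundary 6, the fourth one after it.
    for b, r in payouts_after(THEFT_DAY, HISTORY):
        print(f"boundary {b} (day {b * EPOCH_DAYS}): reward {r} ADA "
              f"from snapshot at boundary {b - REWARD_LAG_EPOCHS}")
```

Running it reproduces the pattern observed on the account: the snapshots at boundaries 0, 1 and 2 still show the full balance, so the payouts at boundaries 3, 4 and 5 are unchanged, and only the payout at boundary 6, which derives from the first snapshot taken after the theft, drops to the reward on the remaining 23.52 ADA.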