Hardware wallets are regarded as one of the safest means of storing bitcoin and other cryptocurrencies. Each device grants the holder possession of their private keys and adds a PIN code plus other tamer-proof tech for enhanced security. Hardware wallets are not impregnable, however, as one British man found to his peril after purchasing the device on Ebay.

Man in the Middle

Redditor moodyrocket is coming to terms with having his “life savings” wiped out this week, after $34,000 of crypto was stolen from his newly acquired Nano Ledger hardware wallet. The device was compromised, not due to any flaws in its design, but thanks to a man in the middle attack that saw the reseller insert their own recovery seed. The buyer then unwittingly began using the wallet, unaware that the default seed they were using had not been randomly assigned by the manufacturer. He explained:

I have not used my Ledger in a week, today I decide to check the value of my XRP, Litecoin and Dash only to discover that all of them showed up as zero and had been transferred somewhere else yesterday all around the same time at 7:30pm. I am not sure how this is possible as I have not access my Ledger in a week.

The victim was initially confused as to how the attack could have been successfully pulled off, before eventually twigging that the Ebay seller must have tampered with the device. After sharing his story on Reddit, Ledger reached out to moodyrocket and encouraged him to report the crime to “bring the eBay seller to justice”.

Man Has Cryptocurrency Stolen from Hardware Wallet Supplied by a Reseller
The fraudulent documentation that came with the wallet.

An Elaborate Hoax

The odds of the British-based victim getting his cryptocurrency back are remote, but his loss can at least be the community’s gain. The widespread attention the tale has received serves to highlight the dangers to anyone considering purchasing a hardware wallet from a third party. Auction sites, unaffiliated vendors, and merchants who have no formal partnership with wallet manufacturers should all be avoided.

Man Has Cryptocurrency Stolen from Hardware Wallet Supplied by a Reseller
This sheet should not come with your Ledger wallet.

The vast majority of resellers stocking wallets such as Ledgers and Trezors have no intention of meddling with the devices. But it only takes one unscrupulous entity to interfere with a wallet and pass it on to the unsuspecting buyer. The Ebay seller who duped moodyrocket had gone to great lengths to orchestrate the scam. The seed is meant to be generated by the device, but this purchase came with “scratch off” paper that revealed the seed.

Despite the security of hardware devices themselves, the weakest link is always the people using them. Even a raft of anti-theft tech can’t atone for human error. Had the victim reset the device and created a new seed he would have been fine. When presented with convincingly forged documentation, though, he naturally felt safe in sticking with the default seed. Purchasing hardware wallets directly from the manufacturer may take longer and cost more, but the alternatives just aren’t worth it.

 


Images courtesy of Shutterstock, and Reddit.