A British man has lost his “life savings” after $34,000 of crypto was stolen from his newly obtained Nano Ledger hardware wallet.
The device was compromised, not because of any flaws in its production, but due to a man in the middle attack that saw the reseller insert their own recovery seed.
The buyer then unwittingly started using the wallet, not aware that the default seed they were using had not been randomly assigned by the manufacturer.
He explained:
“I have not used my Ledger in a week, today I decide to check the value of my XRP, Litecoin and Dash only to discover that all of them showed up as zero and had been transferred somewhere else yesterday all around the same time at 7:30pm.
“I am not sure how this is possible as I have not access my Ledger in a week.”
The victim was initially bewildered as to how the attack could have been pulled off, before eventually twigging that the Ebay seller must have tampered with the device.
After sharing his story on Reddit, Ledger reached out to the man who goes by the name moodyrocket and encouraged him to report the crime to “bring the eBay seller to justice.”
The odds of the British-based victim getting his cryptocurrency back are small, but his loss can at least be the community’s gain.
The widespread attention the incident has received highlights the dangers to anyone who is considering the purchase of a hardware wallet from a third party.
Auction sites, unaffiliated vendors, and merchants who have no formal partnership with wallet manufacturers should all be eschewed.
The vast majority of resellers stocking wallets such as Ledgers and Trezors have no goal of meddling with the devices.
However, it only takes one unscrupulous party to interfere with a wallet and pass it on to the unsuspecting buyer.
The Ebay seller who scammed moodyrocket had gone to a lot of trouble to orchestrate the scam.
The seed is to be generated by the device, but this purchase came with “scratch off” paper that revealed the seed.
Despite the security of hardware devices, the weakest link is always the people using them.
Even anti-theft tech can’t make up for human error.
Had the victim reset the device and created a new seed, the incident would have been avoided.
When presented with convincingly forged documentation, though, he naturally felt safe in sticking with the default seed.
Purchasing hardware wallets directly from the manufacturer may take longer and cost more, but the alternatives are just not worth the potential trouble.