Could Your Wallet Be Next? How to Keep Your Crypto Safe

Hot wallets are getting less and less safe

Mar 02, 2023

Hey there,

If you own a hot wallet (i.e. one that is always connected to the internet), it’s most probably time to reconsider your options. There have been 2 wallet hacks that occurred this week, which were most likely due to some vulnerabilities in the wallet apps themselves.

The Top Story: Your private keys aren’t safe

The first that occurred was Edge Wallet, where 2,000 private keys were leaked and 5 figures worth of crypto (in USD) were stolen.

Edge @EdgeWallet

Urgent notice: We have identified a security vulnerability in Edge which has the potential to have affected a subset of users. All users should read the blog post linked below and take immediate action:

edge.appUrgent Notice: Edge Security IncidentOn Feb 20, 2023, Edge senior staff were made aware of a security incident whereby a user had experienced an unauthorized transaction which swept the full amount

This was due to a vulnerability where a user who made a purchase via one of Edge’s on-ramp partners resulted in their private keys being exposed.

If this user uploaded their logs to Edge’s servers, the private keys would leave the mobile phone.

As a result, someone who has access to these private keys could then transfer the funds out of the users’ wallets and into their own.

A private key is the password to your crypto wallet. Anyone who has it will be able to gain full control of the funds in your wallet!

This incident seems eerily familiar to the Slope wallet hack which happened just a few months ago.

OtterSec @osec_io

We were given access to Slope’s wallet code and infrastructure. We independently confirmed that Slope was leaking mnemonics since version 2.2.0 which was released on June 24th We found mnemonics stored in logs on their Sentry server which account for ~12% of the hacked addresses

There were vulnerabilities which resulted in Slope wallet uploading users’ mnemonics (or seed phrases) to their servers. These were not encrypted and allowed the hacker to drain about $4.1 million worth of funds from these users!

These 2 incidents highlight the risks of having your seed phrase or private key stored on a hot wallet. These are always connected to the internet and increases the risk of them being compromised by hackers.

I recently did a video about the Edge Wallet hack which you can find out more about it here.

MyAlgo was hacked too

Another crypto wallet, MyAlgo, had around $9.6 million worth of funds being drained from users’ accounts.

MyAlgo @myalgo_

Recently, a targeted attack was carried out against a group of high-profile MyAlgo accounts. We have been in communication with the affected victims since the attack happened to identify the root cause of it.

However, MyAlgo still does not know what was the cause of this hack.

MyAlgo @myalgo_

IMPORTANT: ⚠️We strongly advise all users to withdraw any funds from Mnemonic wallets that were stored in MyAlgo. As we still don't know the root cause of recent hacks, we encourage everyone to take precautionary measures to protect their assets. Thank you for your understanding.

It could be that a leak resulted in the mnemonics of these wallets being exposed as well, resulting in these users’ wallets being drained.

Do let me know if you are still confused by what’s happening, as I feel that their communication is rather poor.

Are hardware wallets the answer?

Hardware (cold) wallets are more secure compared to hot wallets, where they keep your seed phrases and private keys offline.

It is not exposed to the internet at all, so it makes it much less susceptible to hacks.

However, just having a hardware wallet isn’t the be all and end all. Ultimately, you will still need to keep your seed phrase secure, which still involves keeping it in a safe place.

If you keep a digital copy of your seed phrase, it can be considered as being compromised!

You can check out my video here where I explained this mistake I made with my new Ledger wallet.

I would highly recommend you to get a hardware wallet if you have > $1k worth of crypto assets.

While they may seem very complicated, these wallets are quite straightforward to set up and use for your daily transactions.

If you’re new to hardware wallets, do feel free to let me know some questions you have!

Other top news of the week

Apart from these crypto wallet hacks, here are some other fascinating stories from the past week:

#1 Coinbase suspends BUSD 🛑

You will no longer be able to trade BUSD on Coinbase after they deemed that this stablecoin does not meet their listing standards.

Coinbase Assets @CoinbaseAssets

We regularly monitor the assets on our exchange to ensure they meet our listing standards. Based on our most recent reviews, Coinbase will suspend trading for Binance USD (BUSD) on March 13, 2023, on or around 12pm ET.

This may be rather concerning, but could it also be a targeted attack on Binance?

An article was also published by Forbes claiming that some of the Binance-Peg tokens being issued did not have enough collateral, which CZ had to come out and claim that the allegations are false.

It’s still hard to say whether Binance is truly safe, but to be better safe than sorry, you may want to withdraw all your funds from the platform, as well as any other centralised exchange.

#2 Account Abstraction makes waves on Ethereum

This could be a huge advancement in crypto adoption, with Vitalik seeing it as a gamechanger for Ethereum.

Cointelegraph @Cointelegraph

The new ERC-4337 "account abstraction" standard will be launched at WalletCon in Denver today. It provides Ethereum accounts with all the features of a bank account: 2FA, password recovery and set spending limits.

cointelegraph.comEthereum ERC-4337 ‘smart accounts’ launch at WalletCon: Account abstraction is hereCrypto finally gets user friendly, with the ERC-4337 “account abstraction” standard meaning new users can join any EVM-compatible blockchain without understanding seed phrases, private keys or transaction signing.

The entire concept is rather confusing, but account abstraction enables the development of smart contract wallets.

One of the main use cases is that you do not need to just rely on seed phrases and private keys to secure your wallet.

The Argent wallet already has a feature called Social Recovery, where you can share an encrypted version of your seed phrase with your friend. If you lose your private key, then you can get your friend (AKA guardian) to recover your wallet for you!

There are lots of applications of smart contract wallets, and hopefully this will spur greater adoption of crypto wallets.

#3 Polygon ID launches

There’s yet another new feature released by Polygon, with it claiming to be the first zero-knowledge-based digital ID tool.

David Schwartz @davidsrz

Today, we’re proud to announce the release of the open-source, Polygon ID Identity Infrastructure! 🎉 This is the first decentralized identity platform using zero-knowledge (ZK) to issue credentials on-chain, making it secure and privacy-preserving to power identity on web3. 🧵

This will allow you to verify your identity without any information being stored by a third party!

Remember all of the face scanning or uploads of our IDs that we had to do while signing up for an account on a centralised exchange? This could be a thing of the past with this latest tech.

#4 Solana’s down YET again

It’s just gotten worse for Solana after they faced another outage, but could not find the root cause of it.

CoinMarketCap @CoinMarketCap

#cryptonews: #Solana suffered yet another outage over the weekend, with the project admitting that the root cause of the downtime is still unknown.👀 coinmarketcap.com/alexandria/art…

It’s not looking good for Solana after they suffered 11 major and 3 minor outages in 2022.

#5 Trezor makes their own chips

This hardware wallet no longer needs to rely on third-party chipmakers as they are now building them in-house.

Trezor @Trezor

Silicon chip supply chain has been Trezored 🔒 to keep production and prices stable. bitcoinmagazine.com/business/trezo…

This could make Trezor more secure as it reduces the risk of its chips being compromised when it is manufactured by an external vendor.

Scam Spotter

I've come across some scams recently, and I want to help you spot them too. Here are some details you can look out for before clicking any links.

#1 Fake Optimism Airdrop

This tweet was advertising a second wave of the OP token airdrop.

Although the Twitter name is similar to the official Optimism account, the username being used was @Herzog_99.

The official username of Optimism is “@optimismFND”.

Clicking on the link resulted in this webpage that was rather poorly designed.

This would have been a phishing site that aimed to get you to connect your wallet, and then accept a token approval, which could have drained the funds in your wallet.

#2 Fake Email Scams

Received any messages from Trezor saying that your wallet is compromised?

This is most likely a scam as they may be looking to get hold of your seed phrase or private key via a phishing site.

Trezor @Trezor

🚨 Beware of the active phishing scam! The attackers contact the victims via phone call, SMS and/or email to say that there’s been a security breach or suspicious activity on their Trezor account. ➡️ Please ignore these messages as they are not from Trezor. ⬅️ More info in🧵👇

In a similar scam, a hacker accessed the laptop of an employee of The Sandbox, and he sent emails to its users to redirect them to a phishing site.

The Block @TheBlock__

The Sandbox warns users of security breach used for email phishing campaign theblock.co/post/216471/th…

This site contained some malware which could give third-party control over the user’s computer if they installed it.

Hot Deals

Check out these exciting deals I discovered that you might want to take advantage of!

#1 Free Unstoppable Domains

Unstoppable Domains is giving out free Web3 domains if you deposit $10 into your wallet created with OKX wallet.

unstoppable.nft @unstoppableweb

We've teamed up with @okx to help set up your digital identity Here’s how: - Deposit $10 of crypto into your OKX Wallet - Claim a free starter Web3 domain in app, or buy one from $5 It's that easy! Get yours at unstoppableweb.co/3kwmhJd (stay tuned for a premium giveaway 👀)

I’ll be trying this out and will be making a YouTube video about it once I’ve done so!

#2 Get 1 USDC when you deposit > $10 USD worth of assets to Robinhood wallet

The Robinhood wallet is now publicly available after being invite-only for a few months.

Johann Kerbrat @JohannKerbrat

#RobinhoodWallet is now available to everyone with iOS: rbnhd.co/wallet-tw

To qualify, you’ll need to:

Download and either import / create a Robinhood wallet
Deposit at least $10 worth of any of these supported assets in 1 transaction (either Polygon or Ethereum network)

I would suggest sending over $10 worth of MATIC via the Polygon network, due to lower gas fees on Polygon vs Ethereum.

The Footprint Formula

Discussion about this post