Wallet Hacks: How a Person Lost Over $300,000 Due to Simple Mistakes

Starting two weeks ago, an ether wallet received hundreds of thousands of dollars. The only problem was that these funds were hacked from different wallets. Unfortunately, the vast majority of the funds were hacked due to carelessness on the part of the user.

Over the past couple of weeks, over $400,000 worth of Ethereum has been transferred into a hacker’s wallet, the transactions are shown here.  Over $350,000 of the ether was stolen using a process that was released publicly over two months ago.  With some security measures, at least some of the funds could have been saved from the hacker.

The hack    

The majority of the funds, 973 ether, were stolen from one user.  This user - who uses the Jaxx wallet - managed the funds from a rooted android phone.

This is the attack vector the hacker used to gain access to the funds.  For those of you that don't know, rooted Android devices are like jailbroken iPhones: you can install many new things if you have a rooted phone, but you have no security guarantee that the apps are not compromised. In this case, an app that was compromised was likely downloaded onto the phone giving the hacker all the access he needed.  Once access to the phone was gained, it is likely the hacker used an exploit that retrieves the backup phrase to Jaxx wallets.  This exploit has been known for many months but has not been fixed due to Jaxx being a hot wallet (a wallet where the coin is constantly being used, not stored). The user that had his wallet hacked and wished not to be identified told Coinidol.com:

“Seems like such a terrible omission that could easily be implemented. Life will go on. I have my health.”

How it works

According to a researcher at VX Labs who first found the exploit that was likely used, a summary of how the hack works is this:

“Even when your Jaxx has a security PIN configured, anyone with 20 seconds of (network) access to your PC can extract your 12 word backup phrase and copy it down. Jaxx does not have to be running for this to happen.  With the 12 word backup phrase, they can later restore your wallet, including all of your private keys, on their own computers, and then proceed to transfer away all of your cryptocurrency.”

The Jaxx team believed that fixing the exploit would unnecessarily make the wallet more difficult to use.  According to the CTO of Jaxx, Nilang Vyas, “there will always be tradeoffs between user experience, portability and security and we believe we’ve struck a great balance. Since 2013 over 750,000 Jaxx and (our former company) Kryptokit wallets have been created. Never have funds been lost on any of our production versions due to an issue on our end. We stand by that amazing record.”  With a little care, this hack could have been avoided.  Below are some tips to help you secure your funds.

Ways to increase the security of your funds

Crypto security experts give several pieces of advice on how to secure wallets and funds on them.

1) If you use public wifi, don’t. This is just not a good idea even if you add more security layers such as VPNs.

2)Turn on 2FA for all your accounts. Not text message based, but with google authenticator where possible.

3) Do not store your private key unencrypted, ever.  Use a 256-bit encryption service to encrypt the key if you can’t remember it.

4) Never access your coins on a device that is rooted. For all you iPhone users, rooted devices are basically Androids that have been jailbroken.

5) Do not install apps that are not reputable onto your device. Try to keep only apps that are signed and that you are confident don’t have any malicious code. Another option is to keep a device exclusively for dealing with your funds.

6) The only person that needs your private key is you.  Always look out for phishing scams.

7) Use bookmarklets for sites. Some fake sites have URLs close to the actual one and could steal your information.

8) Don't store funds on exchange wallets or hot wallets such as Jaxx. Cold wallets are more secure. Alternatively, use paper wallets and store them like any other important document you own.

9) Use the monitor option on etherscan to be alerted when there are transactions with your address. 

10) If you have a large sum of money, split it amongst different wallets to ensure one failure will not wipe out everything.