It’s every cryptocurrency owner’s worst nightmare: opening the wallet of your crypto assets to suddenly find it empty or unreachable, being left empty handed.
Sadly, for many cryptocurrency owners, being hacked has been a harsh reality. In this article, we have collected some experiences that have led to the loss of crypto assets. The reasons for these losses can vary a lot, and while these stories range from sad to devastating, the silver lining is that most of their causes can be easily prevented. We at Ledger want to raise awareness to these risks and show how they can be mitigated.
“How I was hacked, and all my cryptocurrencies were stolen!”
Summary: One day, Fabrice Grinda noticed that his phone was no longer working correctly while traveling. What he had not noticed yet was that had been a victim of a hack that resulted in losing his crypto assets on an exchange. The hacker(s) managed this by getting access to his mobile phone through phishing the cell phone provider, which they then used for resetting passwords and two-factor authentication. While, luckily for Fabrice, the hack did not result in a major loss (0,01 BTC), it does underline that exchanges are not the best solution for long-term storage.
Since the birth of the Bitcoin over $1,500,000,000 ($1,5b) in crypto assets was stolen during cryptocurrency exchange hacks. Crypto assets left in exchanges are not only vulnerable to attacks on the cryptocurrency exchanges, however.
“I assumed that by using very complex passwords, or a password manager like Dashlane, and requiring two-factor authentication with text messages sent to my cell phone, I would be safe. Boy was I wrong! “
Data on your computer or smartphone can be used as well to gain access to your cryptocurrency exchange account too. A mobile phone can notably be used to gain access to your two-factor authentication and password reset options (e-mail or exchange account). Once hackers gain access to your data, logging into the cryptocurrency exchange account and moving your crypto assets is an easy task. Having a hardware wallet, such as the Ledger Nano S, can protect you against this type of hack as no data that grants access to your crypto assets is left on your computer or smartphone. Fortunately in this particular case, the hackers were only able to take 0,01 BTC.
Not all are that lucky, however. Cryptoslate mentions that a crypto investor active on Binance lost $50,000 and could not get it back. This hack was equally started through phishing the customer support of their mobile phone service provider.
“I forgot my PIN: An epic tale of losing $30,000 in Bitcoin”
Summary: Mark Frauenfelder had gotten the scare of his life when he had forgotten the PIN code to his Trezor wallet as well as losing his 24-word recovery phrase that serves as a backup. His device contained the large amount of 7.4 BTC, which would normally be locked away forever. In the end, he got very lucky and managed to hack his device with the help of an expert and regained the acces.
Hardware wallets are generally a secure way to keep your crypto assets safe. A good one will keep your private keys out of reach from your computer, thus keeping them out of harm’s reach. If it is used properly, however. When using a hardware wallet, such as our Ledger Nano S, it is important to follow the instructions when setting up your device properly. Mark Frauenfelder sadly learned this the hard way.
“It would only be bad if I couldn’t remember my PIN”
It is important to know your PIN code by heart, but there is one (and ONLY one) backup in case you’d forget it: your recovery phrase. This will help your device generate the same private keys (thus access to the same wallets). This recovery phrase is absolutely critical as its the only backup of your device and needs to be written down on a piece of paper and kept in a secure place.
“Carla?” I asked. “Did you see that orange piece of paper with my bitcoin password on it? I can’t find it in Jane’s room.”
Sadly, in this case it had not been stored in an area out of reach from others. Combined with the forgetting of the PIN code, this means the crypto assets on your device will be lost forever. Mark ended up being lucky, as the device he used (Trezor) ended up having a security flaw at the time, which he was able to exploit with the help of an expert. If not, he would have lost over $30,000 worth of Bitcoin (7.4 BTC).
“Bitcoin Lost: The Heroic and Maddening World of Crypto Wallet Recovery”
Summary: David Veksler’s job involves recovering wallets for clients and has seen a lot of different reasons for Bitcoin being lost. One very notable reason is people having lost their recovery phrase or having entered it into a device connected to the internet.
The reasons for the losses David Veksler discusses can vary a lot. Forgotten passwords and damaged backups or devices have been among the reasons. Fortunately with Ledger devices, you do have a backup in the form of a recovery sheet. This can be used to restore your accounts on another Ledger device, should anything happen to the first one.
“Another customer’s funds had been stolen because the customer had entered his words into notepad on his computer”
This backup does, however, need to be treated with great care. The recovery phrase needs to be kept in a safe place. As David Veksler discussed, the pocket of a pair of jeans is definitely not that. Entering your recovery phrase into a computer isn’t secure either. In the case that he discussed about this, his clients’ crypto assets were stolen due to the hacker being able to see what was being typed into the computer. After having seen the 24 words being entered, it was easy work to access the wallet from there.
A good start would be to store your recovery phrase would be on a piece of paper in a safe location where there’d be no risk of it being destroyed, found or taken.
“How Apple and Amazon Security Flaws Led to My Epic Hacking”
Summary: Mat Honan had become a victim of a hack that caused his digital life to be completely destroyed. Hackers broke into his Amazon, Apple ID, Gmail and Twitter account and were able to reset all data on his iPhone, iPad and MacBook remotely, erasing his irreplaceable photos and documents. The hackers’ goal was entering Mat’s Twitter account to wreak havoc it.
Not all hacks that can have severe consequences are related to cryptocurrencies, as Mat Honan had discovered. Being hacked for personal information can also have severe consequences, even more than Mat had faced. One can think about sensitive information, such as credit card or company information being stolen.
“If I … had used two-factor authentication for Gmail, everything would have stopped here.”
Two-factor authentication is a must-have nowadays, as hacks are ever present. This extra security layer can prevent many hacking efforts. Even then, a two-factor authentication through your mobile phone is not always sufficient as seen in the first article. Our devices equally have extra security features that go beyond crypto assets. Fido U2F is a two-factor authentication that could have stopped this specific hack from progressing. Unlike mobile phones, Ledger devices cannot be accessed or controlled remotely. Equally, our Password Manager app (available in Developer Mode) generates a password for you that can be entered through the device rather than a keyboard.
Conclusion: What are the takeaways for all of these hacks?
There are some key rules regarding crypto asset security. To prevent the losses as seen in these real-life cases, we would like to recommend the following:
- Do not use a cryptocurrency exchange for long-term storage: use a hardware wallet instead.
- Use two-factor authentication, preferably one that is not limited to devices connected to the internet.
- Choose a PIN code that you can remember, but is secure.
- Keep your 24-word recovery sheet well secured and never enter it on any device that is connected to the internet
- Optional: you can set up a second hardware wallet with the same wallets. Read more about this here.
If you can oblige to this one key aspect, hardware wallets are one of the most secure ways to store your crypto assets.