Cryptocurrency investors often turn to hardware wallets as a secure way to store their digital assets, assuming that they are impenetrable. However, even the most advanced hardware wallets on the market may not be foolproof, and there are still risks associated with using fake or infected devices. Kaspersky has shared the details behind the incident of cryptocurrency theft involving a hardware wallet, which resulted in the loss of 1.33 BTC worth US$29,585.
Hardware wallets, also known as ‘cold’ wallets, store cryptocurrency keys on a device the size of a USB stick, which must be plugged into a computer to send crypto or interact with decentralised finance protocols. As a result, these devices are generally considered safer than ‘hot’ wallets that are connected to the Internet at all times.
However, a recent investigation by Kaspersky revealed a rare case of theft of assets from a hardware wallet, demonstrating how cybercriminals are coming up with new tactics to maximise their profits. The victim did not make any transactions that day, and the cold wallet was not connected to the computer. Thus, the victim did not immediately notice the theft, and the fraudster transferred 1.33 BTC (worth around US$29,585) without the victim’s knowledge.
Although the copy we studied appeared identical to the original, the device showed signs of malicious tampering once it was opened. Rather than being welded together ultrasonically like genuine hardware wallets, each half of the device was filled with glue and held together with double-sided tape. Additionally, instead of the original microcontroller, the wallet contained a different one, with its read-protection mechanisms and flash memory completely disabled. This led the company’s researchers to conclude that the victim had purchased a hardware wallet that had already been infected.
The attackers made only three changes to the original firmware of the bootloader and the wallet itself. They removed the checks behind the protective mechanisms, replaced the randomly generated seed phrase with one of 20 preset phrases, and used only the first character of any additional password. This left the attackers a total of just 1,280 possible keys per wallet.
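To make the size of that keyspace concrete, the following is an added illustration (not Kaspersky’s code, and not the firmware of any real wallet) that models the two firmware changes above on top of the standard BIP39 seed derivation (PBKDF2-HMAC-SHA512, 2048 rounds, salt “mnemonic” plus passphrase). The mnemonic is a constructed placeholder, and the figure of 64 possible first characters is an assumption inferred from the 1,280 options quoted in the text (1,280 divided by 20 preset phrases); the actual derivation inside the tampered device is not described on the page.

```python
import hashlib
import unicodedata

# Constructed placeholder mnemonic for the demonstration; not a real wallet phrase.
MNEMONIC = "sample words only never fund a wallet derived from this text"

# Numbers taken from the write-up: 20 preset phrases, 1,280 options in total.
PRESET_PHRASES = 20
FIRST_CHAR_CHOICES = 1280 // PRESET_PHRASES   # assumption: 64 possible first characters


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Standard BIP39 seed derivation as a genuine device would perform it."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048)


def tampered_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Models the described tampering: only the first character of the
    additional password influences the seed, so the passphrase adds at most
    one character of entropy instead of its full length."""
    return bip39_seed(mnemonic, passphrase[:1])


def passphrases_collide(p1: str, p2: str, mnemonic: str = MNEMONIC) -> bool:
    """True when two different passphrases yield the same seed on the
    tampered device, i.e. when they share a first character."""
    return tampered_seed(mnemonic, p1) == tampered_seed(mnemonic, p2)


def genuine_keeps_them_apart(p1: str, p2: str, mnemonic: str = MNEMONIC) -> bool:
    """A genuine device derives different seeds for different passphrases."""
    return bip39_seed(mnemonic, p1) != bip39_seed(mnemonic, p2)


def tampered_keyspace() -> int:
    """Total candidate seeds an attacker must consider per tampered wallet."""
    return PRESET_PHRASES * FIRST_CHAR_CHOICES


def genuine_seed_entropy_bits(word_count: int = 24) -> int:
    """Entropy of a randomly generated BIP39 phrase, ignoring the passphrase:
    12 words carry 128 bits, 24 words carry 256 bits."""
    return {12: 128, 24: 256}[word_count]


if __name__ == "__main__":
    print("tampered keyspace:", tampered_keyspace())
    print("genuine 24-word phrase: 2 **", genuine_seed_entropy_bits(24))
    print("'Secret123' vs 'Sunflower' collide on tampered device:",
          passphrases_collide("Secret123", "Sunflower"))
```

The point of the model is the contrast: a genuine device draws its seed from 128 or 256 bits of randomness, while the tampered one draws from a list of 20 phrases and a single character, which is why the thief could derive the key without ever touching the device in the owner’s safe. Any two passphrases that begin with the same character produce the same wallet on the tampered device, so the extra password offered essentially no protection.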
Thus, the attackers were able to carry out the operation while the disabled crypto wallet was lying in the owner’s safe. The crypto wallet seemed to work as usual, but from the very beginning, the scammers had complete control over it.
“Hardware wallets have long been considered one of the safest ways to store cryptocurrency, but cybercriminals have found new ways to benefit by selling infected or fake devices to unsuspecting victims. Such attacks are totally preventable. Hence, we strongly advise users to only purchase hardware wallets from official and trusted sources to minimise the risk,” said Stanislav Golovanov, Cyber Incidents Investigation Expert at Kaspersky.