Fake Trezor App Steals $600k in BTC, Time to Rethink Your Crypto Security?
Your bitcoin is not safe. No, we’re not talking about vulnerabilities or bugs in the Bitcoin software itself, but rather the weak link that always threatens the security of BTC and other cryptocurrencies: you.
Yes, in many cases, users themselves are putting their crypto at risk, with even fairly experienced holders failing to grasp basic security concepts and doing things they shouldn’t be doing.
Simon Chandler | Apr 7, 2021
This was brought to the fore at the end of March, when Phillipe Christodoulou, a holder of 17.1 bitcoins, downloaded the Trezor app from the Apple App Store. The thing is, Trezor — which manufactures very secure hardware wallets — doesn’t actually have an app, so when the holder entered the seed recovery phrase for his wallet, he was unwittingly handing the keys to his bitcoin over to the peddlers of a fake application.
In fact, it gets even worse than that, since someone with 17.1 bitcoins really should have known not to enter a hardware wallet seed phrase into an app, or any kind of software. Along with other recent cases of thefts and losses, this episode provides further indication that bitcoin and crypto holders aren’t doing enough to protect their funds. Fortunately, we have some advice for keeping your hardware wallet — and your crypto — safe.
Never Share Your Bitcoin Wallet Seed Phrase
Unsurprisingly, Phillipe Christodoulou is more than a little peeved with Apple, which hosted the malicious app via its App Store.
“They betrayed the trust that I had in them. Apple doesn’t deserve to get away with this,” he told the Washington Post.
Apple does indeed claim that users can trust its App Store and the apps they download from it, writing on its support pages “that users can access these apps on their Apple devices without undue fear of viruses, malware or unauthorised attacks.”
However, it also needs to be said that Christodoulou should apportion some of the blame onto himself. As Jameson Lopp, the co-founder/CTO of Casa, emphatically noted in a tweet, there is a very simple — and exceptionless — rule of thumb when it comes to entering seed phrases into software: don’t do it, ever.
This is such a cardinal rule of security that hardware wallet manufacturers take every opportunity to inform their customers to follow it. Here’s what Ledger writes about protecting your seed phrase:
“You should never store your seed phrase on any application or device that is connected to the internet. Storing them offline is the safest option.”
Note the use of “never.” Likewise, under “Where NOT to keep your seed,” Trezor writes in an FAQ “Anywhere online,” among other no-nos.
It seems too few of us are actually paying attention to such advice, since the Washington Post also reports that, along with Christodoulou, another holder lost $14,000 in bitcoin and ethereum after downloading the same fake app.
There are also other instances of people losing their cryptocurrency as a result of entering their seed phrases, with a scam from November resulting in over 1.1 million XRP being stolen from Ledger users. In this case, Ledger users were sent phishing emails that directed them to a fake Ledger website, on which they were invited to enter their seed phrase. Something similar happened to Trezor users in July.
Then there are cases of people simply losing their seed recovery phrase, something which is infinitely worse than losing a hardware wallet (since wallets can be replaced, but lost phrases cannot). According to an analysis published by Chainalysis in January, some $140 billion in bitcoin — or around 20% of the existing supply — has been lost this way, although this also includes people losing passwords to software wallets.
How to Keep Your Hardware Wallet and Bitcoin Safe
The above points to two key rules for keeping your wallet and your crypto safe:
1) Store your seed phrase on some durable physical medium in a secure location.
2) Never, ever share or enter this phrase anywhere.
Basically, keep your phrase and your wallet away from anyone else at all times. This is simple enough, but it’s surprising how often people violate this principle.
At the end of March, a German man had nearly €100,000 in bitcoin stolen, after unlocking the wallet on his phone (in order to prove his holdings) during a supposed face-to-face trade. That same month, a man in Argentina fell victim to something very similar, after arranging an in-person bitcoin trade.
Both of these individuals made the mistake of effectively giving other people access to their funds (and of thinking that a face-to-face bitcoin trade was a good idea in the first place). So, in aid of educating people to look after their seed phrases and crypto, here are some best practices to follow:
- Consider buying a personal safe in which to store the card/metal on which your recovery phrase is printed. Or at least a drawer that can be locked.
- Store this safe/locked container in a place that’s less likely to suffer flooding or a fire.
- NEVER store your recovery phrase on an internet-connected device (e.g. your phone or laptop). NEVER. And never enter your phrase into such a device: legitimate wallet providers will never ask for it.
- Consider giving a trusted family member some way of gaining access to your recovery phrase, in the event of something happening to you.
These are the basics of keeping your seed phrase safe. That said, more determined holders (and/or those with more crypto) may consider other measures, such as storing their phrase in a safe deposit box at a bank, and/or storing it using a Cryptosteel Capsule.
Again, don’t share or enter your recovery phrase ever. Unless, of course, you’re actually recovering your hardware wallet. For now, this seems to be a rule too many people are ignoring or forgetting, but given that Bitcoin and crypto are still very young, hopefully most of us will catch up sooner or later.