{"id":78748,"date":"2023-05-15T15:05:11","date_gmt":"2023-05-15T12:05:11","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=78748"},"modified":"2025-09-11T07:07:48","modified_gmt":"2025-09-11T04:07:48","slug":"hackers-stole-about-30000-in-bitcoin-via-counterfeit-hardware-wallet","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/hackers-stole-about-30000-in-bitcoin-via-counterfeit-hardware-wallet\/","title":{"rendered":"Hackers stole about $30,000 in Bitcoin via counterfeit hardware wallet"},"content":{"rendered":"<p>Unknown criminals forged a hardware cryptocurrency wallet and siphoned off 1.33 BTC ($29,585 at the time of analysis).<\/p>\n<p>The thieves were able to steal the funds while the offline device lay in the owner&#8217;s safe. On the day of the theft the victim did not perform any operations with it, so the breach went unnoticed for some time.<\/p>\n<p>According to experts, the victim had purchased a compromised hardware wallet whose factory packaging and holographic stickers appeared intact and raised no suspicion.<\/p>\n<p>Upon opening the device, technicians found signs of malicious tampering.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abInstead of ultrasonic welding, the wallet halves were sealed with glue and fastened with double-sided tape. They replaced the original microcontroller with their own, with modified firmware and bootloader, removing control of protective mechanisms\u00bb, they said.<\/p>\n<\/blockquote>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/image002-1.webp\" alt=\"image002-1\" class=\"wp-image-206938\"\/><figcaption>The hardware wallet from the inside: left the original, right the counterfeit. 
Data: &#8220;Kaspersky Lab&#8221;.<\/figcaption><\/figure>\n<p>From the outset, the attackers fully controlled the device.<\/p>\n<p>During initialization or when resetting the wallet, a randomly generated seed phrase was replaced with one of 20 pre-created seeds stored in the fraudulent firmware.<\/p>\n<p>Moreover, if the owner had set an additional password to protect the master key, only its first character was used. Thus, to obtain the key to a specific fake wallet, the attackers needed to try just 1,280 variants.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abWhile hardware wallets are considered among the most secure ways to store cryptocurrency, attackers have found a way to compromise them \u2014 by selling infected or counterfeit devices\u00bb.<\/p>\n<\/blockquote>\n<p>Earlier in February, MetaMask <a href=\"https:\/\/forklog.com\/en\/news\/metamask-team-warns-users-about-phishing\">warned<\/a> about phishing attacks from counterfeit company addresses.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unknown criminals forged a hardware cryptocurrency wallet and siphoned off 1.33 BTC ($29,585 at the time of 
analysis).<\/p>\n","protected":false},"author":1,"featured_media":78749,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,961,1553],"class_list":["post-78748","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-hardware-wallets","tag-kaspersky-lab"],"aioseo_notices":[],"amp_enabled":true,"views":"17","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/78748","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=78748"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/78748\/revisions"}],"predecessor-version":[{"id":78750,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/78748\/revisions\/78750"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/78749"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=78748"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=78748"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=78748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}