The Smart Ape 🔥

@the_smart_ape

18 Tweets Sep 15, 2024
Your seed phrase is at risk!
A North Korean hacker group has developed a new method to drain your wallet.
My brother fell victim 🧵🔽
On September 4th, my brother had $25,000 of assets drained from his Ledger wallet. I was perplexed.
After checking his transaction history, I found no interaction with a drainer, a malicious smart contract, or anything suspicious!
There was nothing.
If I found nothing on-chain, that meant his seed phrase had been physically discovered.
He only had two copies of his seed phrase:
• One on paper, stored in a locked safe.
• The other a photo of that paper, stored in a secure folder on his phone.
After running a full diagnostic on his phone, I discovered the presence of malware called SpyAgent.
This malware was hidden in a TV streaming app and had a very unique way of operating.
It scanned all the data on the phone, searching for patterns resembling a seed phrase.
What’s astonishing is that this malware could even recognize a seed phrase from a photo, even though it wasn’t in text form.
Upon further investigation, I found that the cybersecurity company McAfee had already identified this malware.
They had compiled a list of 280 fake apps running the malware.
However, they estimate that only 10% of the apps have been identified, meaning many others are still circulating.
Mobile malware spreads through phishing campaigns that use fake messages purporting to come from trusted sources.
Once clicked, these links direct users to sites that imitate legitimate ones, tricking them into downloading malicious apps.
Always verify links before clicking! My brother got caught when he tried to download the X TV app.
Clicking the download link prompts users to install an APK that appears legitimate but is actually malware.
It requests access to sensitive data such as SMS, contacts, and storage under the pretense of standard app functionality; in reality, those permissions are what allow it to harvest the victim’s data.
Once installed, the app steals sensitive data such as contacts, SMS, photos, and device details and sends them to a remote server.
It can also receive commands to manipulate settings, send SMS, and confirm data theft, compromising privacy and security.
However, some Command and Control (C2) servers had weak security, allowing unauthorized access to files and index pages without credentials.
This exposed the server’s operations, showing how it gathered data, including files mimicking banks and postal services.
Because of this misconfiguration, victims' personal data were publicly exposed.
Other hacker groups used this information to blackmail victims or use the discovered seed phrases for their own gain.
What’s even crazier is that anyone could access the admin page designed to manage victims.
It displayed a list of devices with various actions that anyone could perform.
The more victims there were, the larger the list grew.
The attackers’ main objective was to steal mnemonic recovery phrases for cryptocurrency wallets, targeting victims' crypto assets to access and drain them.
The threat processes the stolen data using Python and JavaScript on the server side.
Images are converted to text using optical character recognition (OCR) techniques, and the data is managed through an admin panel.
This shows the attackers’ sophisticated approach to handling seed information.
The lesson?
Never store your seed phrase on any electronic device, even if it’s stored offline.
Whether it's a PC or a phone, there are now highly sophisticated hacks capable of detecting seed phrase patterns, even from a photo.
I hope you've found this thread helpful.
Follow me @the_smart_ape for more.
Like/Repost the quote below if you can: