Jump to content
ChavasRegal

Had two XRP wallets cleared out.

Recommended Posts

Right lets just start by saying I feel sick, physically sick,.

Over Christmas I had family up and we got talking about crypto, after a bit of chatting they decided that they would like to invest in some XRP but with exchanges overwhelmed and registrations being suspended they asked if I would mind  acting as the middleman and putting the money through my bank and on to the exchange, personally I was against this as I know how volatile things can be and although I'm happy to loose my money; I'm not so happy to risk other peoples. I finally caved and put a modest £2k on to the exchange for them with 50% going on a selection of alts and 50% going on XRP, they wanted 100XRP setting aside In a wallet for the grandkids a long ways down the line and the rest in to their wallet. so today after the price of XRP dropped and with them having around £1k in profit from their altcoins they asked me to trade those in and pick up more XRP, happily I obliged.

Come tonight and I'm ready to move the XRP from Binance to their wallet, I copy their wallet address but before I send I double checked the address, to my horror all their XRP had been taken out on the 31st Dec.

Below are the two wallets.

https://bithomp.com/explorer/rEAvsfoR3GN8D7YKEdCGBZj81QkFXyfGPv

https://bithomp.com/explorer/rftjDErSDDdq93zQK9T6Gxf4aEHcxrv9xP

Both these wallets were cold wallets, they were generated and then printed out, their private keys only stored on paper, they were both generated by using 

https://ihomp.github.io/ripply-paper-wallet/coldwallet-SHA1-cdfbe3260927b6073180a1099f02ef99ce0495e8.html

The only thing I can think of is the wallet generator site itself is where the account was compromised!

Has anyone else used this particular wallet generator, can anyone clarify its safety / security?

As I said earlier I feel physically sick, I know to a lot of people its not a lot of money, but I feel personally responsible, my gut instinct to not play with other peoples money was right and now the only option I feel I have is to reimburse them out of my own wallet.

CR

 

Share this post


Link to post
Share on other sites

It is strange that the wallet generators 'fork me on github' link is dead - that is where the source code should be available.

I have previously used TheWorldExchange.net to access the ledger/generate keys etc.  Its source code is available and it runs entirely client side (apart from connecting to the ledger or Ripple servers). I trust TWE, at least the version I downloaded from github and run myself, but I would not trust that paper wallet thing you posted.

Apparently some people trust hardware wallets, but personally I wouldn't trust those either and don't even see the point.

Edited by elias

Share this post


Link to post
Share on other sites
45 minutes ago, kickstart said:

I am guessing ---

  • Computer that was used to generate the wallet is compromised
  • The github hosted code is compromised

Would enabling "GlobalFreeze" prevent others from stealing funds?  What about "RequireAuth"?

https://ripple.com/build/freeze/#global-freeze

https://ripple.com/build/gateway-guide/#requireauth

 

How would you enable Global Freeze on an account please??

Edited by Jannercobbler
edit

Share this post


Link to post
Share on other sites

I used that very same paper wallet link about a week ago and my funds are just fine. You can see my thread asking about verifying a cold storage wallet right before I transferred the funds here 

Also that very wallet is the one reference by @Mercury on one of the tutorials posted here about wallet options 

So far my funds are there and there are no issues, however I would be very alarmed to find out there is an issue with this wallet. The way I did it was to run the code in a newly installed raspbian OS on a blackbery PI 3 that was never online. I never printed the wallet  nor did I generate the key pair on an online machine. I only transferred its key/secret to a couple of usb sticks that I still hold. So far, like I said my wallet has all the funds I transferred almost a week ago.

Edited by gtyj

Share this post


Link to post
Share on other sites

 

 

 

https://ripple.com/build/freeze/#global-freeze

The XRP Ledger gives addresses the ability to freeze non-XRP balances, which can be useful to meet regulatory requirements, or while investigating suspicious activity. There are three settings related to freezes:

Individual Freeze - Freeze one counterparty.

Global Freeze - Freeze all counterparties.

No Freeze - Permanently give up the ability to freeze individual counterparties, as well as the ability to end a global freeze.

Because no party has a privileged place in the XRP Ledger, the freeze feature cannot prevent a counterparty from conducting transactions in XRP or funds issued by other counterparties. No one can freeze XRP.

 

Share this post


Link to post
Share on other sites
3 minutes ago, gtyj said:

I used that very same paper wallet link about a week ago and my funds are just fine. You can see my thread asking about verifying a cold storage wallet right before I transferred the funds here 

Also that very wallet is the one reference by @Mercury on one of the tutorials posted here about wallet options 

So far my funds are there and there are no issues, however I would be very alarmed to find out there is an issue with this wallet. The way I did it was not run the code in a newly installed raspbian OS on a blackbery PI 3 that was never online. I never printed the wallet, only transferred its key/secret to a couple of usb sticks that I still hold. So far, like I said my wallet has all the funds I transferred almost a week ago.

different URL - same look

I'm comparing the source code now

Share this post


Link to post
Share on other sites
1 minute ago, cuber said:

@ChavasRegal Reaching out to @JoelKatz for you now. JK has previously been excellent helping out guys with similar issues such as yours and hopefully he can provide some assistance. Of course, i'm sure that he's extremely busy during these times however you never know.

Thanks cuber much appreciated.

Share this post


Link to post
Share on other sites
6 minutes ago, MooseInTime said:

Can't compare the source code as the Mercury one is dead, I'm looking for anything obvious in the source of the OP's candidate now

My main concern is that the generator is compromised and others are going to be affected.

I don't think its my computer that's the weak link, it's kept fully up to date and scanned regularly for viruses  / malware and I used spyboy search and destroy to immunise against known threats. 

Share this post


Link to post
Share on other sites

I used the same wallet generator (offline) and my XRP is still there. I was steered to the wallet from this thread (trusted source)

-- I believe (hope) it is safe. The hash is the same, as the one in my zip file.

Share this post


Link to post
Share on other sites

×