Jump to content

Had two XRP wallets cleared out.

ChavasRegal

By ChavasRegal
in Software and Hardware

 Share

Recommended Posts

ChavasRegal

ChavasRegal

Posted
Posted

Right lets just start by saying I feel sick, physically sick,.

Over Christmas I had family up and we got talking about crypto, after a bit of chatting they decided that they would like to invest in some XRP but with exchanges overwhelmed and registrations being suspended they asked if I would mind  acting as the middleman and putting the money through my bank and on to the exchange, personally I was against this as I know how volatile things can be and although I'm happy to loose my money; I'm not so happy to risk other peoples. I finally caved and put a modest £2k on to the exchange for them with 50% going on a selection of alts and 50% going on XRP, they wanted 100XRP setting aside In a wallet for the grandkids a long ways down the line and the rest in to their wallet. so today after the price of XRP dropped and with them having around £1k in profit from their altcoins they asked me to trade those in and pick up more XRP, happily I obliged.

Come tonight and I'm ready to move the XRP from Binance to their wallet, I copy their wallet address but before I send I double checked the address, to my horror all their XRP had been taken out on the 31st Dec.

Below are the two wallets.

https://bithomp.com/explorer/rEAvsfoR3GN8D7YKEdCGBZj81QkFXyfGPv

https://bithomp.com/explorer/rftjDErSDDdq93zQK9T6Gxf4aEHcxrv9xP

Both these wallets were cold wallets, they were generated and then printed out, their private keys only stored on paper, they were both generated by using 

https://ihomp.github.io/ripply-paper-wallet/coldwallet-SHA1-cdfbe3260927b6073180a1099f02ef99ce0495e8.html

The only thing I can think of is the wallet generator site itself is where the account was compromised!

Has anyone else used this particular wallet generator, can anyone clarify its safety / security?

As I said earlier I feel physically sick, I know to a lot of people its not a lot of money, but I feel personally responsible, my gut instinct to not play with other peoples money was right and now the only option I feel I have is to reimburse them out of my own wallet.

CR

 

Link to comment
Share on other sites
  • Replies 62
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

gtyj
gtyj

Thanks @MooseInTime I myself have reviewed the code. I'm a web developer but my JS skills are not as great as my backend skills (C#, SQL, etc). Here's my breakdown: This program has two buttons,

PunishmentOfLuxury
PunishmentOfLuxury

The following method for cold wallet generation using Node.js seems to be safe after inspection by @JoelKatz  

MooseInTime
MooseInTime

Their findings in brief: The code does not contain any callouts to servers or mechanisms to transfer the keys via TCP/HTTP/FTP etc, or webservice calls Image (QRs) are generated by the co

elias

elias

Posted
Posted (edited)

It is strange that the wallet generators 'fork me on github' link is dead - that is where the source code should be available.

I have previously used TheWorldExchange.net to access the ledger/generate keys etc.  Its source code is available and it runs entirely client side (apart from connecting to the ledger or Ripple servers). I trust TWE, at least the version I downloaded from github and run myself, but I would not trust that paper wallet thing you posted.

Apparently some people trust hardware wallets, but personally I wouldn't trust those either and don't even see the point.

Edited by elias
Link to comment
Share on other sites
Jannercobbler

Jannercobbler

Posted
Posted (edited)
45 minutes ago, kickstart said:

I am guessing ---

  • Computer that was used to generate the wallet is compromised
  • The github hosted code is compromised

Would enabling "GlobalFreeze" prevent others from stealing funds?  What about "RequireAuth"?

https://ripple.com/build/freeze/#global-freeze

https://ripple.com/build/gateway-guide/#requireauth

 

How would you enable Global Freeze on an account please??

Edited by Jannercobbler
edit
Link to comment
Share on other sites
gtyj

gtyj

Posted
Posted (edited)

I used that very same paper wallet link about a week ago and my funds are just fine. You can see my thread asking about verifying a cold storage wallet right before I transferred the funds here 

Also that very wallet is the one reference by @Mercury on one of the tutorials posted here about wallet options 

So far my funds are there and there are no issues, however I would be very alarmed to find out there is an issue with this wallet. The way I did it was to run the code in a newly installed raspbian OS on a blackbery PI 3 that was never online. I never printed the wallet  nor did I generate the key pair on an online machine. I only transferred its key/secret to a couple of usb sticks that I still hold. So far, like I said my wallet has all the funds I transferred almost a week ago.

Edited by gtyj
Link to comment
Share on other sites
RecentChange

RecentChange

Posted
Posted

 

 

 

https://ripple.com/build/freeze/#global-freeze

The XRP Ledger gives addresses the ability to freeze non-XRP balances, which can be useful to meet regulatory requirements, or while investigating suspicious activity. There are three settings related to freezes:

Individual Freeze - Freeze one counterparty.

Global Freeze - Freeze all counterparties.

No Freeze - Permanently give up the ability to freeze individual counterparties, as well as the ability to end a global freeze.

Because no party has a privileged place in the XRP Ledger, the freeze feature cannot prevent a counterparty from conducting transactions in XRP or funds issued by other counterparties. No one can freeze XRP.

 

Link to comment
Share on other sites
MooseInTime

MooseInTime

Posted
Posted
3 minutes ago, gtyj said:

I used that very same paper wallet link about a week ago and my funds are just fine. You can see my thread asking about verifying a cold storage wallet right before I transferred the funds here 

Also that very wallet is the one reference by @Mercury on one of the tutorials posted here about wallet options 

So far my funds are there and there are no issues, however I would be very alarmed to find out there is an issue with this wallet. The way I did it was not run the code in a newly installed raspbian OS on a blackbery PI 3 that was never online. I never printed the wallet, only transferred its key/secret to a couple of usb sticks that I still hold. So far, like I said my wallet has all the funds I transferred almost a week ago.

different URL - same look

I'm comparing the source code now

Link to comment
Share on other sites
ChavasRegal

ChavasRegal

Posted
  • Author
Posted
6 minutes ago, MooseInTime said:

Can't compare the source code as the Mercury one is dead, I'm looking for anything obvious in the source of the OP's candidate now

My main concern is that the generator is compromised and others are going to be affected.

I don't think its my computer that's the weak link, it's kept fully up to date and scanned regularly for viruses  / malware and I used spyboy search and destroy to immunise against known threats. 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...