Kaspersky Lab experts recently investigated a non-trivial incident in which attackers managed to steal 1.33 bitcoins (valued at $29,585 at the time of investigation) from a victim’s hardware wallet while the device was stored in the owner’s safe and disconnected from the internet. On the day of the theft, the victim had not performed any operations with the wallet and did not immediately notice what had happened.
Upon examining the wallet from which the crypto assets were stolen, and opening the device, the researchers found signs of malicious interference. Instead of ultrasonic welding, the halves of the wallet were glued together and fastened with double-sided tape. Additionally, another microcontroller with modified firmware and bootloader had been installed instead of the original one.
It became apparent that the victim had purchased a hardware wallet that was already infected with malware. The factory packaging and holographic stickers had looked intact and had not aroused suspicion.
The attackers had made only three changes to the original firmware of the bootloader and the wallet itself. Firstly, they removed the control of protective mechanisms. Secondly, at the initialization stage or when resetting the wallet, the randomly generated seed phrase was replaced with one of 20 pre-created and stored in the fraudulent firmware. Thirdly, if the owner set an additional password to protect the master key, only its first character was used. Thus, in order to pick up the key to a particular fake wallet, the attackers had to go through a total of 1280 options.
The crypto wallet appeared to be functioning as usual, but the scammers had complete control over it from the very beginning.
